Extremely persistent Vundo infection


  • This topic is locked
13 replies to this topic

#1 angryjack

  • Members
  • 7 posts

Posted 28 February 2009 - 01:41 PM

I've got a malware infection that's been going on for a few months now. I've largely crippled it (almost all of the popups are gone, what pops up now usually doesn't load, and my system's response time is...closer to normal), but I just can't seem to get rid of it. It kills access to hotmail unless I've just run Malwarebytes and restarted (within the last hour or so), often hoses access to facebook, blocks Windows Update, keeps trying to respawn itself (which my 10,000 anti malware programs seem to catch pretty well), and every once in a while starts opening a ridiculous number of tabs in any open instance I have of IE, and I have to kill explorer with task manager to make it stop. This whole thing is rather embarrassing; I'm a computer professional by trade, but this one's got me stumped. Without further ado, my DDS log:

DDS (Ver_09-02-01.01) - NTFSx86
Run by Sam at 13:17:41.25 on 2009-02-28
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.257 [GMT -5:00]

AV: Trend Micro PC-cillin Internet Security *On-access scanning enabled* (Updated)
FW: Trend Micro PC-cillin Internet Security (Firewall) *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Sam\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Sam\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.blackle.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
mSearchAssistant = hxxp://www.google.com
BHO: {12d51555-86e5-4f97-aa5b-230d337a99a0} - No File
BHO: {2AC5925D-E30E-4D94-A247-3A419223755B} - No File
BHO: {33FF7E1D-CFE0-46FD-8221-4FF866F215AE} - No File
BHO: {384AB494-E42A-4E8E-A674-F1DFB821833D} - No File
BHO: {4300AB4D-64E4-4851-95B5-C09A01A24B2A} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {8E1BD518-0C9D-4223-8090-743B4A9F8A25} - No File
BHO: {A153E71C-7DD5-4F94-859A-F23BA89A84AF} - No File
BHO: {A28B83CD-7ED8-4A2F-9DA5-24F9D15D6451} - No File
BHO: {A7A4CD9F-4E67-4FF4-94B1-725D99401C7D} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [OE_OEM] "c:\program files\trend micro\internet security 12\tmas_oe\TMAS_OEMon.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Google Update] "c:\documents and settings\sam\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [pccguide.exe] "c:\program files\trend micro\internet security 12\pccguide.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [4430da47] rundll32.exe "c:\windows\system32\leyeluto.dll",b
mRun: [razedivulo] Rundll32.exe "c:\windows\system32\voyebabe.dll",s
mRun: [CPM4703e9db] Rundll32.exe "c:\windows\system32\fivipute.dll",a
mRunOnce: [SpybotSnD] "c:\program files\spybot - search & destroy\SpybotSD.exe" /autocheck
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nikonm~1.lnk - c:\program files\common files\nikon\monitor\NkMonitor.exe
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxps://support.dell.com/systemprofiler/SysPro.CAB
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1226027266421
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://eval.webex.com/client/T25L/webex/ieatgpc.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\geruwahi.dll
LSA: Notification Packages = cli c:\windows\system32\dotajavo.dll c:\windows\system32\wetuwima.dll

============= SERVICES / DRIVERS ===============

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [2005-8-30 205328]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2005-8-30 36368]
S0 vowgo;vowgo;c:\windows\system32\drivers\swvgjso.sys --> c:\windows\system32\drivers\swvgjso.sys [?]

=============== Created Last 30 ================

2009-02-28 07:38 1,665,518 ---sh--- c:\windows\system32\otuleyel.ini
2009-02-27 21:06 61,440 a------- c:\windows\system32\drivers\klcl.sys
2009-02-27 21:06 1,665,505 ---sh--- c:\windows\system32\owugenaj.ini
2009-02-27 19:40 2,713 ---sh--- c:\windows\system32\vemogewe.dll
2009-02-27 19:40 2,713 ---sh--- c:\windows\system32\nizoguya.dll
2009-02-27 19:40 103,424 -------- c:\windows\system32\janeguwo.dll
2009-02-27 19:32 120 ---sh--- c:\windows\system32\ibavoyok.ini
2009-02-27 19:32 144,125 a------- c:\windows\system32\gxuthe.dll
2009-02-27 18:31 73,018 a------- c:\windows\system32\tibiyoni.dll
2009-02-27 18:31 2,713 ---sh--- c:\windows\system32\wapizime.dll
2009-02-27 18:31 2,713 ---sh--- c:\windows\system32\yuyumula.dll
2009-02-27 18:31 2,713 ---sh--- c:\windows\system32\vawilodu.dll
2009-02-27 18:31 2,713 ---sh--- c:\windows\system32\bekozije.dll
2009-02-25 17:34 144,203 a--sh--- c:\windows\system32\sfqrzn.dll
2009-02-24 16:53 144,028 a--sh--- c:\windows\system32\aelkec.dll
2009-02-23 18:00 143,061 a------- c:\windows\system32\qctqpy.dll
2009-02-23 17:00 2,713 ---sh--- c:\windows\system32\fehotote.dll
2009-02-22 07:00 143,148 a--sh--- c:\windows\system32\ivhhos.dll
2009-02-21 09:21 144,186 a--sh--- c:\windows\system32\vrpeid.dll
2009-02-20 21:21 142,933 a--sh--- c:\windows\system32\nivbep.dll
2009-02-20 21:21 2,713 ---sh--- c:\windows\system32\lilufofu.dll
2009-02-20 08:16 2,713 ---sh--- c:\windows\system32\futateka.dll
2009-02-20 08:16 143,091 a--sh--- c:\windows\system32\yzxvku.dll
2009-02-18 16:45 143,114 a--sh--- c:\windows\system32\bgjkma.dll
2009-02-17 11:36 2,713 ---sh--- c:\windows\system32\falukovo.dll
2009-02-17 11:36 143,052 a--sh--- c:\windows\system32\armxni.dll
2009-02-16 18:42 69,632 a------- c:\windows\system32\lfgif13n.dll
2009-02-16 18:42 462,848 a------- c:\windows\system32\ltkrn13n.dll
2009-02-16 18:42 450,560 a------- c:\windows\system32\ltimg13n.dll
2009-02-16 18:42 401,408 a------- c:\windows\system32\lfcmp13n.dll
2009-02-16 18:42 299,008 a------- c:\windows\system32\ltdis13n.dll
2009-02-16 18:42 206,336 a------- c:\windows\system32\ltefx13n.dll
2009-02-16 18:42 163,840 a------- c:\windows\system32\ltfil13n.dll
2009-02-16 18:42 57,344 a------- c:\windows\system32\lfbmp13n.dll
2009-02-16 15:03 142,962 a--sh--- c:\windows\system32\inowky.dll
2009-02-07 11:39 142,040 a--sh--- c:\windows\system32\zhswjb.dll
2009-02-06 19:45 2,713 ---sh--- c:\windows\system32\muyasera.dll
2009-02-06 19:44 142,099 a--sh--- c:\windows\system32\mnpmzt.dll
2009-02-06 07:44 142,511 a--sh--- c:\windows\system32\jjyjwd.dll
2009-02-05 17:28 2,713 ---sh--- c:\windows\system32\funuyoki.dll
2009-02-03 17:00 133,909 a--sh--- c:\windows\system32\tzakii.dll
2009-02-03 17:00 120 ---sh--- c:\windows\system32\opasorek.ini
2009-02-02 16:31 120 ---sh--- c:\windows\system32\efekitah.ini
2009-02-01 10:45 135,326 a--sh--- c:\windows\system32\flsglz.dll
2009-01-31 20:27 120 ---sh--- c:\windows\system32\ilikalun.ini
2009-01-31 20:27 133,350 a--sh--- c:\windows\system32\rfbcvn.dll
2009-01-31 08:27 120 ---sh--- c:\windows\system32\igiwubef.ini
2009-01-31 08:27 133,367 a--sh--- c:\windows\system32\qvegkh.dll
2009-01-30 17:29 120 ---sh--- c:\windows\system32\emefezaj.ini
2009-01-30 17:29 135,330 a--sh--- c:\windows\system32\bncszt.dll
2009-01-29 18:54 133,267 a--sh--- c:\windows\system32\lcfcyg.dll

==================== Find3M ====================

2009-02-28 07:38 103,936 a--sh--- c:\windows\system32\leyeluto.dll
2009-02-28 07:38 108,544 a--sh--- c:\windows\system32\geruwahi.dll
2009-02-27 19:32 144,125 a------- c:\windows\system32\vezapini.dll
2009-02-27 19:32 109,828 a------- c:\windows\system32\gumuremi.dll
2009-02-27 19:32 95,515 -------- c:\windows\system32\koyovabi.dll
2009-02-27 18:33 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLdu.DAT
2009-02-26 20:15 144,062 a--sh--- c:\windows\system32\muleyepa.dll
2009-02-26 20:15 72,811 a--sh--- c:\windows\system32\tizubesa.dll
2009-02-26 20:15 108,230 -------- c:\windows\system32\mukihida.dll
2009-02-25 17:34 144,203 a--sh--- c:\windows\system32\lubazome.dll
2009-02-25 17:34 109,733 a--sh--- c:\windows\system32\kujekire.dll
2009-02-24 16:53 109,827 a--sh--- c:\windows\system32\larakiyu.dll
2009-02-24 16:53 144,028 a--sh--- c:\windows\system32\tolijuhi.dll
2009-02-23 18:00 143,061 a------- c:\windows\system32\lagumijo.dll
2009-02-23 18:00 110,409 a------- c:\windows\system32\pilivaze.dll
2009-02-22 07:00 143,148 a--sh--- c:\windows\system32\wamitura.dll
2009-02-22 07:00 73,015 a--sh--- c:\windows\system32\zemejira.dll
2009-02-22 07:00 109,279 a--sh--- c:\windows\system32\muzewozo.dll
2009-02-21 09:21 144,186 a--sh--- c:\windows\system32\sokekori.dll
2009-02-21 09:21 110,275 a--sh--- c:\windows\system32\woyitato.dll
2009-02-20 21:21 107,845 a--sh--- c:\windows\system32\lisohezu.dll
2009-02-20 21:21 142,933 a--sh--- c:\windows\system32\zimimenu.dll
2009-02-20 08:16 109,833 a--sh--- c:\windows\system32\vukiyufu.dll
2009-02-20 08:16 143,091 a--sh--- c:\windows\system32\tatagise.dll
2009-02-18 16:45 108,269 a--sh--- c:\windows\system32\tibutoda.dll
2009-02-18 16:45 143,114 a--sh--- c:\windows\system32\jabisuko.dll
2009-02-17 11:36 143,052 a--sh--- c:\windows\system32\rojolutu.dll
2009-02-16 15:03 142,962 a--sh--- c:\windows\system32\soluvubu.dll
2009-02-07 11:39 142,040 a--sh--- c:\windows\system32\dipunomu.dll
2009-02-07 07:45 72,298 a--sh--- c:\windows\system32\riseyigo.dll
2009-02-06 19:44 109,147 a--sh--- c:\windows\system32\parahuri.dll
2009-02-06 19:44 142,099 a--sh--- c:\windows\system32\fuhaleke.dll
2009-02-06 07:44 142,511 a--sh--- c:\windows\system32\reratadi.dll
2009-02-06 07:44 108,256 a--sh--- c:\windows\system32\yomubasi.dll
2009-02-06 07:10 9,030 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-02-05 17:28 108,355 a--sh--- c:\windows\system32\domofepu.dll
2009-02-03 17:00 133,909 a--sh--- c:\windows\system32\buhemubu.dll
2009-02-03 17:00 99,103 a--sh--- c:\windows\system32\lewilozi.dll
2009-02-02 16:31 64,285 a--sh--- c:\windows\system32\lopusuji.dll
2009-02-02 16:31 99,527 a--sh--- c:\windows\system32\zokujole.dll
2009-02-01 10:45 135,326 a--sh--- c:\windows\system32\hifehuzu.dll
2009-02-01 10:45 98,932 a--sh--- c:\windows\system32\dakapuso.dll
2009-01-31 20:27 133,350 a--sh--- c:\windows\system32\lufiyumo.dll
2009-01-31 20:27 100,065 a--sh--- c:\windows\system32\hesonaga.dll
2009-01-31 08:27 133,367 a--sh--- c:\windows\system32\jaduduwu.dll
2009-01-31 08:27 100,157 a--sh--- c:\windows\system32\zayewegi.dll
2009-01-30 17:29 135,330 a--sh--- c:\windows\system32\juvoguru.dll
2009-01-30 17:29 100,010 a--sh--- c:\windows\system32\hiboleta.dll
2009-01-29 18:54 133,267 a--sh--- c:\windows\system32\kugimefu.dll
2009-01-29 18:54 100,103 a--sh--- c:\windows\system32\povejiki.dll
2009-01-28 20:12 135,458 a--sh--- c:\windows\system32\yuwrdy.dll
2009-01-28 20:12 135,458 a--sh--- c:\windows\system32\pidimuva.dll
2009-01-28 20:12 98,936 a--sh--- c:\windows\system32\fapehaza.dll
2009-01-28 06:22 100,148 a--sh--- c:\windows\system32\tunatope.dll
2009-01-28 06:22 133,325 a--sh--- c:\windows\system32\zeyivule.dll
2009-01-28 06:22 133,325 a--sh--- c:\windows\system32\zehlpr.dll
2009-01-27 21:33 133,446 a--sh--- c:\windows\system32\wakuribi.dll
2009-01-27 21:33 133,446 a--sh--- c:\windows\system32\qryxfv.dll
2009-01-27 21:33 63,176 a--sh--- c:\windows\system32\miyowepa.dll
2009-01-26 19:53 69,873 a--sh--- c:\windows\system32\tiravare.dll
2009-01-26 19:53 141,090 a--sh--- c:\windows\system32\xqfmtp.dll
2009-01-26 19:53 141,090 a--sh--- c:\windows\system32\nituworo.dll
2009-01-26 19:53 107,718 a--sh--- c:\windows\system32\vesijobu.dll
2009-01-25 08:34 100,459 a--sh--- c:\windows\system32\royegize.dll
2009-01-25 08:34 133,433 a--sh--- c:\windows\system32\wajivepe.dll
2009-01-25 08:34 133,433 a--sh--- c:\windows\system32\nniqfg.dll
2009-01-24 10:26 133,381 a--sh--- c:\windows\system32\rilajezo.dll
2009-01-24 10:26 133,381 a--sh--- c:\windows\system32\qrehyc.dll
2009-01-24 10:26 99,456 a--sh--- c:\windows\system32\pazoloni.dll
2009-01-23 22:12 133,366 a--sh--- c:\windows\system32\mxqnrk.dll
2009-01-23 22:12 133,366 a--sh--- c:\windows\system32\defupabo.dll
2009-01-23 22:12 100,619 a--sh--- c:\windows\system32\yimazitu.dll
2009-01-23 15:50 389,120 a------- c:\windows\system32\CF8394.exe
2009-01-23 14:23 389,120 a------- c:\windows\system32\CF23978.exe
2009-01-23 14:23 389,120 a------- c:\windows\system32\CF23975.exe
2009-01-23 10:12 134,330 a--sh--- c:\windows\system32\wawepafo.dll
2009-01-23 10:12 134,330 a--sh--- c:\windows\system32\vsldhe.dll
2009-01-23 10:12 99,529 a--sh--- c:\windows\system32\hivupena.dll
2009-01-23 10:12 63,703 a--sh--- c:\windows\system32\hahefimo.dll
2009-01-22 18:04 133,264 a--sh--- c:\windows\system32\bsgobx.dll
2009-01-22 18:04 133,264 a--sh--- c:\windows\system32\bofajuge.dll
2009-01-22 17:14 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-18 22:22 100,477 a------- c:\windows\system32\jonanimo.dll
2009-01-18 22:12 2,713 ---sh--- c:\windows\system32\wayikilu.dll
2009-01-18 22:12 2,713 ---sh--- c:\windows\system32\lutawudi.dll
2009-01-18 08:57 99,426 a--sh--- c:\windows\system32\wahoneza.dll
2009-01-17 10:18 100,623 a--sh--- c:\windows\system32\dadoziyo.dll
2009-01-17 09:18 98,479 a--sh--- c:\windows\system32\bikodiri.dll
2009-01-17 09:18 62,641 a--sh--- c:\windows\system32\velowuza.dll
2009-01-15 18:23 68,791 a--sh--- c:\windows\system32\pumoveze.dll
2009-01-15 18:23 127,857 a--sh--- c:\windows\system32\gojafuka.dll
2009-01-15 06:23 131,775 a--sh--- c:\windows\system32\waolkj.dll
2009-01-15 06:23 131,775 a--sh--- c:\windows\system32\momokoma.dll
2009-01-13 18:22 131,703 a--sh--- c:\windows\system32\zwdqfb.dll
2009-01-13 18:22 131,703 a--sh--- c:\windows\system32\fivisuba.dll
2009-01-13 06:21 99,573 a--sh--- c:\windows\system32\karekenu.dll
2009-01-12 15:12 64,244 a------- c:\windows\system32\lujagaje.dll
2009-01-12 15:12 102,184 a------- c:\windows\system32\zoyutoma.dll
2009-01-12 09:15 2,713 ---sh--- c:\windows\system32\porerere.dll
2009-01-12 09:15:06 ---SH--- 2,713 c:\windows\system32\bomililu.dll
2008-10-31 12:11 104 ---shr-- c:\windows\system32\480F13F8BD.sys
0000-00-00 00:00 73,015 a--sh--- c:\windows\system32\botisuka.dll
0000-00-00 00:00 38,912 a--sh--- c:\windows\system32\felobazi.dll
0000-00-00 00:00 73,018 a--sh--- c:\windows\system32\fodovela.dll
0000-00-00 00:00 47,104 a--sh--- c:\windows\system32\mimahila.dll
0000-00-00 00:00 73,015 a--sh--- c:\windows\system32\nuvanube.dll
0000-00-00 00:00 73,018 a--sh--- c:\windows\system32\sizegufi.dll
0000-00-00 00:00 91,136 a--sh--- c:\windows\system32\tobuvuzi.dll
0000-00-00 00:00 73,018 a--sh--- c:\windows\system32\wetuwima.dll
2008-09-16 18:42 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091620080917\index.dat

============= FINISH: 13:19:57.70 ===============
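
As an added example (not from this thread, and not part of DDS or any of the tools named in it), a small Python triage script that applies the checks a helper reads for by eye in the DDS log above: Run keys that load a system32 DLL through rundll32 with a one-letter export, STS and LSA hooks naming unknown DLLs, a driver whose file DDS could not find, newly written system32 DLLs with hidden+system attributes, and same-minute same-size clone pairs such as zeyivule.dll / zehlpr.dll. The sample lines are copied from the log; the allowlist of legitimate hook DLLs is an assumption.

```python
"""Triage helper for a DDS log, written to mirror the checks a malware-removal
helper makes by eye on the log above. Heuristics only: they say where to look,
not that a file is malicious."""
import re
from collections import defaultdict

# Constructed sample: lines copied from the DDS log in this thread, plus two
# benign entries (jusched.exe, deploytk.dll) to show what is NOT flagged.
SAMPLE_LOG = r"""
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [4430da47] rundll32.exe "c:\windows\system32\leyeluto.dll",b
mRun: [razedivulo] Rundll32.exe "c:\windows\system32\voyebabe.dll",s
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\geruwahi.dll
LSA: Notification Packages = cli c:\windows\system32\dotajavo.dll c:\windows\system32\wetuwima.dll
S0 vowgo;vowgo;c:\windows\system32\drivers\swvgjso.sys --> c:\windows\system32\drivers\swvgjso.sys [?]
2009-01-28 06:22 133,325 a--sh--- c:\windows\system32\zeyivule.dll
2009-01-28 06:22 133,325 a--sh--- c:\windows\system32\zehlpr.dll
2009-01-28 06:22 100,148 a--sh--- c:\windows\system32\tunatope.dll
2009-01-22 17:14 410,984 a------- c:\windows\system32\deploytk.dll
""".strip().splitlines()

# "Created Last 30" / "Find3M" rows: date, time, size, attribute flags, path.
FILE_ENTRY = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) (?P<size>[\d,]+) "
    r"(?P<attrs>[a-z-]{8}) (?P<path>.+)$")
# Run key that loads a system32 DLL through rundll32 and calls a one-letter export.
RUNDLL_LOADER = re.compile(
    r'^[um]Run: \[[^\]]+\] rundll32\.exe "(?P<path>[^"]*\\system32\\[^"]+\.dll)",\s*[a-z]\s*$',
    re.IGNORECASE)
# Any system32 DLL named on a line (used for the STS: / LSA: hook lines).
HOOK_DLL = re.compile(r'\\system32\\([^\s\\"]+\.dll)', re.IGNORECASE)
# Assumed allowlist of Windows modules that legitimately sit in those hooks.
KNOWN_HOOK_DLLS = {"browseui.dll", "scecli.dll"}
# Service or driver whose binary DDS could not find on disk.
MISSING_DRIVER = re.compile(r"^[RS]\d .*-->.*\[\?\]$")


def parse_file_entry(line):
    """Return the fields of a file-listing row as a dict, or None for other lines."""
    m = FILE_ENTRY.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["size"] = int(entry["size"].replace(",", ""))
    return entry


def unexpected_hook_dlls(line):
    """DLL names on an STS: or LSA: line that are not on the allowlist."""
    if not line.upper().startswith(("STS:", "LSA:")):
        return []
    return [n for n in HOOK_DLL.findall(line) if n.lower() not in KNOWN_HOOK_DLLS]


def analyze(lines):
    """Apply every heuristic; return a list of (rule, detail) findings."""
    findings = []
    dropped_together = defaultdict(list)  # (date, time, size) -> paths
    for line in lines:
        if RUNDLL_LOADER.match(line):
            findings.append(("rundll32-autorun", line))
        elif unexpected_hook_dlls(line):
            findings.append(("hook-dll", line))
        elif MISSING_DRIVER.match(line):
            findings.append(("missing-driver", line))
        entry = parse_file_entry(line)
        if entry is None:
            continue
        # A freshly written system32 DLL carrying hidden+system attributes is
        # not how Windows Update or ordinary installers leave files.
        attrs, path = entry["attrs"], entry["path"].lower()
        if "s" in attrs and "h" in attrs and path.endswith(".dll"):
            findings.append(("hidden-system-dll", line))
        dropped_together[(entry["date"], entry["time"], entry["size"])].append(entry["path"])
    # Two names with the same minute and byte count are the same payload
    # written twice, the pattern that runs through the whole Find3M section.
    for paths in dropped_together.values():
        if len(paths) > 1:
            findings.append(("clone-pair", " == ".join(paths)))
    return findings


def summarize(lines):
    """Findings per rule, for a quick read of how heavily the log is hit."""
    counts = defaultdict(int)
    for rule, _ in analyze(lines):
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_LOG):
        print(f"{rule:18} {detail}")
```

Feed it the whole "Created Last 30" and "Find3M" sections and the clone-pair rule alone pulls out most of the randomly named DLLs above without any name-based guessing.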


#2 Hoov

  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan

Posted 12 March 2009 - 08:52 PM

Howdy, my name is Hoov, and I will be helping you with your dilemma. Apologies for taking so long in getting to you and your problem.

Please make sure you watch this thread for responses. If you click the options tab at the top of your first post, you can select to track this thread.

Here is what I am asking you to do during the repair of your computer

*Tell me everything that you have done, if anything, to try and fix this problem.

*Please only use 1 forum to help clear up your problem. Posting on more than 1 and following instructions from more than 1 forum will cause those helping you to pull out their hair.

*Follow my instructions - If you can't for some reason, or if you don't understand something, please tell me. If you deviate from my instructions, tell me, it may make a difference on where we go. Don't install anything, even other programs that have nothing to do with security or malware, it could cause things to change, and I would never know it.

*Have faith. I will do all I can to get your computer working, and if I can't - someone else here will know something else to try.

*Stick with me to the end. My aim is to fix your problems, and give you the tools and knowledge to keep this from happening again.

Now onto trying to fix your computer.

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

Can you update Malwarebytes' Anti-Malware and do a full scan please, and post the log. Also if you still have it, the last log from Malwarebytes' Anti-Malware showing the infection would also be appreciated.

Also Run comboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Also make sure you close all your browsers just before the instructions tell you to start the scanner.

Please include the C:\ComboFix.txt in your next reply for further review.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families


#3 angryjack

  • Topic Starter
  • Members
  • 7 posts

Posted 15 March 2009 - 06:48 AM

I've attached the two logs you asked for. The infection seems to have escalated in the last few days. I can no longer get out to any external websites and my background was replaced, all that good stuff. I'm currently running on a second install of XP I put on a recovery partition in order to operate. Unfortunately, the I386 that was stored on the C: drive was a bit corrupted, so I don't have the kind of functionality I want (I need to run a batch file whenever I power up in order to start all the non essential services for networking, half the OS was displaying in Arabic after first install, but a few windows updates took care of that, and I'm missing a bunch of device drivers that I can't seem to find). Your help would be greatly appreciated.


#4 Hoov

  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan

Posted 16 March 2009 - 04:22 PM

I am sorry to have left you hanging this weekend. I am having a cat5e cable problem. I have a real ugly fix right now so I can do some catch up and let people know I didn't abandon them intentionally. I won't be able to post again until March 17 at about 5PM East Coast USA time (UTC -4).

Sorry for any inconvenience.


Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Fix Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

-- If you receive this error:
"Run-time error '339': Component 'comdlg32.ocx' or one of its dependencies not correctly registered: a file is missing or invalid", please download Comdlg32.ocx, place it in your C:\Windows\system32 folder and try running VundoFix again.


#5 Hoov

  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan

Posted 22 March 2009 - 06:29 PM

angryjack, do you still need help?

#6 angryjack

  • Topic Starter
  • Members
  • 7 posts

Posted 30 March 2009 - 04:14 PM

Hey, extremely sorry that I left this for so long. Having a 3 month old leads to forgetting about things. Here's the VundoFix log, it showed zero results, but that boot of the OS still appears to be pretty heavily infected.


#7 Hoov

  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan

Posted 30 March 2009 - 04:26 PM

As it has been so long, update Malwarebytes' Anti-Malware and delete combofix, and then download a new copy. Reboot to safe mode and then run Malwarebytes' Anti-Malware and then combofix. Post the logs from both.

#8 angryjack

  • Topic Starter
  • Members
  • 7 posts

Posted 30 March 2009 - 07:56 PM

Logs are attached. Tons of matches with the updated tools, even though I haven't used the infected boot in weeks.


#9 Hoov

  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan

Posted 30 March 2009 - 09:10 PM

Did Malwarebytes' Anti-Malware delete all the files? From the log it looks as if they were not deleted. Also it appears as if Malwarebytes' Anti-Malware didn't get updated to the newest signatures. Keep updating until it won't update. Then run the scan and delete the files. Post the new log up.

#10 angryjack

  • Topic Starter
  • Members
  • 7 posts

Posted 31 March 2009 - 07:33 AM

That log was saved before I removed the files. Must have missed the option to save the logfile afterwards. The problem with getting it fully updated is that that partition is for some reason unable to contact the internet. I can run the software from my recovery partition, but I don't think it'll hit the infected registry.

#11 Hoov

  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan

Posted 31 March 2009 - 11:51 AM

Have you tried installing it normally since combofix ran?

Please download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families


#12 angryjack

angryjack
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:11 PM

Posted 01 April 2009 - 04:42 PM

Got on the internet on my regular partition by messing with the firewall. I ran SuperAntiSpyware twice, once before updates and once after. The two logs:

****************************************************************

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/31/2009 at 08:57 PM

Application Version : 4.26.1000

Core Rules Database Version : 3816
Trace Rules Database Version: 1770

Scan type : Complete Scan
Total Scan Time : 01:40:51

Memory items scanned : 489
Memory threats detected : 0
Registry items scanned : 6404
Registry threats detected : 7
File items scanned : 121713
File threats detected : 263

Adware.Tracking Cookie
C:\Documents and Settings\Sam\Cookies\sam@kontera[1].txt
C:\Documents and Settings\Sam\Cookies\sam@track.doudig[1].txt
C:\Documents and Settings\Sam\Cookies\sam@mediaresponder[1].txt
C:\Documents and Settings\Sam\Cookies\sam@cbs.112.2o7[1].txt
C:\Documents and Settings\Sam\Cookies\sam@paypal.112.2o7[1].txt
C:\Documents and Settings\Sam\Cookies\sam@unitedwayofamerica.112.2o7[1].txt
C:\Documents and Settings\Sam\Cookies\sam@sitestat.mayoclinic[1].txt
C:\Documents and Settings\Sam\Cookies\sam@imrworldwide[2].txt
C:\Documents and Settings\Sam\Cookies\sam@e-2dj6wjliwndpwbp.stats.esomniture[1].txt
C:\Documents and Settings\Sam\Cookies\sam@server.cpmstar[2].txt
C:\Documents and Settings\Sam\Cookies\sam@ads4.slickdeals[2].txt
C:\Documents and Settings\Sam\Cookies\sam@at.atwola[1].txt
C:\Documents and Settings\Sam\Cookies\sam@azjmp[2].txt
C:\Documents and Settings\Sam\Cookies\sam@track.freebrandgiveaways[2].txt
C:\Documents and Settings\Sam\Cookies\sam@www.technologyquestions[2].txt
C:\Documents and Settings\Sam\Cookies\sam@realmedia[2].txt
C:\Documents and Settings\Sam\Cookies\sam@2o7[3].txt
C:\Documents and Settings\Sam\Cookies\sam@bs.serving-sys[2].txt
C:\Documents and Settings\Sam\Cookies\sam@eas.apm.emediate[1].txt
C:\Documents and Settings\Sam\Cookies\sam@accountonline[2].txt
C:\Documents and Settings\Sam\Cookies\sam@atdmt[1].txt
C:\Documents and Settings\Sam\Cookies\sam@tacoda[2].txt
C:\Documents and Settings\Sam\Cookies\sam@advertising[3].txt
C:\Documents and Settings\Sam\Cookies\sam@richmedia.yahoo[1].txt
C:\Documents and Settings\Sam\Cookies\sam@medhelpinternational.112.2o7[1].txt
C:\Documents and Settings\Sam\Cookies\sam@ads.ad4game[2].txt
C:\Documents and Settings\Sam\Cookies\sam@specificmedia[1].txt
C:\Documents and Settings\Sam\Cookies\sam@nextag[2].txt
C:\Documents and Settings\Sam\Cookies\sam@serving-sys[2].txt
C:\Documents and Settings\Sam\Cookies\sam@adbrite[1].txt
C:\Documents and Settings\Sam\Cookies\sam@adlegend[2].txt
C:\Documents and Settings\Sam\Cookies\sam@ads.ovguide[2].txt
C:\Documents and Settings\Sam\Cookies\sam@www.accountonline[1].txt
C:\Documents and Settings\Sam\Cookies\sam@www.gmbtrack[1].txt
C:\Documents and Settings\Sam\Cookies\sam@tracking.hearthstoneonline[1].txt
C:\Documents and Settings\Sam\Cookies\sam@rotator.adjuggler[2].txt
C:\Documents and Settings\Sam\Cookies\sam@e-2dj6wjlislazico.stats.esomniture[2].txt
C:\Documents and Settings\Sam\Cookies\sam@ads.pointroll[1].txt
C:\Documents and Settings\Sam\Cookies\sam@socialmedia[1].txt
C:\Documents and Settings\Sam\Cookies\sam@e-2dj6wgk4uhajebp.stats.esomniture[2].txt
C:\Documents and Settings\Sam\Cookies\sam@revsci[1].txt
C:\Documents and Settings\Sam\Cookies\sam@208.122.40[1].txt
C:\Documents and Settings\Sam\Cookies\sam@tracking.gajmp[2].txt
C:\Documents and Settings\Sam\Cookies\sam@media.medhelp[1].txt
C:\Documents and Settings\Sam\Cookies\sam@adopt.euroclick[1].txt
C:\Documents and Settings\Sam\Cookies\sam@cgm.adbureau[2].txt
C:\Documents and Settings\Sam\Cookies\sam@snapfish.112.2o7[1].txt
C:\Documents and Settings\Sam\Cookies\sam@atwola[1].txt
C:\Documents and Settings\Sam\Cookies\sam@adecn[1].txt
C:\Documents and Settings\Sam\Cookies\sam@media6degrees[1].txt
C:\Documents and Settings\Sam\Cookies\sam@ads.financialcontent[2].txt
C:\Documents and Settings\Sam\Cookies\sam@admarketplace[2].txt
C:\Documents and Settings\Sam\Cookies\sam@edge.ru4[1].txt
C:\Documents and Settings\Sam\Cookies\sam@msnportal.112.2o7[1].txt
C:\Documents and Settings\Sam\Cookies\sam@tribalfusion[1].txt
C:\Documents and Settings\Sam\Cookies\sam@3.adbrite[1].txt
C:\Documents and Settings\Sam\Cookies\sam@friendlytrack[1].txt
C:\Documents and Settings\Sam\Cookies\sam@servedby.adxpower[2].txt
C:\Documents and Settings\Sam\Cookies\sam@publishers.clickbooth[1].txt
C:\Documents and Settings\Sam\Cookies\sam@aff.primaryads[1].txt
C:\Documents and Settings\Sam\Cookies\sam@adserver.adtechus[1].txt
C:\Documents and Settings\Sam\Cookies\sam@112.2o7[1].txt
C:\Documents and Settings\Sam\Cookies\sam@ads.nba[1].txt
C:\Documents and Settings\Sam\Cookies\sam@www.findit-quick[1].txt
C:\Documents and Settings\Sam\Cookies\sam@enhance[2].txt
C:\Documents and Settings\Sam\Cookies\sam@specificclick[2].txt
C:\Documents and Settings\Sam\Cookies\sam@insightexpressai[2].txt
C:\Documents and Settings\Sam\Cookies\sam@dmtracker[1].txt
C:\Documents and Settings\Sam\Cookies\sam@bridge1.admarketplace[1].txt
C:\Documents and Settings\Sam\Cookies\sam@clickwww3[1].txt
C:\Documents and Settings\Sam\Cookies\sam@adopt.specificclick[2].txt
C:\Documents and Settings\Sam\Cookies\sam@overture[2].txt
C:\Documents and Settings\Sam\Cookies\sam@media.ntsserve[2].txt
C:\Documents and Settings\Sam\Cookies\sam@en.personalantispy[2].txt
C:\Documents and Settings\Sam\Cookies\sam@interclick[1].txt
C:\Documents and Settings\Sam\Cookies\sam@questionmarket[1].txt
C:\Documents and Settings\Sam\Cookies\sam@waterfrontmedia.112.2o7[1].txt
C:\Documents and Settings\Sam\Cookies\sam@game-advertising-online[1].txt
C:\Documents and Settings\Sam\Cookies\sam@adinterax[1].txt
C:\Documents and Settings\Sam\Cookies\sam@lynxtrack[1].txt
C:\Documents and Settings\Sam\Cookies\sam@viacom.adbureau[2].txt
C:\Documents and Settings\Sam\Cookies\sam@guthyrenker.112.2o7[1].txt
C:\Documents and Settings\Sam\Cookies\sam@collective-media[2].txt
C:\Documents and Settings\Sam\Cookies\sam@e-2dj6wgk4epdpoco.stats.esomniture[2].txt
C:\Documents and Settings\Sam\Cookies\sam@www.halstats[1].txt
C:\Documents and Settings\Sam\Cookies\sam@msnbc.112.2o7[1].txt
C:\Documents and Settings\Sam\Cookies\sam@www.socialtrack[1].txt
C:\Documents and Settings\Sam\Cookies\sam@media303[2].txt
C:\Documents and Settings\Sam\Cookies\sam@mediaresponder[3].txt
C:\Documents and Settings\Sam\Cookies\sam@blockbuster.112.2o7[1].txt
C:\Documents and Settings\Sam\Cookies\sam@media.mtvnservices[2].txt
C:\Documents and Settings\Sam\Cookies\sam@ads.bridgetrack[1].txt
C:\Documents and Settings\Sam\Cookies\sam@hornymatches[1].txt
C:\Documents and Settings\Sam\Cookies\sam@www.adultdatecash[1].txt
C:\Documents and Settings\Sam\Cookies\sam@metacafe.122.2o7[1].txt
C:\Documents and Settings\Sam\Cookies\sam@mediaresponder[2].txt
C:\Documents and Settings\Sam\Cookies\sam@sales.liveperson[3].txt
C:\Documents and Settings\Sam\Cookies\sam@stopzilla[2].txt
C:\Documents and Settings\Sam\Cookies\sam@network.realmedia[1].txt
C:\Documents and Settings\Sam\Cookies\sam@ads.shutterfly[2].txt
C:\Documents and Settings\Sam\Cookies\sam@ar.atwola[1].txt
C:\Documents and Settings\Sam\Cookies\sam@yeprevenue[1].txt
C:\Documents and Settings\Sam\Cookies\sam@e-2dj6wdl4ohczogo.stats.esomniture[1].txt
C:\Documents and Settings\Sam\Cookies\sam@dominionenterprises.112.2o7[1].txt
C:\Documents and Settings\Sam\Cookies\sam@ad.turn[2].txt
C:\Documents and Settings\Sam\Cookies\sam@linkstattrack[1].txt
C:\Documents and Settings\Sam\Cookies\sam@www.findstuff[1].txt
C:\Documents and Settings\Sam\Cookies\sam@ads.emedtv[2].txt
C:\Documents and Settings\Sam\Cookies\sam@lemmefindit[2].txt
C:\Documents and Settings\Sam\Cookies\sam@ge.112.2o7[1].txt
C:\Documents and Settings\Sam\Cookies\sam@ads.telegraph.co[1].txt
C:\Documents and Settings\Sam\Cookies\sam@www.googleadservices[1].txt
C:\Documents and Settings\Sam\Cookies\sam@track.bestbuy[2].txt
C:\Documents and Settings\Sam\Cookies\sam@searchfeed[2].txt
C:\Documents and Settings\Sam\Cookies\sam@iacas.adbureau[2].txt
C:\Documents and Settings\Sam\Cookies\sam@ads.lucidmedia[1].txt
C:\Documents and Settings\Sam\Cookies\sam@e-2dj6wjnyqld5gfp.stats.esomniture[1].txt
C:\Documents and Settings\Sam\Cookies\sam@technologyquestions[1].txt
C:\Documents and Settings\Sam\Cookies\sam@chitika[2].txt
C:\Documents and Settings\Sam\Cookies\sam@trafficmp[2].txt
C:\Documents and Settings\Sam\Cookies\sam@bridge2.admarketplace[1].txt
C:\Documents and Settings\Sam\Cookies\sam@www.burstbeacon[1].txt
C:\Documents and Settings\Sam\Cookies\sam@stats.paypal[2].txt
C:\Documents and Settings\Sam\Cookies\sam@ads.bleepingcomputer[1].txt
C:\Documents and Settings\Sam\Cookies\sam@roiservice[1].txt
C:\Documents and Settings\Sam\Cookies\sam@revenuehit[2].txt
C:\Documents and Settings\Sam\Cookies\sam@clickshift[1].txt
C:\Documents and Settings\Sam\Cookies\sam@server.iad.liveperson[4].txt
C:\Documents and Settings\Sam\Cookies\sam@content.yieldmanager[1].txt
C:\Documents and Settings\Sam\Cookies\sam@serw.clicksor[2].txt
C:\Documents and Settings\Sam\Cookies\sam@track.dig4me[1].txt
C:\Documents and Settings\Sam\Cookies\sam@adtech[1].txt
C:\Documents and Settings\Sam\Cookies\sam@server.iad.liveperson[3].txt
C:\Documents and Settings\Sam\Cookies\sam@highbeam.122.2o7[1].txt
C:\Documents and Settings\Sam\Cookies\sam@ads.cnn[2].txt
C:\Documents and Settings\Sam\Cookies\sam@content.yieldmanager[3].txt
C:\Documents and Settings\Sam\Cookies\sam@adtracker.socialmedia[1].txt
C:\Documents and Settings\Sam\Cookies\sam@ads.freearcade[1].txt
C:\Documents and Settings\Sam\Cookies\sam@208.122.40[3].txt
C:\Documents and Settings\Sam\Cookies\sam@clickbooth[1].txt
C:\Documents and Settings\Sam\Cookies\sam@server.iad.liveperson[2].txt
C:\Documents and Settings\Sam\Cookies\sam@secure-media-sf2p.facebook[1].txt
C:\Documents and Settings\Sam\Cookies\sam@tns-counter[1].txt
C:\Documents and Settings\Sam\Cookies\sam@a.websponsors[2].txt
C:\Documents and Settings\Sam\Cookies\sam@adknowledge[1].txt
C:\Documents and Settings\Sam\Cookies\sam@www.stopzilla[2].txt
C:\Documents and Settings\Sam\Cookies\sam@smartadserver[1].txt
C:\Documents and Settings\Sam\Cookies\sam@cdn.invitemedia[1].txt
C:\Documents and Settings\Sam\Cookies\sam@cb.adbureau[1].txt
C:\Documents and Settings\Sam\Cookies\sam@invitemedia[1].txt
C:\Documents and Settings\Sam\Cookies\sam@web4.realtracker[1].txt
C:\Documents and Settings\Sam\Cookies\sam@cratebarrel.112.2o7[1].txt
C:\Documents and Settings\Sam\Cookies\sam@perf.overture[1].txt
C:\Documents and Settings\Sam\Cookies\sam@www.googleadservices[2].txt
C:\Documents and Settings\Sam\Cookies\sam@clickz.lonelycheatingwives[1].txt
C:\Documents and Settings\Sam\Cookies\sam@yadro[1].txt
C:\Documents and Settings\Sam\Cookies\sam@sales.liveperson[2].txt
C:\Documents and Settings\Sam\Cookies\sam@usnews.122.2o7[1].txt
C:\Documents and Settings\Sam\Cookies\sam@a1.interclick[2].txt
C:\Documents and Settings\Sam\Cookies\sam@247realmedia[2].txt
C:\Documents and Settings\Sam\Cookies\sam@qnsr[1].txt
C:\Documents and Settings\Sam\Cookies\sam@www.tracktrust[1].txt
C:\Documents and Settings\Sam\Cookies\sam@eb.adbureau[1].txt
C:\Documents and Settings\Sam\Cookies\sam@ads.mediageeks[1].txt
C:\Documents and Settings\Sam\Cookies\sam@xiti[1].txt
C:\Documents and Settings\Sam\Cookies\sam@2o7[1].txt
C:\Documents and Settings\Sam\Cookies\sam@ads.bridgetrack[2].txt
C:\Documents and Settings\Sam\Cookies\sam@advertising[1].txt
C:\Documents and Settings\Sam\Cookies\sam@advertising[2].txt
E:\Documents and Settings\Administrator\Cookies\administrator@112.2o7[2].txt
E:\Documents and Settings\Administrator\Cookies\administrator@2o7[1].txt
E:\Documents and Settings\Administrator\Cookies\administrator@a1.interclick[1].txt
E:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[2].txt
E:\Documents and Settings\Administrator\Cookies\administrator@adopt.euroclick[1].txt
E:\Documents and Settings\Administrator\Cookies\administrator@adopt.specificclick[1].txt
E:\Documents and Settings\Administrator\Cookies\administrator@adrevolver[1].txt
E:\Documents and Settings\Administrator\Cookies\administrator@ads.bleepingcomputer[2].txt
E:\Documents and Settings\Administrator\Cookies\administrator@ads.bridgetrack[1].txt
E:\Documents and Settings\Administrator\Cookies\administrator@adserver.adtechus[1].txt
E:\Documents and Settings\Administrator\Cookies\administrator@advertising[2].txt
E:\Documents and Settings\Administrator\Cookies\administrator@at.atwola[1].txt
E:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt
E:\Documents and Settings\Administrator\Cookies\administrator@borders.112.2o7[1].txt
E:\Documents and Settings\Administrator\Cookies\administrator@bs.serving-sys[1].txt
E:\Documents and Settings\Administrator\Cookies\administrator@burstnet[1].txt
E:\Documents and Settings\Administrator\Cookies\administrator@c7.zedo[1].txt
E:\Documents and Settings\Administrator\Cookies\administrator@cnetasiapacific.122.2o7[1].txt
E:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt
E:\Documents and Settings\Administrator\Cookies\administrator@dynamic.media.adrevolver[2].txt
E:\Documents and Settings\Administrator\Cookies\administrator@ehg-ioffer.hitbox[1].txt
E:\Documents and Settings\Administrator\Cookies\administrator@fastclick[1].txt
E:\Documents and Settings\Administrator\Cookies\administrator@ge.112.2o7[1].txt
E:\Documents and Settings\Administrator\Cookies\administrator@hitbox[2].txt
E:\Documents and Settings\Administrator\Cookies\administrator@imrworldwide[2].txt
E:\Documents and Settings\Administrator\Cookies\administrator@insightexpressai[2].txt
E:\Documents and Settings\Administrator\Cookies\administrator@interclick[2].txt
E:\Documents and Settings\Administrator\Cookies\administrator@kontera[2].txt
E:\Documents and Settings\Administrator\Cookies\administrator@media.adrevolver[2].txt
E:\Documents and Settings\Administrator\Cookies\administrator@media6degrees[2].txt
E:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[2].txt
E:\Documents and Settings\Administrator\Cookies\administrator@microsoftwga.112.2o7[1].txt
E:\Documents and Settings\Administrator\Cookies\administrator@microsoftwindows.112.2o7[1].txt
E:\Documents and Settings\Administrator\Cookies\administrator@msnportal.112.2o7[1].txt
E:\Documents and Settings\Administrator\Cookies\administrator@overture[2].txt
E:\Documents and Settings\Administrator\Cookies\administrator@paypal.112.2o7[1].txt
E:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[1].txt
E:\Documents and Settings\Administrator\Cookies\administrator@realmedia[1].txt
E:\Documents and Settings\Administrator\Cookies\administrator@revsci[2].txt
E:\Documents and Settings\Administrator\Cookies\administrator@richmedia.yahoo[1].txt
E:\Documents and Settings\Administrator\Cookies\administrator@serving-sys[2].txt
E:\Documents and Settings\Administrator\Cookies\administrator@smartadserver[1].txt
E:\Documents and Settings\Administrator\Cookies\administrator@specificclick[2].txt
E:\Documents and Settings\Administrator\Cookies\administrator@specificmedia[1].txt
E:\Documents and Settings\Administrator\Cookies\administrator@stats.paypal[1].txt
E:\Documents and Settings\Administrator\Cookies\administrator@trafficmp[1].txt
E:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[2].txt
E:\Documents and Settings\Administrator\Cookies\administrator@webstats.broadcom[2].txt
E:\Documents and Settings\Administrator\Cookies\administrator@www.accountonline[1].txt
E:\Documents and Settings\Administrator\Cookies\administrator@www.burstbeacon[2].txt
E:\Documents and Settings\Administrator\Cookies\administrator@xiti[1].txt
E:\Documents and Settings\Administrator\Cookies\administrator@zedo[1].txt

Rogue.Component/Trace
HKLM\Software\Microsoft\4430C8C9
HKLM\Software\Microsoft\4430C8C9#4430c8c9
HKLM\Software\Microsoft\4430C8C9#Version
HKLM\Software\Microsoft\4430C8C9#44306549
HKLM\Software\Microsoft\4430C8C9#44300cac
HKU\s-1-5-21-3764708755-2304324260-1061204078-1005\Software\Microsoft\FIAS4051
HKU\s-1-5-21-3764708755-2304324260-1061204078-1005\Software\Microsoft\FIAS4052N

Trojan.Dropper/Gen-SoftDev
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\BNCSZT.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\BOFAJUGE.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\BSGOBX.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DAKAPUSO.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\FAPEHAZA.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\FLSGLZ.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\GIZEPIBU.DLL.TMP.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\HAHEFIMO.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\HESONAGA.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\HIBOBIDU.DLL.TMP.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\HIBOLETA.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\HIFEHUZU.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\HIVUPENA.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\HOSEYAHU.DLL.TMP.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\JUVOGURU.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\LEWILOZI.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\LOPUSUJI.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\MIFUWAPE.DLL.TMP.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\MIYOWEPA.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\MXQNRK.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\NNIQFG.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\PAZOLONI.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\PIDIMUVA.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\POVEJIKI.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\QREHYC.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\RILAJEZO.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\ROYEGIZE.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\TZAKII.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\VAKISUWI.DLL.TMP.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\VELOWUZA.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\VIKOTIYU.DLL.TMP.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\VSLDHE.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\WAJIVEPE.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\WAWEPAFO.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\YIMAZITU.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\YUFUTIDE.DLL.TMP.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\YUWRDY.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\ZAYEWEGI.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\ZOKUJOLE.DLL.VIR

Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\FALUKOVO.DLL

Adware.Vundo/Variant-SR
C:\WINDOWS\SYSTEM32\LUTAWUDI.DLL

Trace.Known Threat Sources
E:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\DQJWLSBP\virusremover2009[1].jpg

****************************************************************

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/01/2009 at 07:29 AM

Application Version : 4.26.1000

Core Rules Database Version : 3822
Trace Rules Database Version: 1778

Scan type : Complete Scan
Total Scan Time : 01:39:52

Memory items scanned : 489
Memory threats detected : 0
Registry items scanned : 6404
Registry threats detected : 0
File items scanned : 121812
File threats detected : 0


****************************************************************

As you can see, it seems to think the issue is gone. However, internet performance is still abysmal and I can't turn on automatic updates. I also ran Malwarebytes again after updating it. The log should be attached, if my connection didn't die while uploading it.


Edited by angryjack, 01 April 2009 - 04:43 PM.
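An added example, not part of the thread and not SUPERAntiSpyware's own tooling: a small Python parser for scan logs in the layout pasted above. It separates registry traces from file hits, and among the file hits tells apart entries sitting in a quarantine folder (the C:\QOOBOX\QUARANTINE path is ComboFix's quarantine, so hits there are already-isolated copies) from files still live on the system, then cross-checks the itemised list against the log's own summary counts. The embedded log is a constructed sample in the same format; its paths and counts are placeholders, not values from the real scans.

```python
"""Parse a SUPERAntiSpyware scan log and separate live detections from
registry traces and already-quarantined files (added example, not SAS code)."""
import re
from collections import defaultdict

# Constructed sample in the SUPERAntiSpyware log layout. Paths, keys and
# counts are placeholders for the example, not taken from a real scan.
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/31/2009 at 08:57 PM

Application Version : 4.26.1000

Core Rules Database Version : 3816
Trace Rules Database Version: 1770

Scan type : Complete Scan
Total Scan Time : 01:40:51

Memory items scanned : 489
Memory threats detected : 0
Registry items scanned : 6404
Registry threats detected : 3
File items scanned : 121713
File threats detected : 5

Adware.Tracking Cookie
C:\Documents and Settings\Sam\Cookies\sam@example-ads[1].txt
C:\Documents and Settings\Sam\Cookies\sam@example-stats[2].txt

Rogue.Component/Trace
HKLM\Software\Microsoft\EXAMPLE1
HKLM\Software\Microsoft\EXAMPLE1#Version
HKU\S-1-5-21-0-0-0-1005\Software\Microsoft\EXAMPLE2

Trojan.Dropper/Gen-SoftDev
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\EXAMPLE3.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\EXAMPLE4.DLL.VIR

Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\EXAMPLE5.DLL
"""

# "Key : value" header lines; the colon must be followed by whitespace so the
# banner URL (http://...) is not mistaken for a header field.
HEADER_RE = re.compile(r"^([A-Za-z ]+?)\s*:\s+(.+)$")
# A detection item is either a registry key (HKLM\..., HKU\...) or a drive path.
ITEM_RE = re.compile(r"^(HK[A-Z]+\\|[A-Za-z]:\\)")
# ComboFix keeps its isolated copies under \Qoobox\Quarantine.
QUARANTINE_MARKER = "\\QOOBOX\\QUARANTINE\\"
NOISE_CATEGORIES = ("Adware.Tracking Cookie",)   # low-risk browser cookies


def parse_log(text):
    """Return (summary, detections): summary maps header fields to values
    (ints where numeric); detections maps category name -> list of items."""
    summary, detections = {}, defaultdict(list)
    # Blocks are separated by blank lines; a detection block is a category
    # name followed only by item lines.
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) > 1 and all(ITEM_RE.match(ln) for ln in lines[1:]):
            detections[lines[0]].extend(lines[1:])
            continue
        for ln in lines:
            m = HEADER_RE.match(ln)
            if m:
                key, val = m.group(1).strip(), m.group(2).strip()
                summary[key] = int(val) if val.isdigit() else val
    return summary, dict(detections)


def triage(detections):
    """Bucket items into registry traces, quarantined files and live files."""
    out = {"registry": [], "quarantined": [], "live": []}
    for category, items in detections.items():
        for item in items:
            if item.upper().startswith("HK"):
                bucket = "registry"
            elif QUARANTINE_MARKER in item.upper():
                bucket = "quarantined"
            else:
                bucket = "live"
            out[bucket].append((category, item))
    return out


def summary_matches(summary, detections):
    """True when the itemised list agrees with the log's summary counts."""
    t = triage(detections)
    return (len(t["registry"]) == summary.get("Registry threats detected")
            and len(t["quarantined"]) + len(t["live"])
            == summary.get("File threats detected"))


def live_threats(detections):
    """Live (non-quarantined) files worth attention, tracking cookies excluded."""
    return [(c, i) for c, i in triage(detections)["live"]
            if c not in NOISE_CATEGORIES]


if __name__ == "__main__":
    summary, detections = parse_log(SAMPLE_LOG)
    print("summary consistent:", summary_matches(summary, detections))
    for category, item in live_threats(detections):
        print(f"LIVE  {category}: {item}")
```

Applied to a log like the first one above, the useful signal is the short `live_threats` list (the DLLs still under C:\WINDOWS\SYSTEM32) rather than the long cookie list or the quarantine hits, which are already-isolated copies being re-detected.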


#13 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:05:11 PM

Posted 01 April 2009 - 09:34 PM

I need you to turn off system restore and then turn it back on, then create a new restore point. I generally don't like doing this during the clean phase, but you have way too many problems with the system restore files, so we need to get rid of them.


Disable and Enable System Restore.
If you are using Windows Vista or XP, then I recommend you turn off System restore, and then turn it back on so that you will not be able to restore your problems to a clean computer.

Here are some good tutorials for that.
Windows Vista Restore Guide
or
Windows XP System Restore Guide
Reboot
Re-enable system restore with instructions from tutorial above

Create a System Restore Point
Go to all programs, then to accessories, then to system tools, then to system restore. Check the box for create restore point (not select a restore point), then click next and follow the instructions.

After that,

Download WinSockFix from here or here.

Backing up the Registry

1. Double click on WinsockXPFix.exe to open.
2. On the Winsock and TCP Repair Utility screen, click "ReG-Backup"
3. On the ERDNT Welcome screen, click "OK".
4. On the Backup to: screen, click "OK".
5. On the Folder does not exist question screen click "Yes".
6. You will see a status screen as your registry is being backed up.
7. On the Registry backup is complete! screen, click "OK" and you will go back to the main window.

Resetting the Winsock Stack

1. On the Winsock and TCP Repair Utility screen, click "Fix".
2. On the Apply the VB_Winsock fix? screen click "Yes".
3. The screen will display a status message "repair completed please reboot."
4. On the Repair Completed screen click "OK" to reboot your computer.
5. If your computer was not using DHCP, you will need to reconfigure TCP/IP.
6. You should have connectivity restored.

Winsock Repair Tutorial | Tutorial with graphics

Download and scan with CCleaner
1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free or Slim versions instead of the Standard Build.
2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
3. Then select the items you wish to clean up.
In the Windows Tab:
  • Clean all entries in the "Internet Explorer" section except Cookies if you want to keep those.
  • Clean all the entries in the "Windows Explorer" section.
  • Clean all entries in the "System" section.
  • Clean all entries in the "Advanced" section.
  • Clean any others that you choose.

In the Applications Tab:
  • Clean all except cookies in the Firefox/Mozilla section if you use it.
  • Clean all in the Opera section if you use it.
  • Clean Sun Java in the Internet Section.
  • Clean any others that you choose.
4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

Let me know how it is running.

#14 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:05:11 PM

Posted 11 April 2009 - 01:06 AM

This thread is closed due to inactivity.
If you need this topic reopened, please send me a PM. This applies to the thread originator only, all others start a new thread.



