Verundo disabling removal programs and hijacking browser


This topic is locked
2 replies to this topic

#1 JFBII (Members, 2 posts)

Posted 10 March 2009 - 11:48 PM

My son's computer has a pervasive malware that both hijacks the browser, returning him to a search engine whenever the URL is recognized as an anti-virus site (Symantec, Malwarebytes, Spybot, Trend Micro, EVEN BleepingComputer), and disables (we click or otherwise try to open and nothing happens) the programs that we are able to download on a second computer and install through a USB. It also disabled System Restore, but if we can get there we have a saved configuration from a week before this started. Symantec (pre-installed) caught some elements, so pop-ups are not a problem. The clue was an error message that comes up on boot: file missing - hitijupi.dll.

To make it easier - my son returns to college on Sunday, so by Saturday, March 14th we may be re-formatting the drive.

The DDS log:


DDS (Ver_09-02-01.01) - NTFSx86
Run by rhbrad06 at 23:59:45.48 on Tue 03/10/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.197 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\lxdwcoms.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
C:\Program Files\Windows Home Server\WHSConnector.exe
C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Lexmark 7600 Series\lxdwmon.exe
C:\Program Files\Lexmark 7600 Series\ezprint.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Windows Home Server\WHSTrayApp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Symantec AntiVirus\VPC32.exe
E:\bleeping\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.wm.edu/it/mynotebook
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {1fa95e56-e421-4ef6-a933-61ce125fe334} - c:\windows\system32\wepozara.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: BrowserHelper Class: {9a065c65-4ee7-4ddd-9918-f129089a894a} - c:\program files\windows home server\WHSDeskBands.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - c:\program files\lexmark printable web\bho.dll
BHO: {FAB581BE-6872-43DA-9C2D-72CD9A189F53} - No File
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Home Server Banner: {d73e76a3-f902-45bd-8fc8-95ae8e014671} - c:\program files\windows home server\WHSDeskBands.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Screen Calendar] "c:\program files\screen calendar\scrcal.exe" -m
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [GetModule25] c:\program files\getmodule\GetModule25.exe
uRun: [GetPack23] "c:\program files\getpack\GetPack23.exe"
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 120\axcmd.exe" /automount
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [TpShocks] TpShocks.exe
mRun: [TP4EX] tp4ex.exe
mRun: [TPHOTKEY] c:\progra~1\lenovo\pkgmgr\hotkey\TPHKMGR.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~2\VPTray.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [IPHSend] c:\program files\common files\aol\iphsend\IPHSend.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [kajadevaga] Rundll32.exe "c:\windows\system32\hitijupi.dll",s
mRun: [lxdwmon.exe] "c:\program files\lexmark 7600 series\lxdwmon.exe"
mRun: [EzPrint] "c:\program files\lexmark 7600 series\ezprint.exe"
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRunOnce: [Malwarebytes' Anti-Malware] e:\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\rhbrad06\startm~1\programs\startup\thepol~1.lnk - d:\autorun.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\KEM.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\windows\installer\{21e49794-7c13-4e84-8659-55bd378267d5}\WHSTrayApp.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file://c:\program files\family feud 2\images\stg_drm.ocx
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143477439982
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file://c:\program files\family feud 2\images\armhelper.ocx
DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} - hxxp://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5193/mcfscan.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: tpfnf2 - notifyf2.dll
Notify: tphotkey - tphklock.dll
AppInit_DLLs: c:\windows\system32\jolujara.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: {ba934431-76af-4c99-93c2-c3d21944a72e} - No File
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, msansspc.dll
LSA: Notification Packages = scecli csspwntfy c:\windows\system32\jolujara.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rhbrad06\applic~1\mozilla\firefox\profiles\default.ndk\
FF - plugin: c:\documents and settings\rhbrad06\application data\mozilla\firefox\profiles\default.ndk\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPInfotl.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPJinit13117.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPJinit1319.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service

============= SERVICES / DRIVERS ===============

R0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys [2005-12-21 6912]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [2006-1-25 85760]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-8-26 53896]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2006-1-25 4736]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2006-1-25 4442]
R2 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;c:\program files\vmlaunch\BuddyVM.sys [2004-10-5 15872]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-12-21 186016]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-12-21 177824]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2005-12-21 12544]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-8-15 46112]
R2 lxdw_device;lxdw_device;c:\windows\system32\lxdwcoms.exe -service --> c:\windows\system32\lxdwcoms.exe -service [?]
R2 PrivateDisk;PrivateDisk;c:\program files\ibm thinkvantage\safeguard privatedisk\privatediskm.sys [2005-11-15 46142]
R2 smi2;smi2;c:\program files\smi2\smi2.sys [2005-12-21 3968]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-1-17 1763568]
R2 WHSConnector;Windows Home Server Connector Service;c:\program files\windows home server\WHSConnector.exe [2009-1-19 324976]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-25 101936]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090310.017\naveng.sys [2009-3-10 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090310.017\navex15.sys [2009-3-10 876144]
R3 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-8-26 334984]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]
S2 lxdwCATSCustConnectService;lxdwCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdwserv.exe [2009-3-8 98984]
S2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe --> c:\progra~1\mcafee\viruss~1\mcshield.exe [?]
S2 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe --> c:\progra~1\mcafee\viruss~1\mcsysmon.exe [?]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-12-21 83616]
S3 mamotou;mamotou;c:\windows\system32\drivers\mamotou.sys [2007-8-11 49399]
S3 mamovec;mamovec;c:\windows\system32\drivers\mamovec.sys [2007-8-11 24784]
S3 mamovem;mamovem;c:\windows\system32\drivers\mamovem.sys [2007-8-11 25044]
S3 mamoveu;mamoveu;c:\windows\system32\drivers\mamoveu.sys [2007-8-11 51584]
S3 oUltraf;oUltraf;\??\c:\docume~1\rhbrad06\locals~1\temp\oultraf.sys --> c:\docume~1\rhbrad06\locals~1\temp\oUltraf.sys [?]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-1-17 169200]
S3 swmx01;Sierra Wireless USB MUX Driver (#01);c:\windows\system32\drivers\swmx01.sys [2005-8-5 57728]
S3 SWNC5E01;Sierra Wireless MUX NDIS Driver (#01);c:\windows\system32\drivers\SWNC5E01.sys [2005-8-5 73600]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]

============== File Associations ===============

vbefile\shell\edit\command=%SystemRoot%\System32\Notepad.exe %1
vbsfile\shell\edit\command=%SystemRoot%\System32\Notepad.exe %1
jsefile\shell\edit\command=%SystemRoot%\System32\Notepad.exe %1

=============== Created Last 30 ================

2009-03-09 23:19 <DIR> --d----- C:\Malwarebytes' Anti-Malware
2009-03-09 22:43 <DIR> --d----- c:\program files\Trend Micro
2009-03-09 20:38 <DIR> --d----- c:\docume~1\rhbrad06\applic~1\AdwareAlert
2009-03-09 20:38 <DIR> --d----- c:\program files\AdwareAlert
2009-03-09 20:30 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-09 20:30 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-09 20:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-09 20:30 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-08 19:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Electronic Arts
2009-03-08 16:34 <DIR> --d----- c:\program files\common files\Hewlett-Packard
2009-03-08 16:31 118,272 a------- c:\windows\system32\hpz3l5jy.dll
2009-03-08 16:31 970,752 a----r-- c:\windows\system32\hpwtiop3.dll
2009-03-08 16:31 729,088 a----r-- c:\windows\system32\hpwwiax3.dll
2009-03-08 16:31 364,544 a----r-- c:\windows\system32\hppldcoi.dll
2009-03-08 16:31 294,912 a----r-- c:\windows\system32\hpovst11.dll
2009-03-08 16:31 6,784 a------- c:\windows\system32\drivers\serscan.sys
2009-03-08 16:31 6,784 a------- c:\windows\system32\dllcache\serscan.sys
2009-03-08 16:28 1,373,528 a----r-- c:\windows\hpzshl01.exe
2009-03-08 16:28 1,140,056 a----r-- c:\windows\hpzmsi01.exe
2009-03-08 16:28 12,717 a----r-- c:\windows\hpwscr14.dat
2009-03-08 16:28 <DIR> --d----- c:\windows\braveheart
2009-03-08 16:24 1,108 a----r-- c:\windows\hpwmdl14.dat
2009-03-08 16:24 180,005 a------- c:\windows\hpwins14.dat
2009-03-08 14:37 <DIR> --d----- c:\documents and settings\all users\Lx_cats
2009-03-08 14:32 <DIR> --d----- C:\logs
2009-03-08 14:31 40,960 a------- c:\windows\system32\lxdwvs.dll
2009-03-08 14:31 360,448 a------- c:\windows\system32\lxdwcoin.dll
2009-03-08 14:31 61,218 a------- c:\windows\system32\lxdwprpr.chm
2009-03-08 14:31 87,040 a------- c:\windows\system32\wiafbdrv.dll
2009-03-08 14:31 87,040 a------- c:\windows\system32\dllcache\wiafbdrv.dll
2009-03-08 14:31 1,036,288 a------- c:\windows\system32\lxdwdrs.dll
2009-03-08 14:31 81,920 a------- c:\windows\system32\lxdwcaps.dll
2009-03-08 14:31 69,632 a------- c:\windows\system32\lxdwcnv4.dll
2009-03-08 14:30 <DIR> --d----- c:\program files\Lexmark Toolbar
2009-03-08 14:30 <DIR> --d----- c:\program files\Lexmark Printable Web
2009-03-08 14:30 44 a------- c:\windows\system32\lxdwrwrd.ini
2009-03-08 14:30 352,256 a------- c:\windows\system32\LXDWwupd.dll
2009-03-08 14:30 17,064 a------- c:\windows\system32\LXDWwupd.exe
2009-03-08 14:27 <DIR> --d----- c:\program files\Lexmark 7600 Series
2009-03-08 13:14 <DIR> --dsh--- c:\windows\system32\lowsec
2009-03-08 13:14 308,752 a------- c:\windows\sysguard.exe

==================== Find3M ====================

2009-03-08 01:00 5,427 a------- c:\windows\system32\EGATHDRV.SYS
2009-02-04 04:11 52,995 a--sh--- c:\windows\system32\WDLRstwa.ini2
2009-01-10 22:20 911,265 a------- c:\windows\Prison Tycoon 2 Uninstaller.exe
2008-12-26 20:27 107,888 a------- c:\windows\system32\CmdLineExt.dll
2008-12-26 20:05 4,362 a------- c:\windows\system32\ealregsnapshot1.reg
2008-12-12 13:01 3,067,904 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 06:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-08-09 03:51 256 a------- c:\documents and settings\rhbrad06\pool.bin
2007-07-17 13:49 14,189,184 a------- c:\program files\FamilyFeud2Setup.exe
2007-04-19 17:55 10,853,650 a------- c:\program files\Tetpic5000.zip
2007-04-01 18:35 22,005,188 a------- c:\program files\ChaksTemple.zip
2007-03-17 12:24 10,824,829 a------- c:\program files\TurtleOdyssey.zip
2007-02-16 21:28 32 a----r-- c:\documents and settings\all users\hash.dat

============= FINISH: 0:00:57.09 ===============
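As an added example (not from this thread, and not one of the tools the posters used), here is a small Python script that reads lines in the format of the DDS "Pseudo HJT Report" and "Created Last 30" sections above and flags the persistence points an analyst would want to review: extra executables in the Winlogon Userinit value, BHOs registered with no friendly name or pointing at "No File", Run entries that start a DLL out of system32 via rundll32, a non-empty AppInit_DLLs value, LSA Notification Packages beyond the stock scecli, and recently created items that are hidden/system or are executables sitting directly in the Windows directory. The sample input is constructed from lines in the log above plus two known-good lines (the Adobe BHO and Symantec ccApp) as negative controls. The assumed defaults (userinit.exe alone in Userinit, scecli alone in Notification Packages) are standard Windows XP values, not something the log states. A flag means "look at this", not "this is malware": csspwntfy, for instance, is flagged only because it is not the stock package, and vendor software can legitimately register there.

```python
"""Triage a DDS log for non-default persistence points.

Added example, not part of the original thread and not a BleepingComputer tool.
It reads lines in the format of DDS's "Pseudo HJT Report" and "Created Last 30"
sections and flags entries an analyst would want to look at. A flag is a review
candidate, not a verdict.
"""
import re
from typing import List, Tuple

# Assumptions (standard Windows XP defaults, not taken from the log): Userinit
# normally holds only userinit.exe, and LSA Notification Packages normally holds
# only scecli. Vendor software may legitimately add entries to either.
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"
DEFAULT_LSA_PACKAGES = {"scecli"}

# Constructed sample input: lines copied from the report above, plus two
# known-good lines (Adobe BHO, Symantec ccApp) as negative controls.
SAMPLE_REPORT = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {1fa95e56-e421-4ef6-a933-61ce125fe334} - c:\windows\system32\wepozara.dll
BHO: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - No File
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [kajadevaga] Rundll32.exe "c:\windows\system32\hitijupi.dll",s
AppInit_DLLs: c:\windows\system32\jolujara.dll
LSA: Notification Packages = scecli csspwntfy c:\windows\system32\jolujara.dll
2009-03-08 13:14 <DIR> --dsh--- c:\windows\system32\lowsec
2009-03-08 13:14 308,752 a------- c:\windows\sysguard.exe
"""

USERINIT_RE = re.compile(r"^mWinlogon:\s*Userinit=(.*)$", re.I)
BHO_RE = re.compile(r"^BHO:\s*(?P<name>[^{]*?)\s*(?P<clsid>\{[0-9a-f-]+\})\s*-\s*(?P<target>.*)$", re.I)
RUN_RE = re.compile(r"^[umd]Run(?:Once)?:\s*\[(?P<key>[^\]]+)\]\s*(?P<cmd>.*)$", re.I)
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s*(?P<dlls>.*)$", re.I)
LSA_RE = re.compile(r"^LSA:\s*Notification Packages\s*=\s*(?P<pkgs>.*)$", re.I)
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?:<DIR>|[\d,]+)\s+(?P<attrs>[a-z-]{8})\s+(?P<path>.*)$", re.I)
RUNDLL32_SYSTEM32_RE = re.compile(r'rundll32(?:\.exe)?\s+"?[a-z]:\\windows\\system32\\[^\\"]+\.dll', re.I)
EXE_IN_WINDOWS_ROOT_RE = re.compile(r"[a-z]:\\windows\\[^\\]+\.exe", re.I)

Finding = Tuple[str, str]  # (rule name, offending value)


def triage(report: str) -> List[Finding]:
    """Return review candidates found in a DDS report, in line order."""
    findings: List[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := USERINIT_RE.match(line)):
            # Userinit is a comma-separated list; every entry beyond
            # userinit.exe runs at each interactive logon.
            for entry in (e.strip() for e in m.group(1).split(",")):
                if entry and entry.lower() != DEFAULT_USERINIT:
                    findings.append(("userinit", entry))
        elif (m := BHO_RE.match(line)):
            name = m.group("name").rstrip(": ").strip()
            target = m.group("target").strip()
            if target.lower() == "no file":
                findings.append(("orphaned-bho", m.group("clsid")))
            elif not name:
                # A registered BHO with no friendly name that still loads a DLL.
                findings.append(("unnamed-bho", target))
        elif (m := RUN_RE.match(line)):
            # rundll32 starting a DLL that lives directly in system32.
            if RUNDLL32_SYSTEM32_RE.search(m.group("cmd")):
                findings.append(("rundll32-system32", f"[{m.group('key')}] {m.group('cmd')}"))
        elif (m := APPINIT_RE.match(line)):
            # AppInit_DLLs are loaded into every process that loads user32.dll.
            if m.group("dlls").strip():
                findings.append(("appinit-dlls", m.group("dlls").strip()))
        elif (m := LSA_RE.match(line)):
            # Notification packages are loaded by lsass.exe at boot.
            for pkg in m.group("pkgs").split():
                if pkg.lower() not in DEFAULT_LSA_PACKAGES:
                    findings.append(("lsa-notification-package", pkg))
        elif (m := CREATED_RE.match(line)):
            attrs, path = m.group("attrs").lower(), m.group("path").strip()
            if "s" in attrs or "h" in attrs:
                findings.append(("hidden-or-system-created", path))
            elif EXE_IN_WINDOWS_ROOT_RE.fullmatch(path):
                findings.append(("exe-in-windows-root", path))
    return findings


if __name__ == "__main__":
    for rule, value in triage(SAMPLE_REPORT):
        print(f"{rule:28} {value}")
```

Pointing triage() at the text of a complete saved DDS.txt works as-is, because lines that match none of the patterns are ignored. The rundll32 rule will also catch legitimate entries that load from system32, and the Created rules say nothing about files older than 30 days, so treat the output as a shortlist to look up, not as a removal list.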


#2 JFBII (Topic Starter, Members, 2 posts)

Posted 12 March 2009 - 08:52 AM

Update -

We think we fixed it!! We used Malwarebytes by downloading it to a USB on another machine, then installing it on the infected machine through the USB. Then we went into Windows Explorer to find the mbam.exe file and renamed it "gotcha.exe" so it would be allowed to open.

Ran the scan and found close to 60 bad files and registry entries, 11 types of malware. Cleaned those, then ran Spybot S&D AND Symantec Viruscan - BOTH found more pieces. Rebooted, ran all again, now all clean. Still working on cleaning those items in quarantine in Symantec.

Thanks for being here, and the advice visible to all of us.

#3 KoanYorel (Bleepin' Conundrum; Staff Emeritus, 19,461 posts; Location: 65 miles due East of the "Logic Free Zone", in Md, USA)

Posted 12 March 2009 - 11:24 AM

Thanks for informing us what you have done.
Good luck.

This Topic is closed.

Should you need it reopened, please contact a Forum Moderator. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)
