INfected with search engine redirect, unwanted/bogus spyware cleaner tool (& others?)


  • This topic is locked
32 replies to this topic

#1 Sizuper

Sizuper

  • Members
  • 56 posts
  • OFFLINE
  • Local time:11:33 AM

Posted 12 March 2009 - 07:08 PM

Hello,

I picked up a nasty single or bundle of malware last week, I believe it came from downloading a YouTube video.
Here is what has happened to my computer...

The first sign was when the computer locked up completely while downloading the video. I left it alone hoping it was just a temporary freeze due to Internet traffic or file size or something.

Then, a few minutes later I heard the Windows sounds of a reboot...that's when I knew I was in trouble. The problems started immediately after it rebooted.

At first, it did just this:
*All Internet search engine links redirected to some product site or advertisement.
*Every few minutes, Internet Explorer would open a new window (I don't even use ie, I use Firefox) to a product site or ad.
*At first this did not affect my computer or browser speed (except while opening the ie popup ads), but after a couple days, everything was running very slowly.

*A few days after the initial infection, the computer started locking up for no apparent reason. It is always a complete freeze that requires a hard re-boot (the cursor won't respond, not even ctl-alt-del does anything).

*A couple days later, a red circle with a white "X" appeared on my screen-bottom grey bar that looks exactly like the red "X" circle that appears on the Norton AntiVirus box when it's time for an update. Also a callout box pops up from this "X" with the message, "Warning! Security report/Your computer is infected! It is recommended to start spyware cleaner tool." I of course never downloaded or installed anything by that name.
*At the same time the red "X" appeared, the color/shading settings for all my desktop icons changed, then on the next reboot my wallpaper was gone (plain blue background now).
*Along with this came a regular progression of Norton alerts that some program was trying to connect with the Internet, and they were all names I've never seen before so I selected to block them all.
*Also now I frequently get that thing where all my desktop icons disappear, the computer locks up for a few seconds, and slowly all my icons return as unknown file icons and then 1-by-1 back into their usual icons.

So, I followed all the instructions in the Preparation Guide (which is why it took me a week to post this - took awhile to clear enough space on my external storage drive to backup my laptop).
Here is the DDS log file results (thanks in advance for any/all help you can give me on this!):
*****************************************************************************************************

DDS (Ver_09-02-01.01) - NTFSx86
Run by Owner at 19:23:52.80 on Thu 03/12/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.478.151 [GMT -4:00]

AV: Norton Internet Security *On-access scanning enabled* (Outdated)
FW: Norton Internet Security *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = https://login.yahoo.com/config/mail?.intl=us
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=laptop
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {537072b9-c6e7-45ec-8602-75de590ba924} - c:\windows\system32\jodozome.dll
BHO: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: PCTools Site Guard: {5c8b2a36-3db1-42a4-a3cb-d426709bbfeb} - c:\progra~1\spywar~1\tools\iesdsg.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.0\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
BHO: {2af2faa2-9d64-6c49-0c24-7e822fbd4da7}: {7ad4dbf2-28e7-42c0-94c6-46d92aaf2fa2} - c:\windows\system32\aglsef.dll
BHO: {b56a7d7d-6927-48c8-a975-17df180c71ac} - PCTools Browser Monitor
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.0\CoIEPlg.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [tawowuvizu] Rundll32.exe "c:\windows\system32\fobamito.dll",s
mRun: [0cb58fae] rundll32.exe "c:\windows\system32\jijejeju.dll",b
mRun: [CPM0f86bc32] Rundll32.exe "c:\windows\system32\yijazowi.dll",a
mRun: [Framework Windows] frmwrk32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - {A1EDC4A1-940F-48E0-8DFD-E38F1D501021}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: connwsp.dll
DPF: WebControlDeploy - hxxp://grouper.com/v1/GrouperSetup.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.2.89.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\windows\system32\ludotoja.dll flkjde.dll c:\windows\system32\yijazowi.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yijazowi.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\yijazowi.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
LSA: Notification Packages = scecli c:\windows\system32\ludotoja.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\zwmkl79b.default\
FF - component: c:\program files\mozilla firefox\components\coFFPlgn.dll
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\zwmkl79b.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\ign\download manager\npfpdlm.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPOJI610.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2007-8-25 149352]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2007-8-25 149352]
R2 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\opencase\opencase media agent\MediaAgent.exe [2008-1-16 814728]
R3 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2007-8-25 149352]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-3 99376]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090201.003\NAVENG.SYS [2009-2-1 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090201.003\NAVEX15.SYS [2009-2-1 876112]
R3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2008-2-2 1251720]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2007-5-29 23888]
S3 IKFileFlt;File Filter Driver;c:\windows\system32\drivers\ikfileflt.sys [2007-4-11 39248]
S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2007-4-11 52304]
S3 IkSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2007-4-11 59984]
S3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2007-4-11 83536]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-14 34448]
S3 sdAuxService;Spyware Doctor Auxiliary Service;c:\program files\spyware doctor\svcntaux.exe [2007-4-11 708176]
S3 sdCoreService;Spyware Doctor Service;c:\program files\spyware doctor\swdsvc.exe [2007-4-11 1302272]
S4 WinDefend;Windows Defender Service;c:\program files\windows defender\MsMpEng.exe [2006-2-10 45840]

=============== Created Last 30 ================

2009-03-12 18:48 36,864 a------- c:\windows\system32\nDler.exe
2009-03-11 22:20 1 a------- c:\windows\system32\uniq.tll
2009-03-11 22:15 31,744 a------- c:\windows\system32\frmwrk32.exe
2009-03-11 22:15 31,744 a------- c:\windows\system32\1000.exe
2009-03-10 19:52 1,805,682 ---sh--- c:\windows\system32\ujejejij.ini
2009-03-10 19:52 129,024 a--sh--- c:\windows\system32\mkfknp.dll
2009-03-08 22:47 129,024 a--sh--- c:\windows\system32\ppjkmd.dll
2009-03-08 22:47 1,805,682 ---sh--- c:\windows\system32\ihasagof.ini
2009-03-08 11:33 <DIR> --d----- C:\Backup
2009-03-08 11:17 <DIR> --d----- c:\program files\Cobian Backup 9
2009-03-08 10:47 1,805,682 ---sh--- c:\windows\system32\idiyiwel.ini
2009-03-08 10:47 129,024 a--sh--- c:\windows\system32\apmcmj.dll
2009-03-07 10:17 1,805,682 ---sh--- c:\windows\system32\usudujam.ini
2009-03-07 10:17 129,024 a--sh--- c:\windows\system32\aglsef.dll
2009-03-06 19:41 1,805,695 ---sh--- c:\windows\system32\opipimew.ini
2009-03-06 19:41 129,024 a--sh--- c:\windows\system32\flkjde.dll
2009-03-05 21:30 1,805,682 ---sh--- c:\windows\system32\anayuzaj.ini
2009-03-05 21:29 129,024 a--sh--- c:\windows\system32\uioeey.dll
2009-03-05 21:20 44,824 a------- c:\windows\system32\prunnet.exe
2009-02-19 13:03 579,464 a------- c:\windows\system32\SymNeti.dll
2009-02-19 13:03 207,240 a------- c:\windows\system32\SymRedir.dll
2009-02-19 12:31 31,280 a------- c:\windows\system32\drivers\SymIM.sys
2009-02-19 12:31 9,844 a------- c:\windows\system32\drivers\SymRedir.cat
2009-02-19 12:31 1,611 a------- c:\windows\system32\drivers\SymRedir.inf
2009-02-19 12:31 41,008 a------- c:\windows\system32\drivers\symndisv.sys
2009-02-19 12:31 184,496 a------- c:\windows\system32\drivers\symtdi.sys
2009-02-19 12:31 96,560 a------- c:\windows\system32\drivers\symfw.sys
2009-02-19 12:31 38,576 a------- c:\windows\system32\drivers\symids.sys
2009-02-19 12:31 37,424 a------- c:\windows\system32\drivers\symndis.sys
2009-02-19 12:31 22,320 a------- c:\windows\system32\drivers\symredrv.sys
2009-02-19 12:31 13,616 a------- c:\windows\system32\drivers\symdns.sys
2009-02-15 18:21 299,083 a------- c:\windows\system32\drivers\CVPNDRVA.sys
2009-02-15 18:21 5,185 a------- c:\windows\system32\drivers\CVirtA.sys
2009-02-15 18:21 163,840 a------- c:\windows\system32\vpnapi.dll
2009-02-15 18:20 <DIR> --d----- c:\program files\common files\Deterministic Networks

==================== Find3M ====================

2009-03-10 19:52 129,024 a--sh--- c:\windows\system32\yizimife.dll
2009-03-10 19:52 84,992 a--sh--- c:\windows\system32\yijazowi.dll
2009-03-10 19:52 79,872 a--sh--- c:\windows\system32\jijejeju.dll
2009-03-08 22:47 129,024 a--sh--- c:\windows\system32\zipowapu.dll
2009-03-08 22:47 84,992 a--sh--- c:\windows\system32\datufobu.dll
2009-03-08 22:47 79,872 a--sh--- c:\windows\system32\fogasahi.dll
2009-03-08 10:47 79,872 -------- c:\windows\system32\lewiyidi.dll
2009-03-08 10:47 84,992 a--sh--- c:\windows\system32\baborefe.dll
2009-03-08 10:47 129,024 a--sh--- c:\windows\system32\nevigapi.dll
2009-03-07 10:17 79,872 a--sh--- c:\windows\system32\majudusu.dll
2009-03-07 10:17 129,024 a--sh--- c:\windows\system32\dimadadu.dll
2009-03-07 10:17 84,992 a--sh--- c:\windows\system32\ruyutave.dll
2009-03-06 19:41 79,872 a--sh--- c:\windows\system32\wemipipo.dll
2009-03-06 19:41 129,024 a--sh--- c:\windows\system32\bozoyipo.dll
2009-03-06 19:41 84,992 a--sh--- c:\windows\system32\mulumobu.dll
2009-03-05 21:29 129,024 a--sh--- c:\windows\system32\bedihidu.dll
2009-03-05 21:29 84,992 a--sh--- c:\windows\system32\bayopuge.dll
2009-01-29 19:02 103,488 a------- c:\windows\system32\drivers\AnyDVD.sys
2009-01-29 18:57 23,976 a------- c:\windows\system32\drivers\ElbyCDIO.sys
2009-01-29 17:54 89,256 a------- c:\windows\system32\ElbyCDIO.dll
2009-01-16 22:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2009-01-12 21:11 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-12 21:11 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-01-12 21:11 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-12 21:11 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2008-12-29 20:52 16,202 a------- c:\docume~1\owner\applic~1\wklnhst.dat
2008-12-19 05:10 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 05:10 13,824 a------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 01:25 634,024 a------- c:\windows\system32\dllcache\iexplore.exe
2008-12-19 01:23 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2008-06-24 13:02 87,608 a------- c:\docume~1\owner\applic~1\inst.exe
2008-06-24 13:02 47,360 a------- c:\docume~1\owner\applic~1\pcouffin.sys
2006-05-03 05:06 163,328 a--shr-- c:\windows\system32\flvDX.dll
0000-00-00 00:00 47,616 a--sh--- c:\windows\system32\fobamito.dll
0000-00-00 00:00 47,616 a--sh--- c:\windows\system32\jodozome.dll
0000-00-00 00:00 47,616 a--sh--- c:\windows\system32\ludotoja.dll
2007-02-21 06:47 31,232 a--shr-- c:\windows\system32\msfDX.dll
2006-03-02 21:39 557,300 a--sh--- c:\windows\system32\wvvwa.bak1
2006-03-26 13:35 631,757 a--sh--- c:\windows\system32\wvvwa.bak2
2008-12-07 15:03 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008120720081208\index.dat

============= FINISH: 19:26:15.63 ===============
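The log above is what a malware-removal helper reads by hand: eight-letter random DLL names in system32 hooked into AppInit_DLLs, SSODL and the LSA Notification Packages, Run entries that launch DLLs via rundll32 under random value names, hidden+system files with zeroed timestamps, and a policy that disables Task Manager. As an added example (not part of the original post and not code from the DDS tool), the following Python script applies those same heuristics to a handful of lines copied from the log. The scoring rules and the small allowlist of known-good lowercase Windows filenames are my own assumptions for illustration, not an authoritative signature.

```python
"""Heuristic triage of DDS / HijackThis-style log lines.

Added example; not part of the original post or of the DDS tool. The sample
lines are copied from the log in the post; the rules and the KNOWN_GOOD
allowlist are illustrative assumptions, not an authoritative signature.
"""
import re

# Constructed sample: lines taken from the DDS log posted above.
SAMPLE_LOG = r"""
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {537072b9-c6e7-45ec-8602-75de590ba924} - c:\windows\system32\jodozome.dll
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [tawowuvizu] Rundll32.exe "c:\windows\system32\fobamito.dll",s
mRun: [0cb58fae] rundll32.exe "c:\windows\system32\jijejeju.dll",b
mRun: [Framework Windows] frmwrk32.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
AppInit_DLLs: c:\windows\system32\ludotoja.dll flkjde.dll c:\windows\system32\yijazowi.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yijazowi.dll
LSA: Notification Packages = scecli c:\windows\system32\ludotoja.dll
2009-03-10 19:52 1,805,682 ---sh--- c:\windows\system32\ujejejij.ini
2009-03-10 19:52 129,024 a--sh--- c:\windows\system32\mkfknp.dll
2009-02-19 13:03 579,464 a------- c:\windows\system32\SymNeti.dll
0000-00-00 00:00 47,616 a--sh--- c:\windows\system32\fobamito.dll
"""

# Load points a helper checks first; a random-named DLL here is rarely benign.
HIGH_VALUE_KEYS = ("AppInit_DLLs:", "LSA:", "SSODL:", "STS:", "Notify:", "BHO:")

# Legitimate all-lowercase Windows filenames (assumption: extend for real use).
KNOWN_GOOD = {"ctfmon", "spoolsv", "userinit", "svchost", "explorer", "scecli", "shdocvw"}

# DDS lowercases directory names but keeps the filename's own case.
SYSTEM32_PATH = re.compile(r"c:\\windows\\system32\\([A-Za-z0-9_]+\.(?:dll|exe|ini|tll))", re.I)
RANDOM_STEM = re.compile(r"^[a-z]{6,10}$")      # jodozome, mkfknp, aglsef ...
RUNDLL_RUN = re.compile(r"^[mu]Run: \[[^\]]+\] rundll32\.exe", re.I)
RANDOM_RUN_NAME = re.compile(r"^[mu]Run: \[(?:[0-9a-f]{8}|[a-z]{8,12})\]")
BARE_RUN = re.compile(r"^[mu]Run: \[[^\]]+\] ([A-Za-z0-9_]+\.exe)\s*$")
# "Created Last 30" / "Find3M" entries: date time size attrs path
FILE_ENTRY = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+[\d,]+\s+([a-z-]{8})\s+(.+)$")


def score_line(line):
    """Return (reasons, keys) for one log line; keys are basenames or a policy tag."""
    reasons, keys = [], []
    filenames = SYSTEM32_PATH.findall(line)
    random_names = [f for f in filenames
                    if RANDOM_STEM.match(f.rsplit(".", 1)[0])
                    and f.rsplit(".", 1)[0] not in KNOWN_GOOD]
    if random_names:
        reasons.append("random-looking filename in system32")
        keys.extend(random_names)
        if line.startswith(HIGH_VALUE_KEYS):
            reasons.append("loaded from a high-value persistence point")
    if RUNDLL_RUN.match(line):
        reasons.append("DLL launched via rundll32 from a Run key")
        keys.extend(filenames)
    if RANDOM_RUN_NAME.match(line):
        reasons.append("random Run value name")
        keys.extend(filenames)
    m = BARE_RUN.match(line)
    if m:
        reasons.append("Run value launches a bare filename (no path)")
        keys.append(m.group(1))
    m = FILE_ENTRY.match(line)
    if m and "system32" in m.group(2).lower():
        if "s" in m.group(1) and "h" in m.group(1):
            reasons.append("hidden+system attributes in system32")
            keys.extend(filenames)
        if line.startswith("0000-00-00"):
            reasons.append("zeroed/invalid timestamp")
            keys.extend(filenames)
    if "DisableTaskMgr = 1" in line:
        reasons.append("Task Manager disabled by policy")
        keys.append("policy:DisableTaskMgr")
    return reasons, keys


def triage(log_text):
    """Aggregate the reasons each filename collects across the whole log."""
    findings = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons, keys = score_line(line)
        if not reasons:
            continue
        for key in (keys or [line]):
            findings.setdefault(key, set()).update(reasons)
    return findings


def high_confidence(findings, min_reasons=2):
    """Names hit by at least min_reasons independent heuristics, sorted."""
    return sorted(k for k, r in findings.items() if len(r) >= min_reasons)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for name in sorted(results):
        print(f"{name:24s} {', '.join(sorted(results[name]))}")
    print("high confidence:", high_confidence(results))
```

Run against the sample, the script singles out the same files a helper would (the random-named DLLs in AppInit_DLLs, SSODL and the LSA packages, the rundll32 Run entries, and the hidden+system files) while leaving the Symantec, Adobe and WPD components alone; frmwrk32.exe and the DisableTaskMgr policy each score only one reason and are reported for manual review rather than as high confidence.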



#2 Sizuper

Sizuper
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  • Local time:11:33 AM

Posted 13 March 2009 - 07:26 PM

Sorry, I know this will bump my post and thus drop-kick me to the end of the line again, but the Edit function rejects me saying I am not allowed to edit my own post. But the situation has changed for the worse and I need to post the additional information as it will probably affect the necessary response. So here is an update on the gradual systematic destruction of my laptop:

Immediately after posting this topic, I ran full backup with Cobian Backup, so I would be ready to act on any help I got on how to handle this infection. And it froze my computer completely as described before, somewhere after 75% complete (that was the last time I checked before it froze). I had to turn the computer off to reboot but now it won't reboot.

After showing the black background screen with the WindowsXP logo and the booting progress bar for a short while, it goes black for a few seconds as if it is going to the next boot step, but then goes to blue screen with the following error message:

"Stop: e000021a {Fatal System Error}
The Windows Logon Process System process terminated unexpectedly with a status of 0X00000000 (0X00000000 0X00000000).
The system has been shut down."


Then it goes into a perpetual loop of trying to reboot, and failing to the same blue screen error message.

It rebooted once on its own after I left it to do many auto-reboot tries, and I tried to run backup again, but it never even started because apparently if you're not hooked up to the Internet for it to check for new versions, it stops there and does not commence backing up your data. It froze again and I had to hold the power button down to turn off & try to reboot, which it has not done again successfully.

I tried to reboot as 'Last Known Good Configuration', in all 3 Safe Modes and Debugging Mode but always it does the same thing and reverts to the same blue screen error message and shuts off into reboot attempt #8 billion.

Don't know if the Cobian Backup "caused" this latest problem or it was just coincidentally running on the freeze that took the problems to the next level. Don't know if this will help you in the diagnosis/Rx or if it means I'm out of luck and the sub-human scum of the Earth have claimed another computer, but I hope something can still be done....I live in Connecticut and since Circuit City & CompUSA went out of business I don't think there's anywhere in the state to take a computer for repair.

**********************
Update: After leaving the perpetual attempted reboot loop going for a few hours last night, it rebooted again (second time since it started giving the blue screen error message), so I am hopeful that if you are able to give me some instructions to help fix it, that I can with some patience get my computer to reboot. I've given up on the backup of data, as the Cobian again just stopped because it couldn't reach the server to check for a new version....if this is part of its protocol, that it won't work unless it's been able to first check online for a new version, that's pretty bizarre.

Edited by Sizuper, 14 March 2009 - 12:55 PM.


#3 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • OFFLINE
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:12:33 PM

Posted 24 March 2009 - 03:54 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#4 Sizuper

Sizuper
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  • Local time:11:33 AM

Posted 25 March 2009 - 07:03 PM

Hello again and thank you again for helping me!

Here is the detailed description of what's happened and what I've done to try to address it:

I believe the infection came from downloading a YouTube video.
*First thing that happened was that the computer locked up completely while downloading the video. I left it alone hoping it was just a temporary freeze. Then, a few minutes later I heard the Windows sounds of a reboot. The problems started immediately after it rebooted.

*At first, it did just this:
--All Internet search engine links redirected to some product site or advertisement.
--Every few minutes, Internet Explorer would open a new window (I don't even use ie, I use Firefox) to a product site or ad.
--At first this did not affect my computer or browser speed (except while opening the ie popup ads), but after a couple days, everything was running very slowly.

*A few days after the initial infection, the computer started locking up for no apparent reason. It is always a complete freeze that requires a hard re-boot (the cursor won't respond, not even ctl-alt-del does anything).

*A couple days later, a red circle with a white "X" appeared on my screen-bottom gray bar that looks exactly like the red "X" circle that appears on the Norton AntiVirus box when it's time for an update. Also a call-out box pops up from this "X" with the message, "Warning! Security report/Your computer is infected! It is recommended to start spyware cleaner tool." I of course never downloaded or installed anything by that name.
*At the same time the red "X" appeared, the color/shading settings for all my desktop icons changed, then on the next reboot my wallpaper was gone (plain blue background now).
*Along with this came a regular progression of Norton alerts that some program was trying to connect with the Internet, and they were all names I've never seen before so I selected to block them all.
*Also now I frequently get that thing where all my desktop icons disappear, the computer locks up for a few seconds, and slowly all my icons return as unknown file icons and then 1-by-1 back into their usual icons.

**What I did to try to fix the problem:
-Ran a full Norton anti-virus scan, which found nothing.
-Ran Spyware Doctor (a version that is over a year old), but it only gets so far before crashing my computer (which is why it is an old version and I never re-upped for their service). But it did find 7 bugs before freezing up, so I re-booted and ran it again, and when it found the 7 bugs, I stopped the scan and had it get rid of the 7 bugs and re-booted. This however did nothing to fix any of the problems I was having.
-Next I ran HiJackThis and it gave me a long report that I don't know how to read or interpret, so I came here.

After logging onto Bleeping Computer:
*I followed all the instructions in the Preparation Guide except the full system backup. I tried, but could not get it to finish.
*I ran full backup with Cobian Backup but it froze my computer completely just as described above, somewhere after 75% complete (that was the last time I checked before it froze).
*I had to turn the computer off to reboot but now it won't reboot.

Here is what happens when it tries to boot up:
*After showing the black background screen with the WindowsXP logo and the booting progress bar for a short while, it goes black for a few seconds as if it is going to the next boot step, but then goes to blue screen with the following error message:

"Stop: e000021a {Fatal System Error}
The Windows Logon Process System process terminated unexpectedly with a status of 0X00000000 (0X00000000 0X00000000).
The system has been shut down."

*Then it goes into a perpetual loop of trying to reboot, and failing to the same blue screen error message.
* I tried to reboot as 'Last Known Good Configuration', in all 3 Safe Modes and Debugging Mode but always it does the same thing and reverts to the same blue screen error message and shuts off into a perpetual loop of reboot attempts.

I have successfully re-booted a few times now, but it takes dozens, even hundreds of attempts to re-boot before it succeeds. I tried to run Cobian Backup but it won't even engage now, stalling at the initiation step of checking for new versions. I imagine if it did, my system would crash again before it was done.

Current status:
After getting your reply, I tried to re-boot last night and some time this morning, it finally re-booted once again. So I ran the new DDS scan to get the attached text files. I will not do anything else on the computer until hearing from you on what to do, and I will leave it on, so unless it freezes with no activity, it should be in the same condition as when I posted these DDS reports. It has yet to crash without some program actually running on it, so hopefully it will stay working.

Here is the DDS file content from the scan run today:
****************************************************************************************


DDS (Ver_09-02-01.01) - NTFSx86
Run by Owner at 14:09:43.71 on Wed 03/25/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.478.148 [GMT -4:00]

AV: Norton Internet Security *On-access scanning enabled* (Outdated)
FW: Norton Internet Security *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\userinit.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = https://login.yahoo.com/config/mail?.intl=us
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=laptop
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {69f527d7-76c4-3e7b-6434-4832012bc615}: {516cb210-2384-4346-b7e3-4c677d725f96} - c:\windows\system32\acfhom.dll
BHO: {537072b9-c6e7-45ec-8602-75de590ba924} - c:\windows\system32\jodozome.dll
BHO: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: PCTools Site Guard: {5c8b2a36-3db1-42a4-a3cb-d426709bbfeb} - c:\progra~1\spywar~1\tools\iesdsg.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.0\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
BHO: {b56a7d7d-6927-48c8-a975-17df180c71ac} - PCTools Browser Monitor
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.0\CoIEPlg.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [tawowuvizu] Rundll32.exe "c:\windows\system32\fobamito.dll",s
mRun: [Framework Windows] frmwrk32.exe
mRun: [0cb58fae] rundll32.exe "c:\windows\system32\sulejere.dll",b
mRun: [CPM0f86bc32] Rundll32.exe "c:\windows\system32\welatili.dll",a
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - {A1EDC4A1-940F-48E0-8DFD-E38F1D501021}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: c:\windows\temp\ntdll64.dll
LSP: connwsp.dll
DPF: WebControlDeploy - hxxp://grouper.com/v1/GrouperSetup.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.2.89.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\windows\system32\ludotoja.dll flkjde.dll acfhom.dll c:\windows\system32\welatili.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\welatili.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\welatili.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
LSA: Notification Packages = scecli c:\windows\system32\ludotoja.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\zwmkl79b.default\
FF - component: c:\program files\mozilla firefox\components\coFFPlgn.dll
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\zwmkl79b.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\ign\download manager\npfpdlm.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPOJI610.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2007-8-25 149352]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2007-8-25 149352]
R2 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\opencase\opencase media agent\MediaAgent.exe [2008-1-16 814728]
R3 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2007-8-25 149352]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-3 99376]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090201.003\NAVENG.SYS [2009-2-1 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090201.003\NAVEX15.SYS [2009-2-1 876112]
R3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2008-2-2 1251720]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2007-5-29 23888]
S3 IKFileFlt;File Filter Driver;c:\windows\system32\drivers\ikfileflt.sys [2007-4-11 39248]
S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2007-4-11 52304]
S3 IkSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2007-4-11 59984]
S3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2007-4-11 83536]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-14 34448]
S3 sdAuxService;Spyware Doctor Auxiliary Service;c:\program files\spyware doctor\svcntaux.exe [2007-4-11 708176]
S3 sdCoreService;Spyware Doctor Service;c:\program files\spyware doctor\swdsvc.exe [2007-4-11 1302272]
S4 WinDefend;Windows Defender Service;c:\program files\windows defender\MsMpEng.exe [2006-2-10 45840]

=============== Created Last 30 ================

2009-03-20 23:12 2,713 ---sh--- c:\windows\system32\jevogigu.exe
2009-03-13 23:07 488 a------- c:\windows\system32\win32hlp.cnf
2009-03-13 23:04 104,960 a------- c:\windows\system32\dllcache\userinit.exe
2009-03-13 22:58 27,136 a------- c:\windows\system32\998.exe
2009-03-12 19:48 1,805,682 ---sh--- c:\windows\system32\erejelus.ini
2009-03-12 19:48 124,928 a--sh--- c:\windows\system32\acfhom.dll
2009-03-12 18:48 36,864 a------- c:\windows\system32\nDler.exe
2009-03-11 22:20 1 a------- c:\windows\system32\uniq.tll
2009-03-11 22:15 31,744 a------- c:\windows\system32\frmwrk32.exe
2009-03-11 22:15 31,744 a------- c:\windows\system32\1000.exe
2009-03-10 19:52 1,805,682 ---sh--- c:\windows\system32\ujejejij.ini
2009-03-10 19:52 129,024 a--sh--- c:\windows\system32\mkfknp.dll
2009-03-08 22:47 129,024 a--sh--- c:\windows\system32\ppjkmd.dll
2009-03-08 22:47 1,805,682 ---sh--- c:\windows\system32\ihasagof.ini
2009-03-08 11:33 <DIR> --d----- C:\Backup
2009-03-08 11:17 <DIR> --d----- c:\program files\Cobian Backup 9
2009-03-08 10:47 1,805,682 ---sh--- c:\windows\system32\idiyiwel.ini
2009-03-08 10:47 129,024 a--sh--- c:\windows\system32\apmcmj.dll
2009-03-07 10:17 1,805,682 ---sh--- c:\windows\system32\usudujam.ini
2009-03-07 10:17 129,024 a--sh--- c:\windows\system32\aglsef.dll
2009-03-06 19:41 1,805,695 ---sh--- c:\windows\system32\opipimew.ini
2009-03-06 19:41 129,024 a--sh--- c:\windows\system32\flkjde.dll
2009-03-05 21:30 1,805,682 ---sh--- c:\windows\system32\anayuzaj.ini
2009-03-05 21:29 129,024 a--sh--- c:\windows\system32\uioeey.dll
2009-03-05 21:20 44,824 a------- c:\windows\system32\prunnet.exe

==================== Find3M ====================

2009-03-13 23:03 104,960 a------- c:\windows\system32\userinit.exe
2009-03-12 19:48 124,928 a--sh--- c:\windows\system32\nolomipu.dll
2009-03-12 19:48 84,992 a--sh--- c:\windows\system32\welatili.dll
2009-03-12 19:48 79,872 a--sh--- c:\windows\system32\sulejere.dll
2009-03-10 19:52 129,024 a--sh--- c:\windows\system32\yizimife.dll
2009-03-10 19:52 84,992 a--sh--- c:\windows\system32\yijazowi.dll
2009-03-10 19:52 79,872 -------- c:\windows\system32\jijejeju.dll
2009-03-08 22:47 129,024 a--sh--- c:\windows\system32\zipowapu.dll
2009-03-08 22:47 84,992 a--sh--- c:\windows\system32\datufobu.dll
2009-03-08 22:47 79,872 a--sh--- c:\windows\system32\fogasahi.dll
2009-03-08 10:47 79,872 -------- c:\windows\system32\lewiyidi.dll
2009-03-08 10:47 84,992 a--sh--- c:\windows\system32\baborefe.dll
2009-03-08 10:47 129,024 a--sh--- c:\windows\system32\nevigapi.dll
2009-03-07 10:17 79,872 a--sh--- c:\windows\system32\majudusu.dll
2009-03-07 10:17 129,024 a--sh--- c:\windows\system32\dimadadu.dll
2009-03-07 10:17 84,992 a--sh--- c:\windows\system32\ruyutave.dll
2009-03-06 19:41 79,872 a--sh--- c:\windows\system32\wemipipo.dll
2009-03-06 19:41 129,024 a--sh--- c:\windows\system32\bozoyipo.dll
2009-03-06 19:41 84,992 a--sh--- c:\windows\system32\mulumobu.dll
2009-03-05 21:29 129,024 a--sh--- c:\windows\system32\bedihidu.dll
2009-03-05 21:29 84,992 a--sh--- c:\windows\system32\bayopuge.dll
2009-02-19 13:03 579,464 a------- c:\windows\system32\SymNeti.dll
2009-02-19 13:03 207,240 a------- c:\windows\system32\SymRedir.dll
2009-02-19 12:31 31,280 a------- c:\windows\system32\drivers\SymIM.sys
2009-02-19 12:31 9,844 a------- c:\windows\system32\drivers\SymRedir.cat
2009-02-19 12:31 1,611 a------- c:\windows\system32\drivers\SymRedir.inf
2009-02-19 12:31 41,008 a------- c:\windows\system32\drivers\symndisv.sys
2009-02-19 12:31 184,496 a------- c:\windows\system32\drivers\symtdi.sys
2009-02-19 12:31 96,560 a------- c:\windows\system32\drivers\symfw.sys
2009-02-19 12:31 38,576 a------- c:\windows\system32\drivers\symids.sys
2009-02-19 12:31 37,424 a------- c:\windows\system32\drivers\symndis.sys
2009-02-19 12:31 22,320 a------- c:\windows\system32\drivers\symredrv.sys
2009-02-19 12:31 13,616 a------- c:\windows\system32\drivers\symdns.sys
2009-01-29 19:02 103,488 a------- c:\windows\system32\drivers\AnyDVD.sys
2009-01-29 18:57 23,976 a------- c:\windows\system32\drivers\ElbyCDIO.sys
2009-01-29 17:54 89,256 a------- c:\windows\system32\ElbyCDIO.dll
2009-01-16 22:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2009-01-12 21:11 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2008-12-29 20:52 16,202 a------- c:\docume~1\owner\applic~1\wklnhst.dat
2008-06-24 13:02 87,608 a------- c:\docume~1\owner\applic~1\inst.exe
2008-06-24 13:02 47,360 a------- c:\docume~1\owner\applic~1\pcouffin.sys
2006-05-03 05:06 163,328 a--shr-- c:\windows\system32\flvDX.dll
0000-00-00 00:00 47,616 a--sh--- c:\windows\system32\fobamito.dll
0000-00-00 00:00 47,616 a--sh--- c:\windows\system32\jodozome.dll
0000-00-00 00:00 47,616 a--sh--- c:\windows\system32\ludotoja.dll
2007-02-21 06:47 31,232 a--shr-- c:\windows\system32\msfDX.dll
2006-03-02 21:39 557,300 a--sh--- c:\windows\system32\wvvwa.bak1
2006-03-26 13:35 631,757 a--sh--- c:\windows\system32\wvvwa.bak2
2008-12-07 15:03 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008120720081208\index.dat

============= FINISH: 14:12:10.53 ===============


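The DDS log posted above shows the same few DLLs wired into several autostart locations at once: Run values that exist only to make rundll32 call one export, AppInit_DLLs, SSODL/STS, the LSA notification packages, a Winsock LSP sitting in a temp folder, and the policy that disables Task Manager. The script below is an added example, not code from the original post or from the DDS tool: it parses that "Pseudo HJT Report" section, flags those locations, and then lists every module referenced from more than one of them, which is the fastest way to see which files are the core of an infection. The flagging heuristics are the example's own assumptions; the sample lines are copied from the log above.

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log.

Added example, not code from the original post or from the DDS tool. The
heuristics are the author's own assumptions about which autostart locations
deserve a second look; the sample lines are copied from the log posted above.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set

# Sample input: lines copied from the DDS log above, trimmed to the
# persistence-related entries.
SAMPLE_DDS = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [tawowuvizu] Rundll32.exe "c:\windows\system32\fobamito.dll",s
mRun: [Framework Windows] frmwrk32.exe
mRun: [0cb58fae] rundll32.exe "c:\windows\system32\sulejere.dll",b
mRun: [CPM0f86bc32] Rundll32.exe "c:\windows\system32\welatili.dll",a
uPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
LSP: c:\windows\temp\ntdll64.dll
LSP: connwsp.dll
AppInit_DLLs: c:\windows\system32\ludotoja.dll flkjde.dll acfhom.dll c:\windows\system32\welatili.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\welatili.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\welatili.dll
LSA: Notification Packages = scecli c:\windows\system32\ludotoja.dll
"""


class Finding(NamedTuple):
    category: str   # why the line was flagged
    location: str   # DDS line prefix: mRun, AppInit_DLLs, LSP, ...
    module: str     # lower-case file name involved ('' if none)
    line: str       # the original line, for the analyst


RUN_RE = re.compile(r'^(?P<loc>[umd]Run):\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.+)$', re.I)
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\S+)', re.I)
POLICY_RE = re.compile(r'^(?P<loc>[umd]Policies-system):\s+DisableTaskMgr\s*=\s*1\b', re.I)
LSP_RE = re.compile(r'^LSP:\s+(?P<mod>\S+)', re.I)
APPINIT_RE = re.compile(r'^AppInit_DLLs:\s*(?P<mods>.*)$', re.I)
LSA_RE = re.compile(r'^LSA:\s+Notification Packages\s*=\s*(?P<mods>.*)$', re.I)
PREFIX_RE = re.compile(r'^(?P<loc>\w[\w-]*):')             # "mRun:", "SSODL:", "LSA:" ...
MODULE_RE = re.compile(r'[^\s",\[\]]+\.(?:dll|exe)\b', re.I)  # any .dll/.exe token on a line


def basename(path: str) -> str:
    """Last path component, lower-cased, so paths and bare names compare equal."""
    return path.rsplit('\\', 1)[-1].lower()


def triage_dds(text: str) -> List[Finding]:
    """Flag autostart entries that legitimate software rarely uses this way."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            cmd = m['cmd'].strip()
            r = RUNDLL_RE.match(cmd)
            if r:
                # A Run value whose only job is to have rundll32 call one export of a
                # DLL is a very common way a dropper starts a DLL payload at logon.
                findings.append(Finding('rundll32 launches DLL from Run key', m['loc'], basename(r['dll']), line))
            else:
                exe = cmd.split('"')[1] if cmd.startswith('"') else cmd.split()[0]
                if '\\' not in exe and '%' not in exe:
                    # No directory at all: the loader resolves it via the search path.
                    findings.append(Finding('Run entry with unqualified path', m['loc'], basename(exe), line))
            continue
        m = POLICY_RE.match(line)
        if m:
            findings.append(Finding('Task Manager disabled by policy', m['loc'], '', line))
            continue
        m = LSP_RE.match(line)
        if m:
            mod = m['mod']
            if '\\' not in mod or '\\temp\\' in mod.lower():
                findings.append(Finding('Winsock LSP from temp dir or bare name', 'LSP', basename(mod), line))
            continue
        m = APPINIT_RE.match(line)
        if m:
            # AppInit_DLLs is loaded into every process that loads user32.dll.
            for mod in m['mods'].split():
                findings.append(Finding('AppInit_DLLs loads DLL into every user32 process', 'AppInit_DLLs', basename(mod), line))
            continue
        m = LSA_RE.match(line)
        if m:
            for mod in m['mods'].split():
                if mod.lower() != 'scecli':   # scecli is the stock Windows package
                    findings.append(Finding('Non-default LSA notification package', 'LSA', basename(mod), line))
    return findings


def module_locations(text: str) -> Dict[str, Set[str]]:
    """Map each DLL/EXE name to the set of DDS locations that reference it."""
    where: Dict[str, Set[str]] = defaultdict(set)
    for raw in text.splitlines():
        p = PREFIX_RE.match(raw.strip())
        if not p:
            continue
        for tok in MODULE_RE.findall(raw):
            name = basename(tok)
            if name != 'rundll32.exe':         # the host process, not the payload
                where[name].add(p['loc'])
    return dict(where)


def multi_location_modules(text: str, min_locations: int = 2) -> Dict[str, List[str]]:
    """Modules pinned to several persistence points at once: the ones to look at first."""
    return {name: sorted(locs) for name, locs in module_locations(text).items()
            if len(locs) >= min_locations}


if __name__ == '__main__':
    for f in triage_dds(SAMPLE_DDS):
        print(f'[{f.location:>16}] {f.category}: {f.module or f.line}')
    for name, locs in multi_location_modules(SAMPLE_DDS).items():
        print(f'{name} is referenced from {len(locs)} locations: {", ".join(locs)}')
```

Run it as a script to print the findings for the sample, or import `triage_dds` and `multi_location_modules` and pass the whole DDS log; lines the parser does not recognise (BHOs, DPF entries, services) are simply skipped. The cross-reference step is what matters: a DLL that shows up in a Run key, AppInit_DLLs, SSODL and the LSA at the same time has been deliberately anchored in several places so that removing one copy does not remove it.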
#5 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 25 March 2009 - 07:33 PM

Hello.

Install Recovery Console and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick ComboFix's window while it's running because it may cause it to stall.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
    If it detects rootkit activity, you will receive a prompt to run a full scan. Click Yes..
  • When it's done scanning, you may receive another notice. Click OK if prompted.
  • Click on Save ... to save the log on your desktop.
    Save the log as GMER.txt when you save it on your desktop.
  • Close Gmer and copy and paste the contents of GMER.txt in your next reply.
  • If you receive no notice, click on the Scan button near the bottom.
  • It will start scanning again like before.
  • When it is done, Click on Save ... to save the log on your desktop.
    Save the log as GMER.txt when you save it on your desktop.
  • Close Gmer and copy and paste the contents of GMER.txt in your next reply. If GMER doesn't work in Normal Mode try running it in Safe Mode
Note: Do Not run any program while GMER is running

Important!: Please do not select the Show all checkbox during the scan.

Post back with:
-Combofix log
-GMER log


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#6 Sizuper

  • Topic Starter
  • Members
  • 56 posts

Posted 26 March 2009 - 05:48 AM

Uh-oh.

I ran ComboFix, it could not hook up to the site to download/install Microsoft Windows Recovery Console, went on searching for malware, it re-booted itself after a prompt that it found Rootkit activity. Was buzzing right along, deleting files and completing stages, but then stalled out.

It stopped after completing Stage 50 and deleting 2 more files (qmgr0.dat and qmgr1.dat) both from the C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Download Manager folder

There are no desktop icons, utility bar or Start button showing - nothing but my wallpaper picture and the ComboFix window.

I left it overnight, but it is still stalled out at the same place. My first instinct was to close the ComboFix window, seeing if it completes a boot or to re-boot and start over, but I don't want to damage the machine, so what should I do next? I have left the ComboFix window open in case you need to know what files it deleted.

Thanks,
--Sizuper

#7 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 26 March 2009 - 02:58 PM

Hello.

Yes, just close Combofix and turn off your machine. Turn it back on afterwards and see if you are able to find the Combofix report. If it was created it should be found at the C:\ drive. The file is called "Combofix.txt". If it is created post back with the log, if not let me know.

Let me know how it goes.

With Regards,
Extremeboy

#8 Sizuper

  • Topic Starter
  • Members
  • 56 posts

Posted 26 March 2009 - 06:19 PM

Thanks extremeboy - here is the ComboFix log (I can already report that the red X bogus spyware thing is gone and ie hasn't popped up again since re-booting...I will now run a scan with GMER, per the instructions):

**************************************************************************************


ComboFix 09-03-25.02 - Owner 2009-03-26 0:33:03.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.478.175 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Outdated)
FW: Norton Internet Security *enabled*

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
ADS - WINDOWS: deleted 24 bytes in 1 streams.

#9 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 26 March 2009 - 06:42 PM

Hello.

Just want to confirm something. The Combofix log you just posted, is it complete, as in is that the FULL Combofix log? Make sure it is, if not then post the Combofix log again, if it is just let me know.

Run the GMER and post back that log and we will continue from there.

With regards,
Extremeboy

#10 Sizuper

  • Topic Starter
  • Members
  • 56 posts

Posted 26 March 2009 - 09:22 PM

Hello Extremeboy,

I just re-checked and that's the whole Combofix log.

Below is the GMER log.

Couple things to add that may or may not be important:
*The Task Manager has become disabled. When I hit Ctl-Alt-Del now, I get "Task Manager has been disabled by your Administrator."
*Also, my desktop background had earlier changed from my background picture to all-blue. Now it has changed to all-white with a big "Active Desktop Recovery" message in the upper-center of the screen. It offers 4 options to restore, and none of them work:
1) It has a button to "Restore Active Desktop" but when I click that, I get the standard "Internet Explorer Script Error" message ('Object doesn't support this property or method'). Clicking Yes or No does nothing. (2) When I right-click the desktop and select Properties, then click on the Desktop tab, it does not allow me to select anything in the Background box. (3) When I right-click Desktop, click Properties then click Customize Desktop, the instructions say to go under the 'Web' tab to un-click a box under "Web Pages" but there is no 'Web' tab. (4) To turn off active desktop, same problem as #3: no 'Web' tab.


Hope that is useful. Here is the GMER file contents...thanks again!
*************************************************************************************

GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2009-03-26 21:38:15
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.12 ----

SSDT 85BA6D58 ZwAlertResumeThread
SSDT 85A51BB8 ZwAlertThread
SSDT 85DFC4E0 ZwAllocateVirtualMemory
SSDT 859A1CC8 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwCreateKey
SSDT 84EA6948 ZwCreateMutant
SSDT 85A2FC18 ZwCreateThread
SSDT 859126D8 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwDeleteKey
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwDeleteValueKey
SSDT 84E98090 ZwFreeVirtualMemory
SSDT 85EED2E0 ZwImpersonateAnonymousToken
SSDT 85F163F0 ZwImpersonateThread
SSDT 84E6A6C8 ZwMapViewOfSection
SSDT 85C7DDD0 ZwOpenEvent
SSDT 8595E178 ZwOpenProcessToken
SSDT 859126A0 ZwOpenSection
SSDT 84E20498 ZwOpenThreadToken
SSDT 85EED550 ZwResumeThread
SSDT 85E8B640 ZwSetContextThread
SSDT 85CD1F58 ZwSetInformationProcess
SSDT 85DBA998 ZwSetInformationThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwSetValueKey
SSDT 8598E700 ZwSuspendProcess
SSDT 84E81DF0 ZwSuspendThread
SSDT 85CDFD40 ZwTerminateProcess
SSDT 85BA7A50 ZwTerminateThread
SSDT 85A51B28 ZwUnmapViewOfSection
SSDT 85627E18 ZwWriteVirtualMemory

---- User code sections - GMER 1.0.12 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[2700] kernel32.dll!VirtualProtect + 1C 7C801AF0 7 Bytes JMP 05350034
.text C:\Program Files\Internet Explorer\iexplore.exe[2700] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 01CD2648 c:\windows\system32\welatili.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2700] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 42F0F341 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2700] USER32.dll!SetWindowLongA 7E42C29D 5 Bytes JMP 430A197A C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2700] USER32.dll!SetWindowLongW 7E42C2BB 5 Bytes JMP 430A19AB C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2700] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 430A187F C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2700] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 430A1800 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2700] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 430A1844 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2700] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 430A178C C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2700] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 430A17C6 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2700] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 430A18BA C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2700] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 42F316F6 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2700] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 053501C4
.text C:\Program Files\Internet Explorer\iexplore.exe[2700] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 05350246
.text C:\Program Files\Internet Explorer\iexplore.exe[2700] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 01CD2C73 c:\windows\system32\welatili.dll

---- Files - GMER 1.0.12 ----

ADS C:\ComboFix\f_system:test
ADS C:\Documents and Settings\All Users\Application Data\TEMP:40F038C5
ADS C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
ADS C:\Documents and Settings\Owner\Favorites\Amazon items to order\YouTube - 24 Season 6 Trailer.url:favicon
ADS C:\Documents and Settings\Owner\Favorites\CT Fishing Spots.url:favicon
ADS C:\Documents and Settings\Owner\Favorites\Fishing\CT\ctfisherman.com - CT fishing reports, message board, news, photo gallery and more..url:favicon
ADS C:\Documents and Settings\Owner\Favorites\Fishing\CT\Forums\ctfisherman.com Saltwater.url:favicon
ADS C:\Documents and Settings\Owner\Favorites\Fishing\CT\Forums\Noreast.com LIS Board.url:favicon
ADS C:\Documents and Settings\Owner\Favorites\Fishing\CT\Noreast.com [CT Reports, Features].url:favicon
ADS C:\Documents and Settings\Owner\Favorites\Fishing\CT\Reports\Noreast.com [Welcome].url:favicon
ADS C:\Documents and Settings\Owner\Favorites\Fishing\CT\Tides\Best - any Format - Free Tide Tables Interactive - CT.url:favicon
ADS ...

---- EOF - GMER 1.0.12 ----

Edited by Sizuper, 26 March 2009 - 09:26 PM.

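The GMER log in the post above mixes two kinds of hook: kernel SSDT entries that GMER either attributes to a driver (the SYMEVENT.SYS lines) or prints as a bare address, and inline `.text` hooks inside iexplore.exe that GMER attributes to a module (IEFRAME.dll, welatili.dll) or to an address in no module at all. The script below is an added example, not code from the original post or from GMER: it parses both line shapes, groups the hooked functions by the module that owns the hook target, and separates out the hooks that are unattributed or owned by something the analyst has not yet vetted. The sample lines are copied from the log above; `KNOWN_OWNERS` is an assumption standing in for the modules an analyst has already verified.

```python
"""Attribute the hooks GMER reports to the modules that own them.

Added example, not from the original post or from GMER. It parses GMER's
'SSDT' and '.text' lines, groups hooked symbols by owning module, and lists
the hooks that need a closer look. Sample lines are copied from the log above;
KNOWN_OWNERS is an assumption (modules the analyst has already vetted).
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set

# Sample input: lines copied from the GMER log posted above.
SAMPLE_GMER = r"""
SSDT 85BA6D58 ZwAlertResumeThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwCreateKey
SSDT 8595E178 ZwOpenProcessToken
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwSetValueKey
.text C:\Program Files\Internet Explorer\iexplore.exe[2700] kernel32.dll!VirtualProtect + 1C 7C801AF0 7 Bytes JMP 05350034
.text C:\Program Files\Internet Explorer\iexplore.exe[2700] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 01CD2648 c:\windows\system32\welatili.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2700] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 42F0F341 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2700] USER32.dll!SetWindowLongA 7E42C29D 5 Bytes JMP 430A197A C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2700] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 053501C4
.text C:\Program Files\Internet Explorer\iexplore.exe[2700] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 01CD2C73 c:\windows\system32\welatili.dll
"""


class Hook(NamedTuple):
    kind: str      # 'SSDT' (kernel) or 'inline' (user mode)
    process: str   # hooked process image, '' for kernel hooks
    symbol: str    # 'ZwCreateKey' or 'kernel32.dll!ExitProcess'
    owner: str     # lower-case file name GMER attributed the hook to, '' if none


# "SSDT <owner> <function>": owner is either a driver path or a bare hex address.
SSDT_RE = re.compile(r'^SSDT\s+(?P<owner>\S+)\s+(?P<fn>\w+)\s*$')
# ".text <process>[pid] <module>!<api> [+ off] <addr> <n> Bytes JMP <target> [<owner path>]"
INLINE_RE = re.compile(
    r'^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<mod>\S+)!(?P<api>\S+)'
    r'(?:\s+\+\s+[0-9A-Fa-f]+)?\s+[0-9A-Fa-f]+\s+\d+\s+Bytes\s+JMP\s+[0-9A-Fa-f]+'
    r'(?:\s+(?P<owner>\S.*?))?\s*$')
HEX_RE = re.compile(r'^[0-9A-Fa-f]{8}$')


def basename(path: str) -> str:
    return path.rsplit('\\', 1)[-1].lower()


def parse_gmer(text: str) -> List[Hook]:
    """Turn GMER's SSDT and .text lines into Hook records; other lines are ignored."""
    hooks: List[Hook] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SSDT_RE.match(line)
        if m:
            # A bare address means GMER found no loaded driver covering the target.
            owner = '' if HEX_RE.match(m['owner']) else basename(m['owner'])
            hooks.append(Hook('SSDT', '', m['fn'], owner))
            continue
        m = INLINE_RE.match(line)
        if m:
            owner = basename(m['owner']) if m['owner'] else ''
            hooks.append(Hook('inline', basename(m['proc']), f"{m['mod']}!{m['api']}", owner))
    return hooks


def hooks_by_owner(hooks: List[Hook]) -> Dict[str, List[str]]:
    """Group hooked symbols by owning module; '<unattributed>' collects hooks whose
    target GMER could not map to any module (injected code, a heap stub, ...)."""
    grouped: Dict[str, List[str]] = defaultdict(list)
    for h in hooks:
        grouped[h.owner or '<unattributed>'].append(h.symbol)
    return {owner: sorted(syms) for owner, syms in grouped.items()}


# Assumption: modules the analyst has already vetted as legitimate hook sources
# (here a security vendor's driver and the browser's own frame DLL).
KNOWN_OWNERS: Set[str] = {'symevent.sys', 'ieframe.dll'}


def unexplained_hooks(hooks: List[Hook], known: Set[str] = KNOWN_OWNERS) -> List[Hook]:
    """Hooks that are unattributed or owned by a module not on the vetted list."""
    return [h for h in hooks if h.owner not in known]


if __name__ == '__main__':
    hooks = parse_gmer(SAMPLE_GMER)
    for owner, syms in hooks_by_owner(hooks).items():
        print(f'{owner}: {", ".join(syms)}')
    print('needs review:')
    for h in unexplained_hooks(hooks):
        print(f'  {h.kind:6} {h.process or "kernel":13} {h.symbol} -> {h.owner or "(no module)"}')
```

The grouping makes the picture in the log above explicit: the IEFRAME.dll hooks are Internet Explorer patching its own USER32 dialog calls, and the SYMEVENT.SYS SSDT entries belong to the installed security product, while the hooks on `WS2_32.dll!connect` and `kernel32.dll!ExitProcess` belong to a DLL that the DDS log already showed in four autostart locations, which is exactly what a search-redirecting browser hijack needs. The unattributed hooks are the ones to resolve next, either by checking the reporting tool's vendor list or by looking at what is mapped at those addresses.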

#11 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 27 March 2009 - 02:52 PM

Hello.

Run Combofix again this time the instructions are slightly different. Make sure you install Recovery Console.

Download and Run Combofix

Important: Before we start please disable any anti-virus programs or any real-time protection that is enabled.

Please refer to this page if you're unsure how.
  • Please follow the instructions for running Combofix from here
  • Please read the guide carefully and follow every instruction precisely and remember to install the Recovery Console first.
Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Download the appropriate Windows XP setup boot disk and drag it on Combofix like the image below:
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • After you successfully install the recovery console, you will see this window.
    Please select Yes.
  • Combofix will then run; when Combofix is finished, it will create a log for you. Please copy and paste that log in your next reply.
  • Please post that log on your next reply. (the log is located in C:\ComboFix.txt.)
Note: Please Do NOT mouseclick ComboFix's window while it's running because it may cause it to stall.

Post back with:
-Combofix log

With Regards,
Extremeboy

#12 Sizuper

  • Topic Starter
  • Members
  • 56 posts

Posted 27 March 2009 - 10:50 PM

Hello again,

Unfortunately now Combofix won't run. It opens the blue window with the C: in the upper-left corner of the bar on top, but just sits there without initiating. Tried leaving it open for a long time, tried closing the window & re-starting Combofix, tried deleting and downloading from another one of the sites you linked and installing/running the new exe - but nothing works. It always opens the blue window with the flashing cursor at the top and does nothing. I am following the instructions but could there be something I am missing?

The first time I tried to run it, it gave an error message that I had an incompatible OS (even though I have XP), but in a few seconds opened the blue window anyway. This happened the first time I tried to run it before, when it successfully ran and deleted a bunch of files and completed 50 stages before stalling out and giving me what I surmise was an incomplete log.

Thanks,
--Sizuper

#13 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 28 March 2009 - 11:40 AM

Hello.

Could you first post back with the quarantine log for me. It can be found at the Qoobox folder.

C:\Qoobox <-This folder.

In that folder you should see a text document called "ComboFix-quarantined-files.txt". Please post back the contents of that log in your next reply for me.

Thanks.

With Regards,
Extremeboy

#14 Sizuper

  • Topic Starter
  • Members
  • 56 posts

Posted 28 March 2009 - 05:34 PM

Hello Extremeboy,

The bad news is that there is no "ComboFix-quarantined-files.txt" file in my Qoobox folder. I searched every sub-folder and the only txt file in my Qoobox folder is "catchme", which appears to just record all the runs or attempts to run Combofix.

The GOOD news is that through repeated tries, Combofix finally ran through to completion, rebooting itself and creating a new log file. The only way I could get it to run is to decline the option of DLg & installing the Recovery Console (I've tried to find it online to download and install manually, but can't find it anywhere). At least I think it finished. It never closed itself or gave me a message that the log file was done, but it had a new log file created so after a while, I closed the Combofix window and copied the log file contents (I checked after Combofix ran through but there still is no quarantined file in my Qoobox folder). Here's the contents of the Combofix log:

************************************************************************************************

ComboFix 09-03-26.03 - Owner 2009-03-28 17:53:53.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.478.96 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Outdated)
FW: Norton Internet Security *enabled*

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\erejelus.ini
.
---- Previous Run -------
.
C:\DOCUME~1\Owner\LOCALS~1\Temp\mousehook.dll
C:\DOCUME~1\Owner\LOCALS~1\Temp\ntdll64.dll
C:\Documents and Settings\Owner\Application Data\inst.exe
C:\WINDOWS\system32\1000.exe
C:\WINDOWS\system32\998.exe
C:\WINDOWS\system32\acfhom.dll
C:\WINDOWS\system32\aglsef.dll
C:\WINDOWS\system32\anayuzaj.ini
C:\WINDOWS\system32\apmcmj.dll
C:\WINDOWS\system32\bedihidu.dll
C:\WINDOWS\system32\bozoyipo.dll
C:\WINDOWS\system32\dimadadu.dll
C:\WINDOWS\system32\drivers\seneka.sys
C:\WINDOWS\system32\drivers\senekachtlkpex.sys
C:\WINDOWS\system32\erejelus.ini
C:\WINDOWS\system32\flkjde.dll
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\idiyiwel.ini
C:\WINDOWS\system32\ihasagof.ini
C:\WINDOWS\system32\ludotoja.dll
C:\WINDOWS\system32\mkfknp.dll
C:\WINDOWS\system32\nevigapi.dll
C:\WINDOWS\system32\nolomipu.dll
C:\WINDOWS\system32\opipimew.ini
C:\WINDOWS\system32\ppjkmd.dll
C:\WINDOWS\system32\prunnet.exe
C:\WINDOWS\system32\senekaeisenecr.dll
C:\WINDOWS\system32\senekaivfwbymx.dll
C:\WINDOWS\system32\senekasmcortfn.dll
C:\WINDOWS\system32\senekatdlkixdu.dat
C:\WINDOWS\system32\senekauwqcxgxn.dat
C:\WINDOWS\system32\uioeey.dll
C:\WINDOWS\system32\ujejejij.ini
C:\WINDOWS\system32\uniq.tll
C:\WINDOWS\system32\usudujam.ini
C:\WINDOWS\system32\win32hlp.cnf
C:\WINDOWS\system32\wvvwa.bak1
C:\WINDOWS\system32\wvvwa.bak2
C:\WINDOWS\system32\wvvwa.ini
C:\WINDOWS\system32\yizimife.dll
C:\WINDOWS\system32\zipowapu.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SENEKA


((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-28 )))))))))))))))))))))))))))))))
.

2009-03-26 20:06 . 2009-03-26 20:46 250 --a------ C:\WINDOWS\gmer.ini
2009-03-20 23:12 . 2009-03-20 23:12 2,713 ---hs---- C:\WINDOWS\system32\jevogigu.exe
2009-03-12 18:48 . 2009-03-12 19:03 36,864 --a------ C:\WINDOWS\system32\nDler.exe
2009-03-08 11:33 . 2009-03-08 11:40 <DIR> d-------- C:\Backup
2009-03-08 11:17 . 2009-03-08 11:17 <DIR> d-------- C:\Program Files\Cobian Backup 9

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-28 22:02 14,431 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2009-03-28 21:16 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2009-03-28 21:06 --------- d-----w C:\Program Files\Common Files\aolshare
2009-03-28 21:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2009-03-28 21:05 --------- d-----w C:\Program Files\Common Files\AOL
2009-03-28 21:05 --------- d-----w C:\Documents and Settings\Owner\Application Data\AOL
2009-03-28 21:01 --------- d-----w C:\Program Files\Spyware Doctor
2009-03-28 21:01 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2009-03-28 21:01 --------- d-----w C:\Program Files\QuickTime
2009-03-28 21:01 --------- d-----w C:\Program Files\Orbitdownloader
2009-03-28 21:01 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2009-03-28 21:01 --------- d-----w C:\Program Files\ImgBurn
2009-03-28 21:01 --------- d-----w C:\Program Files\HPQ
2009-03-28 21:01 --------- d-----w C:\Program Files\DivX
2009-03-28 21:01 --------- d-----w C:\Program Files\America Online 9.0
2009-03-12 23:48 84,992 --sha-w C:\WINDOWS\system32\welatili.dll
2009-03-12 23:48 79,872 --sha-w C:\WINDOWS\system32\sulejere.dll
2009-03-10 23:52 84,992 --sha-w C:\WINDOWS\system32\yijazowi.dll
2009-03-10 23:52 79,872 ------w C:\WINDOWS\system32\jijejeju.dll
2009-03-10 00:14 --------- d-----w C:\Documents and Settings\Owner\Application Data\Orbit
2009-03-09 02:47 84,992 --sha-w C:\WINDOWS\system32\datufobu.dll
2009-03-09 02:47 79,872 --sha-w C:\WINDOWS\system32\fogasahi.dll
2009-03-08 14:47 84,992 --sha-w C:\WINDOWS\system32\baborefe.dll
2009-03-08 14:47 79,872 ------w C:\WINDOWS\system32\lewiyidi.dll
2009-03-07 14:17 84,992 --sha-w C:\WINDOWS\system32\ruyutave.dll
2009-03-07 14:17 79,872 --sha-w C:\WINDOWS\system32\majudusu.dll
2009-03-06 23:41 84,992 --sha-w C:\WINDOWS\system32\mulumobu.dll
2009-03-06 23:41 79,872 --sha-w C:\WINDOWS\system32\wemipipo.dll
2009-03-06 01:29 84,992 --sha-w C:\WINDOWS\system32\bayopuge.dll
2009-02-19 17:03 579,464 ----a-w C:\WINDOWS\system32\SymNeti.dll
2009-02-19 17:03 207,240 ----a-w C:\WINDOWS\system32\SymRedir.dll
2009-02-19 16:31 96,560 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2009-02-19 16:31 9,844 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2009-02-19 16:31 41,008 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys
2009-02-19 16:31 38,576 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2009-02-19 16:31 37,424 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2009-02-19 16:31 31,280 ----a-w C:\WINDOWS\system32\drivers\SymIM.sys
2009-02-19 16:31 22,320 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2009-02-19 16:31 184,496 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2009-02-19 16:31 13,616 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2009-02-19 16:31 1,611 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2009-02-15 22:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2009-02-15 22:20 --------- d-----w C:\Program Files\Common Files\Deterministic Networks
2009-02-15 02:02 --------- d-----w C:\Documents and Settings\Owner\Application Data\Move Networks
2009-02-14 02:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2009-02-09 03:34 --------- d-----w C:\Documents and Settings\Owner\Application Data\ImgBurn
2009-02-09 03:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\SlySoft
2009-02-09 02:54 --------- d-----w C:\Program Files\SlySoft
2009-02-09 02:31 --------- d-----w C:\Program Files\MagicISO
2009-02-08 22:42 --------- d-----w C:\Program Files\PowerISO
2009-01-31 16:30 --------- d-----w C:\Program Files\DVD Shrink
2009-01-29 23:02 103,488 ----a-w C:\WINDOWS\system32\drivers\AnyDVD.sys
2009-01-29 22:57 23,976 ----a-w C:\WINDOWS\system32\drivers\ElbyCDIO.sys
2009-01-29 21:54 89,256 ----a-w C:\WINDOWS\system32\ElbyCDIO.dll
2009-01-17 02:35 3,594,752 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2009-01-13 01:11 60,808 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-12-30 00:52 16,202 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2008-06-24 17:02 47,360 ----a-w C:\Documents and Settings\Owner\Application Data\pcouffin.sys
2007-08-25 03:52 300,400 ----a-w C:\Program Files\mozilla firefox\components\coFFPlgn.dll
2006-05-03 09:06 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
1601-01-01 00:12 47,616 --sha-w C:\WINDOWS\system32\fobamito.dll
1601-01-01 00:12 47,616 --sha-w C:\WINDOWS\system32\jodozome.dll
2007-02-21 10:47 31,232 --sha-r C:\WINDOWS\system32\msfDX.dll
2008-12-07 19:03 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008120720081208\index.dat
.

Edited by Sizuper, 28 March 2009 - 05:41 PM.
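A defender-side triage parser for the "Find3M Report" section of a ComboFix log like the one posted above. This is an added example, not code from the thread or from ComboFix; the flagging rules (hidden+system attributes on a system32 file, a 1601 zero-FILETIME timestamp, an 8-lowercase-letter name) are my own heuristics for what to review, not anything ComboFix itself applies.

```python
import re

# Constructed sample in the ComboFix "Find3M Report" line format; the entries are
# copied from the log posted above so the heuristics run on realistic shapes.
SAMPLE_LOG = r"""
2009-03-12 23:48 84,992 --sha-w C:\WINDOWS\system32\welatili.dll
2009-02-19 17:03 579,464 ----a-w C:\WINDOWS\system32\SymNeti.dll
1601-01-01 00:12 47,616 --sha-w C:\WINDOWS\system32\fobamito.dll
2009-03-28 21:01 --------- d-----w C:\Program Files\QuickTime
2006-05-03 09:06 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
"""

# Find3M line layout: date time size attrs path (size is all dashes for directories)
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (\S+) (\S+) (.+)$")
# Heuristic (my assumption, not a ComboFix rule): eight lowercase letters plus .dll/.ini
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.(dll|ini)$")

def parse_find3m(text):
    """Parse Find3M lines into dicts; lines that do not match the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        day, clock, size, attrs, path = m.groups()
        entries.append({
            "date": day, "time": clock, "attrs": attrs, "path": path,
            "size": None if size.startswith("-") else int(size.replace(",", "")),
        })
    return entries

def triage_reasons(entry):
    """Return the reasons an entry deserves a closer look (empty list if none)."""
    attrs, path = entry["attrs"], entry["path"]
    if attrs.startswith("d"):          # directories carry no file-level signal here
        return []
    in_sys32 = "\\system32\\" in path.lower()
    name = path.rsplit("\\", 1)[-1]
    reasons = []
    if in_sys32 and "s" in attrs and "h" in attrs:
        reasons.append("hidden+system file in system32")
    if int(entry["date"][:4]) < 1980:  # 1601-01-01 is a zero FILETIME: tampered stamp
        reasons.append("implausible timestamp (zero FILETIME)")
    if in_sys32 and RANDOM_NAME_RE.match(name):
        reasons.append("random-looking 8-letter name (heuristic)")
    return reasons

def suspicious_entries(text):
    """Map path -> reasons for every flagged file in a Find3M report."""
    return {e["path"]: r for e in parse_find3m(text) if (r := triage_reasons(e))}
```

Legitimate hidden system files (codec DLLs, for instance) will also be flagged, so treat the output as a review list, not a verdict.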


#15 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 28 March 2009 - 05:45 PM

Hello.

There was a rootkit on your machine.

Backdoor Threat

IMPORTANT NOTE: Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If you want to continue do the steps below please.

Another incomplete Combofix log..........

Please do the following for me. Make sure you follow the steps I provided below. Do not miss a step.

Delete Combofix.exe you have on your desktop right now. Now follow the instructions below.

Download and Run ComboFix (Rename Before Saving)

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3


  • Once you have it saved on your desktop, close all open windows.
  • Save all documents or windows that are open because when running combofix you won't have an internet connection and everything will be closed.
  • Click on your Start Menu, then Run, In the run box type:
    "%userprofile%\desktop\combofix.exe" /killall
  • Allow Combofix to run, and select Run if prompted.
  • Combofix will now run.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouse-click combofix's window while it's running because it may cause it to stall.

Post back with the Combofix log once it's complete.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to [image link].
