Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Register a free account to unlock additional features at BleepingComputer.com

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News: Microsoft Launches AI Malware Prediction Competition with $25K Prize

Featured Deal: Get 98% off the 2018 CompTIA Certification Training Bundle: Lifetime Access Deal

Win32.Banker.FS Trojan.SpyAgent.DA

Started by gibogibo , Mar 17 2009 03:57 PM

This topic is locked

2 replies to this topic

#1 gibogibo

Members
1 posts
OFFLINE

Local time:03:03 PM

Posted 17 March 2009 - 03:57 PM

Hello. I am having serious problems with my laptop:

Unwanted browser window opening/redirecting
Many warning popups (not sure if any are legit)
Can not access CD/DVD drive, USB drives
Desktop background forced to unknown graphic and locked
Task Manager disabled (ctrl/alt/del)
Pop up indicates Win32.Banker.FS Trojan.SpyAgent.DA and others on system
Ran on-line Bit Defender - locked up at completion

Many access violation and system error and dll error popups
Intermittent wireless access
Critical kernal error pop up

Downloaded and ran AVG Free 8.5.

1st run: "Scan whole computer";"3/17/2009, 10:16 AM";"3/17/2009, 12:09 PM";"331968";"57/57";"0/0";"0/0";""

"C:\Documents and Settings\John\Local Settings\Temp\5_odb.exe";"Trojan horse FakeAlert.HY";"Moved to Virus Vault"
"C:\Documents and Settings\John\Local Settings\Temp\avto.exe";"Trojan horse SHeur2.WJA";"Moved to Virus Vault"
"C:\Documents and Settings\John\Local Settings\Temp\avto1.exe";"Trojan horse SHeur2.WJC";"Moved to Virus Vault"
"C:\Documents and Settings\John\Local Settings\Temp\avto2.exe";"Trojan horse SHeur2.WJB";"Moved to Virus Vault"
"C:\Documents and Settings\John\Local Settings\Temp\avto3.exe";"Trojan horse SHeur2.WJG";"Moved to Virus Vault"
"C:\Documents and Settings\John\Local Settings\Temp\avto4.exe";"Trojan horse FakeAlert.HY";"Moved to Virus Vault"
"C:\Documents and Settings\John\Local Settings\Temp\q1.exe";"Trojan horse FakeAlert.HY";"Moved to Virus Vault"
"C:\Documents and Settings\John\Local Settings\Temp\q2.exe";"Trojan horse FakeAlert.HY";"Moved to Virus Vault"
"C:\Documents and Settings\John\Local Settings\Temp\q3.exe";"Trojan horse FakeAlert.HY";"Moved to Virus Vault"
"C:\Documents and Settings\John\Local Settings\Temp\q4.exe";"Trojan horse FakeAlert.HY";"Moved to Virus Vault"
"C:\Documents and Settings\John\Local Settings\Temp\q5.exe";"Trojan horse FakeAlert.HY";"Moved to Virus Vault"
"C:\Documents and Settings\John\Local Settings\Temp\q6.exe";"Trojan horse FakeAlert.HY";"Moved to Virus Vault"
"C:\Documents and Settings\John\Local Settings\Temp\q7.exe";"Trojan horse FakeAlert.HY";"Moved to Virus Vault"
"C:\Documents and Settings\John\Local Settings\Temp\q8.exe";"Trojan horse FakeAlert.HY";"Moved to Virus Vault"
"C:\Documents and Settings\John\Local Settings\Temp\q9.exe";"Trojan horse FakeAlert.HY";"Moved to Virus Vault"
"C:\Documents and Settings\John\Local Settings\Temp\teste1_p.exe";"Trojan horse SHeur2.WJF";"Moved to Virus Vault"
"C:\Documents and Settings\John\Local Settings\Temp\teste2_p.exe";"Trojan horse SHeur2.WJH";"Moved to Virus Vault"
"C:\Documents and Settings\John\Local Settings\Temp\teste3_p.exe";"Trojan horse SHeur2.WJD";"Moved to Virus Vault"
"C:\Documents and Settings\John\Local Settings\Temp\teste4_p.exe";"Trojan horse SHeur2.WJE";"Moved to Virus Vault"
"C:\WINDOWS\odb.exe";"Trojan horse FakeAlert.HY";"Moved to Virus Vault"
"C:\WINDOWS\odb.exe";"Trojan horse FakeAlert.HY";"Moved to Virus Vault"
"C:\WINDOWS\odb.exe (3972)";"Trojan horse FakeAlert.HY";"Reboot is required to finish the action"
"C:\WINDOWS\runsql.exe";"Trojan horse SHeur2.WJE";"Moved to Virus Vault"
"C:\WINDOWS\runsql.exe";"Trojan horse SHeur2.WJE";"Moved to Virus Vault"
"C:\WINDOWS\runsql.exe";"Trojan horse SHeur2.WJE";"Moved to Virus Vault"
"C:\WINDOWS\svc.exe";"Trojan horse SHeur2.WJA";"Moved to Virus Vault"
"C:\WINDOWS\svc.exe";"Trojan horse SHeur2.WJA";"Moved to Virus Vault"
"C:\WINDOWS\runsql.exe (2808)";"Trojan horse SHeur2.WJE";"Reboot is required to finish the action"
"C:\WINDOWS\sv.exe";"Trojan horse SHeur2.WJD";"Moved to Virus Vault"
"C:\WINDOWS\sv.exe";"Trojan horse SHeur2.WJD";"Moved to Virus Vault"
"C:\WINDOWS\sv.exe";"Trojan horse SHeur2.WJD";"Moved to Virus Vault"
"C:\WINDOWS\svc.exe (2876)";"Trojan horse SHeur2.WJA";"Reboot is required to finish the action"
"C:\WINDOWS\sv.exe (2784)";"Trojan horse SHeur2.WJD";"Reboot is required to finish the action"
"C:\WINDOWS\svhoster.exe";"Trojan horse SHeur2.WJF";"Moved to Virus Vault"
"C:\WINDOWS\svhoster.exe";"Trojan horse SHeur2.WJF";"Moved to Virus Vault"
"C:\WINDOWS\svhoster.exe";"Trojan horse SHeur2.WJF";"Moved to Virus Vault"
"C:\WINDOWS\svhoster.exe (2792)";"Trojan horse SHeur2.WJF";"Reboot is required to finish the action"
"C:\WINDOWS\svw.exe";"Trojan horse SHeur2.WJC";"Moved to Virus Vault"
"C:\WINDOWS\svw.exe";"Trojan horse SHeur2.WJC";"Moved to Virus Vault"
"C:\WINDOWS\svw.exe (2900)";"Trojan horse SHeur2.WJC";"Reboot is required to finish the action"
"C:\WINDOWS\svx.exe";"Trojan horse SHeur2.WJB";"Moved to Virus Vault"
"C:\WINDOWS\svw.exe";"Trojan horse SHeur2.WJC";"Moved to Virus Vault"
"C:\WINDOWS\svx.exe";"Trojan horse SHeur2.WJB";"Moved to Virus Vault"
"C:\WINDOWS\svx.exe";"Trojan horse SHeur2.WJB";"Moved to Virus Vault"
"C:\WINDOWS\svx.exe (2884)";"Trojan horse SHeur2.WJB";"Reboot is required to finish the action"
"C:\WINDOWS\svzip.exe";"Trojan horse SHeur2.WJH";"Moved to Virus Vault"
"C:\WINDOWS\svzip.exe";"Trojan horse SHeur2.WJH";"Moved to Virus Vault"
"C:\WINDOWS\svzip.exe";"Trojan horse SHeur2.WJH";"Moved to Virus Vault"
"C:\WINDOWS\svzip.exe (2800)";"Trojan horse SHeur2.WJH";"Reboot is required to finish the action"
"C:\WINDOWS\vlc.exe";"Trojan horse FakeAlert.HY";"Moved to Virus Vault"
"C:\WINDOWS\vlc.exe";"Trojan horse FakeAlert.HY";"Moved to Virus Vault"
"C:\WINDOWS\wdmon.exe";"Trojan horse SHeur2.WJG";"Moved to Virus Vault"
"C:\WINDOWS\vlc.exe";"Trojan horse FakeAlert.HY";"Moved to Virus Vault"
"C:\WINDOWS\vlc.exe (2840)";"Trojan horse FakeAlert.HY";"Reboot is required to finish the action"
"C:\WINDOWS\wdmon.exe";"Trojan horse SHeur2.WJG";"Moved to Virus Vault"
"C:\WINDOWS\wdmon.exe";"Trojan horse SHeur2.WJG";"Moved to Virus Vault"
"C:\WINDOWS\wdmon.exe (2868)";"Trojan horse SHeur2.WJG";"Reboot is required to finish the action"

2nd Run: "Scheduled scan";"3/17/2009, 12:00 PM";"3/17/2009, 12:00 PM";"0";"14/14";"0/0";"0/0";"Scan log was repaired"

"C:\WINDOWS\runsql.exe";"Trojan horse SHeur2.WJE";"Moved to Virus Vault"
"C:\WINDOWS\runsql.exe (2808)";"Trojan horse SHeur2.WJE";"Reboot is required to finish the action"
"C:\WINDOWS\sv.exe";"Trojan horse SHeur2.WJD";"Moved to Virus Vault"
"C:\WINDOWS\sv.exe (2784)";"Trojan horse SHeur2.WJD";"Reboot is required to finish the action"
"C:\WINDOWS\svw.exe";"Trojan horse SHeur2.WJC";"Moved to Virus Vault"
"C:\WINDOWS\svzip.exe";"Trojan horse SHeur2.WJH";"Moved to Virus Vault"
"C:\WINDOWS\svw.exe (2900)";"Trojan horse SHeur2.WJC";"Reboot is required to finish the action"
"C:\WINDOWS\svzip.exe (2800)";"Trojan horse SHeur2.WJH";"Reboot is required to finish the action"
"C:\WINDOWS\svx.exe";"Trojan horse SHeur2.WJB";"Moved to Virus Vault"
"C:\WINDOWS\svx.exe (2884)";"Trojan horse SHeur2.WJB";"Reboot is required to finish the action"
"C:\WINDOWS\vlc.exe";"Trojan horse FakeAlert.HY";"Moved to Virus Vault"
"C:\WINDOWS\vlc.exe (2840)";"Trojan horse FakeAlert.HY";"Reboot is required to finish the action"
"C:\WINDOWS\wdmon.exe";"Trojan horse SHeur2.WJG";"Moved to Virus Vault"
"C:\WINDOWS\wdmon.exe (2868)";"Trojan horse SHeur2.WJG";"Reboot is required to finish the action"

"C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\773104ap.default\cookies.txt";"Found Tracking cookie.Sextracker";"Healed"
"C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\773104ap.default\cookies.txt:\adbrite.com.71beeff9";"Found Tracking cookie.Adbrite";"Moved to Virus Vault"
"C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\773104ap.default\cookies.txt:\adbrite.com.d5e309c2";"Found Tracking cookie.Adbrite";"Moved to Virus Vault"
"C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\773104ap.default\cookies.txt:\doubleclick.net.bf396750";"Found Tracking cookie.Doubleclick";"Moved to Virus Vault"
"C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\773104ap.default\cookies.txt:\fastclick.net.57e8da10";"Found Tracking cookie.Fastclick";"Moved to Virus Vault"
"C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\773104ap.default\cookies.txt:\fastclick.net.8a6435e9";"Found Tracking cookie.Fastclick";"Moved to Virus Vault"
"C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\773104ap.default\cookies.txt:\fastclick.net.c054072f";"Found Tracking cookie.Fastclick";"Moved to Virus Vault"
"C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\773104ap.default\cookies.txt:\fastclick.net.fac3d6f0";"Found Tracking cookie.Fastclick";"Moved to Virus Vault"
"C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\773104ap.default\cookies.txt:\sextracker.com.87622e37";"Found Tracking cookie.Sextracker";"Moved to Virus Vault"
"C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\773104ap.default\cookies.txt:\sextracker.com.dd8b56b5";"Found Tracking cookie.Sextracker";"Moved to Virus Vault"
"C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\773104ap.default\cookies.txt:\tribalfusion.com.dcc03271";"Found Tracking cookie.Tribalfusion";"Moved to Virus Vault"

3rd RUN (set on Slow): "Scan whole computer";"3/17/2009, 12:41 PM";"3/17/2009, 2:56 PM";"332757";"1/1";"0/0";"0/0";""

"C:\WINDOWS\Temp\5_odb.exe";"Trojan horse FakeAlert.HY";"Moved to Virus Vault"

All problems listed above still exist.

DDS.TXT

DDS (Ver_09-03-16.01) - NTFSx86
Run by John at 16:25:02.34 on Tue 03/17/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.40 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\UAService7.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ctfmon.exe
C:\WINDOWS\servicelayer.exe
C:\Program Files\Messenger\MSMSGS.EXE
svchost.exe "C:\WINDOWS\system32\12520850x.exe"
C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AVG\AVG8\aAvgApi.exe
C:\WINDOWS\TEMP\C.tmp
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\John\Desktop\dds.scr
C:\WINDOWS\System32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.hp.com/
mDefault_Page_URL = hxxp://www.hp.com
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\ntos.exe,
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {539338c9-5480-4c1d-affe-271357e25ff0} - c:\windows\system32\wewefove.dll
BHO: {49ad77c5-d7a1-75f9-9954-1f2070b17387}: {78371b07-02f1-4599-9f57-1a7d5c77da94} - c:\windows\system32\ctdhdo.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [BackupNotify] c:\program files\hp\digital imaging\bin\backupnotify.exe
uRun: [MSMSGS] "c:\program files\messenger\MSMSGS.EXE" /background
uRun: [Creative Live! Cam Manager] "c:\program files\creative\creative live! cam\live! cam manager\CTLCMgr.exe"
uRun: [UpdateWin] c:\windows\system32\12520850x.exe
uRun: [userinit] c:\windows\system32\ntos.exe
uRunServices: [UpdateWin] c:\windows\system32\12520850x.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [SunJavaUpdateSched] c:\program files\java\j2re1.4.2_03\bin\jusched.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVFX Engine] c:\program files\creative\creative live! cam\videofx\StartFX.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Ktiyitivumejabiv] rundll32.exe "c:\windows\Wpitimu.dll",e
mRun: [UpdateWin] c:\windows\system32\12520850x.exe
mRun: [yewopubeke] Rundll32.exe "c:\windows\system32\popiwoba.dll",s
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [CPM4ff4e647] Rundll32.exe "c:\windows\system32\pufajahe.dll",a
mRun: [4cc7d5db] rundll32.exe "c:\windows\system32\gohifodi.dll",b
mRun: [ctfmon] c:\windows\ctfmon.exe
mRun: [servicelayer] c:\windows\servicelayer.exe
mRunServices: [UpdateWin] c:\windows\system32\12520850x.exe
dRun: [userinit] c:\windows\system32\ntos.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bttray.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: DisableRegistryTools = 1 (0x1)
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: c:\windows\system32\wifufulu.dll ctdhdo.dll c:\windows\system32\pufajahe.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\pufajahe.dll
STS: IPC Configuration Utility - No File
STS: Windows Installer Class: {020487cc-fc04-4b1e-863f-d9801796230b} - c:\docume~1\john\locals~1\temp\wndutl32.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\pufajahe.dll
LSA: Notification Packages = scecli c:\windows\system32\wifufulu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\john\applic~1\mozilla\firefox\profiles\pegf3iy5.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPOJI610.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-3-18 325640]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-3-18 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-3-18 107912]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-3-18 298264]
R3 WBSD;Winbond Secure Digital Storage (SD/MMC) Device Driver;c:\windows\system32\drivers\wbsd.sys [2007-9-12 27008]
S2 40C0CA64;40C0CA64;c:\windows\system32\91cd3028.exe -k --> c:\windows\system32\91CD3028.EXE -k [?]
S2 C0A7F5A8;C0A7F5A8;c:\windows\system32\2af98820.exe -k --> c:\windows\system32\2AF98820.EXE -k [?]

=============== Created Last 30 ================

2009-03-17 12:25 282,112 a------- c:\windows\servicelayer.exe
2009-03-17 12:25 280,064 a------- c:\windows\ctfmon.exe
2009-03-17 10:14 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-03-17 10:13 1,718,174 ---sh--- c:\windows\system32\idofihog.ini
2009-03-17 10:12 123,392 a--sh--- c:\windows\system32\ctdhdo.dll

==================== Find3M ====================

2009-03-17 10:12 86,016 a--sh--- c:\windows\system32\pufajahe.dll
2009-03-17 10:12 123,392 a--sh--- c:\windows\system32\wudepuve.dll
2009-03-17 10:12 80,896 a--sh--- c:\windows\system32\gohifodi.dll
2007-11-18 10:15 1,648 a------- c:\program files\eVideoShare.lnk
2008-03-17 18:45 41,984 ---shr-- c:\windows\system32\12520850x.exe
2008-03-18 07:55 86,016 a--sh--- c:\windows\system32\divimuvo.dll
2008-03-17 19:54 122,880 a--sh--- c:\windows\system32\donojawi.dll
2008-03-18 07:55 122,880 a--sh--- c:\windows\system32\jaditibi.dll
2008-03-18 07:55 122,880 a--sh--- c:\windows\system32\mbfvpp.dll
2008-03-17 19:54 86,528 a--sh--- c:\windows\system32\mebarepo.dll
2008-03-18 07:55 80,896 a--sh--- c:\windows\system32\nefavega.dll
2008-03-17 19:54 122,880 a--sh--- c:\windows\system32\stxnft.dll
0000-00-00 00:00 48,640 a--sh--- c:\windows\system32\wewefove.dll
0000-00-00 00:00 48,640 a--sh--- c:\windows\system32\wifufulu.dll

============= FINISH: 16:27:20.42 ===============

I also have attached the Attach.txt log zipped if needed.

Thanks for any assistance in advance, this one is CRAZY!

John

Attached Files

Attach.zip 2.62KB 1 downloads

Back to top

BC AdBot (Login to Remove)

BleepingComputer.com
Register to remove ads

#2 JSntgRvr

Master Surgeon General

Malware Response Team
11,946 posts
OFFLINE

Gender:Male
Location:Puerto Rico
Local time:04:03 PM

Posted 17 March 2009 - 08:58 PM

Hi, gibogibo :thumbup2:

Welcome.

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediatly.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

Please, never rename Combofix unless instructed.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  
  -----------------------------------------------------------
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on combofix.exe & follow the prompts.
If you receive a message that Combofix has detected the presence of rootkit activity and needs to reboot, kindly write down on paper the list of files present in the message before continuing, and post it in your next reply.
Install the Recovery Console upon request.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!

Back to top

#3 JSntgRvr

Master Surgeon General

Malware Response Team
11,946 posts
OFFLINE

Gender:Male
Location:Puerto Rico
Local time:04:03 PM

Posted 25 March 2009 - 11:38 PM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!