Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Unknown Virus/Spyware/Hijacker

  • This topic is locked This topic is locked
4 replies to this topic

#1 JP Balzen

JP Balzen

  • Members
  • 2 posts
  • Local time:01:41 AM

Posted 31 March 2009 - 01:25 PM

I'm working on my mom's computer, and I've run two different antivirus scans, plus AdAware, and I still haven't been able to completely clean her computer. I don't know what virus(es) remain, but there's something still on her computer. I've run bitdefender online and housecall online as I cannot install an AV software due to whatever bug she has. I know it is still infected because when I launch IE and type in a web address, mulitple IE windows open up going to various different websites. Attached are the DDS logs.

DDS (Ver_09-03-16.01) - NTFSx86
Run by Owner at 13:13:59.21 on Tue 03/31/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.959.431 [GMT -5:00]

============== Running Processes ===============

C:\windows\system32\svchost -k DcomLaunch
C:\windows\System32\svchost.exe -k netsvcs
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\AOL\1192735984\ee\AOLSoftware.exe
C:\Program Files\Lexmark 7300 Series\lxcimon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\AOL 9.1\waol.exe
C:\Program Files\AOL 9.1\shellmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page =
uSearch Bar =
uURLSearchHooks: AOL Radio Toolbar Search Class: {69224684-5682-419b-9fe4-ef7946ee3319} - c:\program files\aol radio toolbar\aolradiotb.dll
mURLSearchHooks: AOL Radio Toolbar Search Class: {69224684-5682-419b-9fe4-ef7946ee3319} - c:\program files\aol radio toolbar\aolradiotb.dll
BHO: Gamevance: {0ed403e8-470a-4a8a-85a4-d7688cfe39a3} - Gamevance
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AOL Radio Toolbar Loader: {2abdb2f7-4cbf-4939-ba12-fddc827b6a2d} - c:\program files\aol radio toolbar\aolradiotb.dll
BHO: {554858aa-90b6-40ab-aa5f-367b6daf520c} - c:\windows\system32\gagoyelo.dll
BHO: ALOT Toolbar: {5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} - c:\program files\alot\bin\alot.dll
BHO: {46f28b62-df36-47eb-55c4-bb2274996e0d}: {d0e69947-22bb-4c55-be74-63fd26b82f64} - c:\windows\system32\duuscw.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: ALOT Toolbar: {5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} - c:\program files\alot\bin\alot.dll
TB: AOL Radio Toolbar: {9167da98-6f9b-46f1-991d-826cae46cab6} - c:\program files\aol radio toolbar\aolradiotb.dll
TB: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No File
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
TB: Ask Toolbar: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} -
EB: AT&&T Yahoo! Sidebar: {51085e3d-a958-42a2-a6be-a6a9b0baf276} - c:\program files\yahoo!\browser\ysidebarIE.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DriverCure] c:\program files\paretologic\drivercure\DriverCure.exe -scan
uRun: [reader_s] c:\documents and settings\owner\reader_s.exe
uRun: [AOL Fast Start] "c:\program files\aol 9.1\AOL.EXE" -b
mRun: [HostManager] c:\program files\common files\aol\1192735984\ee\AOLSoftware.exe
mRun: [lxcimon.exe] "c:\program files\lexmark 7300 series\lxcimon.exe"
mRun: [reader_s] c:\windows\system32\reader_s.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [Svelizewug] rundll32.exe "c:\windows\eqadiwoxewofes.dll",e
mRun: [Wbagazay] rundll32.exe "c:\windows\Cpereqalu.dll",e
mRun: [yoyawegeka] Rundll32.exe "c:\windows\system32\hahinetu.dll",s
mRun: [LXCICATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCItime.dll,_RunDLLEntry@16
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [CPM1fcadf7a] Rundll32.exe "c:\windows\system32\rumerubo.dll",a
mRun: [1cf9ece6] rundll32.exe "c:\windows\system32\guyewijo.dll",b
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\kodaks~1.lnk - c:\program files\kodak\kodak software updater\7288971\program\Kodak Software Updater.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\sbcsel~1.lnk - c:\program files\sbc self support tool\bin\matcli.exe
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
IE: &AOL Radio Toolbar Search - c:\documents and settings\all users\application data\aol radio toolbar\ietoolbar\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Aces Up! by pogo - hxxp://game3.pogo.com/v/
DPF: Alibaba Slots - hxxp://game3.pogo.com/v/
DPF: Jungle Gin by pogo - hxxp://game3.pogo.com/v/
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/MyFunCardsInitialSetup1.0.1.1.cab
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} - hxxp://www.worldwinner.com/games/v63/bjattack/bja.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\rumerubo.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\rumerubo.dll
SEH: {88B68482-AE05-47F5-8FED-8925E4290C4B} - No File
LSA: Authentication Packages = msv1_0 c:\windows\system32\tuvTmMgg
LSA: Notification Packages = cli c:\windows\system32\tipenehe.dll

============= SERVICES / DRIVERS ===============

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-19 951632]
R2 lxci_device;lxci_device;c:\windows\system32\lxcicoms.exe -service --> c:\windows\system32\lxcicoms.exe -service [?]
S3 botdrv;botdrv;\??\c:\windows\system32\driver.sys --> c:\windows\system32\driver.sys [?]
S3 restore;restore;\??\c:\windows\system32\drivers\restore.sys --> c:\windows\system32\drivers\restore.sys [?]

=============== Created Last 30 ================

2009-03-31 07:45 <DIR> --d----- c:\program files\Trend Micro
2009-03-31 06:14 2,510,541 ---sh--- c:\windows\system32\ojiweyug.ini
2009-03-30 18:45 <DIR> --d----- c:\docume~1\owner\applic~1\HouseCall 6.6
2009-03-30 18:13 2,510,792 ---sh--- c:\windows\system32\iwirudew.ini
2009-03-30 06:12 3,292,988 ---sh--- c:\windows\system32\ukavatal.ini
2009-03-29 18:12 122 ---sh--- c:\windows\system32\ubuyimeh.ini
2009-03-29 13:20 15,688 a------- c:\windows\system32\lsdelete.exe
2009-03-29 11:43 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{2BAE6915-8510-4B9F-B498-02DA86258AA0}
2009-03-29 11:43 <DIR> --d----- c:\program files\Lavasoft
2009-03-29 10:59 <DIR> --d----- C:\ComboFix
2009-03-29 10:59 388,608 a------- c:\windows\system32\CF6264.exe
2009-03-29 06:12 3,290,746 ---sh--- c:\windows\system32\ibejosok.ini
2009-03-27 18:12 3,290,724 ---sh--- c:\windows\system32\ogilehom.ini
2009-03-27 06:12 3,291,045 ---sh--- c:\windows\system32\anisebal.ini
2009-03-26 05:21 3,291,358 ---sh--- c:\windows\system32\inuhurij.ini
2009-03-26 05:21 140,288 a------- c:\windows\system32\duuscw.dll
2009-03-25 17:28 134,144 a------- c:\windows\eqadiwoxewofes.dll
2009-03-25 17:04 8,704 a------- C:\gosfrwtt.exe
2009-03-25 17:04 40,448 a------- c:\windows\Cpereqalu.dll
2009-03-25 17:04 10,240 a------- C:\stjr.exe
2009-03-25 17:04 40,448 a------- C:\qurdchd.exe
2009-03-25 17:04 10,240 a------- c:\windows\instsp2.exe
2009-03-25 05:04 3,281,591 ---sh--- c:\windows\system32\adiveyev.ini
2009-03-24 17:04 3,281,568 ---sh--- c:\windows\system32\ugamuwir.ini
2009-03-24 16:16 <DIR> --d----- c:\program files\att-prt22
2009-03-24 16:15 <DIR> --d----- c:\program files\ATT-PRT22-WISE
2009-03-24 14:21 <DIR> --d----- C:\Install iTunes
2009-03-24 14:21 <DIR> --d----- C:\Install ICQ
2009-03-24 14:21 <DIR> --d----- C:\AOL Instant Messenger
2009-03-24 14:21 <DIR> --d----- C:\MAV
2009-03-24 14:19 <DIR> --d----- c:\program files\America Online 9.0a

==================== Find3M ====================

2009-03-31 06:13 103,936 a--sh--- c:\windows\system32\rumerubo.dll
2009-03-31 06:13 99,840 a--sh--- c:\windows\system32\guyewijo.dll
2009-03-31 06:13 61,440 a--sh--- c:\windows\system32\dotewawa.exe
2009-03-30 18:13 103,936 a--sh--- c:\windows\system32\gugasara.dll
2009-03-30 18:13 99,840 a--sh--- c:\windows\system32\weduriwi.dll
2009-03-30 18:13 61,440 a--sh--- c:\windows\system32\vadihihe.exe
2009-03-30 06:12 61,440 a--sh--- c:\windows\system32\juretasu.exe
2009-03-29 18:12 61,440 a--sh--- c:\windows\system32\gepesiso.exe
2009-03-29 06:12 61,440 a--sh--- c:\windows\system32\jinojovi.exe
2009-03-27 18:12 61,440 a--sh--- c:\windows\system32\dineloku.exe
2009-03-27 08:13 22,684 a------- c:\docume~1\owner\applic~1\wklnhst.dat
2009-03-27 06:12 61,440 a--sh--- c:\windows\system32\hobavana.exe
2009-03-25 17:16 182,912 a------- c:\windows\system32\drivers\ndis.sys
2009-03-25 17:04 14,336 a------- c:\windows\system32\svchost.exe
2009-03-25 17:04 99,840 a--sh--- c:\windows\system32\danayipi.dll
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2008-04-27 11:06 774,144 a------- c:\program files\RngInterstitial.dll
2006-07-22 16:50 66,520 a------- c:\docume~1\owner\applic~1\GDIPFONTCACHEV1.DAT
0000-00-00 00:00 72,950 a--sh--- c:\windows\system32\gagoyelo.dll
2008-08-27 13:56 700,866 a--sh--- c:\windows\system32\ggMmTvut.ini2
0000-00-00 00:00 72,950 a--sh--- c:\windows\system32\hahinetu.dll
0000-00-00 00:00 72,950 a--sh--- c:\windows\system32\tipenehe.dll
2008-09-05 15:34 10,240 a--sh--- c:\windows\system32\vidajadu.dll

============= FINISH: 13:15:42.51 ===============

Attached Files

BC AdBot (Login to Remove)


#2 SifuMike


    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:41 PM

Posted 01 April 2009 - 04:41 PM

Hello JP Balzen,

I have some very bad news for you. :thumbup2:

Your System is infected with Virut!!
Virut is a file infecting virus which is able to modify itself each and every time it runs. In addition, when it infects, sometimes it will destroy the file it tries to latch onto.
For these reasons, you really can't truly fix Virut. You will need to format/reinstall the operating system on this machine.

More information:

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus.


W32/Virut.h is a polymorphic, entry point obscuring (EPO) file infector with IRC bot functionality. It can accept commands to download other malware on the compromised machine.
It appends to the end of the last section of executable (PE) files an encrypted copy of its code. The decryptor is polymorphic and can be located either:
Immediately before the encrypted code at the end of the last section
At the end of the code section of the infected host in 'slack-space' (assuming there is any)
At the original entry point of the host (overwriting the original host code)

Miekiemoes, an expert  for malware removal, and an MS-MVP, additionally has a blog post about Virut.

I suggest you to start backup all of your valuable data/documents/pictures/movies/songs/etc..
Do NOT backup any applications/installers and Do NOT backup any .exe/.scr/.htm/.html/.xml/.zip/.rar files...
This because these files may be infected as well. If you back them up and replace them afterwards, it will infect your computer again.

Read here for instructions how to format and reinstall Windows

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 JP Balzen

JP Balzen
  • Topic Starter

  • Members
  • 2 posts
  • Local time:01:41 AM

Posted 03 April 2009 - 12:13 AM

Thanks for confirming my original suspicions. This is my mother's computer, and when I got here from out of state, I found no virus protection, no spyware/malware protection, and too many problems to mention. I'm gathering up her driver cd's to format and reinstall now.

#4 SifuMike


    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:41 PM

Posted 03 April 2009 - 12:40 AM

Hi JP Balzen,

Sorry to give you and your Mom such bad news. I know how much work it is to reformat and reload, so I only recommend it when there is no other way. I hate it when the bad guys win. :thumbup2:
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 SifuMike


    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:41 PM

Posted 11 April 2009 - 04:15 PM

Since your problem appears to be resolved, this thread will now be closed.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users