
Laptop Hit: Please Help Diagnose - Cannot even run Kaspersky


  • This topic is locked
43 replies to this topic

#1 Gecko.

Gecko.

  • Members
  • 55 posts
  • OFFLINE
  • Local time:10:04 PM

Posted 05 April 2009 - 06:42 AM

Son's laptop was hit by a bunch of stuff. Cannot even run Kaspersky online to see what it is. Get tons of popups and desktop wallpaper says "active desktop recover". Also get blue screen and it takes a couple of tries to boot the unit up. Oh, and whatever it is, it has also disabled Windows Update and won't allow me to go back to a restore point.


DDS (Ver_09-03-16.01) - NTFSx86
Run by Ty at 21:54:57.46 on Sat 04/04/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.36 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall Plus *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\inf\rundll33.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Dell Support Center\gs_agent\dsc.exe
C:\Documents and Settings\Ty\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\twext.exe,
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: McAfee AntiPhishing Filter: {41d68ed8-4cff-4115-88a6-6ebb8af19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
BHO: {44f138fa-14d7-4e31-804a-3865ce3531eb} - c:\windows\system32\tejonubo.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Google plugin: {684ee1db-cd52-4ca9-9ccf-93d5f6b419ba} - kjsvc32.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {77ab5974-55a3-4737-9fd5-b93c64307f78} - c:\windows\system32\adgfmsna.dll
BHO: {b92c2622-f747-4bde-a6db-f8d0376afedd} - c:\windows\system32\efcbaBUN.dll
BHO: {FD6920B7-514B-4A55-AA60-4D88AA136438} - No File
TB: McAfee VirusScan: {ba52b914-b692-46c4-b683-905236f6f655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [MimBoot] c:\progra~1\musicm~1\musicm~3\mimboot.exe
mRun: [VSOCheckTask] "c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
mRun: [OASClnt] c:\program files\mcafee.com\vso\oasclnt.exe
mRun: [MCAgentExe] c:\progra~1\mcafee.com\agent\mcagent.exe
mRun: [MSKDetectorExe] c:\progra~1\mcafee\spamki~1\MSKDetct.exe /startup
mRun: [MSKAGENTEXE] c:\progra~1\mcafee\spamki~1\MskAgent.exe
mRun: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
mRun: [MPFExe] c:\progra~1\mcafee.com\person~1\MpfTray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\McUpdate.exe
mRun: [doyewiwiwi] Rundll32.exe "c:\windows\system32\vubuvuha.dll",s
mRun: [d41bb80d] rundll32.exe "c:\windows\system32\sohafafe.dll",b
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [Java S1] \\?\globalroot\systemroot\system32\mschr.exe
dRun: [A00FE57A1.exe] c:\windows\temp\_A00FE57A1.exe
mExplorerRun: [cJlyDCRIfV] c:\windows\yrsfafgp.exe
mExplorerRun: [kvflBCRIfV] c:\docume~1\ty\locals~1\temp\wJQs.exe
mExplorerRun: [xccinit] c:\windows\system32\inf\rundll33.exe c:\windows\xccdf16_090131a.dll xccd16
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
uPolicies-system: RunStartupScriptSync = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: RunStartupScriptSync = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: imdds.dll
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
Trusted Zone: musicmatch.com\online
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxdev.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
Notify: __c00C8E11 - c:\windows\system32\__c00C8E11.dat
AppInit_DLLs: c:\windows\system32\sapoviri.dll dxsvdn.dll uvxplu.dll kbekkn.dll fzucnz.dll tllegt.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\efcbaBUN
LSA: Notification Packages = scecli c:\windows\system32\sapoviri.dll

============= SERVICES / DRIVERS ===============

R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
R2 McDetect.exe;McAfee WSC Integration;c:\program files\mcafee.com\agent\Mcdetect.exe [2005-12-8 126976]
R2 McTskshd.exe;McAfee Task Scheduler;c:\progra~1\mcafee.com\agent\mctskshd.exe [2005-12-8 122368]
S3 McShield;McAfee.com McShield;c:\progra~1\mcafee.com\vso\mcshield.exe [2005-12-8 221184]
S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe [2005-12-8 245760]
S3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2005-12-8 114464]

=============== Created Last 30 ================

2009-04-04 18:33 1,422,290 ---sh--- c:\windows\system32\orotufiz.ini
2009-04-01 22:44 1,418,069 ---sh--- c:\windows\system32\ososikog.ini
2009-03-26 22:46 3,290,617 ---sh--- c:\windows\system32\ulifahom.ini
2009-03-26 09:44 3,290,854 ---sh--- c:\windows\system32\umezimiv.ini
2009-03-26 09:43 124,928 a--sh--- c:\windows\system32\tllegt.dll
2009-03-25 21:43 3,291,351 ---sh--- c:\windows\system32\efafahos.ini
2009-03-25 21:43 124,928 a--sh--- c:\windows\system32\fzucnz.dll
2009-03-22 19:16 221 a------- C:\xcrashdump.dat
2009-03-22 13:27 24,576 a------- c:\windows\system32\__c00C8E11.dat
2009-03-22 13:27 35,840 a------- c:\windows\system32\gldx.exe
2009-03-19 21:47 1,797,423 ---sh--- c:\windows\system32\ofememeh.ini
2009-03-19 21:47 124,928 a--sh--- c:\windows\system32\kbekkn.dll
2009-03-18 13:32 40,448 a------- c:\windows\system32\KuzSmall.exe
2009-03-18 13:17 42,496 a------- c:\windows\system32\kuzSniper.exe
2009-03-18 13:02 75,264 a------- c:\windows\system32\MPh.exe
2009-03-18 12:26 1,784,637 ---sh--- c:\windows\system32\ivetowuk.ini
2009-03-18 12:25 124,928 a--sh--- c:\windows\system32\uvxplu.dll
2009-03-17 13:09 1,740,557 ---sh--- c:\windows\system32\eteramor.ini
2009-03-17 13:08 124,928 a--sh--- c:\windows\system32\dxsvdn.dll
2009-03-17 13:03 47,616 a------- c:\windows\system32\ptch238120.exe
2009-03-16 22:40 251,392 a------- c:\windows\xccdf32_090131a.dll
2009-03-12 22:43 456,734 a------- c:\windows\system32\mschr.exe
2009-03-12 22:43 36,864 a------- c:\windows\system32\nDler.exe
2009-03-06 19:14 1 a------- c:\windows\system32\tb.dr
2009-03-06 19:13 1 a------- c:\windows\system32\rc.dat
2009-03-06 19:13 1 a------- c:\windows\system32\ps1.dat
2009-03-06 19:13 1 a------- c:\windows\system32\cs.dat
2009-03-06 19:13 1 a------- c:\windows\system32\cookie1.dat
2009-03-06 18:47 44,032 a------- c:\windows\system32\kjsvc32.dll

==================== Find3M ====================

2009-04-01 23:23 44,770 a------- c:\docume~1\ty\applic~1\wklnhst.dat
2009-04-01 22:06 36,352 a------- c:\windows\xccdf16_090131a.dll
2009-03-27 11:16 79,872 a--sh--- c:\windows\system32\guporobe.dll
2009-03-26 21:46 79,872 a--sh--- c:\windows\system32\piralume.dll
2009-03-26 09:43 124,928 a--sh--- c:\windows\system32\dipitiwo.dll
2009-03-25 21:43 124,928 a--sh--- c:\windows\system32\giviminu.dll
2009-03-25 00:43 79,872 a--sh--- c:\windows\system32\vonatahi.dll
2009-03-24 12:44 79,872 a--sh--- c:\windows\system32\misahavu.dll
2009-03-24 11:35 79,872 a--sh--- c:\windows\system32\jetehufi.dll
2009-03-23 12:33 124,928 a--sh--- c:\windows\system32\wulemake.dll
2009-03-22 13:47 79,872 a--sh--- c:\windows\system32\zavuzogo.dll
2009-03-22 12:48 79,872 a--sh--- c:\windows\system32\nuwuzeku.dll
2009-03-20 12:20 79,872 a--sh--- c:\windows\system32\suwuwuha.dll
2009-03-19 21:47 124,928 a--sh--- c:\windows\system32\puyekari.dll
2009-03-19 00:25 79,872 a--sh--- c:\windows\system32\jakegetu.dll
2009-03-18 12:25 124,928 a--sh--- c:\windows\system32\wiludubu.dll
2009-03-17 13:08 124,928 a--sh--- c:\windows\system32\zigehuze.dll
2009-03-05 18:14 11,264 a------- c:\windows\system32\imdds.dll
2009-03-03 14:14 30,208 a------- c:\windows\system32\frmwrk32.exe
2009-03-03 14:14 30,208 a------- c:\windows\system32\1000.exe
2009-02-28 23:37 155,175 a------- c:\windows\system32\icv.exe
2009-02-10 13:52 24,064 a------- c:\windows\system32\998.exe
2009-01-28 20:41 88,859 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-28 17:25 381,353 a--sh--- c:\windows\system32\NUBabcfe.ini2
2009-01-28 17:18 104,960 a------- c:\windows\system32\adgfmsna.dll
2009-01-27 13:12 86,528 a------- c:\windows\system32\dwdkfpvp.dll
2009-01-26 12:37 89,088 a------- c:\windows\system32\mxojtsfg.dll
2009-01-23 19:16 83,456 a------- c:\windows\system32\whymywdk.dll
2009-01-22 19:16 84,480 a------- c:\windows\system32\vcyfenon.dll
2009-01-22 18:50 84,480 a------- c:\windows\system32\hhfknrut.dll
2009-01-21 18:48 82,944 a------- c:\windows\system32\xnvullig.dll
2009-01-19 20:24 86,016 a------- c:\windows\system32\ksypmqjp.dll
2009-01-18 19:55 80,896 a------- c:\windows\system32\xqfjshji.dll
2009-01-17 16:32 81,920 a------- c:\windows\system32\syfhqskx.dll
2009-01-17 12:46 81,920 a------- c:\windows\system32\gwmkwapn.dll
2009-01-16 18:07 134,656 a------- c:\windows\ukohufeh.dll
2009-01-16 13:07 133,120 a------- c:\windows\ibeyafis.dll
2009-01-16 12:55 41,984 a------- c:\windows\Lvakaliyunolif.dll
2009-01-16 12:55 41,984 a------- c:\windows\system32\chert5-998.exe
2009-01-16 12:43 81,920 a------- c:\windows\system32\mailotgo.dll
2009-01-15 16:24 82,432 a------- c:\windows\system32\iwfdobkb.dll
2009-01-14 11:34 35,328 a------- c:\windows\system32\rqRHwVoP.dll
2009-01-14 11:34 45,568 -------- c:\windows\system32\log.exe
2009-01-12 14:59 31,232 a------- c:\windows\system32\pcload.exe
2009-01-07 13:39 73,216 a------- c:\windows\system32\ffkuz.dll
2009-01-07 11:30 287,744 a------- c:\windows\system32\efcbaBUN.dll.vir
2009-01-06 21:37 114,688 a------- c:\windows\system32\prunnet.exe
2008-09-14 13:10 58,984 a------- c:\docume~1\ty\applic~1\GDIPFONTCACHEV1.DAT
2008-09-13 15:21 56 ---shr-- c:\windows\system32\FBBC542F2F.sys
0000-00-00 00:00 124,928 a--sh--- c:\windows\system32\fejogeku.dll
0000-00-00 00:00 79,872 a--sh--- c:\windows\system32\gisiyojo.dll
0000-00-00 00:00 124,928 a--sh--- c:\windows\system32\jotogeni.dll
0000-00-00 00:00 124,928 a--sh--- c:\windows\system32\judopuje.dll
2008-09-13 15:21 3,766 a--sh--- c:\windows\system32\KGyGaAvL.sys
0000-00-00 00:00 124,928 a--sh--- c:\windows\system32\lakenade.dll
0000-00-00 00:00 124,928 a--sh--- c:\windows\system32\pihuyeha.dll
0000-00-00 00:00 47,616 a--sh--- c:\windows\system32\sapoviri.dll
0000-00-00 00:00 47,616 a--sh--- c:\windows\system32\tejonubo.dll
0000-00-00 00:00 47,616 a--sh--- c:\windows\system32\vubuvuha.dll
0000-00-00 00:00 124,928 a--sh--- c:\windows\system32\zelokore.dll
0000-00-00 00:00 124,928 a--sh--- c:\windows\system32\zezafape.dll

============= FINISH: 21:58:04.79 ===============
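A defender-side triage check for the persistence entries in the DDS log above, written as an added example for this thread (it is not part of DDS, ComboFix or the helper's instructions). It parses a constructed excerpt of the "Pseudo HJT Report" lines from this post and flags what a helper reads as indicators: a Winlogon Userinit value that launches more than userinit.exe, non-empty AppInit_DLLs, LSA packages beyond the defaults, Notify packages that are not DLLs, autoruns from temp or globalroot paths, unnamed BHOs, a custom LSP, Trusted Zone additions and DisableTaskMgr. The msv1_0/scecli baseline and the eight-letter random-DLL rule are assumptions of this example, not DDS rules.

```python
import re
from dataclasses import dataclass

# Constructed excerpt: lines copied from the Pseudo HJT Report in this post.
SAMPLE_LOG = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\twext.exe,
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {44f138fa-14d7-4e31-804a-3865ce3531eb} - c:\windows\system32\tejonubo.dll
BHO: Google plugin: {684ee1db-cd52-4ca9-9ccf-93d5f6b419ba} - kjsvc32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [doyewiwiwi] Rundll32.exe "c:\windows\system32\vubuvuha.dll",s
dRun: [Java S1] \\?\globalroot\systemroot\system32\mschr.exe
mExplorerRun: [kvflBCRIfV] c:\docume~1\ty\locals~1\temp\wJQs.exe
dPolicies-system: DisableTaskMgr = 1 (0x1)
LSP: imdds.dll
Trusted Zone: antimalwareguard.com
Notify: igfxcui - igfxdev.dll
Notify: __c00C8E11 - c:\windows\system32\__c00C8E11.dat
AppInit_DLLs: c:\windows\system32\sapoviri.dll dxsvdn.dll uvxplu.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\efcbaBUN
LSA: Notification Packages = scecli c:\windows\system32\sapoviri.dll
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # which check fired
    detail: str  # the offending value
    line: str    # the full log line, for the report


# Assumed baseline for an XP workstation: only these LSA packages are expected.
DEFAULT_LSA = {"authentication packages": {"msv1_0"},
               "notification packages": {"scecli"}}
AUTORUN_KEYS = ("uRun", "mRun", "dRun", "mExplorerRun")
# Heuristic: eight lowercase letters in system32 (the Vundo naming pattern seen in this log).
RANDOM_DLL = re.compile(r"\\system32\\[a-z]{8}\.dll\b")


def basename(path: str) -> str:
    return path.replace("/", "\\").rstrip("\\").split("\\")[-1].lower()


def check_line(line: str) -> list[Finding]:
    """Return the findings for one 'KEY: value' line of the Pseudo HJT Report."""
    key, sep, value = line.partition(": ")
    if not sep:
        return []
    value = value.strip()
    found: list[Finding] = []
    if key == "mWinlogon" and value.lower().startswith("userinit="):
        # Userinit should launch userinit.exe and nothing else.
        for exe in value[len("userinit="):].split(","):
            if exe and basename(exe) != "userinit.exe":
                found.append(Finding("userinit-hijack", exe, line))
    elif key == "BHO" and value.startswith("{"):
        # A BHO with no registered name is worth a look.
        found.append(Finding("unnamed-bho", value.split(" - ", 1)[-1], line))
    elif key in AUTORUN_KEYS:
        cmd = value.split("] ", 1)[-1]
        low = cmd.lower()
        if "globalroot" in low or "\\temp\\" in low:
            found.append(Finding("autorun-odd-path", cmd, line))
        elif RANDOM_DLL.search(low):
            found.append(Finding("autorun-random-dll", cmd, line))
    elif key.endswith("Policies-system") and value.startswith("DisableTaskMgr = 1"):
        found.append(Finding("taskmgr-disabled", key, line))
    elif key == "LSP":
        found.append(Finding("custom-lsp", value, line))
    elif key == "Trusted Zone":
        found.append(Finding("trusted-zone", value, line))
    elif key == "Notify":
        module = value.split(" - ", 1)[-1]
        if not module.lower().endswith(".dll"):
            found.append(Finding("notify-non-dll", module, line))
    elif key == "AppInit_DLLs":
        # Anything here is loaded into every process that links user32.dll.
        for dll in value.split():
            found.append(Finding("appinit-dll", dll, line))
    elif key == "LSA":
        name, _, packages = value.partition(" = ")
        baseline = DEFAULT_LSA.get(name.lower(), set())
        for pkg in packages.split():
            if basename(pkg) not in baseline:
                found.append(Finding("lsa-package", pkg, line))
    return found


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            findings.extend(check_line(line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}")
```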


#2 Gecko.

Gecko.
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  • Local time:10:04 PM

Posted 12 April 2009 - 08:14 AM

I know resources are limited, this is all voluntary and I shouldn't bump my topic, but it's been 1 week to the day since I posted. I just didn't want anyone to think I've forgotten or abandoned the thread and would still really appreciate the help.

To that end, since I last posted, I've been able to run Malwarebytes on my son's laptop. It indicates the system is infected with the Vundo.H Trojan (and some other things that I cannot recall right now). I still cannot run Spybot Search and Destroy or adware.

#3 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  • Gender:Male
  • Location:United Kingdom
  • Local time:03:04 AM

Posted 12 April 2009 - 08:28 AM

Hello, Gecko.

Welcome to the Bleeping Computer Forums. My name is Jat, and I will be helping you with your situation.

If you do not make a reply in 5 days, we will have to close your topic.


You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.



Your computer is quite heavily infected. We will begin with ComboFix:

ComboFix

Please download ComboFix from one of these locations (If you already have it, delete it and download again):

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instruction can be found here
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Note** ComboFix was designed only to be used under the supervision of a helper, not for general use.

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#4 Gecko.

Gecko.
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  • Local time:10:04 PM

Posted 12 April 2009 - 09:46 AM

Jat,

Thank you for taking on this challenge. I cannot seem to get the system to run in normal mode now. I can run in safe mode. Is it okay to run the above steps in safe mode?

#5 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  • Gender:Male
  • Location:United Kingdom
  • Local time:03:04 AM

Posted 12 April 2009 - 09:55 AM

Yes, that is fine.

Edited by Jat90, 12 April 2009 - 09:56 AM.

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#6 Gecko.

Gecko.
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  • Local time:10:04 PM

Posted 12 April 2009 - 10:33 AM

Managed to run ComboFix in normal mode. Disabled McAfee, but ComboFix still showed it as active. Uninstalled McAfee, but ComboFix still showed it as active. Ran ComboFix anyway. Installed Microsoft Windows Recovery Console using ComboFix. Then ComboFix went to scan for malware, but seconds into it the system blue screened. Had to reboot and run ComboFix again. Blue screened again, saying "the problem seems to be caused by the following file: C\catchme.sys. PAGE_FAULT_IN_NONPAGED_AREA". I'm going to try in safe mode to see if I get the same thing.

#7 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  • Gender:Male
  • Location:United Kingdom
  • Local time:03:04 AM

Posted 12 April 2009 - 10:56 AM

Hello,

You could try it, I'm not sure it will work though. If it doesn't we will use different tools to tackle this problem.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#8 Gecko.

Gecko.
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  • Local time:10:04 PM

Posted 12 April 2009 - 11:03 AM

I was able to run ComboFix in safe mode.

ComboFix has noted the presence of rootkit activity and asked that I note it for use later:
C:\WINDOWS\system32\drivers\senekakwlddqlx.sys
C:\WINDOWS\system32\senekaeuxwkxwy.dll
C:\WINDOWS\system32\senekaagtuqcfw.dll
C:\WINDOWS\system32\senekayqbiqcwv.dat
C:\WINDOWS\system32\senekaciqjlqpu.db
C:\WINDOWS\system32\senekairiqplto.dll
(Could not do a cut and paste from the dialog box, but I think I've typed them correctly)

The C:\ComboFix.txt log follows:

ComboFix 09-04-12.03 - Ty 2009-04-12 11:45.2 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.324 [GMT -4:00]
Running from: c:\documents and settings\Ty\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall Plus *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\Application Data\twain_32
c:\documents and settings\LocalService\Application Data\twain_32\user.ds
c:\program files\AntiSpyware Pro
c:\program files\Antivirus 2009
c:\windows\system32\__c00C8E11.dat
c:\windows\system32\1000.exe
c:\windows\system32\998.exe
c:\windows\system32\akttzn.exe
c:\windows\system32\alog.txt
c:\windows\system32\anticipator.dll
c:\windows\system32\apifihit.ini
c:\windows\system32\awtoolb.dll
c:\windows\system32\bb1.dat
c:\windows\system32\bdn.com
c:\windows\system32\bkbodfwi.ini
c:\windows\system32\bsva-egihsg52.exe
c:\windows\system32\chert5-998.exe
c:\windows\system32\cmds.txt
c:\windows\system32\cookie1.dat
c:\windows\system32\cs.dat
c:\windows\system32\dipitiwo.dll
c:\windows\system32\dpcproxy.exe
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekakwlddqlx.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\dxsvdn.dll
c:\windows\system32\ebefezoz.ini
c:\windows\system32\efafahos.ini
c:\windows\system32\emesx.dll
c:\windows\system32\eraroped.ini
c:\windows\system32\eteramor.ini
c:\windows\system32\fejogeku.dll
c:\windows\system32\frmwrk32.exe
c:\windows\system32\fugedepi.dll
c:\windows\system32\fzucnz.dll
c:\windows\system32\gfstjoxm.ini
c:\windows\system32\ghrtvjpw.ini
c:\windows\system32\gilluvnx.ini
c:\windows\system32\giviminu.dll
c:\windows\system32\gwgtgaug.ini
c:\windows\system32\hoproxy.dll
c:\windows\system32\hxiwlgpm.dat
c:\windows\system32\hxiwlgpm.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\ijhsjfqx.ini
c:\windows\system32\inf\xccdfb16_090131.dll
c:\windows\system32\inf\xccefb090131.scr
c:\windows\system32\iulvwmvm.ini
c:\windows\system32\ivetowuk.ini
c:\windows\system32\izeginob.ini
c:\windows\system32\jikonidi.dll
c:\windows\system32\jotogeni.dll
c:\windows\system32\judopuje.dll
c:\windows\system32\kbekkn.dll
c:\windows\system32\kdwymyhw.ini
c:\windows\system32\kpelioln.ini
c:\windows\system32\lakenade.dll
c:\windows\system32\ldr.exe
c:\windows\system32\lejiwafe.dll
c:\windows\system32\lneohrng.ini
c:\windows\system32\log.exe
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\mcrh.tmp
c:\windows\system32\medup012.dll
c:\windows\system32\msgp.exe
c:\windows\system32\msnbho.dll
c:\windows\system32\mssecu.exe
c:\windows\system32\msvchost.exe
c:\windows\system32\mtr2.exe
c:\windows\system32\mwin32.exe
c:\windows\system32\netode.exe
c:\windows\system32\newsd32.exe
c:\windows\system32\nonefycv.ini
c:\windows\system32\npawkmwg.ini
c:\windows\system32\NUBabcfe.ini
c:\windows\system32\NUBabcfe.ini2
c:\windows\system32\odubiwud.ini
c:\windows\system32\ofememeh.ini
c:\windows\system32\ogtoliam.ini
c:\windows\system32\orotufiz.ini
c:\windows\system32\ososikog.ini
c:\windows\system32\ozivujef.ini
c:\windows\system32\paso.el
c:\windows\system32\pihuyeha.dll
c:\windows\system32\pjqmpysk.ini
c:\windows\system32\prunnet.exe
c:\windows\system32\ps1.dat
c:\windows\system32\ps1.exe
c:\windows\system32\psof1.exe
c:\windows\system32\psoft1.exe
c:\windows\system32\puyekari.dll
c:\windows\system32\pvpfkdwd.ini
c:\windows\system32\rc.dat
c:\windows\system32\regc64.dll
c:\windows\system32\regm64.dll
c:\windows\system32\Rundl1.exe
c:\windows\system32\sdra64.exe
c:\windows\system32\senekaagtuqcfw.dll
c:\windows\system32\senekaciqjlqpu.db
c:\windows\system32\senekadf.dat
c:\windows\system32\senekaeuxwkxwy.dll
c:\windows\system32\senekairiqplto.dll
c:\windows\system32\senekalog.dat
c:\windows\system32\senekayqbiqcvw.dat
c:\windows\system32\smp
c:\windows\system32\smp\msrc.exe
c:\windows\system32\sncntr.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\ssurf022.dll
c:\windows\system32\ssvchost.com
c:\windows\system32\ssvchost.exe
c:\windows\system32\sysreq.exe
c:\windows\system32\taack.dat
c:\windows\system32\taack.exe
c:\windows\system32\tb.dr
c:\windows\system32\tcibklqs.ini
c:\windows\system32\temp#01.exe
c:\windows\system32\thun.dll
c:\windows\system32\thun32.dll
c:\windows\system32\tllegt.dll
c:\windows\system32\tmp.reg
c:\windows\system32\turnkfhh.ini
c:\windows\system32\twain_32
c:\windows\system32\twain_32\local.ds
c:\windows\system32\twain_32\user.ds
c:\windows\system32\twain_32\user.ds.cla
c:\windows\system32\twain32
c:\windows\system32\twain32\local.ds
c:\windows\system32\twain32\user.ds
c:\windows\system32\twex.exe
c:\windows\system32\twext.exe
c:\windows\system32\ulifahom.ini
c:\windows\system32\umezimiv.ini
c:\windows\system32\uniq.tll
c:\windows\system32\uvxplu.dll
c:\windows\system32\VACFix.exe
c:\windows\system32\vayihufi.dll
c:\windows\system32\VBIEWER.OCX
c:\windows\system32\vbsys2.dll
c:\windows\system32\vcatchpi.dll
c:\windows\system32\VCCLSID.exe
c:\windows\system32\vyfnxwwi.ini
c:\windows\system32\wiludubu.dll
c:\windows\system32\winlogonpc.exe
c:\windows\system32\winsystem.exe
c:\windows\system32\WINWGPX.EXE
c:\windows\system32\wulemake.dll
c:\windows\system32\xksqhfys.ini
c:\windows\system32\zelokore.dll
c:\windows\system32\zezafape.dll
c:\windows\system32\zigehuze.dll
c:\windows\xccdf16_090131a.dll
c:\windows\xccdf32_090131a.dll
c:\windows\xccwinsys.ini
c:\windows\ynh.dx
C:\xcrashdump.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SENEKA


((((((((((((((((((((((((( Files Created from 2009-03-12 to 2009-04-12 )))))))))))))))))))))))))))))))
.

2009-04-12 15:36 . 2006-03-03 04:42 73728 ----a-w C:\pv.exe
2009-04-12 15:35 . 2009-04-12 15:36 -------- d-----w C:\32788R22FWJFW
2009-04-10 15:24 . 2009-04-10 15:24 20480 ----a-w c:\windows\system32\nDler2.exe
2009-04-09 17:01 . 2009-04-09 17:01 155 ----a-w c:\windows\system32\SelfDel.bat
2009-04-07 20:32 . 2009-04-09 17:00 84045 ----a-w c:\windows\system32\ftp_non_crp.exe
2009-04-05 13:47 . 2009-04-05 13:47 -------- d-----w c:\documents and settings\Ty\Application Data\Malwarebytes
2009-04-05 13:46 . 2009-03-26 20:49 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-05 13:46 . 2009-03-26 20:49 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-05 13:46 . 2009-04-05 13:47 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-05 13:46 . 2009-04-05 13:46 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-22 17:27 . 2009-03-22 17:27 35840 ----a-w c:\windows\system32\gldx.exe
2009-03-18 17:32 . 2009-03-18 17:33 40448 ----a-w c:\windows\system32\KuzSmall.exe
2009-03-18 17:17 . 2009-03-18 17:17 42496 ----a-w c:\windows\system32\kuzSniper.exe
2009-03-18 17:02 . 2009-03-18 17:02 75264 ----a-w c:\windows\system32\MPh.exe
2009-03-17 17:03 . 2009-03-17 17:03 47616 ----a-w c:\windows\system32\ptch238120.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-12 15:04 . 2005-12-09 02:05 -------- d-----w c:\documents and settings\All Users\Application Data\McAfee.com
2009-04-09 16:43 . 2009-01-09 16:42 49152 --sha-w c:\windows\system32\kejajumo.dll
2009-04-08 18:27 . 2009-01-08 18:27 49152 --sha-w c:\windows\system32\hejivego.dll
2009-04-06 15:34 . 2006-01-01 22:33 44770 ----a-w c:\documents and settings\Ty\Application Data\wklnhst.dat
2009-04-05 12:52 . 2008-03-20 02:14 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-05 12:43 . 2008-03-20 02:14 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-27 15:16 . 1601-01-01 00:12 79872 --sha-w c:\windows\system32\guporobe.dll
2009-03-27 01:46 . 1601-01-01 00:12 79872 --sha-w c:\windows\system32\piralume.dll
2009-03-25 04:43 . 1601-01-01 00:12 79872 --sha-w c:\windows\system32\vonatahi.dll
2009-03-24 16:44 . 1601-01-01 00:12 79872 --sha-w c:\windows\system32\misahavu.dll
2009-03-24 15:35 . 1601-01-01 00:12 79872 --sha-w c:\windows\system32\jetehufi.dll
2009-03-22 17:47 . 1601-01-01 00:12 79872 --sha-w c:\windows\system32\zavuzogo.dll
2009-03-22 16:48 . 1601-01-01 00:12 79872 --sha-w c:\windows\system32\nuwuzeku.dll
2009-03-20 16:20 . 1601-01-01 00:12 79872 --sha-w c:\windows\system32\suwuwuha.dll
2009-03-19 04:25 . 1601-01-01 00:12 79872 --sha-w c:\windows\system32\jakegetu.dll
2009-03-13 02:43 . 2009-03-13 02:43 456734 ----a-w c:\windows\system32\mschr.exe
2009-03-13 02:43 . 2009-03-13 02:43 36864 ----a-w c:\windows\system32\nDler.exe
2009-03-06 22:47 . 2009-03-06 22:47 44032 ----a-w c:\windows\system32\kjsvc32.dll
2009-03-05 22:14 . 2009-03-05 22:14 11264 ----a-w c:\windows\system32\imdds.dll
2009-03-01 03:37 . 2009-03-01 03:37 155175 ----a-w c:\windows\system32\icv.exe
2009-01-29 00:41 . 2004-08-19 22:05 88859 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-01-28 21:18 . 2009-01-28 21:18 104960 ----a-w c:\windows\system32\adgfmsna.dll
2009-01-27 17:12 . 2009-01-27 17:12 86528 ----a-w c:\windows\system32\dwdkfpvp.dll
2009-01-26 16:37 . 2009-01-26 16:37 89088 ----a-w c:\windows\system32\mxojtsfg.dll
2009-01-24 20:24 . 2009-01-24 20:24 516 ----a-w C:\Settings.ini
2009-01-23 23:16 . 2009-01-23 23:16 83456 ----a-w c:\windows\system32\whymywdk.dll
2009-01-22 23:16 . 2009-01-22 23:16 84480 ----a-w c:\windows\system32\vcyfenon.dll
2009-01-22 22:50 . 2009-01-22 22:50 84480 ----a-w c:\windows\system32\hhfknrut.dll
2009-01-21 22:48 . 2009-01-21 22:48 82944 ----a-w c:\windows\system32\xnvullig.dll
2009-01-20 00:24 . 2009-01-20 00:24 86016 ----a-w c:\windows\system32\ksypmqjp.dll
2009-01-18 23:55 . 2009-01-18 23:55 80896 ----a-w c:\windows\system32\xqfjshji.dll
2009-01-17 20:32 . 2009-01-17 20:32 81920 ----a-w c:\windows\system32\syfhqskx.dll
2009-01-17 16:46 . 2009-01-17 16:46 81920 ----a-w c:\windows\system32\gwmkwapn.dll
2009-01-16 22:07 . 2009-01-16 22:07 134656 ----a-w c:\windows\ukohufeh.dll
2009-01-16 17:07 . 2009-01-16 17:07 133120 ----a-w c:\windows\ibeyafis.dll
2009-01-16 16:55 . 2009-01-16 16:55 41984 ----a-w c:\windows\Lvakaliyunolif.dll
2009-01-16 16:43 . 2009-01-16 16:43 81920 ----a-w c:\windows\system32\mailotgo.dll
2009-01-15 20:24 . 2009-01-15 20:24 82432 ----a-w c:\windows\system32\iwfdobkb.dll
2009-01-14 15:34 . 2009-01-14 15:34 35328 ----a-w c:\windows\system32\rqRHwVoP.dll
2009-01-12 18:59 . 2009-01-12 18:59 31232 ----a-w c:\windows\system32\pcload.exe
2008-09-14 17:10 . 2006-01-12 04:07 58984 ----a-w c:\documents and settings\Ty\Application Data\GDIPFONTCACHEV1.DAT
2009-03-27 15:16 . 1601-01-01 00:12 79872 --sha-w c:\windows\system32\guporobe.dll
2009-04-08 18:27 . 2009-01-08 18:27 49152 --sha-w c:\windows\system32\hejivego.dll
2009-03-19 04:25 . 1601-01-01 00:12 79872 --sha-w c:\windows\system32\jakegetu.dll
2009-03-24 15:35 . 1601-01-01 00:12 79872 --sha-w c:\windows\system32\jetehufi.dll
2009-04-09 16:43 . 2009-01-09 16:42 49152 --sha-w c:\windows\system32\kejajumo.dll
2009-03-24 16:44 . 1601-01-01 00:12 79872 --sha-w c:\windows\system32\misahavu.dll
2009-03-22 16:48 . 1601-01-01 00:12 79872 --sha-w c:\windows\system32\nuwuzeku.dll
2009-03-27 01:46 . 1601-01-01 00:12 79872 --sha-w c:\windows\system32\piralume.dll
2009-03-20 16:20 . 1601-01-01 00:12 79872 --sha-w c:\windows\system32\suwuwuha.dll
2009-03-25 04:43 . 1601-01-01 00:12 79872 --sha-w c:\windows\system32\vonatahi.dll
2009-03-22 17:47 . 1601-01-01 00:12 79872 --sha-w c:\windows\system32\zavuzogo.dll
2009-04-06 15:34 . 2009-04-06 15:36 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009033020090406\index.dat
2009-04-06 15:34 . 2009-04-06 15:36 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009040620090407\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{44f138fa-14d7-4e31-804a-3865ce3531eb}]
2009-01-09 12:43 49152 --ahs---- c:\windows\system32\fegusire.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77AB5974-55A3-4737-9FD5-B93C64307F78}]
2009-01-28 17:18 104960 --a------ c:\windows\system32\adgfmsna.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-10-24 307200]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-12-08 26112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 8192]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"doyewiwiwi"="c:\windows\system32\venijija.dll" [2009-01-09 49152]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Java S1"="\\?\globalroot\systemroot\system32\mschr.exe" [?]
"nDler2"="\\?\globalroot\systemroot\system32\nDler2.exe" [?]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-12-08 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 18:08 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-03-26 38496]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]

.
Contents of the 'Scheduled Tasks' folder

2009-04-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 18:13]

2009-04-12 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
- - - - ORPHANS REMOVED - - - -

BHO-{684EE1DB-CD52-4ca9-9CCF-93D5F6B419BA} - kjsvc32.dll
BHO-{B92C2622-F747-4BDE-A6DB-F8D0376AFEDD} - c:\windows\system32\efcbaBUN.dll
BHO-{FD6920B7-514B-4A55-AA60-4D88AA136438} - (no file)
HKLM-Run-d41bb80d - c:\windows\system32\zozefebe.dll
HKU-Default-Run-A00FE57A1.exe - c:\windows\TEMP\_A00FE57A1.exe
HKLM-Explorer_Run-cJlyDCRIfV - c:\windows\yrsfafgp.exe
HKLM-Explorer_Run-kvflBCRIfV - c:\docume~1\Ty\LOCALS~1\Temp\wJQs.exe
HKLM-Explorer_Run-xccinit - c:\windows\system32\inf\rundll33.exe
SharedTaskScheduler-{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fugedepi.dll
Notify-__c00C8E11 - c:\windows\system32\__c00C8E11.dat
Notify-rqRHwVoP - (no file)


.
------- Supplementary Scan -------
.
LSP: imdds.dll
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
Trusted Zone: musicmatch.com\online
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://edownload.grisoft.cz/ewidoOnlineScan.cab
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-12 11:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(952)
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(612)
c:\progra~1\WINDOW~3\wmpband.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
.
**************************************************************************
.
Completion time: 2009-04-12 12:01 - machine was rebooted [Ty]
ComboFix-quarantined-files.txt 2009-04-12 16:01
ComboFix2.txt 2008-03-30 02:10

Pre-Run: 23,187,079,168 bytes free
Post-Run: 25,672,814,592 bytes free

364 --- E O F --- 2008-12-30 01:47

Edited by Gecko., 12 April 2009 - 11:06 AM.


#9 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:United Kingdom
  • Local time:03:04 AM

Posted 12 April 2009 - 11:06 AM

Hello,

Before we continue fixing, you should know the following.

Rootkit Warning

Rootkits are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Many rootkits can hook into the Windows 32-bit kernel and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data, which is sent back to the hacker. To learn more about these types of infections, you can refer to:

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately, to include those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. They should be changed using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control again. Credit card institutions should be notified of the possible security breach. Because your computer was compromised, please read:

Although the rootkit was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Please let me know what you decide to do.

Edited by Jat90, 12 April 2009 - 11:11 AM.

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#10 Gecko.

Gecko.
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  •  
  • Local time:10:04 PM

Posted 12 April 2009 - 11:24 AM

Jat,

Thank you. I will need to do a little reading of the links provided and see if my son still has his factory disks to determine if the drive can be wiped clean, reformatted and the OS reinstalled. I will also need to consult my son to determine what he wants me to do. I should have an answer and get back to you within a day's time.

#11 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:United Kingdom
  • Local time:03:04 AM

Posted 12 April 2009 - 11:27 AM

Ok, no problem.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#12 Gecko.

Gecko.
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  •  
  • Local time:10:04 PM

Posted 13 April 2009 - 09:45 AM

Because my son cannot find the OEM disks for his laptop, I guess our only option at this point is to attempt to clean the laptop as best can be done, knowing full well it should not be considered a safe system unless sometime in the future it's wiped clean, reformatted and the OS reinstalled.

#13 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:United Kingdom
  • Local time:03:04 AM

Posted 13 April 2009 - 10:05 AM

Hello,

Ok then we shall continue with the fix. There is still a lot left to do:

CFScript

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\nDler2.exe
c:\windows\system32\SelfDel.bat
c:\windows\system32\ftp_non_crp.exe
c:\windows\system32\gldx.exe
c:\documents and settings\Ty\Application Data\wklnhst.dat
c:\windows\system32\kejajumo.dll
c:\windows\system32\hejivego.dll
c:\windows\system32\guporobe.dll
c:\windows\system32\piralume.dll
c:\windows\system32\vonatahi.dll
c:\windows\system32\misahavu.dll
c:\windows\system32\jetehufi.dll
c:\windows\system32\zavuzogo.dll
c:\windows\system32\nuwuzeku.dll
c:\windows\system32\suwuwuha.dll
c:\windows\system32\jakegetu.dll
c:\windows\system32\mschr.exe
c:\windows\system32\nDler.exe
c:\windows\system32\kjsvc32.dll
c:\windows\system32\icv.exe
c:\windows\system32\adgfmsna.dll
c:\windows\system32\dwdkfpvp.dll
c:\windows\system32\mxojtsfg.dll
c:\windows\system32\whymywdk.dll
c:\windows\system32\vcyfenon.dll
c:\windows\system32\hhfknrut.dll
c:\windows\system32\xnvullig.dll
c:\windows\system32\ksypmqjp.dll
c:\windows\system32\xqfjshji.dll
c:\windows\system32\syfhqskx.dll
c:\windows\system32\gwmkwapn.dll
c:\windows\ukohufeh.dll
c:\windows\ibeyafis.dll
c:\windows\Lvakaliyunolif.dll
c:\windows\system32\mailotgo.dll
c:\windows\system32\iwfdobkb.dll
c:\windows\system32\rqRHwVoP.dll
c:\documents and settings\Ty\Application Data\GDIPFONTCACHEV1.DAT
c:\windows\system32\guporobe.dll
c:\windows\system32\hejivego.dll
c:\windows\system32\jakegetu.dll
c:\windows\system32\jetehufi.dll
c:\windows\system32\kejajumo.dll
c:\windows\system32\misahavu.dll
c:\windows\system32\nuwuzeku.dll
c:\windows\system32\piralume.dll
c:\windows\system32\suwuwuha.dll
c:\windows\system32\vonatahi.dll
c:\windows\system32\zavuzogo.dll

Folder::
C:\32788R22FWJFW

DDS:
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
Trusted Zone: musicmatch.com\online


Save this as CFScript.txt, in the same location as ComboFix.exe


[image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.

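The two posts above show the raw material a helper works from: a ComboFix log full of hidden, randomly named DLLs under system32, Run values pointing at DLLs or at `\\?\globalroot\` paths, Security Center notifications switched off, an LSP entry and Trusted Zone additions, followed by a hand-written CFScript listing the files to remove. The following is an added example, not Gecko's log, Jat90's script or any part of ComboFix: a Python triage pass over log lines in the shapes ComboFix prints, which then drafts the `File::` and `DDS::` sections of a CFScript from what it flagged. The sample lines are constructed from entries in the log above; the indicator names, severities and the consonant-vowel name heuristic are this example's own assumptions, `c:\windows` is assumed as the system root, and the `File::`/`DDS::` directive spellings are taken from ComboFix's double-colon scripting convention.

```python
"""Triage ComboFix-style log lines and draft a CFScript from what they flag.
Added example for this thread (not Gecko's, Jat90's or ComboFix's code): the
sample lines are constructed from entries in the log above, and the indicator
rules and severities are this example's own assumptions."""
import re

# Constructed sample in the line shapes ComboFix prints, benign rows mixed in.
SAMPLE_LOG = r"""
2009-03-27 15:16 . 1601-01-01 00:12 79872 --sha-w c:\windows\system32\guporobe.dll
2009-04-09 16:43 . 2009-01-09 16:42 49152 --sha-w c:\windows\system32\kejajumo.dll
2009-01-28 21:18 . 2009-01-28 21:18 104960 ----a-w c:\windows\system32\adgfmsna.dll
2009-04-05 13:46 . 2009-03-26 20:49 15504 ----a-w c:\windows\system32\drivers\mbam.sys
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"doyewiwiwi"="c:\windows\system32\venijija.dll" [2009-01-09 49152]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Java S1"="\\?\globalroot\systemroot\system32\mschr.exe" [?]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
LSP: imdds.dll
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
Trusted Zone: antimalwareguard.com
"""

# Find3M row: mod-date mod-time . created-date created-time size attrs path
FILE_LINE = re.compile(r"^\S+ \S+ \. (?P<created>\S+) \S+ \S+ (?P<attrs>[-a-z]+) "
                       r"(?P<path>[a-z]:\\.*)$", re.I)
REG_KEY = re.compile(r"^\[(HK[^\]]+)\]$")
RUN_VALUE = re.compile(r'^"[^"]+"="([^"]+)"')
DWORD_ONE = re.compile(r'^"([^"]*Disable(?:Notify|Monitoring))"=dword:00000001$')
# Eight lowercase letters alternating consonant/vowel: the naming pattern shared
# by the hidden DLLs in the log above (guporobe, kejajumo, venijija ...).
CV_NAME = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}\.(?:dll|exe)$")
RANDOM8 = re.compile(r"^[a-z]{8}\.(?:dll|exe)$")   # weaker: browseui.dll fits too

SEVERITY = {"trusted-zone": "medium", "random8-name": "low"}   # all others: high
FILE_INDICATORS = {"hidden-system-file", "zero-creation-time", "cv-pattern-name",
                   "dll-as-run-target", "globalroot-autorun"}
GLOBALROOT = "\\\\?\\globalroot\\systemroot\\"


def resolve_globalroot(target, systemroot=r"c:\windows"):
    """Map the \\?\globalroot\systemroot\ spelling back to a plain path (assumed root)."""
    if target.lower().startswith(GLOBALROOT):
        return systemroot + "\\" + target[len(GLOBALROOT):]
    return target


def _name_indicators(path):
    name = path.rsplit("\\", 1)[-1].lower()
    if CV_NAME.match(name):
        return ["cv-pattern-name"]
    if RANDOM8.match(name):
        return ["random8-name"]
    return []


def _file_indicators(m):
    path, attrs = m.group("path"), m.group("attrs")
    if "\\windows\\" not in path.lower():
        return []
    found = _name_indicators(path)
    if "s" in attrs and "h" in attrs:          # --sha-w: system + hidden attributes
        found.append("hidden-system-file")
    if m.group("created") == "1601-01-01":     # zero FILETIME: unset or forged stamp
        found.append("zero-creation-time")
    return found


def _run_indicators(target):
    path = resolve_globalroot(target)
    found = _name_indicators(path)
    if path != target:                         # ordinary software does not register
        found.append("globalroot-autorun")     # its Run value through globalroot
    if path.lower().endswith(".dll"):          # a Run value should name an .exe
        found.append("dll-as-run-target")
    return path, found


def triage(log_text):
    """Return (severity, indicator, subject) triples for the suspicious lines."""
    out, key = [], ""
    for line in (raw.strip() for raw in log_text.splitlines()):
        if m := REG_KEY.match(line):
            key = m.group(1).lower()           # remember which hive section we are in
        elif m := FILE_LINE.match(line):
            out += [(SEVERITY.get(i, "high"), i, m.group("path")) for i in _file_indicators(m)]
        elif (m := DWORD_ONE.match(line)) and "security center" in key:
            out.append(("high", "security-center-suppressed", key + "\\" + m.group(1)))
        elif (m := RUN_VALUE.match(line)) and key.endswith("\\run"):
            path, inds = _run_indicators(m.group(1))
            out += [(SEVERITY.get(i, "high"), i, path) for i in inds]
        elif line.startswith("LSP:"):
            out.append(("high", "lsp-hook", line[4:].strip()))
        elif line.startswith("Trusted Zone:"):
            out.append(("medium", "trusted-zone", line[13:].strip()))
    return out


def draft_cfscript(findings):
    """Render File:: and DDS:: sections in CFScript.txt layout, for human review."""
    files = sorted({s for sev, i, s in findings if i in FILE_INDICATORS and sev == "high"})
    zones = sorted({s for _, i, s in findings if i == "trusted-zone"})
    parts = ["File::\n" + "\n".join(files)] if files else []
    if zones:
        parts.append("DDS::\n" + "\n".join("Trusted Zone: " + z for z in zones))
    return "\n\n".join(parts) + "\n"
```

Run `triage(SAMPLE_LOG)` and feed the result to `draft_cfscript` to get the same kind of `File::` list Jat90 wrote by hand, with the low-confidence `random8-name` hits (adgfmsna.dll in the sample) deliberately left out and the duplicated Trusted Zone entries collapsed. The Security Center findings are reported but not scripted, since re-enabling those notifications is a registry change rather than a file removal, and the draft is meant to be read by a person before it goes anywhere near ComboFix.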

#14 Gecko.

Gecko.
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  •  
  • Local time:10:04 PM

Posted 13 April 2009 - 07:42 PM

I've removed McAfee, but ComboFix still indicates it's running. Not sure why.
The C:\ComboFix.txt log follows:

ComboFix 09-04-13.A2 - Ty 2009-04-13 20:22.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.179 [GMT -4:00]
Running from: c:\documents and settings\Ty\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ty\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall Plus *enabled*
* Created a new restore point

FILE ::
c:\documents and settings\Ty\Application Data\GDIPFONTCACHEV1.DAT
c:\documents and settings\Ty\Application Data\wklnhst.dat
c:\windows\ibeyafis.dll
c:\windows\Lvakaliyunolif.dll
c:\windows\system32\adgfmsna.dll
c:\windows\system32\dwdkfpvp.dll
c:\windows\system32\ftp_non_crp.exe
c:\windows\system32\gldx.exe
c:\windows\system32\guporobe.dll
c:\windows\system32\gwmkwapn.dll
c:\windows\system32\hejivego.dll
c:\windows\system32\hhfknrut.dll
c:\windows\system32\icv.exe
c:\windows\system32\iwfdobkb.dll
c:\windows\system32\jakegetu.dll
c:\windows\system32\jetehufi.dll
c:\windows\system32\kejajumo.dll
c:\windows\system32\kjsvc32.dll
c:\windows\system32\ksypmqjp.dll
c:\windows\system32\mailotgo.dll
c:\windows\system32\misahavu.dll
c:\windows\system32\mschr.exe
c:\windows\system32\mxojtsfg.dll
c:\windows\system32\nDler.exe
c:\windows\system32\nDler2.exe
c:\windows\system32\nuwuzeku.dll
c:\windows\system32\piralume.dll
c:\windows\system32\rqRHwVoP.dll
c:\windows\system32\SelfDel.bat
c:\windows\system32\suwuwuha.dll
c:\windows\system32\syfhqskx.dll
c:\windows\system32\vcyfenon.dll
c:\windows\system32\vonatahi.dll
c:\windows\system32\whymywdk.dll
c:\windows\system32\xnvullig.dll
c:\windows\system32\xqfjshji.dll
c:\windows\system32\zavuzogo.dll
c:\windows\ukohufeh.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\NetworkService\Application Data\twain_32
c:\documents and settings\NetworkService\Application Data\twain_32\user.ds
c:\documents and settings\Ty\Application Data\GDIPFONTCACHEV1.DAT
c:\documents and settings\Ty\Application Data\wklnhst.dat
c:\windows\ibeyafis.dll
c:\windows\Lvakaliyunolif.dll
c:\windows\system32\adgfmsna.dll
c:\windows\system32\dwdkfpvp.dll
c:\windows\system32\fegusire.dll
c:\windows\system32\ftp_non_crp.exe
c:\windows\system32\gldx.exe
c:\windows\system32\guporobe.dll
c:\windows\system32\gwmkwapn.dll
c:\windows\system32\hejivego.dll
c:\windows\system32\hhfknrut.dll
c:\windows\system32\icv.exe
c:\windows\system32\itafolil.ini
c:\windows\system32\iwfdobkb.dll
c:\windows\system32\jakegetu.dll
c:\windows\system32\jetehufi.dll
c:\windows\system32\kejajumo.dll
c:\windows\system32\kjsvc32.dll
c:\windows\system32\ksypmqjp.dll
c:\windows\system32\mailotgo.dll
c:\windows\system32\misahavu.dll
c:\windows\system32\mschr.exe
c:\windows\system32\mxojtsfg.dll
c:\windows\system32\nDler.exe
c:\windows\system32\nDler2.exe
c:\windows\system32\nuwuzeku.dll
c:\windows\system32\pehuraba.dll
c:\windows\system32\piralume.dll
c:\windows\system32\rqRHwVoP.dll
c:\windows\system32\SelfDel.bat
c:\windows\system32\suwuwuha.dll
c:\windows\system32\syfhqskx.dll
c:\windows\system32\uniboyil.ini
c:\windows\system32\vcyfenon.dll
c:\windows\system32\venijija.dll
c:\windows\system32\vonatahi.dll
c:\windows\system32\whymywdk.dll
c:\windows\system32\xnvullig.dll
c:\windows\system32\xqfjshji.dll
c:\windows\system32\yujitana.dll
c:\windows\system32\zavuzogo.dll
c:\windows\ukohufeh.dll

.
((((((((((((((((((((((((( Files Created from 2009-03-14 to 2009-04-14 )))))))))))))))))))))))))))))))
.

2009-04-05 13:47 . 2009-04-05 13:47 -------- d-----w c:\documents and settings\Ty\Application Data\Malwarebytes
2009-04-05 13:46 . 2009-03-26 20:49 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-05 13:46 . 2009-03-26 20:49 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-05 13:46 . 2009-04-05 13:47 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-05 13:46 . 2009-04-05 13:46 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-18 17:32 . 2009-03-18 17:33 40448 ----a-w c:\windows\system32\KuzSmall.exe
2009-03-18 17:17 . 2009-03-18 17:17 42496 ----a-w c:\windows\system32\kuzSniper.exe
2009-03-18 17:02 . 2009-03-18 17:02 75264 ----a-w c:\windows\system32\MPh.exe
2009-03-17 17:03 . 2009-03-17 17:03 47616 ----a-w c:\windows\system32\ptch238120.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-12 15:04 . 2005-12-09 02:05 -------- d-----w c:\documents and settings\All Users\Application Data\McAfee.com
2009-04-06 15:34 . 2009-04-06 15:36 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009040620090407\index.dat
2009-04-06 15:34 . 2009-04-06 15:36 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009033020090406\index.dat
2009-04-05 12:52 . 2008-03-20 02:14 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-05 12:43 . 2008-03-20 02:14 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-05 22:14 . 2009-03-05 22:14 11264 ----a-w c:\windows\system32\imdds.dll
2009-01-29 00:41 . 2004-08-19 22:05 88859 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-01-24 20:24 . 2009-01-24 20:24 516 ----a-w C:\Settings.ini
2008-09-12 16:04 . 2006-01-01 21:35 58984 ----a-w c:\documents and settings\Ty\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2004-08-19 22:16 . 2006-01-01 21:04 136 ----a-w c:\documents and settings\Ty\Local Settings\Application Data\fusioncache.dat
2004-08-19 22:16 . 2004-08-19 22:16 136 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-04-12_12.00.38.79 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-14 00:33 . 2009-04-14 00:33 16384 c:\windows\TEMP\Perflib_Perfdata_ed8.dat
+ 2009-04-14 00:27 . 2005-10-21 00:02 163328 c:\windows\erdnt\subs\ERDNT.EXE
- 2009-04-12 15:55 . 2005-10-21 00:02 163328 c:\windows\erdnt\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-10-24 307200]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-12-08 26112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 8192]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"d41bb80d"="c:\windows\system32\lilofati.dll" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Java S1"="\\?\globalroot\systemroot\system32\mschr.exe" [?]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-12-08 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 18:08 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\ehome\\ehtray.exe"=

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-03-26 38496]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]

.
Contents of the 'Scheduled Tasks' folder

2009-04-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 18:13]

2009-04-14 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
- - - - ORPHANS REMOVED - - - -

BHO-{44f138fa-14d7-4e31-804a-3865ce3531eb} - c:\windows\system32\fegusire.dll


.
------- Supplementary Scan -------
.
LSP: imdds.dll
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
Trusted Zone: musicmatch.com\online
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://edownload.grisoft.cz/ewidoOnlineScan.cab
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-13 20:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1032)
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'lsass.exe'(1088)
c:\windows\system32\imdds.dll

- - - - - - - > 'explorer.exe'(976)
c:\progra~1\WINDOW~3\wmpband.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\windows\system32\igfxsrvc.exe
c:\progra~1\MUSICM~1\MUSICM~3\MMDiag.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\program files\MUSICMATCH\Musicmatch Jukebox\mim.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-04-13 20:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-14 00:37
ComboFix2.txt 2009-04-12 16:01
ComboFix3.txt 2008-03-30 02:10

Pre-Run: 25,022,574,592 bytes free
Post-Run: 25,008,123,904 bytes free

248 --- E O F --- 2008-12-30 01:47

Edited by Gecko., 13 April 2009 - 07:44 PM.


#15 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:United Kingdom
  • Local time:03:04 AM

Posted 14 April 2009 - 03:01 AM

Hello,

How is your PC now? Let's do this:

Suspicious Files

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

c:\windows\system32\MPh.exe
c:\windows\system32\ptch238120.exe
c:\windows\system32\imdds.dll

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.




