Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hit by an unknown virus.


  • This topic is locked This topic is locked
4 replies to this topic

#1 grapplingpunk

grapplingpunk

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:02:28 AM

Posted 24 April 2009 - 07:36 PM

Hey folks i was hit by a virus when visiting a forum the other day and tried loads of things to get rid of it. It appears similar to the Virtuomonde one i had last year.

Once i knew i had a virus i ran malware bytes and AVG Antivirus, both found things so i healed/quarantined/deleted them but it appeared to get worse. It changed registry and start up items and when i tried to disable them they just kept reappearing again. I knew from getting rid of the virtuomonde one that you have to disable system restore before deleting them from the start up so they don't reappear on the next boot but can't remember the exact process so don't want to mess it up any further so need another walkthrough as i'm not very good with this stuff.

I've restored my firewall which was disabled bit still can't restore AVG. Webpages are taking an age to load and if i click a link from say google it tries to redirect me elsewhere so it's easier to go to pages already in my favourites or browser already. I get the odd pop but those are minimal.

Anyway here's the logs required and i look forward to someone helping out. Thanks in advance.


DDS (Ver_09-03-16.01) - NTFSx86
Run by Wayne at 0:39:46.32 on 25/04/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_01
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.83 [GMT 1:00]

AV: AVG 7.5.523 *On-access scanning enabled* (Updated)
FW: *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\dhcp\svchost.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\sopidkc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Wayne\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\tdctxte.exe
C:\WINDOWS\system32\wtukd32.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\Wayne\LOCALS~1\Temp\2291010398.exe
C:\WINDOWS\system32\dncyool64.sys
C:\Documents and Settings\Wayne\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
mSearchAssistant = hxxp://www.google.com
BHO: {02af8cd4-6753-4ae4-9f26-751dcbd24434} - c:\windows\system32\bayunivu.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: c:\windows\system32\jksahfo93wjfkd.dll: {b2ba40a2-74f0-42bd-f434-12345a2c8953} - c:\windows\system32\jksahfo93wjfkd.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\wayne\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Diagnostic Manager] c:\docume~1\wayne\locals~1\temp\2291010398.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [905e303e] rundll32.exe "c:\windows\system32\tuzatazo.dll",b
mRun: [CPM936d03a2] Rundll32.exe "c:\windows\system32\gukowema.dll",a
mRun: [VT100 Emulator] c:\windows\system32\VT100.EXE
mRun: [waiting1690] c:\windows\stid1690.exe
mRun: [wamewenafi] Rundll32.exe "c:\windows\system32\buvatolo.dll",s
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
dRun: [svc] c:\program files\thunmail\testabd.exe
StartupFolder: c:\docume~1\wayne\startm~1\programs\startup\imvu.lnk - c:\program files\imvu\IMVUClient.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\wayne\start menu\programs\>imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {3437D640-C91A-458f-89F5-B9095EA4C28B} - {04F93351-81D2-4484-9982-0D55DEFFFAE6} - c:\program files\piclensie\PicLens.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw_promo.cab
DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} - hxxp://cameras.homeentertainmentinc.com:81/IPV6CAM.CAB
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {2BE6A92D-D51C-4659-B372-BB18C99BC439} - hxxp://www.ppmate.com/search/downcab.jsp
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - hxxp://smokeybunny.com/activex/AMC.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-6u1-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} - hxxp://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://cafecam.heerenvanbeijerland.nl/activex/AMC.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: jkkIBTLe - jkkIBTLe.dll
AppInit_DLLs: c:\progra~1\thunmail\testabd.dll c:\windows\system32\higibege.dll c:\windows\system32\gukowema.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\gukowema.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\gukowema.dll
STS: c:\windows\system32\jksahfo93wjfkd.dll: {b2ba40a2-74f0-42bd-f434-12345a2c8953} - c:\windows\system32\jksahfo93wjfkd.dll
SEH: {D6163CD3-DC2A-48A1-A145-02C04FCD1249} - No File
LSA: Authentication Packages = msv1_0 c:\windows\system32\ljJAPJDv
LSA: Notification Packages = scecli c:\windows\system32\higibege.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\wayne\applic~1\mozilla\firefox\profiles\0b2tj0xy.default\
FF - prefs.js: browser.search.selectedEngine - F365
FF - component: c:\documents and settings\wayne\application data\idm\idmmzcc2\components\idmmzcc.dll

============= SERVICES / DRIVERS ===============

R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2007-10-31 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2007-10-31 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2007-10-31 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2007-10-31 10760]
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2008-3-19 607576]
R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2007-10-31 439296]
R2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2007-10-31 70144]
R2 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avg7\avgemc.exe [2007-10-31 427008]
R2 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2007-10-31 4960]
R2 BCMWLNPF;Broadcom Netgroup Packet Filter;c:\windows\system32\drivers\BCMWLNPF.SYS [2006-11-29 33664]
R2 dhcpsrv;Dhcp server;c:\windows\dhcp\svchost.exe [2009-4-21 255488]
R2 hnmwrlspkt;HomeNet Manager Wireless Protocol;c:\windows\system32\drivers\hnm_wrls_pkt.sys [2006-1-12 13696]
R2 msncache;msncache;c:\windows\system32\svchost.exe -k NetworkService [2004-8-10 34816]
R2 sopidkc;sopidkc Service;c:\windows\system32\sopidkc.exe [2004-8-4 194560]
R2 tdctxte;tdctxte Service;c:\windows\system32\tdctxte.exe [2004-8-4 194560]
R2 wsppkt;Wireless Security Protocol;c:\windows\system32\drivers\wsp_pkt.sys [2006-1-12 13568]
S0 avcrjg;avcrjg;c:\windows\system32\drivers\ylgeusa.sys --> c:\windows\system32\drivers\ylgeusa.sys [?]
S1 a0860f24;a0860f24;c:\windows\system32\drivers\a0860f24.sys [2009-4-21 0]
S3 CAM1690;USB 2.0 Compliance JPEG Video Camera;c:\windows\system32\drivers\cam1690.sys [2008-4-10 177280]
S3 mamotou;mamotou;c:\windows\system32\drivers\mamotou.sys [2007-4-19 49399]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys --> c:\windows\system32\drivers\motccgp.sys [?]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-1-22 7680]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys --> c:\windows\system32\drivers\motodrv.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-1-25 42000]

=============== Created Last 30 ================

2009-04-24 20:41 0 a------- c:\windows\system32\C.tmp
2009-04-24 20:41 84 a------- c:\windows\system32\B.tmp
2009-04-24 20:41 15,000 a------- c:\windows\system32\jksahfo93wjfkd.dll
2009-04-24 19:24 132,096 -------- c:\windows\system32\VT100.EXE
2009-04-24 12:46 1,400,156 ---sh--- c:\windows\system32\ozatazut.ini
2009-04-24 01:20 155 a------- c:\windows\system32\SelfDel.bat
2009-04-24 01:19 108,032 a------- c:\windows\system32\ftp_non_crp.exe
2009-04-24 00:48 65,536 a------- c:\windows\system32\ak1.exe
2009-04-24 00:35 1,400,118 ---sh--- c:\windows\system32\agoyafin.ini
2009-04-23 08:30 <DIR> --d----- c:\program files\KoiCompanion
2009-04-23 01:34 1,399,373 ---sh--- c:\windows\system32\agonived.ini
2009-04-22 13:33 2,713 ---sh--- c:\windows\system32\nureyige.exe
2009-04-21 19:36 2,713 ---sh--- c:\windows\system32\vinomisu.dll
2009-04-21 19:36 2,713 ---sh--- c:\windows\system32\fuweyofa.dll
2009-04-21 19:30 232,960 a------- c:\windows\system32\w.exe
2009-04-21 19:30 36,864 a------- c:\windows\system32\dpcxool64.sys
2009-04-21 19:30 <DIR> --d----- c:\windows\system32\3361
2009-04-21 19:29 108,336 a------- c:\windows\system32\MSWINSCK.OCX
2009-04-21 19:29 <DIR> --d----- c:\windows\dhcp
2009-04-21 19:29 <DIR> --dshr-- c:\program files\ThunMail
2009-04-21 19:28 182,656 a------- c:\windows\system32\dllcache\ndis.sys
2009-04-21 19:28 0 a------- c:\windows\system32\drivers\a0860f24.sys
2009-04-21 19:28 <DIR> --d----- c:\docume~1\wayne\applic~1\pidle
2009-04-21 19:27 2 a------- C:\-1872875375
2009-04-21 19:27 114,752 a------- c:\windows\system32\prunnet.exe
2009-04-21 19:10 943,213 a------- c:\windows\system32\rn.tmp
2009-04-12 07:41 <DIR> --d----- C:\FLAV

==================== Find3M ====================

2009-04-25 00:14 98,304 a------- c:\windows\DUMP9d78.tmp
2009-04-24 23:36 2,189,184 ----h--- c:\windows\system32\ntoskrnl.exe
2009-04-24 12:46 88,576 a--sh--- c:\windows\system32\gukowema.dll
2009-04-24 12:46 80,896 a--sh--- c:\windows\system32\tuzatazo.dll
2009-04-24 12:46 75,264 a--sh--- c:\windows\system32\jemitawa.exe
2009-04-24 00:34 74,752 a--sh--- c:\windows\system32\badarizo.exe
2009-04-24 00:34 87,040 a--sh--- c:\windows\system32\tawagifi.dll
2009-04-24 00:32 98,304 a------- c:\windows\DUMPa807.tmp
2009-04-23 01:34 49,152 a--sh--- c:\windows\system32\vadalulu.dll
2009-04-23 01:34 74,752 a--sh--- c:\windows\system32\seretisa.exe
2009-04-23 01:34 88,064 a--sh--- c:\windows\system32\kajekipa.dll
2009-04-22 20:53 98,304 a------- c:\windows\DUMPa095.tmp
2009-04-22 20:51 98,304 a------- c:\windows\DUMPa028.tmp
2009-04-22 20:49 98,304 a------- c:\windows\DUMP9f6c.tmp
2009-04-22 15:49 98,304 a------- c:\windows\DUMPc071.tmp
2009-04-22 05:40 98,304 a------- c:\windows\DUMP8675.tmp
2009-04-21 19:28 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-04-21 19:27 34,816 a------- c:\windows\system32\svchost.exe
2009-03-07 06:50 218,940 a------- c:\windows\pchealth\helpctr\config\cache\Personal_32_1033.dat
2009-02-06 19:52 49,504 a------- c:\windows\system32\sirenacm.dll
2009-02-01 22:30 324 a------- c:\docume~1\wayne\applic~1\wklnhst.dat
2009-01-25 22:10 179,200 a------- c:\windows\system32\xvidvfw.dll
2007-08-08 18:35 87,608 a------- c:\docume~1\wayne\applic~1\inst.exe
2007-08-08 18:35 47,360 a------- c:\docume~1\wayne\applic~1\pcouffin.sys
2007-04-05 22:54 87,608 a------- c:\docume~1\wayne\applic~1\ezpinst.exe
2007-12-18 14:35 168 ---shr-- c:\windows\system32\92FA225111.sys
2009-01-23 01:34 49,152 a--sh--- c:\windows\system32\bayunivu.dll
2009-01-23 01:34 49,152 a--sh--- c:\windows\system32\buvatolo.dll
2009-01-23 01:34 49,152 a--sh--- c:\windows\system32\higibege.dll
2007-12-18 14:38 5,642 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-06-14 15:26 192,066 a--sh--- c:\windows\system32\vDJPAJjl.ini2
2008-09-09 09:11 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090920080910\index.dat

============= FINISH: 0:42:01.48 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:28 PM

Posted 28 April 2009 - 07:24 PM

Hello grapplingpunk

I knew from getting rid of the virtuomonde one that you have to disable system restore before deleting them from the start up so they don't reappear on the next boot but can't remember the exact process so don't want to mess it up any further so need another walkthrough as i'm not very good with this stuff.


No, that is not correct.
Do NOT start your fix by disabling System Restore.
This rule applies to any manual fixes and is especially true for spyware removal. That is because disabling System Restore wipes out all restore points.
Should a problem arise during the fix you would have NO good working configuration to go back to get the computer up and running.
Even if you have to start over removing infections, this is preferable to a dead PC thanks to having System Restore turned off.
Clean the restore folder and set a new point AFTER the PC is clean and all programs are working properly.

Go turn your system restore point on.

********************

Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

********************


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 13.
  • Click the "Download" button to the right.
  • At the Select Platform and Language for your download drop down box
    Select Windows and Mult-Language
  • Check the box that says: "Accept License Agreement" then press Continue ( Selecting Windows will give you the 32 bit version. )
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6u13-windows-i586-p.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java™ SE Runtime Environment 6 Update 1
    Java 2 Runtime Environment, SE v1.4.2
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 6
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
********************

I see that you are running msconfig in /auto mode which means that you may have selectively removed some items in the past from the startup procedure.

This can be bad if they are malware, so we would like you to reenable those startup entries by doing the following:

Please click on start, then run, and type msconfig and then press enter. When the window opens click on the startup tab and make sure there are checkmarks in every entry. Then press ok until you are out of the program.
If it asks to reboot, do not reboot. It is not necessary to reboot to get the items to show up in HijackThis.

Now please create a new Hijackthis Log and post it as a reply.

Edited by SifuMike, 28 April 2009 - 07:26 PM.
spelling

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 grapplingpunk

grapplingpunk
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:02:28 AM

Posted 01 May 2009 - 06:24 AM

Hi Mike, thanks for the reply. Sorry for the delay in getting back to you as i haven't been able to get online till today. Also bear with me as i'm out of town over the weekend so i'll message you when i return so please don't think i've bailed out on you as i appreciate all the help thus far.

Anyway here's the results from the checkup.txt file...

Results of screen317's Security Check version 0.98.3
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
``````````````````````````````

Windows Firewall Disabled!
AVG7.5
``````````````````````````````
Anti-malware/Other Utilities Check:
``````````````````````````````

Ad-Aware
SpywareBlaster v3.5.1
Spybot - Search & Destroy
Malwarebytes' Anti-Malware
CCleaner (remove only)
Java™ SE Runtime Environment 6 Update 1
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````

Ad-Aware AAWService.exe
Ad-Aware AAWTray.exe is disabled!
AVG avgemc.exe
Spybot SDHelper is disabled!
``````````````````````````````
DNS Vulnerability Check:
``````````````````````````````

GREAT! (Very random)

Scan took 120 seconds.
`````````End of Log```````````

I uninstalled the old version of Java and downloaded the newer version but it wouldn't install i got the following message...

Posted Image

I've ticked all the boxes on the startup tab though i'm sure some of them are malware which is why i unticked them previously.

Here's the new DDS/HJT log as requested....


DDS (Ver_09-03-16.01) - NTFSx86
Run by Wayne at 12:17:12.42 on 01/05/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.35 [GMT 1:00]

AV: AVG 7.5.523 *On-access scanning enabled* (Outdated)
FW: *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\dhcp\svchost.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\sopidkc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\tdctxte.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\3361\SVCHOST.exe -sysrun
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Documents and Settings\Wayne\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\DOCUME~1\Wayne\LOCALS~1\Temp\85451466.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
svchost.exe C:\WINDOWS\TEMP\VRT11.tmp
C:\PROGRA~1\COMMON~1\MICROS~1\Msinfo\OFFPROV.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\tpszxyd.sys
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Wayne\My Documents\Downloads\dds.scr
C:\WINDOWS\system32\dncyool64.sys
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.canpharmacynetwork.com/?aff=4303
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
mSearchAssistant = hxxp://www.google.com
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\twext.exe,
BHO: {02af8cd4-6753-4ae4-9f26-751dcbd24434} - c:\windows\system32\bayunivu.dll
BHO: c:\windows\system32\jksahfo93wjfkd.dll: {b2ba40a2-74f0-42bd-f434-12345a2c8953} - c:\windows\system32\jksahfo93wjfkd.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\wayne\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Diagnostic Manager] c:\docume~1\wayne\locals~1\temp\85451466.exe
uRun: [autochk] rundll32.exe c:\docume~1\networ~1\protect.dll,_IWMPEvents@16
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [VT100 Emulator]
mRun: [waiting1690] c:\windows\stid1690.exe
mRun: [wamewenafi] Rundll32.exe "c:\windows\system32\buvatolo.dll",s
mRun: [svchost.exe] "c:\windows\system32\3361\SVCHOST.exe"
mRun: [autochk] rundll32.exe c:\windows\system32\autochk.dll,_IWMPEvents@16
mRun: [905e303e] rundll32.exe "c:\windows\system32\sojerire.dll",b
mRun: [CPM936d03a2] Rundll32.exe "c:\windows\system32\felazako.dll",a
mRunOnce: [svchost.exe] "c:\windows\system32\3361\SVCHOST.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
dRun: [svc] c:\program files\thunmail\testabd.exe
dRun: [Diagnostic Manager] c:\windows\temp\984716998.exe
dRun: [A00F1E1FE.exe] c:\windows\temp\_A00F1E1FE.exe
dRun: [autochk] rundll32.exe c:\docume~1\locals~1\protect.dll,_IWMPEvents@16
StartupFolder: c:\documents and settings\wayne\start menu\programs\startup\ChkDisk.dll
StartupFolder: c:\docume~1\wayne\startm~1\programs\startup\chkdisk.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\docume~1\wayne\startm~1\programs\startup\imvu.lnk - c:\program files\imvu\IMVUClient.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw_promo.cab
DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} - hxxp://cameras.homeentertainmentinc.com:81/IPV6CAM.CAB
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {2BE6A92D-D51C-4659-B372-BB18C99BC439} - hxxp://www.ppmate.com/search/downcab.jsp
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - hxxp://smokeybunny.com/activex/AMC.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} - hxxp://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://cafecam.heerenvanbeijerland.nl/activex/AMC.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: jkkIBTLe - jkkIBTLe.dll
Notify: rksocket - rksocket.dll
Notify: __c00D4AE2 - c:\windows\system32\__c00D4AE2.dat
AppInit_DLLs: c:\progra~1\thunmail\testabd.dll c:\windows\system32\higibege.dll c:\windows\system32\felazako.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\felazako.dll
STS: c:\windows\system32\jksahfo93wjfkd.dll: {b2ba40a2-74f0-42bd-f434-12345a2c8953} - c:\windows\system32\jksahfo93wjfkd.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\felazako.dll
SEH: {D6163CD3-DC2A-48A1-A145-02C04FCD1249} - No File
LSA: Authentication Packages = msv1_0 c:\windows\system32\ljJAPJDv
LSA: Notification Packages = scecli c:\windows\system32\higibege.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\wayne\applic~1\mozilla\firefox\profiles\0b2tj0xy.default\
FF - prefs.js: browser.search.selectedEngine - F365
FF - component: c:\documents and settings\wayne\application data\idm\idmmzcc2\components\idmmzcc.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-05-01 11:35 59,904 a------- c:\windows\system32\15.tmp
2009-05-01 11:35 40 a------- c:\windows\system32\12.tmp
2009-05-01 11:34 22,538 a------- c:\windows\system32\lmppcsetup.exe
2009-05-01 10:37 <DIR> --dsh--- c:\windows\system32\twain_32
2009-05-01 10:36 59,904 a------- c:\windows\system32\14.tmp
2009-05-01 10:36 40 a------- c:\windows\system32\13.tmp
2009-04-29 08:58 121 ---sh--- c:\windows\system32\erirejos.ini
2009-04-28 00:34 8,544 a------- c:\windows\system32\drivers\wanatw4.sys
2009-04-28 00:34 8,544 a------- c:\windows\system32\drivers\motodrv.sys
2009-04-28 00:34 8,544 a------- c:\windows\system32\drivers\motccgp.sys
2009-04-28 00:34 8,544 a------- c:\windows\system32\drivers\CoachUsb.sys
2009-04-28 00:28 125,440 a------- c:\windows\system32\ntdll64.exe
2009-04-28 00:22 29,696 a------- c:\windows\system32\loader49.exe
2009-04-27 22:54 55 a------- c:\windows\system32\ahtn.htm
2009-04-27 22:54 4,785 a------- c:\windows\system32\warning.gif
2009-04-27 22:54 475 a------- c:\windows\system32\win32hlp.cnf
2009-04-27 22:54 125,440 a------- c:\windows\system32\dllcache\userinit.exe
2009-04-27 22:54 1 a------- c:\windows\system32\uniq.tll
2009-04-27 22:53 50,176 a------- c:\windows\system32\frmwrk32.exe
2009-04-27 20:33 24,064 ---sh--- c:\documents and settings\wayne\protect.dll
2009-04-27 20:32 24,064 a--sh--- c:\windows\system32\autochk.dll
2009-04-27 20:17 8,544 a------- c:\windows\system32\drivers\ylgeusa.sys
2009-04-27 19:51 81,700 a------- c:\windows\system32\hrpdcf.bin
2009-04-27 19:51 172 a------- c:\windows\system32\k86.bin
2009-04-27 19:51 123,392 a------- c:\windows\system32\uk_serv.exe
2009-04-27 19:36 27,648 a------- c:\windows\system32\__c00D4AE2.dat
2009-04-27 19:36 39,936 a------- c:\windows\system32\winglsetup.exe
2009-04-27 19:16 1,418,166 ---sh--- c:\windows\system32\oluwijew.ini
2009-04-27 01:42 121 ---sh--- c:\windows\system32\agodozap.ini
2009-04-25 09:55 231,424 a------- c:\windows\system32\tpsaxyd.exe
2009-04-25 00:45 1,400,156 ---sh--- c:\windows\system32\ekibotof.ini
2009-04-24 20:41 0 a------- c:\windows\system32\C.tmp
2009-04-24 20:41 84 a------- c:\windows\system32\B.tmp
2009-04-24 20:41 15,000 a------- c:\windows\system32\jksahfo93wjfkd.dll
2009-04-24 19:24 132,096 -------- c:\windows\system32\VT100.EXE
2009-04-24 12:46 1,400,436 ---sh--- c:\windows\system32\ozatazut.ini
2009-04-24 01:20 155 a------- c:\windows\system32\SelfDel.bat
2009-04-24 01:19 108,032 a------- c:\windows\system32\ftp_non_crp.exe
2009-04-24 00:48 65,536 a------- c:\windows\system32\ak1.exe
2009-04-24 00:35 1,400,118 ---sh--- c:\windows\system32\agoyafin.ini
2009-04-23 08:30 <DIR> --d----- c:\program files\KoiCompanion
2009-04-23 01:34 1,399,373 ---sh--- c:\windows\system32\agonived.ini
2009-04-22 13:33 2,713 ---sh--- c:\windows\system32\nureyige.exe
2009-04-21 19:36 2,713 ---sh--- c:\windows\system32\vinomisu.dll
2009-04-21 19:36 2,713 ---sh--- c:\windows\system32\fuweyofa.dll
2009-04-21 19:30 232,960 a------- c:\windows\system32\w.exe
2009-04-21 19:30 36,864 a------- c:\windows\system32\dpcxool64.sys
2009-04-21 19:30 <DIR> --d----- c:\windows\system32\3361
2009-04-21 19:29 108,336 a------- c:\windows\system32\MSWINSCK.OCX
2009-04-21 19:29 <DIR> --d----- c:\windows\dhcp
2009-04-21 19:29 <DIR> --dshr-- c:\program files\ThunMail
2009-04-21 19:28 182,656 a------- c:\windows\system32\dllcache\ndis.sys
2009-04-21 19:28 0 a------- c:\windows\system32\drivers\a0860f24.sys
2009-04-21 19:28 <DIR> --d----- c:\docume~1\wayne\applic~1\pidle
2009-04-21 19:27 2 a------- C:\-1872875375
2009-04-21 19:27 114,752 a------- c:\windows\system32\prunnet.exe
2009-04-21 19:10 943,213 a------- c:\windows\system32\rn.tmp
2009-04-12 07:41 <DIR> --d----- C:\FLAV

==================== Find3M ====================

2009-05-01 11:21 90,112 a------- c:\windows\DUMP6d40.tmp
2009-04-29 09:10 90,112 a------- c:\windows\DUMP7109.tmp
2009-04-29 08:56 87,040 a--sh--- c:\windows\system32\felazako.dll
2009-04-29 08:56 79,872 a--sh--- c:\windows\system32\sojerire.dll
2009-04-29 08:56 75,776 a--sh--- c:\windows\system32\wosarako.exe
2009-04-28 05:18 2,189,184 ----h--- c:\windows\system32\ntoskrnl.exe
2009-04-27 20:16 98,304 a------- c:\windows\DUMP9589.tmp
2009-04-27 19:51 24,307 a------- c:\windows\system32\rksocket.dll
2009-04-27 19:51 8,544 a------- c:\windows\system32\rkskt.sys
2009-04-27 19:51 8,544 a------- c:\windows\system32\drivers\sptd.sys
2009-04-27 19:25 98,304 a------- c:\windows\DUMP972f.tmp
2009-04-27 19:15 88,576 a--sh--- c:\windows\system32\sejuvoma.dll
2009-04-27 19:15 79,360 a--sh--- c:\windows\system32\wejiwulo.dll
2009-04-27 19:15 74,240 a--sh--- c:\windows\system32\loyayono.exe
2009-04-27 00:23 75,776 a--sh--- c:\windows\system32\vokuharo.exe
2009-04-27 00:23 87,552 a--sh--- c:\windows\system32\zumupobi.dll
2009-04-27 00:23 79,872 a--sh--- c:\windows\system32\pazodoga.dll
2009-04-26 12:24 87,552 a--sh--- c:\windows\system32\jodunufe.dll
2009-04-26 12:24 79,872 a--sh--- c:\windows\system32\reveneko.dll
2009-04-26 12:24 75,264 a--sh--- c:\windows\system32\kusavapu.exe
2009-04-25 00:45 80,896 a--sh--- c:\windows\system32\fotobike.dll
2009-04-25 00:45 87,552 a--sh--- c:\windows\system32\kusawezu.dll
2009-04-25 00:45 52,224 a--sh--- c:\windows\system32\vujayoda.exe
2009-04-25 00:14 98,304 a------- c:\windows\DUMP9d78.tmp
2009-04-24 12:46 88,576 a--sh--- c:\windows\system32\gukowema.dll
2009-04-24 12:46 80,896 -------- c:\windows\system32\tuzatazo.dll
2009-04-24 12:46 75,264 a--sh--- c:\windows\system32\jemitawa.exe
2009-04-24 00:34 74,752 a--sh--- c:\windows\system32\badarizo.exe
2009-04-24 00:34 87,040 a--sh--- c:\windows\system32\tawagifi.dll
2009-04-24 00:32 98,304 a------- c:\windows\DUMPa807.tmp
2009-04-23 01:34 49,152 a--sh--- c:\windows\system32\vadalulu.dll
2009-04-23 01:34 74,752 a--sh--- c:\windows\system32\seretisa.exe
2009-04-23 01:34 88,064 a--sh--- c:\windows\system32\kajekipa.dll
2009-04-22 20:53 98,304 a------- c:\windows\DUMPa095.tmp
2009-04-22 20:51 98,304 a------- c:\windows\DUMPa028.tmp
2009-04-22 20:49 98,304 a------- c:\windows\DUMP9f6c.tmp
2009-04-22 15:49 98,304 a------- c:\windows\DUMPc071.tmp
2009-04-22 05:40 98,304 a------- c:\windows\DUMP8675.tmp
2009-04-21 19:28 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-04-21 19:27 34,816 a------- c:\windows\system32\svchost.exe
2009-03-07 06:50 218,940 a------- c:\windows\pchealth\helpctr\config\cache\Personal_32_1033.dat
2009-02-06 19:52 49,504 a------- c:\windows\system32\sirenacm.dll
2009-02-01 22:30 324 -------- c:\docume~1\wayne\applic~1\wklnhst.dat
2007-08-08 18:35 87,608 -------- c:\docume~1\wayne\applic~1\inst.exe
2007-08-08 18:35 47,360 -------- c:\docume~1\wayne\applic~1\pcouffin.sys
2007-04-05 22:54 87,608 -------- c:\docume~1\wayne\applic~1\ezpinst.exe
2007-12-18 14:35 168 ---shr-- c:\windows\system32\92FA225111.sys
2009-01-23 01:34 49,152 a--sh--- c:\windows\system32\bayunivu.dll
2009-01-23 01:34 49,152 a--sh--- c:\windows\system32\buvatolo.dll
2009-01-23 01:34 49,152 a--sh--- c:\windows\system32\higibege.dll
2007-12-18 14:38 5,642 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-06-14 15:26 192,066 a--sh--- c:\windows\system32\vDJPAJjl.ini2
2008-09-09 09:11 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090920080910\index.dat

============= FINISH: 12:20:47.20 ===============

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:28 PM

Posted 01 May 2009 - 09:26 AM

Hi grapplingpunk,

I uninstalled the old version of Java and downloaded the newer version but it wouldn't install i got the following message...


That because the Java download was interrupted and corrupted. Try downloading it again and install it.

**********

AV: AVG 7.5.523 *On-access scanning enabled* (Outdated)


Your AVG version is old.
Upgrading to AVG 8.5 is free and it contains the Anti-Spyware engine which is not present in the 7.5 version (unless you have the anti-malware or internet security suite in which case having the Ewido suite is redundant).
  • Download the latest version from AVG'S Website
  • Go to Start > Control Panel double-click on Add/Remove programs and remove the your old AVG
  • Run the installation file downloaded before and proceed with the installation. At one point it will warn you that to install AVG 8.5 it will remove previous versions, accept and go forward with the installation.
After AVG 7 is uninstalled and AVG 8.5 installed, update it and do a complete scan

**********


We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your AVG Antivirus and Spybot Teatimer before running ComboFix, as they will prevent it from running.

To disable AVG antivirus:
Please open the AVG Control Center program -> double-click on the "AVG Resident Shield" component (looks like this: Posted Image) -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting.
When you need to enable the AVG Resident Shield, ( I€™ll let you know when) just open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> select the "Turn on AVG Resident Shield" checkmark and save the setting.

To disable Spybot's Teatimer:
Run Spybot-S&D
Go to the Mode menu, and make sure "Advanced Mode" is selected
On the left hand side, choose Tools -> Resident
Uncheck "Resident TeaTimer" and OK any prompts


Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop..
Post the log from ComboFix in your next reply,


A caution -
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Edited by SifuMike, 01 May 2009 - 09:38 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:28 PM

Posted 22 May 2009 - 05:48 PM

This thread will now be closed due to lack of feedback.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users