

Infected PC, Assistance is greatly appreciated


  • This topic is locked
6 replies to this topic

#1 GrimGrinningGhost

GrimGrinningGhost

  • Members
  • 3 posts

Posted 28 April 2009 - 02:31 PM

I am attempting to help a friend clean his PC; however, I am having problems. I am unable to perform any updates for Malwarebytes and I am unable to run any online scans such as Kaspersky WebScanner. Following are the DDS logs:


DDS (Ver_09-03-16.01) - NTFSx86
Run by bkeeth at 15:18:01.65 on Tue 04/28/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.356 [GMT -4:00]

AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Updated)
FW: PC-cillin Internet Security - Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\dhcp\svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
C:\WINDOWS\system32\svchost.exe -k HPService
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\TEMP\rtv_winupd.exe
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\TEMP\ql8xqo.exe
C:\WINDOWS\TEMP\ql8xqo.exe
C:\WINDOWS\TEMP\3992500616.exe
C:\WINDOWS\TEMP\Google Toolbar\gtbAA.tmp.exe
C:\WINDOWS\system32\3361\SVCHOST.exe -sysrun
C:\Documents and Settings\Bill Keeth\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
uWindow Title = Windows Internet Explorer provided by Yahoo!
mDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: c:\windows\system32\yhs783ijfo3fe.dll: {b2ba40a2-74f0-42bd-f434-12345a2c8953} - c:\windows\system32\yhs783ijfo3fe.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [OE_OEM] "c:\program files\trend micro\internet security 14\tmas_oe\TMAS_OEMon.exe"
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [reader_s] c:\documents and settings\bill keeth\reader_s.exe
uRun: [Diagnostic Manager] c:\docume~1\billke~1\locals~1\temp\3941094366.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [PMX Daemon] ICO.EXE
mRun: [pccguide.exe] "c:\program files\trend micro\internet security 14\pccguide.exe"
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Radio-TV adverts] c:\windows\temp\rtv_winupd.exe
mRun: [svchost.exe] "c:\windows\system32\3361\SVCHOST.exe"
mRunOnce: [svchost.exe] "c:\windows\system32\3361\SVCHOST.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [svc] c:\program files\thunmail\testabd.exe
dRun: [<NO NAME>] c:\windows\temp\ql8xqo.exe
dRun: [Windows Resurections] c:\windows\temp\ql8xqo.exe
dRun: [Diagnostic Manager] c:\windows\temp\315847274.exe
dRun: [VRT24] c:\windows\temp\VRT24.exe
dRun: [A00F29B0F9.exe] c:\windows\temp\_A00F29B0F9.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ymetray.lnk - c:\program files\yahoo!\yahoo! music jukebox\ymetray.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6e32070a-766d-4ee6-879c-dc1fa91d2fc3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1240719576977
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://zone.msn.com/bingame/chnz/default/mjolauncher.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} - hxxp://www.worldwinner.com/games/v57/wof/wof.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} - hxxp://zone.msn.com/bingame/hsol/default/SCEWebLauncher.cab
Notify: __c00f31b1 - c:\windows\system32\__c00F31B1.dat
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll c:\progra~1\thunmail\testabd.dll ,
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\yhs783ijfo3fe.dll: {b2ba40a2-74f0-42bd-f434-12345a2c8953} - c:\windows\system32\yhs783ijfo3fe.dll

============= SERVICES / DRIVERS ===============

R2 dhcpsrv;Dhcp server;c:\windows\dhcp\svchost.exe [2009-4-18 256512]
R2 ias;Ias;c:\windows\system32\svchost.exe -k netsvcs [2005-8-16 14336]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 119808]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2006-9-25 36368]
R2 yahooauservice;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2006-9-25 280392]
S1 62672521;62672521;c:\windows\system32\drivers\62672521.sys [2009-4-21 0]
S1 f2c296a8;f2c296a8;c:\windows\system32\drivers\f2c296a8.sys [2009-4-18 0]
S2 msncache;msncache;c:\windows\system32\svchost.exe -k NetworkService [2005-8-16 14336]
S2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2006-9-25 345696]
S2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2006-9-25 923216]
S2 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2006-9-25 566872]
S3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [2007-1-23 18432]
S3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [2007-1-23 14336]

=============== Created Last 30 ================

2009-04-28 15:09 46 a------- c:\windows\system32\p2hhr.bat
2009-04-28 15:09 15,000 a------- c:\windows\system32\yhs783ijfo3fe.dll
2009-04-28 14:54 27,648 a------- c:\windows\system32\__c00F31B1.dat
2009-04-28 14:54 39,936 a------- c:\windows\system32\winglsetup.exe
2009-04-28 14:39 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-28 14:39 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-28 14:39 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-27 22:08 0 a------- c:\windows\system32\D.tmp
2009-04-25 22:51 0 a------- c:\windows\system32\A6.tmp
2009-04-24 23:14 132,608 -------- c:\windows\system32\VT100.EXE
2009-04-24 20:31 <DIR> --d----- c:\windows\35C03C043F1F42C2A989A757EE691F65.TMP
2009-04-24 20:07 <DIR> --d----- c:\docume~1\billke~1\applic~1\Malwarebytes
2009-04-24 20:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-22 22:22 664 a------- c:\windows\system32\d3d9caps.dat
2009-04-22 22:12 0 a------- c:\windows\system32\65.tmp
2009-04-21 23:16 <DIR> --d----- C:\ProgramData
2009-04-21 23:16 <DIR> --d----- c:\program files\Angle Interactive
2009-04-21 23:08 81,920 a------- c:\windows\system32\ieencode.dll
2009-04-21 23:08 <DIR> --d-h--- c:\windows\msdownld.tmp
2009-04-21 22:43 0 a------- C:\34.tmp
2009-04-21 22:43 0 a------- C:\A.tmp
2009-04-21 22:43 0 a------- C:\9.tmp
2009-04-21 22:43 0 a------- C:\8.tmp
2009-04-21 22:43 0 a------- C:\7.tmp
2009-04-21 22:43 0 a------- C:\6.tmp
2009-04-21 18:22 <DIR> --d----- c:\program files\LanqiEngine
2009-04-21 18:22 3 a------- c:\windows\system32\bversion.dll
2009-04-21 18:22 735,232 a------- c:\windows\system32\AdvOcr.dll
2009-04-21 18:22 94,208 a------- c:\windows\system32\TRSOCR.dll
2009-04-21 18:22 1,308 a------- c:\windows\system32\TRSOCR.ini
2009-04-21 18:22 1,308 a------- c:\windows\system32\TRSOCR.dat
2009-04-21 18:03 0 a------- c:\windows\system32\drivers\62672521.sys
2009-04-21 18:03 108,544 a------- C:\wxsdug.exe
2009-04-21 18:03 578,560 a------- c:\windows\system32\uapimwh
2009-04-21 18:03 15,000 a------- c:\windows\system32\hf873uwndf.dll
2009-04-21 18:02 0 a------- C:\2D.tmp
2009-04-21 18:02 0 a------- C:\2C.tmp
2009-04-21 18:02 0 a------- C:\2B.tmp
2009-04-21 18:02 0 a------- C:\2A.tmp
2009-04-21 18:02 0 a------- C:\29.tmp
2009-04-21 18:02 0 a------- C:\28.tmp
2009-04-21 18:01 38 a------- C:\27.tmp
2009-04-21 18:01 0 a------- C:\26.tmp
2009-04-21 18:01 0 a------- C:\25.tmp
2009-04-21 18:01 38 a------- C:\24.tmp
2009-04-21 18:01 52,736 a------- C:\23.tmp
2009-04-21 18:01 21,504 a------- C:\1D.tmp
2009-04-21 17:56 38 a------- C:\22.tmp
2009-04-21 17:56 0 a------- C:\21.tmp
2009-04-21 17:56 0 a------- C:\20.tmp
2009-04-21 17:56 0 a------- C:\1F.tmp
2009-04-21 17:56 0 a------- C:\1E.tmp
2009-04-21 17:56 0 a------- C:\1C.tmp
2009-04-21 17:56 0 a------- C:\1B.tmp
2009-04-21 17:56 0 a------- C:\1A.tmp
2009-04-21 17:56 0 a------- C:\19.tmp
2009-04-21 17:56 38 a------- C:\18.tmp
2009-04-21 17:56 52,736 a------- C:\17.tmp
2009-04-21 17:56 21,504 a------- C:\16.tmp
2009-04-18 16:03 565,248 a------- c:\windows\system32\IPHACTION.dll
2009-04-18 15:56 38 a------- C:\15.tmp
2009-04-18 15:56 0 a------- C:\14.tmp
2009-04-18 15:56 0 a------- C:\13.tmp
2009-04-18 15:56 0 a------- C:\12.tmp
2009-04-18 15:56 0 a------- C:\11.tmp
2009-04-18 15:56 0 a------- C:\F.tmp
2009-04-18 15:56 0 a------- C:\10.tmp
2009-04-18 15:56 0 a------- C:\E.tmp
2009-04-18 15:56 0 a------- C:\D.tmp
2009-04-18 15:56 38 a------- C:\C.tmp
2009-04-18 15:56 52,736 a------- C:\B.tmp
2009-04-18 15:55 155 a------- c:\windows\system32\SelfDel.bat
2009-04-18 15:46 0 a------- c:\windows\system32\drivers\f2c296a8.sys
2009-04-18 15:40 21,504 a------- c:\windows\system32\ak1.exe
2009-04-18 15:37 0 a------- c:\windows\system32\IpSvchostF.dll
2009-04-18 15:36 61,440 a------- c:\windows\system32\tcpd.exe
2009-04-18 15:36 989,696 a------- c:\windows\system32\kernel32_check.dll
2009-04-18 15:36 172,032 a------- c:\windows\system32\tcpcon.dll
2009-04-18 15:36 10,240 a------- c:\windows\system32\Packer.dll
2009-04-18 15:36 9 a------- c:\windows\system32\iphy.dll
2009-04-18 15:36 3 a------- c:\windows\system32\fhpatch.dll
2009-04-18 15:36 25 a------- c:\windows\system32\tcpd.dll
2009-04-18 15:36 0 a------- c:\windows\system32\fiplock.dll
2009-04-18 15:34 0 a------- c:\windows\mqcd.dbt
2009-04-18 15:34 <DIR> --d----- c:\windows\system32\3361
2009-04-18 15:34 108,336 a------- c:\windows\system32\MSWINSCK.OCX
2009-04-18 15:34 <DIR> --d----- c:\windows\dhcp
2009-04-18 15:34 <DIR> --dshr-- c:\program files\ThunMail
2009-04-18 15:34 102,766 a------- c:\windows\system32\drivers\193d2dfb.sys
2009-04-18 15:33 43,520 a------- C:\ptrf.exe
2009-04-18 15:33 28,672 a------- c:\windows\system32\inqby.sr
2009-04-18 15:33 32,768 a------- c:\windows\system32\ferryl.cbv
2009-04-18 15:33 32,768 a------- c:\windows\system32\fairy.an
2009-04-18 15:33 28,672 a------- c:\windows\system32\dolman.zt
2009-04-18 15:33 79,360 a------- c:\windows\system32\ashl.nq
2009-04-18 15:33 578,560 a------- c:\windows\system32\dllcache\user32.dll
2009-04-18 15:33 262,144 a------- c:\windows\system32\nvrsk.dll
2009-04-18 15:33 2 a------- C:\-2066135241
2009-04-18 15:33 30,720 a------- C:\cpjopaid.exe
2009-04-18 15:33 290,304 a------- C:\wcfgayg.exe
2009-04-18 15:33 69,632 a------- C:\tqpxlyy.exe
2009-04-17 22:05 1,420,036 ---sh--- c:\windows\system32\eruzemur.ini
2009-04-17 10:05 1,419,766 ---sh--- c:\windows\system32\aratemog.ini
2009-04-12 20:58 1,419,766 ---sh--- c:\windows\system32\ajilemud.ini
2009-04-09 20:18 <DIR> --d----- c:\program files\iPod
2009-04-09 20:18 <DIR> --d----- c:\program files\iTunes
2009-04-09 20:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

==================== Find3M ====================

2009-04-25 20:36 90,112 a------- c:\windows\DUMP6c08.tmp
2009-04-25 20:13 90,112 a------- c:\windows\DUMP6adf.tmp
2009-04-24 23:15 2,145,280 ----h--- c:\windows\system32\ntoskrnl.exe
2009-04-23 21:46 82,944 a--sh--- c:\windows\system32\jivazona.exe
2009-04-22 21:00 83,456 a--sh--- c:\windows\system32\labedubo.exe
2009-04-21 18:03 107,520 a--sh--- c:\windows\system32\pujadoli.dll
2009-04-21 18:03 84,480 a--sh--- c:\windows\system32\zukuyepu.exe
2009-04-18 15:55 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-04-18 15:33 578,560 a------- c:\windows\system32\user32.DLL
2009-04-18 15:33 108,032 a--sh--- c:\windows\system32\vupotiki.dll
2009-04-18 15:33 83,968 a--sh--- c:\windows\system32\kajovofu.exe
2009-04-17 22:05 25,600 a--sh--- c:\windows\system32\dofakase.dll
2009-04-17 22:05 83,968 a--sh--- c:\windows\system32\kewesufa.exe
2009-04-17 10:05 109,056 a--sh--- c:\windows\system32\zuleluje.dll
2009-04-16 18:20 109,568 a--sh--- c:\windows\system32\fokumiro.dll
2009-04-15 22:10 107,520 a--sh--- c:\windows\system32\yifunaga.dll
2009-04-14 23:00 108,544 a--sh--- c:\windows\system32\votinote.dll
2009-04-14 10:41 70,144 a--sh--- c:\windows\system32\piyipoju.dll
2009-04-14 10:05 70,656 a--sh--- c:\windows\system32\yinehuma.dll
2009-04-14 10:05 108,544 a--sh--- c:\windows\system32\dewafenu.dll
2009-04-14 09:40 108,544 a--sh--- c:\windows\system32\pevapiye.dll
2009-04-14 09:17 108,544 a--sh--- c:\windows\system32\megavutu.dll
2009-04-13 20:57 109,568 a--sh--- c:\windows\system32\suluyohe.dll
2009-04-13 20:57 83,968 a--sh--- c:\windows\system32\wayijiyu.exe
2009-04-13 08:58 70,656 a--sh--- c:\windows\system32\bomefaga.dll
2009-04-13 08:57 107,520 a--sh--- c:\windows\system32\sumogozo.dll
2009-04-13 08:57 83,968 a--sh--- c:\windows\system32\wadibevu.exe
2009-04-12 20:57 83,456 a--sh--- c:\windows\system32\leyeluto.exe
2009-04-12 20:57 109,056 a--sh--- c:\windows\system32\venulowi.dll
2009-04-11 22:07 109,568 a--sh--- c:\windows\system32\jufetiju.dll
2009-04-11 22:07 83,456 a--sh--- c:\windows\system32\gubekuku.exe
2009-04-11 08:09 84,992 a--sh--- c:\windows\system32\jevodode.exe
2009-04-11 08:09 108,544 a--sh--- c:\windows\system32\lobuzosi.dll
2009-03-19 16:32 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-08 14:22 1,241,088 -------- c:\windows\system32\dllcache\SETA7.tmp
2009-03-08 04:39 11,063,808 -------- c:\windows\system32\dllcache\SETA6.tmp
2009-03-08 04:32 72,704 -------- c:\windows\system32\dllcache\SETAB.tmp
2009-03-08 04:32 193,536 -------- c:\windows\system32\dllcache\SETB2.tmp
2009-03-08 04:32 128,512 -------- c:\windows\system32\dllcache\SETAC.tmp
2009-03-08 04:32 594,432 -------- c:\windows\system32\dllcache\SETA9.tmp
2009-03-08 04:32 1,985,024 -------- c:\windows\system32\dllcache\SETA8.tmp
2009-03-08 04:31 59,904 -------- c:\windows\system32\dllcache\SETA3.tmp
2009-03-08 04:31 55,296 -------- c:\windows\system32\dllcache\SETAA.tmp
2009-03-08 04:31 348,160 a------- c:\windows\system32\dllcache\SETAF.tmp
2009-03-08 04:31 216,064 -------- c:\windows\system32\dllcache\SETB0.tmp
2009-03-08 04:24 68,608 -------- c:\windows\system32\dllcache\SETB1.tmp
2009-03-08 04:11 445,952 -------- c:\windows\system32\dllcache\SETA5.tmp
2009-03-05 23:59 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-05 23:59 36,864 a------- c:\windows\system32\drivers\usbaapl.sys
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 07:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-06 21:07 3,698,584 -------- c:\windows\system32\dllcache\SETA4.tmp
2009-01-03 23:56 0 ac------ c:\docume~1\billke~1\applic~1\wklnhst.dat
2007-02-24 15:05 774,144 a------- c:\program files\RngInterstitial.dll
2007-02-11 10:49 13,056 ac------ c:\program files\uninstaljoy.log
2009-01-14 10:16 70,656 a--sh--- c:\windows\system32\heneberu.dll
2009-01-14 10:52 70,144 a--sh--- c:\windows\system32\herilimi.dll
2008-06-26 21:21 1,264 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-01-11 22:07 70,656 a--sh--- c:\windows\system32\madidewu.dll
2009-01-14 10:52 70,144 a--sh--- c:\windows\system32\nuniyije.dll
2009-01-14 10:16 70,656 a--sh--- c:\windows\system32\sidaduhu.dll
2009-01-14 10:16 70,656 a--sh--- c:\windows\system32\wufahasa.dll
2008-09-07 19:22 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090720080908\index.dat

============= FINISH: 15:18:29.81 ===============


Again, your help is greatly appreciated.

Edited by GrimGrinningGhost, 28 April 2009 - 02:53 PM.
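The log above carries the indicators a malware-response volunteer scans for first: svchost.exe copies running outside system32 (c:\windows\dhcp, c:\windows\system32\3361), executables launched from Temp, a drive root or the profile root, zero-byte .sys "drivers", hidden+system files in system32, AppInit_DLLs hooks and the DisableRegistryTools/NoFolderOptions lockdown policies. The script below is an added example by this page's editor, not part of the thread and not the DDS tool's own code: it applies those checks to DDS-format lines. The sample input is excerpted from the posted log; the one assumption is that %SystemRoot% is C:\WINDOWS, as it is on this machine.

```python
r"""Triage a DDS log for the indicators that mark the posted machine as compromised.

Added example: these rules are this editor's, not the DDS tool's or BleepingComputer's.
Assumption: %SystemRoot% is C:\WINDOWS, as in the posted log."""
import re

# Sample input: lines excerpted from the DDS log posted above, one or two per indicator class.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\dhcp\svchost.exe
C:\WINDOWS\TEMP\rtv_winupd.exe
C:\WINDOWS\system32\3361\SVCHOST.exe -sysrun
C:\Program Files\iTunes\iTunesHelper.exe
uRun: [reader_s] c:\documents and settings\bill keeth\reader_s.exe
uRun: [Diagnostic Manager] c:\docume~1\billke~1\locals~1\temp\3941094366.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
dRun: [VRT24] c:\windows\temp\VRT24.exe
uPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll c:\progra~1\thunmail\testabd.dll ,
R2 dhcpsrv;Dhcp server;c:\windows\dhcp\svchost.exe [2009-4-18 256512]
S1 62672521;62672521;c:\windows\system32\drivers\62672521.sys [2009-4-21 0]
S3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [2007-1-23 18432]
2009-04-18 15:33 108,032 a--sh--- c:\windows\system32\vupotiki.dll
2009-04-21 18:03 108,544 a------- C:\wxsdug.exe
2009-03-19 16:32 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
"""

SYSTEM32 = r"c:\windows\system32"   # assumption: %SystemRoot% is C:\WINDOWS
SERVICE_RE = re.compile(r"^[RS]\d (?:[^;]*;){2}(.+?) \[[\d-]+ (\d+)\]$")    # R2 name;desc;path [date size]
FILE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d (?:<DIR>|[\d,]+) ([a-z-]{8}) (.+)$")  # date time size attrs path
RUN_RE = re.compile(r"^[umd]Run(?:Once)?: \[[^\]]*\] (.+)$")                 # uRun/mRun/dRun: [name] value
POLICY_RE = re.compile(r"^[ud]Policies-\w+: (DisableRegistryTools|NoFolderOptions) = 1\b")
EXE_RE = re.compile(r"([a-z]:\\.*?\.(?:exe|scr|dll|sys|com|bat))(?:\s|,|$)", re.I)
SUSPECT_PATH = re.compile(r"""
      \\temp\\                                                   # anything under a Temp directory
    | ^[a-z]:\\[^\\]+\.(?:exe|dll|sys|scr|bat)$                  # executable dropped in a drive root
    | ^[a-z]:\\(?:documents\ and\ settings|docume~1)\\[^\\]+\\[^\\]+$   # file directly in a profile root
""", re.I | re.X)

def first_path(value):
    """Pull the executable path out of a Run value or process line, dropping its arguments."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:value.find('"', 1)]
    m = EXE_RE.match(value)
    return m.group(1) if m else value.split(" ")[0]

def rogue_svchost(path):
    """svchost.exe belongs only in the system32 directory; a copy anywhere else is an impostor."""
    p = path.lower()
    if "\\" not in p:
        return False            # DDS lists some services as a bare "svchost.exe"; nothing to judge
    directory, name = p.rsplit("\\", 1)
    return name in ("svchost.exe", "svchost") and directory != SYSTEM32

def path_findings(path):
    out = []
    if rogue_svchost(path):
        out.append(("rogue-svchost", path))
    if SUSPECT_PATH.search(path):
        out.append(("suspect-path", path))
    return out

def triage_line(line):
    """Return a list of (rule, detail) findings for one DDS line; empty if it looks benign."""
    line = line.rstrip()
    m = SERVICE_RE.match(line)
    if m:
        found = [("zero-byte-driver", m.group(1))] if int(m.group(2)) == 0 else []
        return found + path_findings(first_path(m.group(1)))
    m = FILE_RE.match(line)
    if m:
        attrs, path = m.groups()
        found = [("hidden-system-file", path)] if "s" in attrs and "h" in attrs else []
        return found + path_findings(path)
    m = RUN_RE.match(line)
    if m:
        return path_findings(first_path(m.group(1)))
    m = POLICY_RE.match(line)
    if m:
        return [("lockdown-policy", m.group(1))]
    if line.startswith("AppInit_DLLs:") and line.split(":", 1)[1].strip(" ,"):
        return [("appinit-dll", line.split(":", 1)[1].strip())]
    if re.match(r"[A-Za-z]:\\", line):          # a "Running Processes" entry
        return path_findings(first_path(line))
    return []

def triage(log):
    return [f for line in log.splitlines() for f in triage_line(line)]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:<20} {detail}")
```

Run against the full posted log the same rules fire on the dozens of eight-letter hidden+system DLLs in system32, the Temp-resident droppers and the two zero-byte .sys entries; the point of the rules is that none of them depends on a signature, only on where a file lives and what it is named, which is why a volunteer can call this machine from the log alone.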



#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 28 April 2009 - 03:12 PM

Hello.

Your friend's computer is EXTREMELY infected with various infections. More importantly, he/she is infected with the file infector VIRUT. He/she will need to format this computer and start over, unfortunately.

Virut File Infector Warning

Your system is infected with a polymorphic file infector called Virut, which also has IRC bot functionality. Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr) and also web pages (.html and .htm). However, the problem is that the virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files, leaving them corrupted beyond repair. In addition, when it infects, sometimes it destroys the file it tries to latch onto.

For these reasons, you really can't truly fix Virut. You will need to format and reinstall the operating system on this machine. As of now, security experts suggest that a clean reformat is the only way to clean the infection, and it is the only way to return the machine to its normal working state.

Back up all your documents and important items (personal data, work documents, pictures etc.) only. DO NOT back up any executable files (software) and screensavers (*.scr) or any web pages (*.html or *.htm). It attempts to infect any accessed .exe, .scr or .html/.htm files by appending itself to the executable.

Also, try to avoid backing up compressed (zip/cab/rar) files that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.

More information on Virut can be found over here and here

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 GrimGrinningGhost

GrimGrinningGhost
  • Topic Starter

  • Members
  • 3 posts

Posted 28 April 2009 - 03:16 PM

Thanks much for the help, I will pass along the bad news.

#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 28 April 2009 - 03:21 PM

You're welcome.

Unfortunately, with infections like this the only option is to format. :thumbup2:

Here are some prevention tips.

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and tips to protect yourself against malware and reduce the potential for re-infection:
  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
Disable Autorun on Flash-Drive/Removable Drives

When is AUTORUN.INF really an AUTORUN.INF?

USB worms work by creating a file called AUTORUN.INF on the root of USB drives. These INF files then use Autorun or Autoplay (not the same thing!) to execute themselves either when the stick is inserted, or more commonly, when the user double-clicks on the USB drive icon from My Computer (Windows Explorer)...


Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks and Please disable Autorun asap!.

If using Windows Vista, please refer to:
"Disable AutoPlay in Windows Vista"
"Preventing AutoPlay with Local Group Policy Editor or AutoPlay options panel"

Note: When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful.

Visit the Windows Update Site Regularly

I recommend you regularly visit the Windows Update Site!
  • Many hacks and Trojans use holes that the updates plug and that remain open because people do not update.
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish to turn on automatic updates, here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
Update Non-Microsoft Programs

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


If you have nothing else to add or ask, please let me know so I can close off this topic.

With Regards,
Extremeboy

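The Autorun advice in the post above turns on two registry settings that are easy to get half right: the NoDriveTypeAutoRun bitmask (a set bit disables Autorun for that drive type; the XP default 0x91 still leaves removable, fixed and CD-ROM drives open) and the Autorun.inf IniFileMapping override, which is what stops the "double-click the drive still runs it" case the post warns about. The script below is an added example by this page's editor, not BleepingComputer's or Microsoft's code: it reads a .reg export, decodes the mask and reports which drive types still autorun. The two .reg texts are constructed samples, and treating an absent value as the XP default 0x91 is this example's assumption. The HonorAutorunSetting flag it checks is the one Microsoft's KB967715 update introduced for XP.

```python
r"""Audit the Windows Autorun settings the post above tells the reader to disable.

Added example (this editor's, not BleepingComputer's): reads a .reg export such as
`reg export` produces, decodes NoDriveTypeAutoRun and checks the Autorun.inf override."""
import re

POLICY_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer"
INIMAP_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\inifilemapping\autorun.inf"

# Bits of NoDriveTypeAutoRun; a set bit disables Autorun for that drive type.
DRIVE_BITS = [
    (0x01, "unknown"), (0x02, "no_root_dir"), (0x04, "removable"), (0x08, "fixed"),
    (0x10, "remote"), (0x20, "cdrom"), (0x40, "ramdisk"), (0x80, "reserved"),
]
XP_DEFAULT_MASK = 0x91   # assumption: an absent value means the XP default applies

# Constructed sample: what an unmodified XP box exports (default mask, no override).
XP_DEFAULT_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"""

# Constructed sample of the hardened state: every drive type masked, the HonorAutorunSetting
# flag from KB967715, and Autorun.inf mapped to a key that does not exist so Explorer never
# parses the file, not even on a double-click of the drive icon.
HARDENED_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"HonorAutorunSetting"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"([^"]+)"|@)=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

def parse_reg(text):
    """Minimal .reg reader: {key (lowercased): {value name (lowercased, '@' = default): value}}.
    Handles the two value kinds this audit needs, dword and string."""
    tree, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            tree.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name = (m.group(1) or "@").lower()
            tree[key][name] = int(m.group(2), 16) if m.group(2) is not None else m.group(3)
    return tree

def drives_still_autorunning(mask):
    """Drive types whose bit is clear in NoDriveTypeAutoRun, i.e. still allowed to autorun."""
    return [name for bit, name in DRIVE_BITS if not mask & bit]

def audit(reg_text):
    tree = parse_reg(reg_text)
    policy = tree.get(POLICY_KEY, {})
    mask = policy.get("nodrivetypeautorun", XP_DEFAULT_MASK)
    inimap = tree.get(INIMAP_KEY, {})
    return {
        "autorun_allowed": drives_still_autorunning(mask),
        "honor_setting": policy.get("honorautorunsetting") == 1,
        "autorun_inf_blocked": inimap.get("@") == "@SYS:DoesNotExist",
    }

if __name__ == "__main__":
    for label, sample in (("XP default", XP_DEFAULT_REG), ("hardened", HARDENED_REG)):
        print(label, audit(sample))
```

To audit a real machine, export the two keys with `reg export` (it writes UTF-16, so open the file with encoding="utf-16" before passing the text to audit) and treat a non-empty autorun_allowed list or a False autorun_inf_blocked as a finding. Applying HARDENED_REG with regedit gives the state the post asks for: the mask alone does not stop the double-click case, the IniFileMapping override does.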

#5 GrimGrinningGhost

GrimGrinningGhost
  • Topic Starter

  • Members
  • 3 posts

Posted 28 April 2009 - 03:34 PM

Feel free to close this topic, your replies were very helpful. Armed with this information, I am sure my friend will keep his new installation free from infection.

#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 28 April 2009 - 03:50 PM

You're welcome.

Hope all goes well with your friend!

Happy surfing and good luck!

With regards,
Extremeboy

#7 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 28 April 2009 - 03:51 PM

Hello.

Since the problem appears to be resolved, this topic is now Closed. Glad I could help :thumbup2:
If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter

Everyone else please start a new topic in the Hijackthis-Malware Removal Forum.

With Regards,
Extremeboy



