Serious Malware Issue


This topic is locked
5 replies to this topic

#1 Cronus

Cronus

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:37 AM

Posted 29 April 2009 - 04:38 PM

I have a laptop running Windows XP, and a couple weeks ago it received a virus that causes a number of issues.

At first, I would only experience slower speeds, frequent popups for various anti-virus tools and registry defenders.

But now it seems to have gotten worse and I began to get redirected from Google search results. But now the computer won't even work. It will log in and then I have between 5 and 30 seconds before everything freezes and nothing works. In that time I've been able to pull up task manager and look at the processes. After the computer logs in, multiple copies of the process 'zy2e7.exe' will begin to fill the list, until about 20 or 30 copies start running, and then the computer will freeze.

This is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:09:22 PM, on 4/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Stacia\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: (no name) - {9ffdd0ba-45d4-4686-b6df-e7bd00ec505b} - C:\WINDOWS\system32\nubinufu.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: C:\WINDOWS\system32\nhser43uhjnefr.dll - {C2BA40A2-74F3-42BD-F434-2604812C8954} - C:\WINDOWS\system32\nhser43uhjnefr.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AsusTray] C:\Program Files\EeePC\ACPI\AsTray.exe
O4 - HKLM\..\Run: [AsusACPIServer] C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
O4 - HKLM\..\Run: [AsusEPCMonitor] C:\Program Files\EeePC\ACPI\AsEPCMon.exe
O4 - HKLM\..\Run: [ETDWare] C:\Program Files\Elantech\ETDCtrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\itunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [PromoReg] C:\WINDOWS\TEMP\BN2.tmp
O4 - HKLM\..\Run: [Advanced DHTML Enable] C:\DOCUME~1\Stacia\LOCALS~1\Temp\100.exe
O4 - HKLM\..\Run: [razavugawu] Rundll32.exe "C:\WINDOWS\system32\gutenadu.dll",s
O4 - HKLM\..\Run: [CPMdf5d156e] Rundll32.exe "c:\windows\system32\modubelo.dll",a
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [dc6e26f2] rundll32.exe "C:\WINDOWS\system32\zibigihu.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Windows Resurections] C:\DOCUME~1\Stacia\LOCALS~1\Temp\zy2e7.exe
O4 - HKCU\..\Run: [Diagnostic Manager] C:\DOCUME~1\Stacia\LOCALS~1\Temp\2354818756.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Stacia\reader_s.exe
O4 - HKCU\..\Run: [12ZFG94-F641-2SF-K31P-5N1ER6H6L2] C:\RECYCLER\S-1-5-21-2309567600-5450604377-959902122-2275\service.exe
O4 - HKCU\..\Run: [12CFG515-K641-55SF-N66P] C:\RECYCLER\S-1-5-21-0243636035-3055115376-381863306-1556\pqlmq.exe
O4 - HKCU\..\Run: [12CFG214-K641-24SF-N85P] C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1859\vsofat.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-20\..\Run: [razavugawu] Rundll32.exe "C:\WINDOWS\system32\gutenadu.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [] C:\WINDOWS\TEMP\zw4wlxj.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\3667089828.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\LocalService\reader_s.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\zw4wlxj.exe (User 'Default user')
O4 - Global Startup: SuperHybridEngine.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [java_sun] Java (Sun)
O16 - DPF: {8ad9c840-044e-11d1-b3e9-00805f499d93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab?e=1240765375061&h=a47d79c4f79fc9f304e8856ef469115b/&filename=jinstall-6u13-windows-i586-jc.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: c:\windows\system32\towuvela.dll C:\WINDOWS\system32\jesamude.dll C:\WINDOWS\system32\notosujo.dll c:\windows\system32\modubelo.dll c:\windows\system32\yuzepijo.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\modubelo.dll
O22 - SharedTaskScheduler: kjm6t5rinmhp8o87t7r6gh - {C2BA40A2-74F3-42BD-F434-2604812C8954} - C:\WINDOWS\system32\nhser43uhjnefr.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\modubelo.dll
O22 - SharedTaskScheduler: jso8joigm409gopgmrlgd - {B2BA40A2-74F0-42BD-F434-12345A2C8953} - C:\WINDOWS\system32\kjsdiowq8oikf.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (javaquickstarterservice) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--End of file - 7354 bytes


Thanks to anyone who reads this.
Double thanks to anyone who posts. ^-^
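The Run-key lines in the HijackThis and DDS logs above are what a helper reads first. As an added example (not a BleepingComputer tool and not from the original post), the Python below parses O4/uRun/mRun/dRun lines in either format and flags images that live where legitimate software almost never installs itself; the sample lines are copied from the posted logs, and the directory rules are my own triage heuristic, not a detection signature.

```python
r"""Triage of autorun (Run-key) entries in a HijackThis / DDS log.

Added example: flags load points whose image lives in a user's Temp
folder, %windir%\TEMP, a C:\RECYCLER\S-1-5-21-... folder, or the root
of a user profile. Sample lines are copied from the logs posted above."""
import re

# "O4 - HKCU\..\Run: [name] cmd" (HijackThis) or "uRun: [name] cmd" (DDS)
LINE_RE = re.compile(
    r"^(?:O4 - (?P<hive>HK\S+)\\\.\.\\Run|(?P<dds>[umd]Run)): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.+)$", re.I)

# Location rules; first match wins. Paths may be in 8.3 (docume~1) form.
SUSPECT_DIRS = [
    (re.compile(r"\\locals~1\\temp\\|\\local settings\\temp\\", re.I),
     "user Temp folder"),
    (re.compile(r"\\windows\\temp\\", re.I), "Windows TEMP folder"),
    (re.compile(r"^[a-z]:\\recycler\\", re.I), "Recycle Bin SID folder"),
    (re.compile(r"^[a-z]:\\documents and settings\\[^\\]+\\[^\\]+$", re.I),
     "user profile root"),
]

# Image path of a Run value: quoted, bare, or the DLL handed to rundll32.
IMAGE_RE = re.compile(
    r'^\s*"?(?:rundll32(?:\.exe)?\s+"?)?([^",]+?\.(?:exe|dll|tmp|scr))"?', re.I)


def image_path(cmd):
    """Extract the executable/DLL path from the command part of a Run entry."""
    m = IMAGE_RE.match(cmd)
    return m.group(1) if m else cmd.split()[0]


def triage(lines):
    """Return [(value name, image path, reason)] for suspicious Run entries."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path = image_path(m.group("cmd"))
        for rx, why in SUSPECT_DIRS:
            if rx.search(path):
                hits.append((m.group("name"), path, why))
                break
    return hits


# Constructed sample: lines copied from the HijackThis and DDS logs above.
SAMPLE = r"""
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Windows Resurections] c:\docume~1\stacia\locals~1\temp\zy2e7.exe
uRun: [reader_s] c:\documents and settings\stacia\reader_s.exe
uRun: [12ZFG94-F641-2SF-K31P-5N1ER6H6L2] c:\recycler\s-1-5-21-2309567600-5450604377-959902122-2275\service.exe
mRun: [PromoReg] c:\windows\temp\BN2.tmp
mRun: [razavugawu] Rundll32.exe "c:\windows\system32\gutenadu.dll",s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [] C:\WINDOWS\TEMP\zw4wlxj.exe (User 'SYSTEM')
""".strip().splitlines()

if __name__ == "__main__":
    for name, path, why in triage(SAMPLE):
        print(f"[{name}] {path}  <- {why}")
```

Entries that load a DLL from system32 via rundll32 (the razavugawu line) are not caught by a location rule alone; those need the file dates and attributes from the DDS "Find3M" section.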

#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:08:37 AM

Posted 30 April 2009 - 04:58 AM

Hi Cronus,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

Please run this program and copy/paste the log in your next reply. Do not put it in a codebox.


Download DDS and save it to your desktop from here or here or here.

Disable any script blocker and then double click dds.scr to run the tool.

When done, DDS will open two logs:
  • DDS.txt
  • Attach.txt
Save both reports to your desktop first and then copy & paste them into your next reply.


I will also let you know that I am a trainee, so each stage of the fix will need to be checked by an expert coach before I post, so there may be a slight delay. Don't worry, I won't abandon you.
  • Please subscribe to this topic, if you haven't already, and wait for me to get back to you.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 2 days I will bump the topic and if you do not reply by the following day then I will close the topic.

Thanks. :thumbup2:
m0le is a proud member of UNITE

#3 Cronus

Cronus
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:37 AM

Posted 30 April 2009 - 04:57 PM

I ran the DDS scan.


DDS (Ver_09-03-16.01) - NTFSx86 MINIMAL
Run by Stacia at 21:28:53.67 on Wed 04/29/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.786 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\Stacia\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\ntos.exe,
BHO: {9ffdd0ba-45d4-4686-b6df-e7bd00ec505b} - c:\windows\system32\nubinufu.dll
BHO: c:\windows\system32\kjsdiowq8oikf.dll: {b2ba40a2-74f0-42bd-f434-12345a2c8953} - c:\windows\system32\kjsdiowq8oikf.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Windows Resurections] c:\docume~1\stacia\locals~1\temp\zy2e7.exe
uRun: [Diagnostic Manager] c:\docume~1\stacia\locals~1\temp\2118463682.exe
uRun: [reader_s] c:\documents and settings\stacia\reader_s.exe
uRun: [12ZFG94-F641-2SF-K31P-5N1ER6H6L2] c:\recycler\s-1-5-21-2309567600-5450604377-959902122-2275\service.exe
uRun: [12CFG515-K641-55SF-N66P] c:\recycler\s-1-5-21-0243636035-3055115376-381863306-1556\pqlmq.exe
uRun: [12CFG214-K641-24SF-N85P] c:\recycler\s-1-5-21-0243936033-3052116371-381863308-1859\vsofat.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [<NO NAME>] c:\docume~1\stacia\locals~1\temp\zy2e7.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [AsusTray] c:\program files\eeepc\acpi\AsTray.exe
mRun: [AsusACPIServer] c:\program files\eeepc\acpi\AsAcpiSvr.exe
mRun: [AsusEPCMonitor] c:\program files\eeepc\acpi\AsEPCMon.exe
mRun: [ETDWare] c:\program files\elantech\ETDCtrl.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "d:\itunes\iTunesHelper.exe"
mRun: [reader_s] c:\windows\system32\reader_s.exe
mRun: [PromoReg] c:\windows\temp\BN2.tmp
mRun: [Advanced DHTML Enable] c:\docume~1\stacia\locals~1\temp\100.exe
mRun: [razavugawu] Rundll32.exe "c:\windows\system32\gutenadu.dll",s
mRun: [CPMdf5d156e] Rundll32.exe "c:\windows\system32\modubelo.dll",a
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [dc6e26f2] rundll32.exe "c:\windows\system32\zibigihu.dll",b
dRun: [<NO NAME>] c:\windows\temp\zw4wlxj.exe
dRun: [Windows Resurections] c:\windows\temp\zw4wlxj.exe
dRun: [Diagnostic Manager] c:\windows\temp\3667089828.exe
dRun: [reader_s] c:\documents and settings\localservice\reader_s.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\superh~1.lnk - c:\program files\asus\eeepc\super hybrid engine\SuperHybridEngine.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
DPF: {8ad9c840-044e-11d1-b3e9-00805f499d93} - hxxp://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab?e=1240765375061&h=a47d79c4f79fc9f304e8856ef469115b/&filename=jinstall-6u13-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {cafeefac-0016-0000-0013-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {cafeefac-ffff-ffff-ffff-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\towuvela.dll c:\windows\system32\jesamude.dll c:\windows\system32\notosujo.dll c:\windows\system32\modubelo.dll c:\windows\system32\yuzepijo.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\modubelo.dll
STS: c:\windows\system32\nhser43uhjnefr.dll: {c2ba40a2-74f3-42bd-f434-2604812c8954} - c:\windows\system32\nhser43uhjnefr.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\modubelo.dll
STS: c:\windows\system32\kjsdiowq8oikf.dll: {b2ba40a2-74f0-42bd-f434-12345a2c8953} - c:\windows\system32\kjsdiowq8oikf.dll
LSA: Notification Packages = scecli dsadia.dll c:\windows\system32\notosujo.dll c:\windows\system32\jesamude.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\stacia\applic~1\mozilla\firefox\profiles\c0q4i10b.default\
FF - plugin: d:\itunes\mozilla plugins\npitunes.dll

============= SERVICES / DRIVERS ===============

R3 AsusACPI;ASUS ACPI Driver;c:\windows\system32\drivers\ASUSACPI.SYS [2008-8-8 11264]
R3 Ktp;Elantech Smart-Pad;c:\windows\system32\drivers\ETD.sys [2008-7-31 25088]
S1 4d9f3622;4d9f3622;c:\windows\system32\drivers\4d9f3622.sys [2009-3-29 101998]
S2 ICF;ICF;c:\windows\system32\svchost.exe:ext.exe []
S3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [2008-7-31 36864]
S3 restore;restore;\??\c:\windows\system32\drivers\restore.sys --> c:\windows\system32\drivers\restore.sys [?]

=============== Created Last 30 ================

2009-04-27 08:45 1,433,650 ---sh--- c:\windows\system32\uhigibiz.ini
2009-04-26 21:47 0 a------- C:\2F.tmp
2009-04-26 21:47 0 a------- C:\2E.tmp
2009-04-26 21:47 0 a------- C:\2D.tmp
2009-04-26 21:46 54,784 a------- C:\29.tmp
2009-04-26 21:46 221,184 a------- c:\windows\system32\wmpns.dll
2009-04-26 21:46 0 a------- C:\28.tmp
2009-04-26 21:45 0 a------- C:\21.tmp
2009-04-26 21:45 15,000 a------- c:\windows\system32\kjsdiowq8oikf.dll
2009-04-26 21:45 33,878 a------- C:\20.tmp
2009-04-26 21:45 0 a------- C:\1F.tmp
2009-04-26 21:44 0 a------- C:\1D.tmp
2009-04-26 21:44 0 a------- C:\1C.tmp
2009-04-26 21:44 0 a------- C:\1B.tmp
2009-04-26 21:44 0 a------- C:\1A.tmp
2009-04-26 21:43 0 a------- C:\19.tmp
2009-04-26 21:43 0 a------- C:\17.tmp
2009-04-26 21:43 0 a------- C:\16.tmp
2009-04-26 21:43 0 a------- C:\14.tmp
2009-04-26 21:43 0 a------- C:\13.tmp
2009-04-26 21:43 0 a------- C:\12.tmp
2009-04-26 21:43 0 a------- C:\11.tmp
2009-04-26 21:43 0 a------- C:\10.tmp
2009-04-26 21:43 0 a------- C:\F.tmp
2009-04-26 20:27 0 a------- C:\E.tmp
2009-04-26 20:27 0 a------- C:\D.tmp
2009-04-26 20:27 0 a------- C:\C.tmp
2009-04-26 20:27 0 a------- C:\B.tmp
2009-04-26 20:27 0 a------- C:\A.tmp
2009-04-26 13:47 <DIR> --d----- c:\program files\Yahoo!
2009-04-26 13:17 34 a------- c:\documents and settings\stacia\jagex_runescape_preferences.dat
2009-04-26 13:16 <DIR> --d----- c:\windows\.jagex_cache_32
2009-04-26 13:06 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-26 13:06 73,728 a------- c:\windows\system32\javacpl.cpl
2009-04-26 12:55 1,455,207 ---sh--- c:\windows\system32\uhiyozey.ini
2009-04-03 23:58 1,431,089 ---sh--- c:\windows\system32\ikalejak.ini
2009-04-03 15:00 686 a------- c:\windows\ojolilahacafofoc.dll
2009-04-03 14:58 686 a------- c:\windows\utamahohewazucoc.dll
2009-03-30 22:36 121 ---sh--- c:\windows\system32\iboviwah.ini

==================== Find3M ====================

2009-04-29 21:25 101,998 a------- c:\windows\system32\drivers\4d9f3622.sys
2009-04-27 08:45 46,592 a--sh--- c:\windows\system32\kewoboda.exe
2009-04-27 08:45 88,064 a--sh--- c:\windows\system32\yuzepijo.dll
2009-04-27 08:45 81,920 a--sh--- c:\windows\system32\zibigihu.dll
2009-04-26 12:55 88,576 a--sh--- c:\windows\system32\modubelo.dll
2009-04-26 12:54 46,592 a--sh--- c:\windows\system32\fedeyipu.exe
2009-04-25 14:25 50,688 a--sh--- c:\windows\system32\ropafapa.dll
2009-04-25 14:24 9,216 a------- c:\windows\instsp2.exe
2009-04-25 14:24 81,408 a--sh--- c:\windows\system32\nosifeya.dll
2009-04-25 14:24 88,064 a--sh--- c:\windows\system32\tiyunike.dll
2009-04-25 14:24 47,616 a--sh--- c:\windows\system32\desohuve.exe
2009-04-07 22:45 1,228 a------- c:\docume~1\stacia\applic~1\wklnhst.dat
2009-04-07 22:41 61,440 a--sh--- c:\windows\system32\zomisula.exe
2009-04-03 23:58 50,688 a--sh--- c:\windows\system32\tomavita.dll
2009-04-03 23:58 89,088 a--sh--- c:\windows\system32\gijotoda.dll.vir
2009-04-03 23:58 61,440 a--sh--- c:\windows\system32\jezemimu.exe
2009-04-03 23:58 81,408 -------- c:\windows\system32\kajelaki.dll
2009-04-01 08:48 89,088 a--sh--- c:\windows\system32\ribemago.dll
2009-04-01 08:48 61,440 a--sh--- c:\windows\system32\kozafuli.exe
2009-04-01 08:48 80,896 a--sh--- c:\windows\system32\norefose.dll
2009-03-30 22:36 89,088 a--sh--- c:\windows\system32\vamodimu.dll
2009-03-30 22:36 80,896 a--sh--- c:\windows\system32\hawivobi.dll
2009-03-30 22:36 61,440 a--sh--- c:\windows\system32\vafedewe.exe
2009-03-29 14:32 43,008 a------- C:\dxxrp.exe
2009-03-29 14:32 30,208 a------- c:\documents and settings\stacia\reader_s.exe
2009-03-29 14:31 7,680 a------- C:\ijmaxk.exe
2009-03-29 14:31 14,336 a------- c:\windows\system32\svchost.exe
2009-03-29 14:31 45,056 a------- C:\liymwuq.exe
2009-03-29 14:31 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-03-29 14:31 43,008 a------- C:\aoqckrns.exe
2009-03-29 14:31 30,208 a------- c:\windows\system32\reader_s.exe
2009-03-29 14:31 30,208 a------- C:\lxdwn.exe
2009-03-29 14:30 7,680 a------- C:\wicnin.exe
2009-03-29 14:30 15,000 a------- c:\windows\system32\nhser43uhjnefr.dll
2009-03-29 14:30 45,056 a------- C:\dmsiacq.exe
2009-03-29 14:30 81,408 a--sh--- c:\windows\system32\hakologe.dll
2009-03-29 14:29 88,576 a--sh--- c:\windows\system32\towuvela.dll.vir
2009-03-29 14:29 61,440 a--sh--- c:\windows\system32\mabemime.exe
2009-03-28 22:17 81,408 a--sh--- c:\windows\system32\dorizala.dll
2009-03-28 22:17 89,088 a--sh--- c:\windows\system32\kisijegu.dll
2009-03-28 22:17 61,440 a--sh--- c:\windows\system32\gisusuje.exe
2009-03-28 00:02 89,088 a--sh--- c:\windows\system32\bosurezo.dll
2009-03-28 00:02 61,440 a--sh--- c:\windows\system32\lupayusa.exe
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2008-05-07 04:34 15,523,560 a------- c:\program files\U1 Setup.exe
2009-01-25 14:26 50,688 a--sh--- c:\windows\system32\gutenadu.dll
2009-01-25 14:26 50,688 a--sh--- c:\windows\system32\jesamude.dll
2009-01-25 14:26 50,688 a--sh--- c:\windows\system32\nubinufu.dll

============= FINISH: 21:30:50.26 ===============


#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:08:37 AM

Posted 01 May 2009 - 03:46 AM

Hi Cronus,

Bad news, I'm afraid :thumbup2:

Your System is infected with Virut!!
Virut is a file infecting virus which is able to modify itself each and every time it runs. In addition, when it infects, sometimes it will destroy the file it tries to latch onto.
For these reasons, you really can't truly fix Virut. You will need to format/reinstall the operating system on this machine.

More information:
http://free.avg.com/66558

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus.


http://home.mcafee.com/VirusInfo/VirusProf...aspx?key=143034

W32/Virut.h is a polymorphic, entry point obscuring (EPO) file infector with IRC bot functionality. It can accept commands to download other malware on the compromised machine.
It appends to the end of the last section of executable (PE) files an encrypted copy of its code. The decryptor is polymorphic and can be located either:
  • Immediately before the encrypted code at the end of the last section
  • At the end of the code section of the infected host in 'slack-space' (assuming there is any)
  • At the original entry point of the host (overwriting the original host code)


Miekiemoes, one of our team members here and an MS-MVP, additionally has a blog post about Virut.

This is a new infection and at present Bleeping Computer's expert advice is to completely reformat as this infection is potentially very damaging.

m0le
m0le is a proud member of UNITE
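The McAfee description quoted above gives two traits a defender can check in a PE file without any signature: the body appended to the last section and the entry point no longer landing in the original code. As an added example, not from the page, McAfee or BleepingComputer, the Python below parses PE32 section headers and reports those traits; the two images it checks are constructed header-only samples, not real files, and the three heuristics are my own triage checks, not a Virut detection.

```python
"""Heuristic check for the Virut-style infection described above: code
appended to the last PE section and the entry point redirected there.
Added example; the sample images are constructed header-only PE32 files."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (AddressOfEntryPoint, [(name, va, vsize, rsize, chars)])."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    secs, off = [], opt + opt_size
    for _ in range(nsec):
        name, vsize, va, rsize = struct.unpack_from("<8sIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        secs.append((name.rstrip(b"\0").decode(), va, vsize, rsize, chars))
        off += 40
    return entry, secs


def virut_indicators(data):
    """Return the names of the heuristic traits found (empty list = clean)."""
    entry, secs = parse_pe(data)
    hits = []
    _, va, vsize, rsize, chars = secs[-1]
    if va <= entry < va + max(vsize, rsize):
        hits.append("entry_in_last_section")      # decryptor at the appended tail
    if chars & IMAGE_SCN_MEM_EXECUTE and not chars & IMAGE_SCN_CNT_CODE:
        hits.append("last_section_exec_not_code")  # data section made executable
    if not any(c & IMAGE_SCN_CNT_CODE and v <= entry < v + max(vs, rs)
               for _, v, vs, rs, c in secs):
        hits.append("entry_outside_code_section")  # EPO: entry not in .text
    return hits


def build_pe(entry_rva, sections):
    """Construct a header-only PE32 image for testing (constructed sample)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)       # AddressOfEntryPoint
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"),
                                vs, va, rs, 0x400, 0, 0, 0, 0, c)
                    for n, va, vs, rs, c in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


TEXT = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
# Clean host: entry inside .text, .data is plain data.
CLEAN_PE = build_pe(0x1100, [(".text", 0x1000, 0x800, 0x800, TEXT),
                             (".data", 0x2000, 0x400, 0x400, DATA)])
# Infected host: .data grown by the appended body, marked executable,
# and the entry point now lands in that appended tail.
INFECTED_PE = build_pe(0x2A00, [(".text", 0x1000, 0x800, 0x800, TEXT),
                                (".data", 0x2000, 0x1000, 0x1000,
                                 DATA | IMAGE_SCN_MEM_EXECUTE)])
```

The second decryptor placement McAfee lists (slack space at the end of the code section) leaves the entry point inside .text and is not caught by these header checks; that case needs the code bytes at the original entry point compared against a known-good copy.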

#5 Cronus

Cronus
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:37 AM

Posted 02 May 2009 - 02:49 PM

Bawwwww, alright. Thanks a lot for the help ^-^
Reformatting it should be easy, it's a small computer, not much to back up.
Thanks :thumbup2:

#6 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:04:37 AM

Posted 08 May 2009 - 10:54 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :thumbup2:

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here



