Nebazifi.dll, kozibala, ... rootkit problems?

  • This topic is locked
4 replies to this topic

#1 evilmrrogers411


  • Members
  • 2 posts
  • Local time:11:32 AM

Posted 06 May 2009 - 09:20 AM

I am unable to run superantispyware, combofix, and sdfix. Whenever I delete the registry entries for kozibala.dll, wovageku.dll, yofabutu.dll, and nebaifi.dll, they just come back after a minute. The computer is a 9-inch notebook with a solid state hard drive, so I am unable to hook it up to another machine to run scans. Any help will be greatly appreciated.

DDS (Ver_09-03-16.01) - NTFSx86
Run by Todd Forbes at 10:08:11.51 on Wed 05/06/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.607 [GMT -4:00]

AV: AVG Anti-Virus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Registry Clean Expert\RCHelper.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Todd Forbes\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.Yahoo.com
uDefault_Page_URL = hxxp://www.Yahoo.com
mDefault_Page_URL = hxxp://www.Yahoo.com
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
BHO: {7cf99ddb-9ab2-4eff-9c53-ef3cd0c39c5f} - c:\windows\system32\nebazifi.dll
TB: Mirar: {3eeeb21e-1664-4d9e-b38d-933f81c2d025} - c:\windows\system32\winei77.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RegClean Expert Scheduler] "c:\program files\registry clean expert\RCHelper.exe" /startup
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [CPM0b5dcd65] Rundll32.exe "c:\windows\system32\kozibala.dll",a
mRun: [086efef9] rundll32.exe "c:\windows\system32\wovageku.dll",b
mRun: [bidabekudo] Rundll32.exe "c:\windows\system32\yofabutu.dll",s
uPolicies-explorer: NoFolderOptions = 1 (0x1)
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: ttxgng.dll c:\windows\system32\kozibala.dll,c:\windows\system32\beziseno.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: HardwareDrivers - {3F00A127-B6C0-4F22-9385-55FA4884F07D} - c:\documents and settings\all users\application data\microsoft\media index\drivers\hdddriver.dll
SSODL: DriversLoad - {E0DD4AC4-52E0-4F51-BE72-BA4B4CA606D8} - c:\documents and settings\all users\application data\microsoft\media index\drivers\jqqylbinxt.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\kozibala.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\kozibala.dll
LSA: Notification Packages = scecli c:\windows\system32\beziseno.dll

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-4-23 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-23 325896]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-23 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-23 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-4-23 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-23 298264]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2008-12-19 112128]
S2 mwmpupdate;Microsoft Windows Media player security update service;c:\program files\windows media player\wmplayer_up.exe [2009-4-19 69120]

=============== Created Last 30 ================

2009-05-06 09:35 <DIR> --d----- c:\program files\Registry Clean Expert
2009-04-23 14:13 1,407,225 ---sh--- c:\windows\system32\ukegavow.ini
2009-04-23 11:23 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-04-23 10:46 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-04-23 10:46 10,520 a------- c:\windows\system32\avgrsstx.dll.old
2009-04-23 10:46 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-04-23 10:46 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-23 10:46 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-04-23 10:46 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-04-23 10:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-04-21 23:21 <DIR> --d----- c:\program files\Malware Defender 2009
2009-04-21 22:27 1,399,323 ---sh--- c:\windows\system32\agezosih.ini
2009-04-21 22:11 <DIR> --d----- c:\windows\pss
2009-04-21 21:56 <DIR> --d----- C:\1Temp
2009-04-21 21:45 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-04-21 21:41 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-04-21 21:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-19 13:21 <DIR> --d----- c:\program files\AVG
2009-04-19 10:49 <DIR> --d----- C:\Drivers
2009-04-11 21:31 1,403,901 ---sh--- c:\windows\system32\aravawaw.ini

==================== Find3M ====================

2009-05-06 09:25 51,200 a--sh--- c:\windows\system32\lepopoka.dll
2009-04-23 14:12 89,088 a--sh--- c:\windows\system32\kozibala.dll
2009-04-23 14:12 81,920 a--sh--- c:\windows\system32\wovageku.dll
2009-04-23 14:12 47,616 a--sh--- c:\windows\system32\gitadodi.exe
2009-04-23 11:56 51,197 a------- c:\windows\spoolsystem.exe
2009-04-23 11:56 47,872 a------- c:\windows\syscert.exe
2009-04-23 11:56 38,352 a------- c:\windows\reged.exe
2009-04-23 11:56 33,149 a------- c:\windows\sysexplorer.exe
2009-04-23 11:56 28,320 a------- c:\windows\sys.com
2009-04-23 11:56 18,941 a------- c:\windows\vmreg.dll
2009-04-21 22:27 49,664 a--sh--- c:\windows\system32\hogumana.dll
2009-04-21 22:26 89,088 a--sh--- c:\windows\system32\genetoda.dll
2009-04-21 22:26 81,408 a--sh--- c:\windows\system32\hisozega.dll
2009-04-21 22:26 47,616 a--sh--- c:\windows\system32\kehitulo.exe
2009-04-11 21:30 54,272 a--sh--- c:\windows\system32\majubilu.exe
2009-03-26 10:21 118 a------- c:\docume~1\toddfo~1\applic~1\wklnhst.dat
2009-03-25 19:08 131,584 a------- c:\windows\uniyomebufebosuy.dll
2009-02-06 09:25 51,200 a--sh--- c:\windows\system32\yofabutu.dll
2009-02-06 09:25 51,200 a--sh--- c:\windows\system32\nebazifi.dll
2009-02-06 09:25 51,200 a--sh--- c:\windows\system32\beziseno.dll
2009-02-06 09:24 13,312 a--sh--- c:\windows\system32\jeziluku.exe
2009-02-06 09:24 7,168 a--sh--- c:\windows\system32\kusitozo.dll
2008-06-24 13:17 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat

============= FINISH: 10:12:49.26 ===============


#2 extremeboy


  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:11:32 AM

Posted 10 May 2009 - 07:23 PM


I'm Extremeboy and I will help you with your log.

Download and Run ComboFix (Rename Before Saving)

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

Refer to the page below for further instructions on running ComboFix. This includes installing the Recovery Console. Note that you do not need your Windows XP disk to install it. Refer to this page if you are unsure how.

Double click on Combo-Fix.exe & follow the prompts.

When finished, it will produce a report for you. Post back with it. It is at C:\ComboFix.txt.

Do not mouseclick the ComboFix window while it's running. That may cause it to stall.

Download and Run Scan with GMER

We will use GMER to scan for rootkits. This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • Close any and all open programs, as this process may crash your computer.
  • Double click Posted Image or Posted Image on your desktop.
  • When you have done this, close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista
  • Allow the gmer.sys driver to load if asked.
    If it detects rootkit activity, you will receive a prompt (refer below) to run a full scan. Click NO.
  • In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show all (Don't miss this one!)
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOTKIT" entries

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 evilmrrogers411

  • Topic Starter

  • Members
  • 2 posts
  • Local time:11:32 AM

Posted 11 May 2009 - 07:26 AM

I can not run combofix.
I am unable to load gmer.

I guess just don't worry about it. Everyone has already tried to get me to use tools I've already said I am unable to run. I appreciate the help but I think I will just break down and rebuild the customer's system.

Edited by evilmrrogers411, 11 May 2009 - 11:47 AM.

#4 extremeboy


  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:11:32 AM

Posted 11 May 2009 - 02:27 PM

Okay then.

Thanks for letting me know then... Below are some prevention tips. I will close this topic afterwards.

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:
  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.

Disable Autorun on Flash-Drive/Removable Drives

When is AUTORUN.INF really an AUTORUN.INF?

USB worms work by creating a file called AUTORUN.INF on the root of USB drives. These INF files then use Autorun or Autoplay (not the same thing!) to execute themselves either when the stick is inserted, or more commonly, when the user double-clicks on the USB drive icon from My Computer (Windows Explorer)...

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks and Please disable Autorun asap!.

If using Windows Vista, please refer to:
"Disable AutoPlay in Windows Vista"
"Preventing AutoPlay with Local Group Policy Editor or AutoPlay options panel"

Note: When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful.

Visit the WindowsUpdate Site Regularly

I recommend you regularly visit the Windows Update Site!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish to turn on automatic updates, then here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.

Update Non-Microsoft Programs

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet

With Regards,

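
The AUTORUN.INF mechanism quoted in the prevention tips above, as an added example that is not part of the original post: a Python checker that reads the text of a drive's autorun.inf and lists every entry naming a program to run, separating the launch keys from the drive-icon verb that still fires on a double-click. The sample file content and the path in it are constructed for illustration; the function names are this example's own.

```python
import re

# Matches keys such as shell\open\command (keys are lower-cased before matching).
SHELL_CMD = re.compile(r"^shell\\([^\\]+)\\command$")

# Constructed sample, not taken from the thread: comment padding plus launch keys.
SAMPLE = r"""
;aj3kd92 padding line
[AutoRun]
open=recycler\setup.exe
icon=%SystemRoot%\system32\shell32.dll,4
shell\open\command=recycler\setup.exe
shell\explore\command=recycler\setup.exe
shell=open
"""

def parse_autorun(text):
    """Return the [autorun] section as {lower-cased key: value}."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def launch_entries(text):
    """List (key, command, note) for every entry that names a program to run."""
    entries = parse_autorun(text)
    default_verb = entries.get("shell", "").lower()
    found = []
    for key, value in entries.items():
        m = SHELL_CMD.match(key)
        if key in ("open", "shellexecute"):
            found.append((key, value, "Autorun launch command"))
        elif m and m.group(1) == default_verb:
            found.append((key, value, "default verb for the drive icon"))
        elif m:
            found.append((key, value, "extra drive context-menu verb"))
    return found

if __name__ == "__main__":
    for key, command, note in launch_entries(SAMPLE):
        print(f"{key:24} {command:22} {note}")
```

An empty result for a removable drive's autorun.inf means the file names nothing to execute; any entry reported is worth checking against the hidden files in the drive root before the drive is opened from My Computer.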

#5 extremeboy


  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:11:32 AM

Posted 11 May 2009 - 02:29 PM


Since the problem appears to be resolved, this topic is now Closed. Glad I could help.
If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter

Everyone else please start a new topic in the Hijackthis-Malware Removal Forum.

With Regards,
