Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


I beg for mercy

  • This topic is locked This topic is locked
9 replies to this topic

#1 Zodiac


  • Members
  • 26 posts
  • Local time:10:37 AM

Posted 12 May 2009 - 02:05 PM

Regarding a help topic i posted on May 6th: http://www.bleepingcomputer.com/forums/t/224974/internet-browsers-extremelly-slow-and-popups/

My computer which originally was only riddled by pop ups has gotton worse every day since making that post. It is now to the point where I can no longer turn on my computer as it goes into an infinte loop of restarting since it has problems starting windows. I am trying to be patient and I know you guys are busy but I am conerned that with no computer access at all, I will receive no help and my topic will be closed as I cannot even check my own topic for help. I am currently typing this at a friend's computer but could I get some advice on how to at least be able to get on my computer?

Please, I am so very bored at home now without basking in the glory of digitual freedom. Feel free to close this topic but at least give me an extension on the 5 days till close on my thread.

Hi BleepingComputers

When using firefox, I get occasional popups and in general it is just very slow. It crashes often and lags excessively when streaming videos. Edit: Pop ups just recently started popping up at an annoyingly fast face today even when I do not have the browsers up. I do not know the full effects yet but it seems like after turning on the computer today, the problems got a lot worse. Any help is appreciated.

This is my DDS log:

DDS (Ver_09-03-16.01) - NTFSx86
Run by Eric Lo at 15:08:28.25 on Wed 05/06/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.367 [GMT -4:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\SRS Labs\WOWXT and TSXT Driver\SRS_PostInstaller.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\LG Software\Battery Miser\batterymiser.exe
C:\Program Files\LG Software\On Screen Display\HotKey.exe
C:\Program Files\LG Software\IP Operator 2005\IP Operator.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Documents and Settings\Eric Lo\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {a0f8f613-292e-4980-843c-f588bac036a9} - c:\windows\system32\biyuhepe.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [batterymiser] "c:\program files\lg software\battery miser\batterymiser.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [KeybdUtility] "c:\program files\lg software\on screen display\HotKey.exe"
mRun: [LG Intelligent Update] "c:\program files\lg_swupdate\autoupdate.exe" Gilautouc
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [OmniPass] c:\program files\softex\omnipass\scureapp.exe
mRun: [LG Direct Media Button Service] LGDMEBTN.exe
mRun: [SkyTel] SkyTel.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IPO3] "c:\program files\lg software\ip operator 2005\IP Operator.exe" -aUtOsTaRtFrOmReG
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [mozorowapa] Rundll32.exe "c:\windows\system32\pawebehe.dll",s
mRun: [2cf56492] rundll32.exe "c:\windows\system32\nesavina.dll",b
mRun: [CPM2fc6570e] Rundll32.exe "c:\windows\system32\boyimeta.dll",a
dRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\cleana~1.lnk - c:\program files\cisco systems\clean access agent\CCAAgentLauncher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launch~1.lnk - c:\windows\installer\{d8e363a7-88b7-446d-b2c0-e26ce4dc8e54}\_294823.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {C5428486-50A0-4a02-9D20-520B59A9F9B3} - {A16AD1E9-F69A-45af-9462-B1C286708842}
DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} - hxxp://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} - hxxp://asp.mathxl.com/applets/PearsonInstallAsst.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {95D88B35-A521-472B-A182-BB1A98356421} - hxxp://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} - hxxp://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {EEC9DBCC-04AD-4A1B-BEA7-C6DAD9515D5A} - hxxp://asp.mathxl.com/books/_Players/EconPlayer.cab
DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
Notify: OPXPGina - c:\program files\softex\omnipass\opxpgina.dll
AppInit_DLLs: c:\windows\system32\humerago.dll c:\windows\system32\boyimeta.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\boyimeta.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\boyimeta.dll
SEH: BatteryMiser PSAP Class: {26f5978f-6493-4ee3-b114-c0c3accf9d4d} - c:\windows\system32\bmpsap.dll
LSA: Notification Packages = scecli c:\windows\system32\humerago.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ericlo~1\applic~1\mozilla\firefox\profiles\8q77x5ep.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll

============= SERVICES / DRIVERS ===============

R2 SRS_PostInstaller;SRS PostInstaller Service;c:\program files\srs labs\wowxt and tsxt driver\SRS_PostInstaller.exe [2006-2-9 31744]
R3 AGR1310_51;Agere Systems ET-13xx PCI-E Ethernet Adapter XP Driver;c:\windows\system32\drivers\AGR1310_51.sys [2006-1-23 75648]
R3 LGDMEBTN;LG Direct Media Button Device Driver;c:\windows\system32\drivers\LGDMEBTN.sys [2006-2-11 15616]
R3 wowfilter;WOW XT Filter Driver;c:\windows\system32\drivers\WOWFilter.sys [2006-2-9 20608]
S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]
S3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2006-2-11 36352]
S3 lgodd_filter;lgodd_filter;c:\windows\system32\drivers\lgodd_filter.sys --> c:\windows\system32\drivers\lgodd_filter.sys [?]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]
S3 XDva037;XDva037;\??\c:\windows\system32\xdva037.sys --> c:\windows\system32\XDva037.sys [?]

=============== Created Last 30 ================

2009-05-06 14:46 1,424,643 ---sh--- c:\windows\system32\anivasen.ini
2009-05-06 01:24 1,424,643 ---sh--- c:\windows\system32\atifehey.ini
2009-05-05 13:24 1,424,630 ---sh--- c:\windows\system32\esajizaj.ini
2009-05-04 18:36 1,424,630 ---sh--- c:\windows\system32\ibopipad.ini
2009-05-01 00:21 118,272 a------- c:\windows\system32\SX5363S.DLL
2009-05-01 00:21 102,400 a------- c:\windows\system32\RV32RTP.dll
2009-05-01 00:21 40 a------- c:\windows\system32\Sx5363.ini
2009-05-01 00:10

--d----- c:\program files\SubaGames
2009-04-30 21:14 --d----- c:\docume~1\alluse~1\applic~1\PMB Files
2009-04-30 21:14 --d----- c:\program files\Pando Networks
2009-04-27 20:19 5,632 a------- c:\windows\system32\ptpusb.dll
2009-04-27 20:19 159,232 a------- c:\windows\system32\ptpusd.dll
2009-04-19 00:51 --d----- C:\Nexon

==================== Find3M ====================

2009-05-06 14:46 86,528 a--sh--- c:\windows\system32\boyimeta.dll
2009-05-06 14:46 79,872 a--sh--- c:\windows\system32\nesavina.dll
2009-05-06 01:24 49,664 a--sh--- c:\windows\system32\sunimuju.dll
2009-05-06 01:24 78,848 -------- c:\windows\system32\yehefita.dll
2009-05-05 13:24 49,152 a--sh--- c:\windows\system32\pododome.dll
2009-05-05 13:23 79,360 -------- c:\windows\system32\jazijase.dll
2009-05-04 18:36 79,872 a--sh--- c:\windows\system32\dapipobi.dll
2009-05-04 18:36 51,200 a--sh--- c:\windows\system32\lizigeyo.exe
2009-03-22 00:26 68,434 a------- c:\windows\War3Unin.dat
2009-03-06 10:00 284,160 a------- c:\windows\system32\pdh.dll
2009-02-20 04:14 668,160 a------- c:\windows\system32\wininet.dll
2009-02-20 04:14 81,920 a------- c:\windows\system32\ieencode.dll
2009-02-09 06:20 1,847,424 a------- c:\windows\system32\win32k.sys
2009-02-09 06:01 728,576 a------- c:\windows\system32\lsasrv.dll
2009-02-09 06:01 617,984 a------- c:\windows\system32\advapi32.dll
2009-02-09 06:01 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 06:01 715,264 a------- c:\windows\system32\ntdll.dll
2009-02-06 06:29 2,142,720 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 06:22 110,592 a------- c:\windows\system32\services.exe
2009-02-06 05:54 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 05:49 2,020,864 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 01:24 49,664 a--sh--- c:\windows\system32\pawebehe.dll
2009-02-06 01:24 49,664 a--sh--- c:\windows\system32\humerago.dll
2009-02-06 01:24 49,664 a--sh--- c:\windows\system32\biyuhepe.dll
2008-10-09 06:55 15,264 a------- c:\docume~1\alluse~1\applic~1\yvopyxeh.reg
2008-09-26 13:08 23,200 a------- c:\docume~1\ericlo~1\applic~1\GDIPFONTCACHEV1.DAT

Added the old topic, closed the old topic to avoid confusion and getting replied by two helpers.


Edited by farbar, 12 May 2009 - 03:30 PM.

BC AdBot (Login to Remove)


#2 Farbar


    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:37 PM

Posted 12 May 2009 - 03:21 PM

Hi Zodiac,

Welcome to BC HijackThis forum and sorry for the delay. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, running tools, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

It looks the computer is in pretty bad shape. We need to boot the computer in any mode to be able to run our tools.
  • First tell me if you have a Windows installation CD.

  • Second: Disable automatic restart, to do that:
    • During the rebooting process, repeatedly press the F8 key to enter Windows Advance Options Menu.
    • Use the up and down arrow keys to select Disable automatic restart on system failure and then press the Enter key.
    • Use up and down arrow keys to select the operating system to start (if more than one OS is installed).
    • Press the Enter key.
    • Windows should start. It should show a STOP or error message, please note down and post the error.
  • Using your friends computer download the following applications and save it to a USB stick or a flash drive in case we needed them.

#3 Zodiac

  • Topic Starter

  • Members
  • 26 posts
  • Local time:10:37 AM

Posted 12 May 2009 - 06:35 PM

Hi farbar. I cannot thank you enough for assisting me.
I currently am on my own computer. I was hasty in making this topic because this morning when I turned on my computer it would not load windows. However after coming back home I realized there is a 10 second option at the beginning where it tells me that windows could not load due to software changes and I could pick an option to load windows through the last working configuration. After picking this option, I was able to get back on windows.

However here is an update on whats been going on with my computer ever since my first post.

It is unbearably slow to the point of being unusable. This is a weak laptop that is outdated (getting a new computer next month ) and it originally was alrdy slow. However with the addition of rapid introduction of new trojans daily over the past week, I can barely log onto msn without a potential crash. It took me 10 minutes to load firefox and go to this page. Like stated before, there is many pop ups but there is also constant errors by windows. When I check my processes there is like 20 more processes than there should be and when I shut down there are a huge number of applications I have to manually close because they are not responding. Although rare, once every 5-6 hours, the computer will crash into a blue screen and automatically restart. There are a bunch of files I do not recognize in my c drive. Another problem is that the trojans prevent me from downloading any anti virus programs.

I have downloaded all the programs except for mbam-rules.exe. Nothing happens when I click on that link.

Edit: I dont know if any trojans do this.... or if there was some sort of advertisement music I didn't notice but my computer just suddenly started playing this random music for like 15 seconds. I only have firefox browser up and this is the only page I have on.

Edited by Zodiac, 12 May 2009 - 06:55 PM.

#4 Farbar


    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:37 PM

Posted 12 May 2009 - 07:07 PM

Please be patient and don't edit the post as I might miss it. If anything important comes up add a reply.

Please don't use the computer unless it is needed for disinfection.

It is too late here, I might not be able to see the log over tonight. If you run the application and you are not unable to run it let me now as soon as possible.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the MBAM log.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

#5 Zodiac

  • Topic Starter

  • Members
  • 26 posts
  • Local time:10:37 AM

Posted 12 May 2009 - 08:41 PM

Here is the log

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 2

5/12/2009 9:40:07 PM
mbam-log-2009-05-12 (21-40-07).txt

Scan type: Quick Scan
Objects scanned: 82622
Time elapsed: 1 hour(s), 12 minute(s), 50 second(s)

Memory Processes Infected: 6
Memory Modules Infected: 2
Registry Keys Infected: 19
Registry Values Infected: 19
Registry Data Items Infected: 8
Folders Infected: 0
Files Infected: 45

Memory Processes Infected:
C:\WINDOWS\system32\reader_s.exe (Trojan.Agent) -> Unloaded process successfully.
C:\Documents and Settings\Eric Lo\reader_s.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\w.exe (Backdoor.Bot) -> Unloaded process successfully.
C:\WINDOWS\ld08.exe (Trojan.KoobFace) -> Unloaded process successfully.
C:\WINDOWS\pp06.exe (Trojan.KoobFace) -> Unloaded process successfully.
C:\WINDOWS\system32\3361\SVCHOST.EXE (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
c:\WINDOWS\system32\tijeluzu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\crypts.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a0f8f613-292e-4980-843c-f588bac036a9} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{a0f8f613-292e-4980-843c-f588bac036a9} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{c2ba40a1-74f3-42bd-f434-12345a2c8953} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5e5efa8f-9f53-418e-b78e-44866667a404} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\XP_Antispyware (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\PC-Antispy (Rogue.PCAntispy) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sopidkc (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sopidkc (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Protect (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mozorowapa (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2cf56492 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm2fc6570e (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c2ba40a1-74f3-42bd-f434-12345a2c8953} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pp (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12zfg94-f641-2sf-k31p-5n1er6h6l2 (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12cfg515-k641-55sf-n66p (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\don't load\scui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\don't load\wscui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\diagnostic manager (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\tijeluzu.dll -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\dapipobi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ibopipad.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\duvazuge.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\eguzavud.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jazijase.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\esajizaj.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tasasifu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ufisasat.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yitulewi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iwelutiy.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\tijeluzu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\jkshfuiehi.dll (Trojan.Zlob.H) -> Delete on reboot.
C:\WINDOWS\system32\218538\218538.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pomapedo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\viveveno.dll.vir (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yapadoyi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vuvotadi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\protect.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\freddy42.exe (Trojan.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\msmark2.dat (Trojan.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\t55ft2668f44.dat (Trojan.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\t55ft2692f44.dat (Trojan.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\t55ft2695f44.dat (Trojan.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\pp06.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\3361\SVCHOST.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-7294092550-2674743490-025271556-7808\service.exe (Trojan.Agent) -> Delete on reboot.
C:\RECYCLER\S-1-5-21-0243636035-3055115376-381863306-1556\pqlmq.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\reader_s.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\comsa32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\azton.mt (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Eric Lo\reader_s.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\ld08.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sopidkc.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tpszxyd.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\w.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dpcxool64.sys (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\crypts.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Eric Lo\Local Settings\Temp\BN48.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sunimuju.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sobamehu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\etc\.security (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Eric Lo\Local Settings\Temp\4247076938.exe (Trojan.Downloader) -> Delete on reboot.

#6 Farbar


    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:37 PM

Posted 13 May 2009 - 08:45 AM

Hi Zodiac,

I'm afraid I've got bad news.

Your system is infected with one of the nastiest file infectors:

Virut is a polymorphic file infector with some additional features. It spreads all around the drive and infects even files infected by another virus previously. The only symptoms are a strange HDD activity while infecting, and also unwanted TCP traffic. Virut tries to connect you into an IRC network under the user name "Virtu" and zombify you. Unfortunately, the cleaning of this virus is very difficult or almost impossible.


The virus remains resident in memory and infects executable files with ".EXE" and ".SCR" file extensions.

It's damage to the system is almost beyond repair as it disables Windows File Protection:

The virus disables Windows File Protection by injecting code into the "winlogon.exe" process that patches system code in memory.


Therefore all those running processes are most probably now the virus agent.

There is a claim by Grisoft that the following tool can remove the infection:


This claim is hard to believe. Not only almost all the running processes are infected but also their copy in i386 folder and in the dll cache are patched.

Therefore the only fast and safe answer to the virus is reformatting and reinstalling windows. You may backup non-executable (data) files and reformat the entire hard drive.

#7 Zodiac

  • Topic Starter

  • Members
  • 26 posts
  • Local time:10:37 AM

Posted 13 May 2009 - 12:32 PM

That is most unfortunate but I appreciated your help. Guess I'll go reformat.

#8 Zodiac

  • Topic Starter

  • Members
  • 26 posts
  • Local time:10:37 AM

Posted 13 May 2009 - 12:35 PM

Would it be safe for me to transfer videos or other documents?

#9 Farbar


    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:37 PM

Posted 13 May 2009 - 02:23 PM

The files with .exe and .scr should not be backed up. But the documents, video's and data files of any type could be backed up.

#10 Farbar


    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:37 PM

Posted 15 May 2009 - 07:43 PM

This thread will now be closed.

If you should have a new issue, please start a new topic.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users