vgrundo trojans- how to remove?


  • This topic is locked
7 replies to this topic

#1 buggie78

buggie78

  • Members
  • 4 posts
  • OFFLINE
  • Local time:03:37 AM

Posted 20 May 2009 - 09:03 PM

Hi all, I'm sure this is a common topic but I'm having trouble finding information on removal that starts from the beginning, and I'm completely inexperienced with malware removal.

McAfee VirusScan has been detecting and removing vgrundo trojans in C:\WINDOWS\system32. I have the usual symptoms of browser pop-ups opening one after another. The popup windows appear to be opening in Firefox, but the process that's running is IE.

I ran hijackthis and researched the suspicious files, and I think I have identified those that are causing problems. I can't, however, remove them with hijackthis or delete the files. Here is the hijackthis log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:59:02 PM, on 5/20/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Duke VPN\Duke Client\cvpnd.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6df6a067-643d-4567-9c1c-06ef4523f406} - C:\WINDOWS\system32\sohagale.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [184ce20f] rundll32.exe "C:\WINDOWS\system32\tevinuki.dll",b
O4 - HKLM\..\Run: [vulerosika] Rundll32.exe "C:\WINDOWS\system32\lajowezi.dll",s
O4 - HKLM\..\Run: [CPM1b7fd193] Rundll32.exe "c:\windows\system32\kezunira.dll",a
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKUS\S-1-5-19\..\Run: [vulerosika] Rundll32.exe "C:\WINDOWS\system32\lajowezi.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [vulerosika] Rundll32.exe "C:\WINDOWS\system32\lajowezi.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Duke University Duke VPN Client.lnk = C:\Program Files\Duke VPN\Duke Client\vpngui.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZJfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\metefovu.dll c:\windows\system32\kezunira.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\kezunira.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\kezunira.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Duke VPN\Duke Client\cvpnd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9785 bytes
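Added example, not part of the thread or written by any of its posters: a small Python triage script that runs over a constructed subset of the HijackThis lines posted above and flags the load points this kind of infection uses (O4 Run keys launching a DLL via rundll32, a nameless O2 BHO, O20 AppInit_DLLs, and O21/O22 shell objects). The consonant/vowel file-name heuristic and the "placeholder item name" rule are assumptions drawn from the entries in this log, not HijackThis features; the sample lines are copied from the log, with a few benign entries mixed in so the heuristics have both kinds to work on.

```python
import re
from collections import defaultdict

# A constructed subset of the HijackThis log posted above: a few benign
# entries mixed with the suspect ones.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6df6a067-643d-4567-9c1c-06ef4523f406} - C:\WINDOWS\system32\sohagale.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [184ce20f] rundll32.exe "C:\WINDOWS\system32\tevinuki.dll",b
O4 - HKLM\..\Run: [vulerosika] Rundll32.exe "C:\WINDOWS\system32\lajowezi.dll",s
O4 - HKLM\..\Run: [CPM1b7fd193] Rundll32.exe "c:\windows\system32\kezunira.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\metefovu.dll c:\windows\system32\kezunira.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\kezunira.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\kezunira.dll
"""

LINE_RE = re.compile(r"(O\d+) - (.*)")                      # "O4 - <body>"
DLL_RE = re.compile(r'[a-z]:\\[^",]*?\.dll', re.I)          # every DLL path on a line
RUNDLL32_RE = re.compile(r'rundll32(?:\.exe)?\s+"?[^"]+\.dll"?,\w+', re.I)
PLACEHOLDER_RE = re.compile(r"\b(?:SSODL|STS) - ")          # item named after its own key
VOWELS = set("aeiou")


def looks_generated(stem):
    """Heuristic (an assumption drawn from this log, not a HijackThis rule):
    eight lowercase letters alternating consonant/vowel, the shape of every
    Vundo DLL name in the thread (tevinuki, lajowezi, kezunira, ...)."""
    if len(stem) != 8 or not stem.isalpha() or not stem.islower():
        return False
    return all((ch in VOWELS) == (i % 2 == 1) for i, ch in enumerate(stem))


def analyze(log_text):
    """Return (findings, shared): findings is a list of (section, dll_path,
    reasons); shared maps every DLL registered under more than one load point
    to the sorted list of those sections."""
    findings = []
    load_points = defaultdict(set)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        for dll in DLL_RE.findall(body):
            path = dll.lower()                      # normalise case for correlation
            load_points[path].add(section)
            stem = path.rsplit("\\", 1)[-1][:-4]    # file name without ".dll"
            reasons = []
            if section == "O20":
                reasons.append("AppInit_DLLs: loaded into every process that maps user32.dll")
            if section == "O4" and RUNDLL32_RE.search(body):
                reasons.append("Run key starts a DLL through rundll32")
            if section == "O2" and "(no name)" in body:
                reasons.append("browser helper object with no name")
            if section in ("O21", "O22") and PLACEHOLDER_RE.search(body):
                reasons.append("shell object whose item name is just the key name")
            if looks_generated(stem):
                reasons.append("random-looking eight-letter file name")
            if reasons:
                findings.append((section, path, reasons))
    shared = {p: sorted(s) for p, s in load_points.items() if len(s) > 1}
    return findings, shared


if __name__ == "__main__":
    findings, shared = analyze(SAMPLE_LOG)
    for section, path, reasons in findings:
        print(f"{section:<4} {path}\n     - " + "\n     - ".join(reasons))
    for path, sections in shared.items():
        print(f"{path} is registered under {len(sections)} load points: {', '.join(sections)}")
```

The correlation step is the part worth keeping: one DLL (kezunira.dll) is registered under four separate load points, so deleting any single entry leaves the others to load it again at the next logon. A DLL that shows up under several autostart locations at once is the pattern to escalate, independent of what any one entry looks like.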

#2 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:09:37 AM

Posted 25 May 2009 - 03:39 PM

Hi buggie78,

My name is Syler and I will be helping you to clean your computer. Please follow the next step then post back here with the required logs.

Thanks


Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Next

Download DDS and save it to your desktop from here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
  • DDS.txt
  • Attach.txt
  • Save both reports to your desktop.
  • Then post back with DDS.txt.
  • Also please attach, Attach.txt in your next reply.
Then please post back here with the following
  • MBAM log
  • DDS.txt
  • Attach.txt (attach this)



#3 buggie78

buggie78
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:03:37 AM

Posted 27 May 2009 - 06:36 AM

Thank you, Syler. Here are the logs, also attached with the Attach file. An infection seems to remain after following the steps so far.

Malwarebytes' Anti-Malware 1.37
Database version: 2183
Windows 5.1.2600 Service Pack 2

5/27/2009 7:08:12 AM
mbam-log-2009-05-27 (07-08-12).txt

Scan type: Full Scan (C:\|)
Objects scanned: 167828
Time elapsed: 3 hour(s), 15 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 17
Registry Keys Infected: 30
Registry Values Infected: 10
Registry Data Items Infected: 4
Folders Infected: 3
Files Infected: 60

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\nihidabe.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\levivepa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\sohagale.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\lajowezi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\metefovu.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\sokawuge.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\vikeliwo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\nofiteza.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\kanavuwo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\turakana.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\kefafoli.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\jobimimi.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\miwikira.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\jahinepa.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\wegaheba.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\savigifu.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\risefuke.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6df6a067-643d-4567-9c1c-06ef4523f406} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6df6a067-643d-4567-9c1c-06ef4523f406} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6df6a067-643d-4567-9c1c-06ef4523f406} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{84da4fdf-a1cf-4195-8688-3e961f505983} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vulerosika (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\184ce20f (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm1b7fd193 (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\ (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\levivepa.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\metefovu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\metefovu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
c:\documents and settings\Lauri\Application Data\FunWebProducts (Adware.MyWay) -> Quarantined and deleted successfully.
c:\documents and settings\Lauri\application data\funwebproducts\Data (Adware.MyWay) -> Quarantined and deleted successfully.
c:\documents and settings\Lauri\application data\funwebproducts\Data\Lauri (Adware.MyWay) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\lajowezi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nihidabe.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\levivepa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\sohagale.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\metefovu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\sokawuge.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\vikeliwo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\nofiteza.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\kanavuwo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\turakana.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\kefafoli.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\jobimimi.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\miwikira.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\jahinepa.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\wegaheba.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\savigifu.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\risefuke.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\documents and settings\Lauri\local settings\Temp\e.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\documents and settings\Lauri\local settings\temporary internet files\Content.IE5\2O1SD6W3\load[1].php (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\documents and settings\Lauri\local settings\temporary internet files\Content.IE5\QEX3QEJB\srm_free_setup[1].exe (Rogue.SpywareRemover) -> Quarantined and deleted successfully.
c:\program files\trend micro\hijackthis\backups\backup-20090519-211220-203.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\program files\trend micro\hijackthis\backups\backup-20090520-194754-657.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\program files\trend micro\hijackthis\backups\backup-20090519-203328-261.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\program files\trend micro\hijackthis\backups\backup-20090519-203456-103.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\program files\trend micro\hijackthis\backups\backup-20090519-203532-881.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP1394\A0115371.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP1395\A0115384.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP1395\A0115385.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP1395\A0115386.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP1397\A0115418.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP1397\A0115419.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\bunijufu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\buzedetu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dilifale.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\gavasojo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\gimujewa.exe (Trojan.Vundo.V) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\golosewi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\jonusosi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\kafadogi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\moviyema.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\tevinuki.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\varamipe.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dayavuhe.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\fobivili.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\kezunira.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\poliwape.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\at.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\mahipuye.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\marehisa.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\wavotiri.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\kumutaje.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\layosuro.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\letituya.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\tusejinu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\tuzajudi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\documents and settings\Lauri\application data\funwebproducts\Data\Lauri\avatar.dat (Adware.MyWay) -> Quarantined and deleted successfully.
c:\documents and settings\Lauri\application data\funwebproducts\Data\Lauri\register.dat (Adware.MyWay) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yavayusa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jolujara.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\birakuze.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

----------------------------------------------------------------


DDS (Ver_09-05-14.01) - NTFSx86
Run by Lauri at 7:28:38.64 on Wed 05/27/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.120 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Duke VPN\Duke Client\cvpnd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Lauri\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.dell4me.com/myway
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.dell4me.com/myway
mStart Page = hxxp://www.dell4me.com/myway
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: {6df6a067-643d-4567-9c1c-06ef4523f406} - c:\windows\system32\pitolibi.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [googletalk] "c:\program files\google\google talk\googletalk.exe" /autostart
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [<NO NAME>]
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UpdaterUI.exe" /StartedFromRunKey
mRun: [Network Associates Error Reporting Service] "c:\program files\common files\network associates\talkback\tbmon.exe"
mRun: [EPSON Stylus Photo R320 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [CPM1b7fd193] Rundll32.exe "c:\windows\system32\yavalogi.dll",a
mRun: [vulerosika] Rundll32.exe "c:\windows\system32\mopapude.dll",s
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 9.0\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dukeun~1.lnk - c:\program files\duke vpn\duke client\vpngui.exe
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
AppInit_DLLs: c:\windows\system32\yavalogi.dll,c:\windows\system32\pidokofu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yavalogi.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\yavalogi.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
LSA: Notification Packages = scecli c:\windows\system32\pidokofu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\lauri\applic~1\mozilla\firefox\profiles\2t6xvinh.default user\
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2005-8-26 58048]
R2 Maxtor Sync Service;Maxtor Service;c:\program files\maxtor\sync\SyncServices.exe [2007-9-28 156976]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2005-8-26 102463]
R2 McShield;Network Associates McShield;c:\program files\network associates\virusscan\mcshield.exe [2004-9-22 221191]
R2 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\vstskmgr.exe [2004-9-22 28672]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2005-8-26 108256]
S3 Sockblkd;Sockblkd;c:\windows\system32\drivers\sockblkd.sys --> c:\windows\system32\drivers\Sockblkd.sys [?]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-10-11 189792]

=============== Created Last 30 ================

2009-05-26 21:18 <DIR> --d----- c:\docume~1\lauri\applic~1\Malwarebytes
2009-05-26 21:18 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 21:18 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-26 21:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-26 21:18 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-19 20:08 <DIR> --d----- c:\program files\Trend Micro

==================== Find3M ====================

2009-05-27 01:17 51,200 a--sh--- c:\windows\system32\zagibuwa.dll
2009-05-27 01:16 82,944 a--sh--- c:\windows\system32\yavalogi.dll
2009-05-27 01:16 82,432 a--sh--- c:\windows\system32\sogoyiyi.dll
2009-05-19 20:41 51,712 a------- c:\windows\system32\sohagale.dll.tmp
2009-05-16 01:11 82,432 a--sh--- c:\windows\system32\yefabesu.dll
2009-05-16 01:11 80,896 -------- c:\windows\system32\kivojide.dll
2009-05-15 13:11 83,456 a--sh--- c:\windows\system32\fozehiza.dll
2009-05-15 13:11 81,920 -------- c:\windows\system32\soluloza.dll
2009-05-15 01:10 82,944 a--sh--- c:\windows\system32\gazupefi.dll
2009-05-15 01:10 81,920 -------- c:\windows\system32\rojanodi.dll
2009-05-14 13:10 83,456 a--sh--- c:\windows\system32\wirahahe.dll
2009-05-14 01:10 83,456 a--sh--- c:\windows\system32\womaduzo.dll
2009-05-14 01:10 81,920 -------- c:\windows\system32\hojeyifo.dll
2009-05-13 13:09 82,944 a--sh--- c:\windows\system32\dekoyemu.dll
2009-05-13 01:09 83,456 a--sh--- c:\windows\system32\sorihade.dll
2009-05-13 01:09 80,896 -------- c:\windows\system32\yomoviya.dll
2009-05-11 19:08 83,456 a--sh--- c:\windows\system32\jenawijo.dll
2009-05-11 19:08 81,408 -------- c:\windows\system32\gipekuya.dll
2009-05-11 07:08 83,456 a--sh--- c:\windows\system32\kuyahere.dll
2009-05-11 07:08 81,408 a--sh--- c:\windows\system32\dowemuma.dll
2009-05-08 19:32 82,944 a--sh--- c:\windows\system32\fozugalu.dll
2009-05-08 19:32 81,920 a--sh--- c:\windows\system32\daravome.dll
2009-05-08 07:32 82,944 a--sh--- c:\windows\system32\jikifeba.dll
2009-05-07 19:32 83,456 a--sh--- c:\windows\system32\jayawata.dll
2009-05-07 19:32 81,408 -------- c:\windows\system32\junetiga.dll
2009-05-07 07:31 83,456 a--sh--- c:\windows\system32\zokokugi.dll
2009-05-07 07:31 81,408 -------- c:\windows\system32\lakabema.dll
2009-05-06 19:31 82,432 a--sh--- c:\windows\system32\pajaduvo.dll
2009-05-06 19:31 80,896 -------- c:\windows\system32\giwaporu.dll
2009-05-06 07:31 81,920 a--sh--- c:\windows\system32\yabikuse.dll
2009-05-06 07:31 82,944 a--sh--- c:\windows\system32\wunukuna.dll
2009-05-06 07:31 47,104 a--sh--- c:\windows\system32\sorusodi.exe
2009-05-05 19:31 82,432 a--sh--- c:\windows\system32\semefafu.dll
2009-05-05 19:31 81,408 -------- c:\windows\system32\sibatoyu.dll
2009-05-05 07:30 80,896 -------- c:\windows\system32\minabiru.dll
2009-05-05 07:30 82,432 a--sh--- c:\windows\system32\tozuzeni.dll
2009-05-04 19:30 81,408 -------- c:\windows\system32\yodofori.dll
2009-05-04 19:30 82,432 a--sh--- c:\windows\system32\vigedeho.dll
2009-05-04 07:30 82,944 a--sh--- c:\windows\system32\gikenusa.dll
2009-05-03 19:30 82,944 a--sh--- c:\windows\system32\hozoyaso.dll
2009-05-03 19:30 80,896 -------- c:\windows\system32\sepakada.dll
2009-05-03 07:29 82,432 a--sh--- c:\windows\system32\votaseko.dll
2009-05-03 07:29 81,408 -------- c:\windows\system32\ruzogajo.dll
2009-05-02 19:29 81,920 a--sh--- c:\windows\system32\lalevori.dll
2009-05-02 19:29 82,432 a--sh--- c:\windows\system32\bahikoda.dll
2009-05-02 19:29 47,104 a--sh--- c:\windows\system32\tasiyapi.exe
2009-05-02 07:29 81,920 -------- c:\windows\system32\hadoviwi.dll
2009-05-02 07:29 82,432 a--sh--- c:\windows\system32\pugewaho.dll
2009-05-01 19:29 83,456 a--sh--- c:\windows\system32\jupadupu.dll
2009-05-01 19:29 81,920 a--sh--- c:\windows\system32\mazerihu.dll
2009-05-01 07:28 82,944 a--sh--- c:\windows\system32\vipogofu.dll
2009-05-01 07:28 80,896 -------- c:\windows\system32\hafozayu.dll
2009-04-30 19:28 81,408 -------- c:\windows\system32\nufonami.dll
2009-04-30 19:28 82,432 a--sh--- c:\windows\system32\perugepe.dll
2009-04-30 19:28 47,104 a--sh--- c:\windows\system32\bodulava.exe
2009-04-30 07:29 49,664 a--sh--- c:\windows\system32\jemevevo.dll
2009-04-30 07:29 82,944 a--sh--- c:\windows\system32\tuyowile.dll
2009-04-30 07:29 46,592 a--sh--- c:\windows\system32\dinelute.exe
2009-04-30 07:29 81,408 -------- c:\windows\system32\pugiseka.dll
2009-04-29 19:27 83,456 a--sh--- c:\windows\system32\fezapuka.dll
2009-04-29 07:27 82,944 a--sh--- c:\windows\system32\pogavito.dll
2009-04-28 19:27 82,432 a--sh--- c:\windows\system32\pupezeri.dll
2009-04-28 19:27 80,896 -------- c:\windows\system32\runimuhu.dll
2009-04-28 06:26 82,944 a--sh--- c:\windows\system32\rufalube.dll
2009-04-28 06:26 81,920 -------- c:\windows\system32\tesifeke.dll
2009-04-28 06:26 46,080 a--sh--- c:\windows\system32\kifabibu.exe
2009-04-27 00:26 46,592 a--sh--- c:\windows\system32\bafepugi.exe
2009-04-27 00:26 82,432 a--sh--- c:\windows\system32\dewokawo.dll
2009-04-27 00:26 80,896 a--sh--- c:\windows\system32\jowemufu.dll
2009-04-26 12:25 46,592 a--sh--- c:\windows\system32\lurideyu.exe
2009-04-26 12:25 82,944 a--sh--- c:\windows\system32\yewojipa.dll
2009-04-26 00:25 82,944 a--sh--- c:\windows\system32\mihesohi.dll
2009-04-26 00:25 46,592 a--sh--- c:\windows\system32\vibabugo.exe
2009-04-25 12:26 2,098 ---sh--- c:\windows\system32\mivayali.exe
2009-04-25 12:26 2,098 ---sh--- c:\windows\system32\yipusipe.dll
2009-04-25 12:26 2,098 ---sh--- c:\windows\system32\losuruta.dll
2009-04-25 11:25 50,688 a--sh--- c:\windows\system32\fodevuna.dll
2009-04-24 23:25 2,098 ---sh--- c:\windows\system32\yevazani.dll
2009-04-24 23:25 2,098 ---sh--- c:\windows\system32\johabuji.exe
2009-03-21 10:18 986,112 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-06 10:44 283,648 a------- c:\windows\system32\pdh.dll
2009-03-06 10:44 283,648 -------- c:\windows\system32\dllcache\pdh.dll
2009-03-02 19:52 1,495,552 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-02-27 01:17 51,200 a--sh--- c:\windows\system32\pitolibi.dll
2009-02-27 01:17 51,200 a--sh--- c:\windows\system32\pidokofu.dll
2009-02-27 01:17 51,200 a--sh--- c:\windows\system32\mopapude.dll

============= FINISH: 7:30:34.08 ===============
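
The log above is worth reading as a set of load points rather than a list of file names: the same generated DLL names recur in a rundll32 Run entry, a nameless BHO, an SSODL entry, AppInit_DLLs and the LSA Notification Packages value, and the Find3M section shows hidden+system files with eight-letter consonant/vowel names appearing in system32 in pairs about twelve hours apart. The Python script below is an added example for this page, not output or logic from DDS, HijackThis, ComboFix or the forum helper: it runs a few triage rules over lines in the DDS format shown above. The sample lines are constructed from entries in the log, and the regular expressions, rule names, the consonant/vowel name heuristic and the 8-character attribute field layout (inferred from the entries above) are all assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample in the DDS log format used above: a few autorun entries,
# load points and Find3M file entries, including benign neighbours that the
# rules must not flag. The file names are copied from the log; the mix is ours.
SAMPLE_LOG = r"""
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [CPM1b7fd193] Rundll32.exe "c:\windows\system32\yavalogi.dll",a
mRun: [vulerosika] Rundll32.exe "c:\windows\system32\mopapude.dll",s
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: {6df6a067-643d-4567-9c1c-06ef4523f406} - c:\windows\system32\pitolibi.dll
AppInit_DLLs: c:\windows\system32\yavalogi.dll,c:\windows\system32\pidokofu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yavalogi.dll
LSA: Notification Packages = scecli c:\windows\system32\pidokofu.dll
2009-05-27 01:17 51,200 a--sh--- c:\windows\system32\zagibuwa.dll
2009-05-27 01:16 82,944 a--sh--- c:\windows\system32\yavalogi.dll
2009-05-16 01:11 80,896 -------- c:\windows\system32\kivojide.dll
2009-03-06 10:44 283,648 a------- c:\windows\system32\pdh.dll
2009-03-21 10:18 986,112 -------- c:\windows\system32\dllcache\kernel32.dll
"""

# A Windows path ending in .dll/.exe; non-greedy so "c:\program files\x\y.dll" stays whole
PATH_RE = re.compile(r'[a-z]:\\[^",]+?\.(?:dll|exe)\b', re.I)
# Find3M entry: date, time, size, 8-character attribute field (assumed layout), path
FILE_RE = re.compile(r'^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2} [\d,]+ ([a-z-]{8}) (.+)$')
# Eight letters alternating consonant/vowel: the naming scheme visible in the log
CV_RE = re.compile(r'^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}$')
# The only entry Windows XP ships in the LSA Notification Packages value
DEFAULT_LSA_PACKAGES = {'scecli'}


def stem(path):
    return path.rsplit('\\', 1)[-1].rsplit('.', 1)[0].lower()


def looks_generated(path):
    """True for names like yavalogi.dll. Heuristic only: a few real files (setupapi.dll)
    also match, so it is used together with the location and the load point."""
    return CV_RE.match(stem(path)) is not None


def in_system32(path):
    return '\\windows\\system32\\' in path.lower()


def analyze(log_text):
    """Return (rule, path, detail) for each suspicious line of a DDS-style log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = line.split(':', 1)[0]          # uRun / mRun / BHO / AppInit_DLLs / LSA ...
        paths = PATH_RE.findall(line)
        m = FILE_RE.match(line)
        if m:
            date, attrs, path = m.groups()
            hidden_system = 's' in attrs and 'h' in attrs
            if in_system32(path) and (hidden_system or looks_generated(path)):
                why = 'hidden+system' if hidden_system else 'generated name'
                findings.append(('dropped-file', path, f'{date} {why}'))
        elif key in ('uRun', 'mRun', 'dRun') and 'rundll32' in line.lower():
            for p in paths:
                if in_system32(p) and looks_generated(p):
                    findings.append(('rundll32-autorun', p, key))
        elif key == 'AppInit_DLLs':
            for p in paths:  # injected into every process that loads user32.dll
                findings.append(('appinit', p, 'loaded into every user32 process'))
        elif key == 'LSA':
            for token in line.split('=', 1)[1].split():
                if token.lower() not in DEFAULT_LSA_PACKAGES:
                    findings.append(('lsa-notify', token, 'non-default notification package'))
        elif key in ('BHO', 'SSODL', 'STS'):
            for p in paths:
                if in_system32(p) and looks_generated(p):
                    findings.append(('shell-loadpoint', p, key))
    return findings


def drop_dates(findings):
    """Count flagged Find3M files per day; on the full log this shows the drop cadence."""
    return Counter(detail.split()[0] for rule, _, detail in findings if rule == 'dropped-file')


if __name__ == '__main__':
    results = analyze(SAMPLE_LOG)
    for rule, path, detail in results:
        print(f'{rule:18} {path}  ({detail})')
    print(dict(drop_dates(results)))
```

Two caveats a practitioner would want: the name heuristic is deliberately weak on its own (setupapi.dll also alternates consonant and vowel), which is why every rule pairs it with a location and a load point; and the LSA rule treats anything beyond scecli as suspect, which needs an allowlist on machines with legitimate password filters. An LSA notification package and an AppInit DLL are loaded by lsass.exe and by every user32 process respectively, which is consistent with the ordinary file deletes and HijackThis fixes in the thread not sticking.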


#4 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 27 May 2009 - 12:51 PM

Hi buggie78,


Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix



#5 buggie78

  • Topic Starter
  • Members
  • 4 posts

Posted 27 May 2009 - 10:28 PM

Hi syler- I can't seem to run combofix. I read all the instructions, disabled my firewall and antivirus software, closed all the applications I could find, and tried to run the file. After I click run, I get a little combofix status bar, but then nothing else happens. I don't get any additional prompts or windows. After about 10 or 15 minutes of nothing happening, it seems my McAfee On Access Scan has re-enabled itself and combofix isn't even showing up in my running processes in the task manager. I've rebooted and tried this several times with the same results. Any suggestions?

#6 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 28 May 2009 - 04:13 AM

Hi buggie78,

It could be that something is stopping it from running; please try this and see if it works.
Delete the copy of Combofix you already have.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

Edited by syler, 28 May 2009 - 03:17 PM.



#7 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 31 May 2009 - 08:49 AM

Hi buggie78, are you still there?



#8 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 02 June 2009 - 09:00 AM

Due to the lack of feedback, this topic is closed.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.





