PE_Magistr.B.Dam and all kinds of other problems


  • This topic is locked
11 replies to this topic

#1 bigjeepzz


  • Members
  • 24 posts

Posted 23 June 2009 - 09:01 PM

My problems started back in March and I started getting help but I ran into some major problems. I originally posted this message when the problems started:

http://www.bleepingcomputer.com/forums/ind...p;#entry1166753

I was in the process of being helped by SifuMike when some unexpected problems occurred. I was unable to get the computer to boot up and this of course stopped everything. I was finally able to get the computer started and tried running the MalwareBytes Anti-Malware software as directed by SifuMike. The computer would not finish the scan and would then stop working altogether. Since then I have been able to get the computer to operate somewhat again so I am now back at it.

The computer has given the following problems:

Blue screen stating Page_Fault_In_Nonpaged_Area, then starts physical memory dump

Error loading C:\WINDOWS\system32\fshqnpnc.dll

and just now I got a virus warning for PE_Magistr.B.Dam

To recap, the problems all started when my wife was surfing the internet and watching a movie online and got the blue screen stating the error message Driver_IRQL_Not_Less_or_EQUAL.

After this happened the computer would take about 15 mins to start up and was completely unusable because it was overloaded with popup messages. Since all the problems have been happening, the pop-ups are somewhat under control, but the wireless card has been disabled somehow and I cannot get on the internet any longer. I was able to get on the internet once and the home page was changed. I was unable to get the info off of the page, sorry. I am using my other laptop to communicate on the board and to download any software I may need to install on the busted machine. I would definitely appreciate any help I could receive because I don't want her to mess my laptop up either, LOL

Here is a copy of the DDS log I just received from the busted machine.


DDS (Ver_09-02-01.01) - NTFSx86
Run by Ann at 21:27:30.52 on Tue 06/23/2009
Internet Explorer: 6.0.2800.1106
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.255.75 [GMT -4:00]

AV: Trend Micro PC-cillin Internet Security *On-access scanning enabled* (Outdated)
FW: Trend Micro PC-cillin Internet Security (Firewall) *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\dhcp\svchost.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k sys
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\3361\svchost.exe -sysrun
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Documents and Settings\Ann\Desktop\dds.scr
C:\WINDOWS\System32\inf\rundll33.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = 127.0..1:8080
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {144ea9ea-4193-487e-ba39-5f3cbd9edec5} - c:\windows\system32\dikiyoka.dll
BHO: c:\windows\system32\jksahfo93wjfkd.dll: {b2ba40a2-74f0-42bd-f434-12345a2c8953} - c:\windows\system32\jksahfo93wjfkd.dll
BHO: {ed314e4f-aa63-43e9-826f-4ea57ef7788c} - c:\windows\system32\qoMeFyyV.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
uRun: [OE_OEM] "c:\program files\trend micro\internet security 12\tmas_oe\TMAS_OEMon.exe"
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [prunnet] "c:\windows\system32\prunnet.exe"
uRun: [comidle] "c:\documents and settings\ann\application data\comidle\comidle.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
uRun: [reader_s] c:\documents and settings\ann\reader_s.exe
uRun: [Windows System Recover!] c:\docume~1\ann\locals~1\temp\winlogon.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [SunJavaUpdateSched] c:\program files\java\j2re1.4.2_03\bin\jusched.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [Dell Wireless Manager UI] c:\windows\system32\WLTRAY
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [pccguide.exe] "c:\program files\trend micro\internet security 12\pccguide.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [masqform.exe] c:\program files\pureedge\viewer 6.5\masqform.exe -RunOnce
mRun: [prunnet] "c:\windows\system32\prunnet.exe"
mRun: [gijimukodo] Rundll32.exe "c:\windows\system32\vudijema.dll",s
mRun: [Explorer] c:\windows\system32\msrstart.exe
mRun: [svchost.exe] "c:\windows\system32\3361\svchost.exe"
mRun: [c84f6a8d] rundll32.exe "c:\windows\system32\fshqnpnc.dll",b
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [reader_s] c:\windows\system32\reader_s.exe
mRun: [services] c:\windows\services.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Radio-TV adverts] c:\windows\temp\rtv_winupd.exe
mRun: [Radio-TV adverts] c:\windows\temp\rtv_winupd.exe
mRun: [sysldtray] c:\windows\ld10.exe
mRunOnce: [svchost.exe] "c:\windows\system32\3361\svchost.exe"
dRun: [comidle] "c:\documents and settings\ann\application data\comidle\comidle.exe" 61A847B5BBF728103B9D3B466188719AB689201522886B092CBD44BD8689220221DD3257
dRun: [reader_s] c:\documents and settings\ann\reader_s.exe
dRun: [services] c:\windows\services.exe
mExplorerRun: [xccinit] c:\windows\system32\inf\rundll33.exe c:\windows\xccdf16_090131a.dll xccd16
mExplorerRun: [services] c:\windows\services.exe
dExplorerRun: [services] c:\windows\services.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - c:\program files\partygaming\partybingo\RunBingo.exe
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: geBssppM - geBssppM.dll
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll c:\windows\system32\wuyiyage.dll wjnmbz.dll
STS: c:\windows\system32\jksahfo93wjfkd.dll: {b2ba40a2-74f0-42bd-f434-12345a2c8953} - c:\windows\system32\jksahfo93wjfkd.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\geBssppM.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\qoMeFyyV
LSA: Notification Packages = scecli c:\windows\system32\wuyiyage.dll

============= SERVICES / DRIVERS ===============


============== File Associations ===============

txtfile="c:\windows\system32\nxtepad.exe" "%1"

=============== Created Last 30 ================

2009-06-23 21:16 --d----- c:\program files\sys
2009-06-23 21:16 2 a------- c:\windows\010112010146118114.dat
2009-06-23 21:16 0 a------- c:\windows\system32\9.tmp
2009-06-23 21:16 34,816 ----h--- c:\windows\ld10.exe

==================== Find3M ====================

2009-06-23 21:28 11,919 a--sh--- c:\windows\system32\VyyFeMoq.ini2
2009-06-23 21:27 251,392 a------- c:\windows\xccdf32_090131a.dll
2009-04-26 22:02 61,440 a------- c:\windows\system32\30.tmp
2009-04-26 22:01 2,042,240 ----h--- c:\windows\system32\ntoskrnl.exe
2009-04-26 22:01 152,064 a------- c:\windows\system32\27.tmp
2009-04-26 22:01 184,361 -------- c:\windows\system32\VT100.EXE
2009-04-26 22:00 15,000 a------- c:\windows\system32\jksahfo93wjfkd.dll
2009-04-03 18:29 35,328 a------- c:\documents and settings\ann\reader_s.exe
2009-04-03 18:29 35,328 a------- c:\windows\system32\reader_s.exe
2009-04-03 15:57 23,444 a------- c:\windows\system32\emptyregdb.dat
0000-00-00 00:00 47,616 a--sh--- c:\windows\system32\dikiyoka.dll
2009-03-04 01:36 129,024 a--sh--- c:\windows\system32\fegovumi.dll
2009-03-04 01:36 79,872 a--sh--- c:\windows\system32\puzenupe.dll
2009-03-04 01:36 84,992 a--sh--- c:\windows\system32\seholima.dll
0000-00-00 00:00 47,616 a--sh--- c:\windows\system32\vudijema.dll
2009-03-04 01:36 129,024 a--sh--- c:\windows\system32\wjnmbz.dll
0000-00-00 00:00 47,616 a--sh--- c:\windows\system32\wuyiyage.dll

============= FINISH: 21:31:21.53 ===============
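Reading a Pseudo HJT Report like the one above by hand is slow, and the same few questions come up every time: does an autostart entry run a system-binary name from the wrong directory or from a temp folder, are the LSA package lists still at their defaults, is AppInit_DLLs populated, has the .txt handler or the browser proxy been redirected, and have registry-tools or folder-options policies been switched on. The script below is an added example (not part of bigjeepzz's post or of the DDS tool) that runs that checklist over lines in the DDS format. The sample lines are constructed here, modelled on the log's format rather than copied from a live host, and the baselines it assumes are the Windows XP defaults: msv1_0 as the only Authentication Package, scecli as the only Notification Package, and notepad.exe as the txtfile handler.

```python
"""Analyst triage of a DDS 'Pseudo HJT Report'.

Added example: not part of the thread or of the DDS tool.  Each check is one
item from a malware-removal checklist; the sample lines are constructed here in
the DDS line format and modelled on the log above, not copied from a live host.
"""
from __future__ import annotations

import re

# Constructed sample input (DDS 'key: value' format).
SAMPLE_REPORT = r"""
uInternet Settings,ProxyServer = 127.0..1:8080
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Windows System Recover!] c:\docume~1\ann\locals~1\temp\winlogon.exe
mRun: [svchost.exe] "c:\windows\system32\3361\svchost.exe"
mRun: [services] c:\windows\services.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll wjnmbz.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\qoMeFyyV
LSA: Notification Packages = scecli c:\windows\system32\wuyiyage.dll
txtfile="c:\windows\system32\nxtepad.exe" "%1"
uPolicies-system: DisableRegistryTools = 1 (0x1)
"""

# Default home of core Windows XP binaries; a same-named file autostarting from
# anywhere else is the classic impostor pattern (fake svchost.exe, services.exe).
EXPECTED_HOME = {name: r"c:\windows\system32" for name in
                 ("svchost.exe", "services.exe", "winlogon.exe", "lsass.exe", "csrss.exe")}
EXPECTED_HOME["explorer.exe"] = r"c:\windows"
# Policies that lock the user out of their own repair tools.
LOCKDOWN_POLICIES = {"disableregistrytools", "nofolderoptions", "disabletaskmgr"}
# XP defaults for the two LSA package lists; anything else loads into lsass.exe.
LSA_BASELINE = {"authentication": {"msv1_0"}, "notification": {"scecli"}}

RUN_LINE = re.compile(r"^\w*Run(?:Once)?:\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.*)$", re.I)
POLICY_LINE = re.compile(r"^[umd]Policies-\w+:\s+(?P<name>\w+)\s*=\s*(?P<val>\d+)", re.I)


def first_path(cmd: str) -> str:
    """Return the program (or DLL) path a command line starts with, unquoted."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def check_run_command(cmd: str) -> list[str]:
    path = first_path(cmd).lower()
    directory, _, base = path.rpartition("\\")
    reasons = []
    home = EXPECTED_HOME.get(base)
    if home and directory != home:
        reasons.append(f"'{base}' belongs in {home} but autostarts from {directory or '(no path)'}")
    if "\\temp\\" in path:
        reasons.append(f"autostart entry runs from a temp directory: {path}")
    return reasons


def unexpected_lsa_packages(line: str, kind: str) -> list[str]:
    value = line.split("=", 1)[1]
    extras = [t for t in value.split() if t.lower() not in LSA_BASELINE[kind]]
    return [f"non-default LSA {kind} package: {t}" for t in extras]


def check_line(line: str) -> list[str]:
    """Apply every heuristic that fits this line's DDS key."""
    low = line.lower()
    run = RUN_LINE.match(line)
    if run:
        return check_run_command(run.group("cmd"))
    if low.startswith("appinit_dlls:"):
        dlls = line.split(":", 1)[1].strip()
        return [f"AppInit_DLLs populated, review each: {dlls}"] if dlls else []
    if low.startswith("lsa: authentication packages"):
        return unexpected_lsa_packages(line, "authentication")
    if low.startswith("lsa: notification packages"):
        return unexpected_lsa_packages(line, "notification")
    policy = POLICY_LINE.match(line)
    if policy and policy.group("name").lower() in LOCKDOWN_POLICIES and policy.group("val") == "1":
        return [f"user lockout policy set: {policy.group('name')}"]
    if "proxyserver" in low and "=" in line:
        proxy = line.split("=", 1)[1].strip()
        if proxy.startswith(("127.", "localhost")):
            return [f"browser traffic routed through a local proxy: {proxy}"]
    if low.startswith("txtfile="):
        handler = first_path(line.split("=", 1)[1]).lower()
        if not handler.endswith("\\notepad.exe"):
            return [f".txt handler hijacked: {handler}"]
    return []


def triage(report: str) -> list[tuple[str, str]]:
    """Return (reason, line) pairs for every line that trips a heuristic."""
    return [(reason, line.strip()) for line in report.splitlines()
            if line.strip() for reason in check_line(line.strip())]


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_REPORT):
        print(f"{reason}\n    {line}")
```

The checks are deliberately conservative: a legitimate entry such as the Google Desktop AppInit DLL still gets listed for review rather than silently passed, because the point of the pass is to shorten the analyst's reading, not to replace it.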



#2 schrauber


    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 27 June 2009 - 02:03 PM

Hello bigjeepzz and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#3 bigjeepzz

  • Topic Starter

  • Members
  • 24 posts

Posted 28 June 2009 - 08:39 PM

No problem sir, I completely understand the amount of work you guys have. I really appreciate what you guys do. Here is the second DDS log requested. Standing by for more instructions......


DDS (Ver_09-02-01.01) - NTFSx86
Run by Ann at 21:28:00.14 on Sun 06/28/2009
Internet Explorer: 6.0.2800.1106
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.255.25 [GMT -4:00]

AV: Trend Micro PC-cillin Internet Security *On-access scanning enabled* (Outdated)
FW: Trend Micro PC-cillin Internet Security (Firewall) *disabled*

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = 127.0..1:8080
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {144ea9ea-4193-487e-ba39-5f3cbd9edec5} - c:\windows\system32\hizupoye.dll
BHO: c:\windows\system32\jksahfo93wjfkd.dll: {b2ba40a2-74f0-42bd-f434-12345a2c8953} - c:\windows\system32\jksahfo93wjfkd.dll
BHO: {d60904ca-abad-4d04-a1b0-3a81340574ea} - c:\windows\system32\qoMeFyyV.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
uRun: [OE_OEM] "c:\program files\trend micro\internet security 12\tmas_oe\TMAS_OEMon.exe"
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [prunnet] "c:\windows\system32\prunnet.exe"
uRun: [comidle] "c:\documents and settings\ann\application data\comidle\comidle.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
uRun: [reader_s] c:\documents and settings\ann\reader_s.exe
uRun: [Windows System Recover!] c:\docume~1\ann\locals~1\temp\debug.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [SunJavaUpdateSched] c:\program files\java\j2re1.4.2_03\bin\jusched.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [Dell Wireless Manager UI] c:\windows\system32\WLTRAY
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [pccguide.exe] "c:\program files\trend micro\internet security 12\pccguide.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [masqform.exe] c:\program files\pureedge\viewer 6.5\masqform.exe -RunOnce
mRun: [prunnet] "c:\windows\system32\prunnet.exe"
mRun: [Explorer] c:\windows\system32\msrstart.exe
mRun: [svchost.exe] "c:\windows\system32\3361\svchost.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [reader_s] c:\windows\system32\reader_s.exe
mRun: [services] c:\windows\services.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Radio-TV adverts] c:\windows\temp\rtv_winupd.exe
mRun: [Radio-TV adverts] c:\windows\temp\rtv_winupd.exe
mRun: [sysldtray] c:\windows\ld10.exe
mRun: [CPMcb7c5911] Rundll32.exe "c:\windows\system32\kivigoru.dll",a
mRun: [c84f6a8d] rundll32.exe "c:\windows\system32\dabezoda.dll",b
mRun: [gijimukodo] Rundll32.exe "c:\windows\system32\diwunawo.dll",s
mRunOnce: [svchost.exe] "c:\windows\system32\3361\svchost.exe"
dRun: [comidle] "c:\documents and settings\ann\application data\comidle\comidle.exe" 61A847B5BBF728103B9D3B466188719AB689201522886B092CBD44BD8689220221DD3257
dRun: [reader_s] c:\documents and settings\ann\reader_s.exe
dRun: [services] c:\windows\services.exe
mExplorerRun: [xccinit] c:\windows\system32\inf\rundll33.exe c:\windows\xccdf16_090131a.dll xccd16
mExplorerRun: [services] c:\windows\services.exe
dExplorerRun: [services] c:\windows\services.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - c:\program files\partygaming\partybingo\RunBingo.exe
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: geBssppM - geBssppM.dll
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll wjnmbz.dll c:\windows\system32\kivigoru.dll,c:\windows\system32\yuyobiso.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\kivigoru.dll
STS: c:\windows\system32\jksahfo93wjfkd.dll: {b2ba40a2-74f0-42bd-f434-12345a2c8953} - c:\windows\system32\jksahfo93wjfkd.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\kivigoru.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\geBssppM.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\qoMeFyyV
LSA: Notification Packages = scecli c:\windows\system32\yuyobiso.dll

============= SERVICES / DRIVERS ===============


============== File Associations ===============

txtfile="c:\windows\system32\nxtepad.exe" "%1"

=============== Created Last 30 ================

2009-06-23 22:47 1,406,496 ---sh--- c:\windows\system32\adozebad.ini
2009-06-23 21:16 <DIR> --d----- c:\program files\sys
2009-06-23 21:16 2 a------- c:\windows\010112010146118114.dat
2009-06-23 21:16 0 a------- c:\windows\system32\9.tmp
2009-06-23 21:16 34,816 ----h--- c:\windows\ld10.exe

==================== Find3M ====================

2009-06-28 21:29 5,688 a--sh--- c:\windows\system32\VyyFeMoq.ini2
2009-06-28 21:25 251,392 a------- c:\windows\xccdf32_090131a.dll
2009-06-23 23:28 2,042,240 ----h--- c:\windows\system32\ntoskrnl.exe
2009-06-23 22:47 48,640 a--sh--- c:\windows\system32\derasafe.dll
2009-06-23 22:47 87,552 a--sh--- c:\windows\system32\kivigoru.dll
2009-06-23 22:47 80,384 a--sh--- c:\windows\system32\dabezoda.dll
2009-04-26 22:02 61,440 a------- c:\windows\system32\30.tmp
2009-04-26 22:01 152,064 a------- c:\windows\system32\27.tmp
2009-04-26 22:00 15,000 a------- c:\windows\system32\jksahfo93wjfkd.dll
2009-04-03 18:29 35,328 a------- c:\documents and settings\ann\reader_s.exe
2009-04-03 18:29 35,328 a------- c:\windows\system32\reader_s.exe
2009-04-03 15:57 23,444 a------- c:\windows\system32\emptyregdb.dat
2009-03-23 22:48 48,640 a--sh--- c:\windows\system32\diwunawo.dll
2009-03-04 01:36 129,024 a--sh--- c:\windows\system32\fegovumi.dll
2009-03-23 22:48 48,640 a--sh--- c:\windows\system32\hizupoye.dll
2009-03-04 01:36 79,872 a--sh--- c:\windows\system32\puzenupe.dll
2009-03-04 01:36 84,992 a--sh--- c:\windows\system32\seholima.dll
2009-03-04 01:36 129,024 a--sh--- c:\windows\system32\wjnmbz.dll
2009-03-23 22:48 48,640 a--sh--- c:\windows\system32\yuyobiso.dll

============= FINISH: 21:31:10.98 ===============



#4 m0le


    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 30 June 2009 - 05:55 PM

Hi bigjeepzz,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day then I will close the topic.

-----------------------------------------------------------------------------------------------

You have a number of infections and we need to get them removed as quickly as possible. These infections will not want to go so this could take some time. If you have problems running any tools then let me know.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop but rename it Combo-Fix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks :thumbup2:
m0le is a proud member of UNITE

#5 bigjeepzz

  • Topic Starter

  • Members
  • 24 posts

Posted 30 June 2009 - 07:16 PM

mOle,

Thanks for the help thus far, I am fully confident you can help me out with this.

The busted computer will not connect to the internet so I have to use a thumb drive on a working machine to download any tools and then place them on the busted machine. I followed your instructions and downloaded the combofix tool from the bleeping computer link you provided.

I placed combofix on the desktop of the busted machine and renamed the file as you stated. When I attempted to run combo-fix I got an error message saying:



Alert! It's not safe to continue

The contents of the Combo Fix package has been compromised
Please download a fresh copy from

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Note: You may be be infected with a file patching virus 'Virut'



When you click OK, the message disappears and combo fix does not run.

I tried downloading combofix from the other two links provided but got the same result.

I would try to use the busted machine to download combofix from one of the links provided but I cannot get the computer to connect to the internet.

Any ideas on what I can do?

Thanks again, and I am ready to try the next thing.

Jake

#6 m0le


    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 01 July 2009 - 07:02 AM

Hi Bigjeepzz,

Unfortunately I know exactly what that means. Bad news, mate, I'm afraid :thumbup2:

Your System is infected with Virut!!
Virut is a file infecting virus which is able to modify itself each and every time it runs. In addition, when it infects, sometimes it will destroy the file it tries to latch onto.
For these reasons, you really can't truly fix Virut. You will need to format/reinstall the operating system on this machine.

More information:
http://free.avg.com/66558

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus.


http://home.mcafee.com/VirusInfo/VirusProf...aspx?key=143034

W32/Virut.h is a polymorphic, entry point obscuring (EPO) file infector with IRC bot functionality. It can accept commands to download other malware on the compromised machine.
It appends to the end of the last section of executable (PE) files an encrypted copy of its code. The decryptor is polymorphic and can be located either:
  • Immediately before the encrypted code at the end of the last section
  • At the end of the code section of the infected host in 'slack-space' (assuming there is any)
  • At the original entry point of the host (overwriting the original host code)


Miekiemoes, one of our team members here and an MS-MVP, additionally has a blog post about Virut.

If you have any questions then post a reply.
m0le is a proud member of UNITE
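The McAfee description m0le quotes names three places the polymorphic decryptor can sit, and two of them leave marks in the PE headers that a defender can check for without knowing the variant: code appended to the last section (the entry point, or a new executable+writable flag, ends up in a section that was data), and an entry point moved into the slack space between a code section's VirtualSize and its aligned end. The script below is an added example, not code from the thread, McAfee or any vendor; it parses a PE32 section table with nothing but `struct`, applies those header heuristics, and runs them over header-only images constructed in the script itself (a clean layout, an appended-code layout and a slack-space entry point). The third variant in the quote, overwriting code at the original entry point, changes no header at all, so a pass like this is a first-look triage aid rather than a Virut detector, which is consistent with the thread's advice that the reliable fix is to reinstall.

```python
"""PE header heuristics for appended-code and entry-point-obscuring infectors.

Added example illustrating the infection layout quoted above; not code from the
thread, McAfee or any vendor.  The images are header-only PE32 structures
constructed in this script, and the checks are a triage aid, not a signature.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HEADER = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes
TEXT_FLAGS = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA_FLAGS = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE


@dataclass
class Section:
    name: str
    vsize: int    # VirtualSize
    va: int       # VirtualAddress (RVA)
    rawsize: int  # SizeOfRawData
    flags: int    # Characteristics


def align_up(value: int, alignment: int) -> int:
    return value if alignment == 0 else (value + alignment - 1) // alignment * alignment


def parse_pe(image: bytes) -> tuple[int, int, list[Section]]:
    """Return (AddressOfEntryPoint, SectionAlignment, section table)."""
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    (nsections,) = struct.unpack_from("<H", image, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", image, e_lfanew + 20)
    opt = e_lfanew + 24  # optional header follows the 20-byte COFF header
    (entry,) = struct.unpack_from("<I", image, opt + 16)
    (section_alignment,) = struct.unpack_from("<I", image, opt + 32)
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, _, _, _, _, _, flags = struct.unpack_from(
            SECTION_HEADER, image, opt + opt_size + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), vsize, va, rawsize, flags))
    return entry, section_alignment, sections


def inspect_pe(image: bytes) -> list[str]:
    """Flag layouts consistent with code appended to the last section or an entry
    point moved into slack space.  An infection that leaves the entry point alone
    shows up here only through the section-flag check."""
    entry, align, sections = parse_pe(image)
    if not sections:
        return ["no section table"]
    last, findings = sections[-1], []
    container = next((s for s in sections
                      if s.va <= entry < s.va + align_up(max(s.vsize, s.rawsize), align)), None)
    if container is None:
        findings.append(f"entry point 0x{entry:x} lies outside every section")
    else:
        if not container.flags & IMAGE_SCN_CNT_CODE:
            findings.append(f"entry point in {container.name}, which is not marked as code")
        if container is last and len(sections) > 1:
            findings.append(f"entry point in the last section ({last.name})")
        if entry >= container.va + container.vsize:
            findings.append(f"entry point in slack space past the VirtualSize of {container.name}")
    if last.flags & IMAGE_SCN_MEM_EXECUTE and last.flags & IMAGE_SCN_MEM_WRITE:
        findings.append(f"last section {last.name} is both writable and executable")
    return findings


def build_pe(entry_point: int, sections: list[Section]) -> bytes:
    """Construct a header-only PE32 image (test data, not a runnable binary)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 16, entry_point)     # AddressOfEntryPoint
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)  # SectionAlignment, FileAlignment
    table = b"".join(struct.pack(SECTION_HEADER, s.name.encode().ljust(8, b"\0"),
                                 s.vsize, s.va, s.rawsize, 0x400, 0, 0, 0, 0, s.flags)
                     for s in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def sample_image(entry: int, data_vsize: int = 0x200, data_flags: int = DATA_FLAGS) -> bytes:
    """Two-section image: .text at RVA 0x1000 (VirtualSize 0x800), .data at RVA 0x2000."""
    return build_pe(entry, [Section(".text", 0x800, 0x1000, 0x800, TEXT_FLAGS),
                            Section(".data", data_vsize, 0x2000, data_vsize, data_flags)])


CLEAN = sample_image(0x1100)
# Last section grown, made executable, and the entry point redirected into it.
APPENDED_CODE = sample_image(0x2200, 0x1600, DATA_FLAGS | IMAGE_SCN_MEM_EXECUTE)
# Entry point moved into the padding between .text's VirtualSize and its aligned end.
SLACK_ENTRY = sample_image(0x1900)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("appended", APPENDED_CODE), ("slack", SLACK_ENTRY)):
        print(label, inspect_pe(image) or ["no findings"])
```

Packers and some linkers legitimately produce a writable, executable last section, so each finding is a reason to look closer, not a verdict; the value of the pass is that it is variant-independent, which signature scanning of a polymorphic infector is not.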

#7 bigjeepzz

  • Topic Starter

  • Members
  • 24 posts

Posted 01 July 2009 - 06:07 PM

mOle,

I read this last night on the web and I thought you were going to say exactly what you did. I know this is not your area of expertise but can you point me in a direction where I can get some help in reformatting and reinstalling the operating system?

After I reformat, will the computer be fixed?

Is the computer completely unrepairable?

Also, if I can get the computer fixed, can you recommend a good free antivirus program? I would appreciate any additional info you could provide.

Jake

#8 m0le


    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 01 July 2009 - 06:36 PM

If you did reinstall and reformat then you would clear the infection completely.

Here is a good walkthrough

There are some security firms who say this can be cleaned. Though I and Bleeping Computer don't recommend it, I will post the information for you.

--------------------------------------------------

If you insist on trying to fix this infection instead of following our advice to reformat and reinstall your operating system, there are various rescue disks available from major anti-virus vendors which you can try. Keep in mind, even the vendors like Kaspersky say there is no guarantee that some files will not get corrupted during the disinfection process. In the end most folks end up reformatting out of frustration after spending hours attempting to repair and remove infected files. IMO the safest and easiest thing to do is just reformat and reinstall Windows.

Bleeping Computer DOES NOT assume any responsibility for your attempt to repair this infection using any of the following tools. You do this at your own risk and against our advice.

These are links to anti-virus vendors that offer free LiveCD or Rescue CD files that are used to boot from to repair unbootable and damaged systems, rescue data, and scan the system for virus infections. Burn it as an image to a disk to get a bootable CD. All (except Avira) are in the ISO Image file format. Avira uses an EXE that has built-in CD burning capability. If you are not sure how to burn an image, please read How to write a CD/DVD image or ISO. If you need a FREE utility to burn the ISO image, download and use ImgBurn.

----------------------------------------------------------------------------------------------------------------

I would recommend a good free antivirus with auto-updating such as Avast. Please read the part below for some great links.

Here's some advice on how you can keep your PC clean

Use an AntiVirus Software

It is very important that your computer has anti-virus software running on it. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online and stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources


Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Use a Firewall

I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15 day trial period.

Other recommended, and free, AntiSpyware programs are Spybot - Search and Destroy and Ad-Aware Personal.

Installing these programs will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would with antivirus software.

Tutorials on using these programs can be found below:

Using Spybot - Search & Destroy to remove Spyware, Malware, and Hijackers

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

Hope this is useful for you.


m0le
m0le is a proud member of UNITE

#9 bigjeepzz
  • Topic Starter

  • Members
  • 24 posts

Posted 01 July 2009 - 06:55 PM

m0le,

I am in the process of completing the reformat right now. I really want you to know how much I appreciate your help. Can you send me a private message with a way I can send you a donation?

Thanks again, you are AWESOME!!!!!

Jake

#10 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 01 July 2009 - 07:01 PM

Sorry we couldn't clean the PC. :)

Thanks for the offer of a donation, bigjeepzz, but I (and Bleeping Computer) don't take donations. I appreciate your thanks though. :thumbup2:

If you need any further help then feel free to PM me.

Cheers,

m0le
m0le is a proud member of UNITE

#11 bigjeepzz
  • Topic Starter

  • Members
  • 24 posts

Posted 01 July 2009 - 08:42 PM

Well, I sure do appreciate everything. I just now realized how much of a pain this is going to be. I just got the computer back up on the internet. Thanks again.

jake

#12 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 06 July 2009 - 02:16 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. :thumbup2:

If you're the topic starter, and need this topic reopened, please contact me via PM with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE
