
Automatic Updates keep turning Off


  • This topic is locked
2 replies to this topic

#1 Micky Williamson

Micky Williamson

  • Members
  • 1 posts
  • OFFLINE
  • Local time:07:02 AM

Posted 28 July 2009 - 12:45 PM

DDS (Ver_09-06-26.01) - NTFSx86
Run by HP_Administrator at 11:40:57.84 on Tue 07/28/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2200 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\USBToolbox\Res.EXE
C:\WINDOWS\system32\hphmon06.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\AirPort\APAgent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Garmin\gStart.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\My Book\WD Backup\uBBMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\AGRSMMSG.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: CPV: {15421b84-3488-49a7-ad18-cbf84a3efaf6} - c:\program files\wwshow\WWShow.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Jcore class: {d88e1558-7c2d-407a-953a-c044f5607cea} - c:\program files\jcore\Jcore2.dll
BHO: {f784c5c1-fd54-4fa8-9318-03500b652f47} - c:\windows\system32\vowuzehu.dll
TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [gStart] c:\garmin\gStart.exe
uRun: [GetPrimo] c:\program files\getprimo\GetPrimo.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [USB Storage Toolbox] c:\program files\usbtoolbox\Res.EXE
mRun: [HPHmon06] c:\windows\system32\hphmon06.exe
mRun: [WD Button Manager] WDBtnMgr.exe
mRun: [<NO NAME>]
mRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\mobile2\application launcher\Application Launcher.exe" /startoptions
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\progra~1\common~1\instal~1\update~1\issch.exe" -start
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [AirPort Base Station Agent] "c:\program files\airport\APAgent.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [736b4716] rundll32.exe "c:\windows\system32\divozate.dll",b
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [CPM7058748a] Rundll32.exe "c:\windows\system32\fozadidi.dll",a
mRun: [mafotewuvu] Rundll32.exe "c:\windows\system32\lipegamu.dll",s
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\309731\program\Updates from HP.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wdback~1.lnk - c:\program files\my book\wd backup\uBBMonitor.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0\bin\npjpi150.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {2042B57E-6336-459E-B7CE-2A0F6C9E6AF8} - file://f:\win\setup\iaieplay.dll
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1242162102390
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {8B67B37E-1AE2-4B99-B8CF-55AF4D58DF0D} - file://f:\win\setup\iamce.dll
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: c:\windows\system32\fozadidi.dll,c:\windows\system32\soluwale.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fozadidi.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\fozadidi.dll
LSA: Notification Packages = scecli c:\windows\system32\fazarago.dll c:\windows\system32\soluwale.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-27 335752]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-7-27 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-7-27 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-27 298776]
R3 hcw18bda;Hauppauge WinTV 418 Driver;c:\windows\system32\drivers\hcw18bda.sys [2008-11-25 384896]
S3 78e89f3c-81a5-401b-8195-bfd645d3df93;78e89f3c-81a5-401b-8195-bfd645d3df93;\??\f:\player\cds300.dll --> f:\player\cds300.dll [?]
S3 HauppaugeTVServer;HauppaugeTVServer;c:\progra~1\wintv\HCWTVS~1.EXE [2008-11-25 815104]

=============== Created Last 30 ================

2009-07-28 11:26 <DIR> --d----- c:\program files\Trend Micro
2009-07-28 00:26 268,288 -------- c:\windows\system32\dllcache\httpext.dll
2009-07-28 00:25 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-07-28 00:25 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-07-27 19:11 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-07-27 19:07 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-07-27 19:07 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-07-27 19:07 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-27 19:06 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-07-27 19:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-07-27 19:06 <DIR> --d----- c:\program files\AVG
2009-07-27 19:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-07-27 19:03 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\AVG8
2009-07-27 18:51 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\GetPrimo
2009-07-27 18:51 <DIR> --d----- c:\program files\iPrimo
2009-07-27 18:51 <DIR> --d----- c:\program files\GetPrimo
2009-07-26 16:17 2,713 ---sh--- c:\windows\system32\dolivowa.exe
2009-07-18 22:33 <DIR> --d----- c:\windows\system32\NtmsData
2009-07-17 14:37 2,713 ---sh--- c:\windows\system32\pifeyuru.exe
2009-07-10 16:39 <DIR> --d----- c:\program files\Windows Installer Clean Up
2009-07-10 16:39 <DIR> --d----- c:\program files\MSECACHE
2009-07-10 15:17 1,406,527 ---sh--- c:\windows\system32\etazovid.ini

==================== Find3M ====================

2009-07-28 01:13 3,308 a------- c:\windows\bthservsdp.dat
2009-07-27 19:19 190,976 a--sh--- c:\windows\system32\zahuzihi.dll
2009-07-27 19:19 190,976 a--sh--- c:\windows\system32\hurasivi.dll
2009-07-10 15:17 49,152 a--sh--- c:\windows\system32\yogoginu.dll
2009-06-16 08:36 119,808 -------- c:\windows\system32\t2embed.dll
2009-06-16 08:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 08:36 81,920 -------- c:\windows\system32\fontsub.dll
2009-06-16 08:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-11 14:40 2,713 ---sh--- c:\windows\system32\pigagoza.exe
2009-06-10 20:38 2,713 ---sh--- c:\windows\system32\rozaniga.exe
2009-06-10 02:36 48,640 a--sh--- c:\windows\system32\dutofibo.dll
2009-06-03 13:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 13:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2009-05-29 14:28 2,713 ---sh--- c:\windows\system32\wahopetu.exe
2009-05-27 20:21 2,713 ---sh--- c:\windows\system32\hokeziko.exe
2009-05-26 08:17 2,713 ---sh--- c:\windows\system32\dezudesu.exe
2009-05-20 18:10 2,713 ---sh--- c:\windows\system32\repeseza.exe
2009-05-16 19:16 2,713 ---sh--- c:\windows\system32\hipolugi.exe
2009-05-16 01:14 2,713 ---sh--- c:\windows\system32\zefizapu.exe
2009-05-12 23:15 5,936,128 a------- c:\windows\system32\dllcache\mshtml.dll
2009-05-12 23:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-12 23:15 915,456 a------- c:\windows\system32\dllcache\wininet.dll
2009-05-12 19:03 165,376 a------- c:\windows\system32\prnet.tmp
2009-05-12 13:21 93,511 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-05-12 13:19 45,056 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\uninstallui\eHelpSetup.exe
2009-05-12 13:19 44,032 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\scripts\devcon.exe
2009-05-07 09:32 345,600 -------- c:\windows\system32\localspl.dll
2009-05-07 09:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-30 15:22 1,985,024 a------- c:\windows\system32\dllcache\iertutil.dll
2009-04-30 15:22 11,064,832 a------- c:\windows\system32\dllcache\ieframe.dll
2009-04-30 15:22 1,207,808 a------- c:\windows\system32\dllcache\urlmon.dll
2009-04-30 15:22 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-04-30 15:22 385,536 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-04-30 05:21 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2008-03-01 17:16 3,258,368 a--sh--- c:\program files\ehthumbs.db
2007-11-06 09:51 96 a------- c:\docume~1\hp_adm~1\applic~1\wklnhst.dat
2006-12-27 12:30 6,148 ----h--- c:\program files\.DS_Store
2005-11-19 12:20 22 a--sh--- c:\windows\sminst\HPCD.sys
2009-04-27 19:19 190,976 a--sh--- c:\windows\system32\lipegamu.dll
2009-04-27 19:19 190,976 a--sh--- c:\windows\system32\soluwale.dll
2009-04-27 19:19 190,976 a--sh--- c:\windows\system32\vowuzehu.dll

============= FINISH: 11:41:31.40 ===============


#2 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:06:02 AM

Posted 01 August 2009 - 09:46 AM

Hello Micky and welcome to BleepingComputer forums.

This system has a Vundo infection. I'll guide you to remove it.

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!
If you are a casual viewer, do NOT try this on your system!
If you are not Micky Williamson and have a similar problem, do NOT post here; start your own topic.


Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
=
Close any of your open programs while you run these tools.

Set Windows to show all files and all folders.
On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.
Next, un-check Hide extensions for known file types.
Next un-check Hide protected operating system files.

After that, also do this:
1. Go >> Here << and download ERUNT
(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
2. Install ERUNT by following the prompts
(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
3. Start ERUNT
(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
4. Choose a location for the backup
(the default location is C:\WINDOWS\ERDNT which is acceptable).
5. Make sure that at least the first two check boxes are ticked
6. Press OK
7. Press YES to create the folder.

=

If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop. Do NOT run it !!

Link 1
Link 2
Link 3


* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop
If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.


1. Close any open browsers.

2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

3. Open notepad and copy/paste the text in the quotebox below into it:

KILLALL::

DDS::
mRun: [736b4716] rundll32.exe "c:\windows\system32\divozate.dll",b
mRun: [CPM7058748a] Rundll32.exe "c:\windows\system32\fozadidi.dll",a
mRun: [mafotewuvu] Rundll32.exe "c:\windows\system32\lipegamu.dll",s

Driver::
736b4716
CPM7058748a
mafotewuvu

File::
c:\windows\system32\soluwale.dll
C:\recycler
D:\recycler
e:\recycler
f:\recycler
g:\recycler
h:\recycler
i:\recycler
C:\resycled
d:\resycled
e:\resycled
f:\resycled
g:\resycled
h:\resycled
i:\resycled


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

=

Please download & save Malwarebytes Anti-Malware from
http://www.download.com/Malwarebytes-Anti-..._4-10804572.htm or
http://www.besttechie.net/tools/mbam-setup.exe or
http://malwarebytes.gt500.org/mbam.jsp

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


=

Next, see this topic in the AumHa Security forum and get the latest Java run-time
http://aumha.net/viewtopic.php?f=26&t=41464

=

Next, Scan the system with the Kaspersky Online Scanner
http://www.kaspersky.com/virusscanner

Attention: Kaspersky Online Scanner 7.0 may not run successfully while another antivirus program is running. If you have Anti-Virus software installed, please temporarily disable your AV protection before running the Kaspersky Online Scanner. Re-enable it after the scan is finished.

During this run, make sure your browser does not block popup windows. Have patience while some screens populate.

1) Click the Kaspersky Online Scanner button. You'll see a popup window.
2) Accept the agreement
3) Accept the installation of the required ActiveX object ( XP SP2-SP3 will show this in the Information Bar )
4) For XP SP2-SP3, click the Install button when prompted
5) The necessary files will be downloaded and installed. Please have plenty of patience.
6) After Kaspersky AntiVirus Database is updated, look at the Scan box.
7) Click the My Computer line
8) Be infinitely patient; the scan is comprehensive and, unlike other online antivirus scanners, will detect all malware

9) When the scan is completed there will be an option to Save report as a .txt file. Click that button. Copy and paste the report into your reply.

( To see an animated tutorial-how-to on the scan, see >>this link<<)

Re-enable your antivirus program after Kaspersky has finished.
Kaspersky Online Scanner can be uninstalled later on from Add or Remove Programs in the Control Panel, if desired.

Do not be alarmed if Kaspersky tags items that are already in quarantine by MBAM, or ComboFix's Qoobox & quarantine.
Kaspersky is a report only and does not remove files.

Reply back with copy of
  • C:\Combofix.txt
  • the MBAM scan log report,
  • the Kaspersky report
  • and tell me, how is your system now?
Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You'll likely have to do more than 1 reply.

Edited by Maurice Naggar, 01 August 2009 - 09:52 AM.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
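
A triage pass over the load points that the DDS log above exposes and that the CFScript targets (the rundll32 Run entries, AppInit_DLLs, the unnamed BHO, SSODL/STS, the LSA Notification Packages line and the system+hidden files in system32), written here as an added example that is not part of this thread, of DDS or of ComboFix. The 8-letter random-name heuristic and the sample log lines are constructed assumptions, not output of any tool on this page.

```python
"""Triage load points in a DDS-style log for a Vundo-like infection.

Added example, not a tool from this thread. Heuristics (assumptions):
a DLL/EXE under system32 is reported, with every load point it appears
in, when it is loaded through rundll32 from a Run key, listed in
AppInit_DLLs, registered as an unnamed BHO, an SSODL/STS object or an
LSA Notification Package, or listed as a system+hidden file. An
8-letter lowercase basename (as seen on this infection) adds a reason.
"""
import re
from collections import defaultdict

# Constructed excerpt in the layout of the DDS log quoted in the thread.
SAMPLE_LOG = r"""
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [736b4716] rundll32.exe "c:\windows\system32\divozate.dll",b
mRun: [CPM7058748a] Rundll32.exe "c:\windows\system32\fozadidi.dll",a
BHO: {f784c5c1-fd54-4fa8-9318-03500b652f47} - c:\windows\system32\vowuzehu.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
AppInit_DLLs: c:\windows\system32\fozadidi.dll,c:\windows\system32\soluwale.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fozadidi.dll
LSA: Notification Packages = scecli c:\windows\system32\fazarago.dll c:\windows\system32\soluwale.dll
2009-07-26 16:17 2,713 ---sh--- c:\windows\system32\dolivowa.exe
2009-06-16 08:36 119,808 -------- c:\windows\system32\t2embed.dll
"""
SAMPLE_LINES = [l for l in SAMPLE_LOG.splitlines() if l.strip()]

PATH_RE = re.compile(r"c:\\windows\\system32\\([a-z0-9_]+)\.(?:dll|exe)", re.I)
RANDOM8 = re.compile(r"^[a-z]{8}$")
# "date time size attributes path" lines from the Created/Find3M sections
LISTING_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} [\d,]+ (\S{8}) (.+)$")


def load_point_reason(line):
    """Return why the paths on this DDS line are worth a look, or None."""
    low = line.lower()
    if low.startswith(("mrun:", "urun:")) and 'rundll32.exe "' in low:
        return "Run key loads a DLL through rundll32"
    if low.startswith("appinit_dlls:"):
        return "AppInit_DLLs (injected into every process that loads user32)"
    if low.startswith("lsa: notification packages"):
        return "LSA Notification Package (loaded by lsass.exe at boot)"
    if re.match(r"bho: \{", low):
        return "unnamed Browser Helper Object"
    if low.startswith(("ssodl:", "sts:")):
        return "shell service object / SharedTaskScheduler"
    m = LISTING_RE.match(line)
    if m and "s" in m.group(1) and "h" in m.group(1):
        return "system+hidden file"
    return None


def triage(lines):
    """Map each suspicious system32 file name to its list of reasons."""
    findings = defaultdict(list)
    for line in lines:
        reason = load_point_reason(line)
        if reason is None:
            continue
        for m in PATH_RE.finditer(line):
            name = m.group(0).rsplit("\\", 1)[1].lower()
            if reason not in findings[name]:
                findings[name].append(reason)
    for name in findings:
        if RANDOM8.match(name.split(".")[0]):
            findings[name].append("8-letter pseudo-random basename")
    return dict(findings)


if __name__ == "__main__":
    for name, reasons in sorted(triage(SAMPLE_LINES).items()):
        print(f"{name}: {'; '.join(reasons)}")
```

Files that show up under several load points (fozadidi.dll in a Run key, AppInit_DLLs and SSODL here) are the ones to prioritise, which matches the entries the CFScript above removes.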

#3 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:06:02 AM

Posted 09 August 2009 - 10:19 AM

Due to lack of response, this thread is closed.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)



