
Infected with Rootkit/Trojan/Monder/C4DLMedia

5 replies to this topic

#1 necrodeity (Members, 14 posts)

Posted 30 July 2009 - 11:23 AM

I was told by boopme to post here since I have tried everything he/she has told me to do to remove the infection but none has completely worked. Topic referenced is here: http://www.bleepingcomputer.com/forums/t/243901/help-been-trying-to-remove-infections-trojan-random-sounds-google-redirects-for-days-and-nothing-has-worked/ ~ OB So this was the problem/symptoms last week 7/20:

I got infected on 7/20 and I have been trying since then to remove all infections. I have performed various scans (AVG, Trend Micro OfficeScan and housecall, Kaspersky) and they all detected infections. I think I have removed some of them but Kaspersky still detects 15 infected objects and I don't know how to remove them. My computer won't allow me to install any antispyware/malware programs (e.g. superantispyware, malwarebytes, spybot search and destroy, spywaredoctor, smitfraudfix, hijackthis). When I click on the icon to start installing the program, a window pops up and asks me if I want to run it, so I hit run and then nothing happens. The set-up or installation window doesn't appear after hitting "Run." Also, when I try to access the sites that offer free download of some antispyware/adware/malware programs it says connection interrupted (I'm using Mozilla. When I launch Internet Explorer, a tab for some ad appears along with a tab of the home page). I tried going on safe mode to install SuperAntiSpyware but it still doesn't work. Other symptoms of infection include: pop-ups of ads (around 10 when I leave computer on overnight), random sounds (ads, sound effects, etc. which appear as iexplorer.exe in task manager), google redirecting me to other ad sites when I click on google results, and my computer has become noticeably slower. I don't know what to do. This has become so stressful for me. I need help badly. =[ PLEASE HELP ME REMOVE ALL THE INFECTIONS!

Since then the symptoms don't seem to bug me anymore but I know my computer is still infected as shown by the Kaspersky scan I ran today:

KASPERSKY ONLINE SCANNER 7.0 REPORT
Thursday, July 30, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Thursday, July 30, 2009 08:14:42
Records in database: 2563187


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area Critical Areas
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\Elline\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS

Scan statistics
Files scanned 58784
Threat name 4
Infected objects 18
Suspicious objects 0
Duration of the scan 01:12:51

File name Threat name Threats count
C:\Program Files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll Infected: Trojan.Win32.C4DLMedia.a 1

C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\bewudogi.dll Infected: Packed.Win32.Mondera.c 1

C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\foleleza.dll Infected: Trojan.Win32.Monder.cnfb 1

C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\hejigeri.dll Infected: Packed.Win32.Mondera.c 1

C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\higewomu.dll Infected: Packed.Win32.Mondera.c 1

C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\husaleno.dll Infected: Trojan.Win32.Monder.cnfb 1

C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\satakasu.dll Infected: Packed.Win32.Mondera.c 1

C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\vurofope.dll Infected: Packed.Win32.Mondera.b 1

C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\yemumeki.dll Infected: Packed.Win32.Mondera.c 1

C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\yutepuwa.dll Infected: Packed.Win32.Mondera.b 1

C:\WINDOWS\Downloaded Program Files\ijjiNotify2.exe Infected: Trojan.Win32.C4DLMedia.a 1

C:\WINDOWS\Downloaded Program Files\ijjiPreNotify2.exe Infected: Trojan.Win32.C4DLMedia.a 1

C:\WINDOWS\Downloaded Program Files\ijjiPreStarter2.exe Infected: Trojan.Win32.C4DLMedia.a 1

C:\WINDOWS\Downloaded Program Files\ijjiSetup1010.dll Infected: Trojan.Win32.C4DLMedia.a 1

C:\WINDOWS\Downloaded Program Files\ijjistarter2.exe Infected: Trojan.Win32.C4DLMedia.a 1

C:\WINDOWS\system32\ijjiChannelingPlugin.dll Infected: Trojan.Win32.C4DLMedia.a 1

C:\WINDOWS\system32\ijjiPlugin2.dll Infected: Trojan.Win32.C4DLMedia.a 1

C:\WINDOWS\system32\ijjiSetup.exe Infected: Trojan.Win32.C4DLMedia.a 1

The selected area was scanned.

Here is the DDS log boopme told me to post:


DDS (Ver_09-06-26.01) - NTFSx86
Run by Elline at 2:39:28.82 on Thu 07/30/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1304 [GMT -4:00]

AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {E2FFB03B-9268-47A6-9B13-3A163670767E}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\TEMP\IE94B1.EXE
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\SUPERAntiSpyware\c1e3dee4-2278-4b2c-89b3-34049495ef34.exe
C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmproxy.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\Downloaded Program Files\purplebean.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Elline\Desktop\dds.scr

============== Pseudo HJT Report ===============

mSearchAssistant = hxxp://www.google.com/ie
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: CitiUSBrowserHelper Class: {387edf53-1cf2-4523-bc2f-13462651be8c} - c:\windows\system32\BhoCitUS.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: CSolidBrowserObj Object: {bd08a9d5-0e5c-4f42-99a3-c0cb5e860557} - c:\windows\system32\solidstatenetworks\solidstateion\solidax.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\c1e3dee4-2278-4b2c-89b3-34049495ef34.exe
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [KeyAccess] c:\windows\keyacc32.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [V0400Cfg.exe] V0400Cfg.exe /d:3
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\elline\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\elline\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~2.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {106E49CF-797A-11D2-81A2-00E02C015623} - hxxp://www.alternatiff.com/install-ie/alttiff.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} - hxxp://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkMSN.cab
DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} - hxxp://www.playwhat.com/solidPlugin/solidstateion.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0014-0002-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15107/CTPID.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
AppInit_DLLs: KATRACK.DLL c:\windows\system32\tifakapu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\tmxpflt.sys [2007-12-2 225296]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2007-12-2 36368]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2007-12-2 88192]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2008-9-2 100352]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2007-12-2 338960]
R3 TmPfw;OfficeScan NT Firewall;c:\program files\trend micro\officescan client\TmPfw.exe [2007-12-2 488768]
R3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2007-12-2 652552]
S3 MSHUSBVideo;NX6000/NX3000/VX5000/VX5500/VX7000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [2009-4-28 33808]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

=============== Created Last 30 ================

2009-07-24 00:10 463,403 a------- c:\documents and settings\elline\Desktop.zip
2009-07-23 22:55 --d----- c:\documents and settings\elline\Pavark
2009-07-23 22:40 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-07-23 22:40 --d----- c:\program files\SUPERAntiSpyware
2009-07-23 22:40 --d----- c:\docume~1\elline\applic~1\SUPERAntiSpyware.com
2009-07-23 16:53 --d----- c:\docume~1\elline\applic~1\Malwarebytes
2009-07-23 16:13 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-23 16:13 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-22 19:28 --d----- c:\documents and settings\elline\.housecall6.6
2009-07-22 03:15 --d----- c:\program files\AVG
2009-07-22 03:15 --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-07-22 03:02 --d----- c:\docume~1\elline\applic~1\AVG8
2009-07-21 00:53 --d----- c:\docume~1\alluse~1\applic~1\12093284
2009-07-04 23:48 --dsh--- c:\documents and settings\elline\IECompatCache
2009-07-04 23:48 --dsh--- c:\documents and settings\elline\PrivacIE
2009-07-04 23:46 --dsh--- c:\documents and settings\elline\IETldCache
2009-07-01 15:55 --d----- c:\docume~1\elline\applic~1\LimeWire

==================== Find3M ====================

2008-12-24 12:25 6,339 a--sh--- c:\windows\system32\buduwito.dll
2008-12-20 20:43 6,257 a--sh--- c:\windows\system32\diwihimo.dll
2008-12-24 13:10 6,231 a--sh--- c:\windows\system32\fabadeji.dll
2008-12-23 22:33 6,236 a--sh--- c:\windows\system32\fisewihu.dll
2008-12-21 23:28 6,212 a--sh--- c:\windows\system32\fozamulo.dll
2008-12-24 09:14 6,174 a--sh--- c:\windows\system32\gerakuku.dll
2008-12-24 09:14 6,260 a--sh--- c:\windows\system32\gukujoju.dll
2008-12-24 12:47 6,355 a--sh--- c:\windows\system32\hufubebe.dll
2008-12-24 09:14 6,167 a--sh--- c:\windows\system32\jerahasu.dll
2008-12-24 12:47 6,277 a--sh--- c:\windows\system32\logiyiwe.dll
2008-12-23 22:33 6,299 a--sh--- c:\windows\system32\mepolude.dll
2008-12-20 20:43 6,243 a--sh--- c:\windows\system32\meyopoli.dll
2008-12-24 10:53 6,272 a--sh--- c:\windows\system32\natosupi.dll
2008-12-24 13:10 6,165 a--sh--- c:\windows\system32\nejujate.dll
2008-12-23 09:51 6,291 a--sh--- c:\windows\system32\nimidiki.dll
2008-12-23 22:11 6,387 a--sh--- c:\windows\system32\nufejuva.dll
2008-12-23 09:51 6,253 a--sh--- c:\windows\system32\ridevalu.dll
2008-12-24 10:53 6,192 a--sh--- c:\windows\system32\sarilova.dll
2008-12-24 12:25 6,288 a--sh--- c:\windows\system32\siditesu.dll
2008-12-23 09:51 6,220 a--sh--- c:\windows\system32\sihajono.dll
2008-12-22 11:29 6,254 a--sh--- c:\windows\system32\sofifowo.dll
2008-12-24 10:53 6,250 a--sh--- c:\windows\system32\tipepuja.dll
2008-12-24 12:47 6,155 a--sh--- c:\windows\system32\vibosepe.dll
2008-12-23 22:11 6,265 a--sh--- c:\windows\system32\wekimedo.dll
2008-12-24 12:25 6,227 a--sh--- c:\windows\system32\wulitamu.dll
2008-12-21 23:28 6,150 a--sh--- c:\windows\system32\yazadule.dll
2008-12-22 11:29 6,254 a--sh--- c:\windows\system32\yebusofu.dll
2008-12-23 22:33 6,316 a--sh--- c:\windows\system32\yesubowe.dll
2008-12-24 13:10 6,356 a--sh--- c:\windows\system32\yopuhehi.dll
2008-12-23 22:11 6,280 a--sh--- c:\windows\system32\zakulapa.dll
2008-12-21 23:28 6,183 a--sh--- c:\windows\system32\zenanori.dll
2008-12-31 09:18 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008123120090101\index.dat

============= FINISH: 2:40:50.78 ===============

Edited by Orange Blossom, 30 July 2009 - 04:47 PM.
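The DDS log above carries two indicator types worth triaging mechanically rather than by eye: the AppInit_DLLs value (a DLL listed there is loaded into every process that links user32.dll) and the Find3M rows of small, hidden+system DLLs in system32 whose eight-letter names strictly alternate consonant and vowel (buduwito, diwihimo, tifakapu, and so on). The Python script below is an added example, not code from the thread or from any BleepingComputer tool: it parses DDS-style lines and flags a file only when at least two indicators agree, so that legitimately hidden+system files such as index.dat are not reported. The sample log is constructed for the example; its random-named DLL rows and the AppInit_DLLs line are copied from the log above, while the kernel32.dll and helper.dll rows are made-up benign entries added as negative cases. The consonant-vowel name pattern is an observation from this log, not a general rule.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample in the DDS "Pseudo HJT" / "Find3M" line format (see lead-in).
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
AppInit_DLLs: KATRACK.DLL c:\windows\system32\tifakapu.dll
==================== Find3M ====================
2008-12-24 12:25 6,339 a--sh--- c:\windows\system32\buduwito.dll
2008-12-20 20:43 6,257 a--sh--- c:\windows\system32\diwihimo.dll
2009-01-10 08:00 989,696 a------- c:\windows\system32\kernel32.dll
2009-03-02 11:11 12,345 a------- c:\program files\example\helper.dll
2008-12-31 09:18 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008123120090101\index.dat
"""

# A Find3M row: date, time, size with thousands separators, 8-char attribute field, path.
FIND3M_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d,]+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)
# Eight letters strictly alternating consonant/vowel, ending in .dll: the naming
# pattern shared by every dropped DLL in the log above (observation, not a rule).
RANDOM_DLL_NAME = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}\.dll$")


@dataclass
class Finding:
    path: str
    reasons: List[str] = field(default_factory=list)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_random_dll_name(path: str) -> bool:
    return RANDOM_DLL_NAME.match(basename(path)) is not None


def analyze_dds(text: str) -> List[Finding]:
    """Return the files in a DDS log that match at least two suspicion indicators."""
    findings: Dict[str, Finding] = {}

    def note(path: str, reason: str) -> None:
        findings.setdefault(path.lower(), Finding(path)).reasons.append(reason)

    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("AppInit_DLLs:"):
            # DDS prints the registry value as-is; entries are space- or
            # comma-separated, so a path containing spaces would need quoting.
            for entry in re.split(r"[\s,]+", line.split(":", 1)[1].strip()):
                if entry and is_random_dll_name(entry):
                    note(entry, "random-looking DLL loaded into user32 processes via AppInit_DLLs")
            continue
        m = FIND3M_LINE.match(line)
        if not m:
            continue
        path, attrs = m.group("path"), m.group("attrs")
        size = int(m.group("size").replace(",", ""))
        reasons = []
        if "s" in attrs and "h" in attrs:
            reasons.append("hidden+system attributes")
        if is_random_dll_name(path):
            reasons.append("pseudo-random consonant-vowel file name")
        if "\\system32\\" in path.lower() and path.lower().endswith(".dll") and size < 16384:
            reasons.append(f"tiny DLL ({size} bytes) in system32")
        # One indicator alone is noisy (index.dat is hidden+system by design),
        # so require two before flagging a Find3M row.
        if len(reasons) >= 2:
            for reason in reasons:
                note(path, reason)
    return sorted(findings.values(), key=lambda f: f.path.lower())


def report(text: str) -> List[str]:
    return [f"{f.path}: " + "; ".join(f.reasons) for f in analyze_dds(text)]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

On the sample, the script flags buduwito.dll and diwihimo.dll (three indicators each) and tifakapu.dll (AppInit_DLLs entry), and leaves KATRACK.DLL, kernel32.dll, helper.dll and index.dat alone. The Kaspersky report in this post is a less useful input for this kind of triage: the hits under `\OfficeScan Client\SUSPECT\` are files Trend Micro has already quarantined, not active infections, whereas the DDS AppInit_DLLs and Find3M lines describe what is still on the system.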



#2 Buckeye_Sam (Malware Expert; Members, 17,382 posts; Pickerington, Ohio)

Posted 31 July 2009 - 04:39 PM

Hello! :thumbup2:
My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.



Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 necrodeity (Topic Starter; Members, 14 posts)

Posted 03 August 2009 - 12:34 AM

Hi Sam. Sorry I haven't been on. I will do what you have suggested to me tomorrow morning. Sorry for making you wait, and I really appreciate your time.

#4 Buckeye_Sam (Malware Expert; Members, 17,382 posts; Pickerington, Ohio)

Posted 03 August 2009 - 10:09 AM

No worries. I'm happy to work at your pace. :thumbup2:

#5 necrodeity (Topic Starter; Members, 14 posts)

Posted 05 August 2009 - 12:39 AM

I downloaded ComboFix.exe but I can't run it. When I double click it, it asks me if I want to Run it so I click Run but nothing happens...

#6 Buckeye_Sam (Malware Expert; Members, 17,382 posts; Pickerington, Ohio)

Posted 05 August 2009 - 03:27 PM

It happens sometimes if there's a rootkit involved. Let's see if we can work around it.

First delete combofix.exe from your desktop.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3


Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.
