Worst infection I have seen. Not sure what it is.

#1 X-Files


  • Members
  • 4 posts
  • Local time:04:43 AM

Posted 31 July 2009 - 10:32 AM

I do not know if anyone can help with this one and I am not sure where to start.

1. Cannot boot to Safe mode.
2. Cannot run most spyware programs (HijackThis, Malwarebytes, Windows Defender, McAfee Rootkit Detective, etc.). The only one that has run is SUPERAntiSpyware.
3. It is not Rustock.
4. ComboFix sort of runs but does nothing.
5. Installed recovery console and it will not start.

These files are gone and do not run.
uWindows: load=c:\windows\system32\msoxaiy.exe
uWindows: run=c:\windows\system32\mssjux.exe

Is my only option to reinstall?

DDS (Ver_09-07-30.01) - NTFSx86
Run by Administrator at 11:27:20.42 on Fri 07/31/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.418 [GMT -4:00]

AV: *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3061029
mStart Page = hxxp://www.dell.com
mSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: TaskMan=c:\recycler\s-1-5-21-3875590850-9765660224-743314077-8931\hdav.exe
uWindows: load=c:\windows\system32\msoxaiy.exe
uWindows: run=c:\windows\system32\mssjux.exe
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [reader_s] c:\documents and settings\administrator\reader_s.exe
uRun: [mswindows restore service] c:\docume~1\admini~1\locals~1\temp\onwo5.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [Network Associates Error Reporting Service] "c:\program files\common files\network associates\talkback\TBMon.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Corel Photo Downloader] c:\program files\corel\corel snapfire plus\Corel Photo Downloader.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 9.0\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\npjpi160_07.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {3CBA13C3-58C7-47F1-9758-D4B255A50D52} - file://d:\data\index\ses_ocx\sessearch.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli mlvcfp.dll

============= SERVICES / DRIVERS ===============

R1 sasdifsv;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-7-28 9968]
R1 saskutil;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-7-28 72944]
R2 McShield;Network Associates McShield;c:\program files\network associates\virusscan\Mcshield.exe [2006-2-14 221191]
R2 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\VsTskMgr.exe [2006-6-8 29184]
R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2006-11-1 116864]
S1 8c969f02;8c969f02;c:\windows\system32\drivers\8c969f02.sys --> c:\windows\system32\drivers\8c969f02.sys [?]
S1 caa0d1f0;caa0d1f0;c:\windows\system32\drivers\caa0d1f0.sys [2009-7-30 0]
S1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2006-11-1 58464]
S3 59eC;59eC;c:\windows\system32\59eC.sys [2009-7-31 54624]
S3 754e1;754E1;c:\windows\system32\754E1.sys [2009-7-31 54624]
S3 a6220;a6220;c:\windows\system32\a6220.sys [2009-7-31 54624]
S3 e8bE;e8bE;c:\windows\system32\e8bE.sys [2009-7-31 54624]
S3 sasenum;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-7-28 7408]
S3 Vmover.exe;Quest Resource Updating Agent;c:\windows\system32\Vmover.exe [2008-12-5 983040]
S4 antippro2009_12;AntipyPro_12;c:\windows\svchast.exe --> c:\windows\svchast.exe [?]

=============== Created Last 30 ================

2009-07-31 10:26 715,264 a------- c:\windows\system32\a37D.tmp
2009-07-31 10:26 128,352 a------- c:\windows\system32\59eC.dll
2009-07-31 10:26 54,624 a------- c:\windows\system32\59eC.sys
2009-07-31 10:26 2,335,270 a------- c:\windows\system32\60dB.mht
2009-07-31 10:17 388,608 a------- c:\windows\system32\CF8896.exe
2009-07-31 10:17 <DIR> --ds---- C:\CF
2009-07-31 10:16 388,608 a------- c:\windows\system32\CF8752.exe
2009-07-31 10:09 <DIR> --dshr-- C:\cmdcons
2009-07-31 10:09 <DIR> --d----- c:\windows\setup.pss
2009-07-31 10:02 388,608 a------- c:\windows\system32\CF6045.exe
2009-07-31 10:02 <DIR> --ds---- C:\Fix
2009-07-31 10:02 388,608 a------- c:\windows\system32\CF5960.exe
2009-07-31 10:01 388,608 a------- c:\windows\system32\CF5794.exe
2009-07-31 09:49 219,648 a------- c:\windows\PEV.exe
2009-07-31 09:49 161,792 a------- c:\windows\SWREG.exe
2009-07-31 09:49 98,816 a------- c:\windows\sed.exe
2009-07-31 09:49 <DIR> --ds---- C:\ComboFix
2009-07-31 09:49 388,608 a------- c:\windows\system32\CF3344.exe
2009-07-31 09:31 715,264 a------- c:\windows\system32\9ffF.tmp
2009-07-31 09:31 128,352 a------- c:\windows\system32\e8bE.dll
2009-07-31 09:31 54,624 a------- c:\windows\system32\e8bE.sys
2009-07-31 09:31 2,335,270 a------- c:\windows\system32\390D.mht
2009-07-31 09:27 <DIR> --d----- C:\Rustbfix
2009-07-31 09:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-07-31 09:07 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-07-31 09:07 <DIR> --d----- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2009-07-31 09:07 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-07-31 09:00 341,368 a------- c:\windows\system32\TBDE5.tmp
2009-07-31 09:00 128,352 a------- c:\windows\system32\754E1.dll
2009-07-31 09:00 715,264 a------- c:\windows\system32\586E2.tmp
2009-07-31 09:00 54,624 a------- c:\windows\system32\754E1.sys
2009-07-31 08:59 2,335,270 a------- c:\windows\system32\f88BD.mht
2009-07-31 08:58 <DIR> --d----- c:\windows\ms
2009-07-31 08:50 128,352 a------- c:\windows\system32\a6220.dll
2009-07-31 08:50 715,264 a------- c:\windows\system32\6f121.tmp
2009-07-31 08:50 54,624 a------- c:\windows\system32\a6220.sys
2009-07-31 08:50 2,335,270 a------- c:\windows\system32\d011F.mht
2009-07-31 08:27 4,128 a------- C:\INFCACHE.1
2009-07-30 12:09 <DIR> --d----- c:\program files\MB
2009-07-30 12:08 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-30 12:08 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-30 12:08 <DIR> --d----- c:\program files\Malwarebytes
2009-07-30 11:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-07-30 11:48 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-07-30 11:43 <DIR> --d----- c:\program files\Trend Micro
2009-07-30 11:17 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-07-30 10:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-30 10:07 4 a------- c:\windows\system32\bincd32.dat
2009-07-30 09:00 120 a------- c:\windows\Llejutewotevigu.dat
2009-07-30 08:51 1,382 a------- c:\windows\system32\onhelp.htm
2009-07-30 08:39 8,550 a------- c:\windows\system32\wispex.html
2009-07-30 08:39 <DIR> a-d----- c:\windows\system32\images
2009-07-30 08:34 36 a------- c:\windows\system32\sysnet.dat
2009-07-30 08:34 64 a------- c:\windows\ppp4.dat
2009-07-30 08:34 1 a------- c:\windows\ppp3.dat
2009-07-30 08:33 95 a------- c:\windows\system32\sonhelp.htm
2009-07-30 08:29 0 a------- c:\windows\system32\drivers\caa0d1f0.sys
2009-07-30 08:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\15977034
2009-07-30 08:19 24,576 a------- c:\windows\system32\tapi.nfo
2009-07-30 08:13 0 a------- c:\windows\system32\drivers\glaide32.sys
2009-07-30 08:12 26,112 a------- c:\windows\system32\logon.exe

==================== Find3M ====================

2009-06-16 10:55 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:55 119,808 a------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 10:55 82,432 a------- c:\windows\system32\fontsub.dll
2009-06-16 10:55 82,432 a------- c:\windows\system32\dllcache\fontsub.dll
2009-06-03 15:27 1,290,752 a------- c:\windows\system32\quartz.dll
2009-06-03 15:27 1,290,752 a------- c:\windows\system32\dllcache\quartz.dll
2009-05-07 11:44 344,064 a------- c:\windows\system32\localspl.dll
2009-05-07 11:44 344,064 a------- c:\windows\system32\dllcache\localspl.dll

============= FINISH: 11:27:44.07 ===============

Edited by X-Files, 31 July 2009 - 10:39 AM.

#2 X-Files

Posted 31 July 2009 - 11:08 AM

Fixed recovery console.

Hello X-Files,

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work, may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.


The weatherman

Edited by The weatherman, 31 July 2009 - 06:02 PM.

#3 Buckeye_Sam


    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:03:43 AM

Posted 01 August 2009 - 10:31 AM

Hello!
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.

Download Dr.Web CureIt to the desktop:
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
Note: If you have problems with DrWeb shutting down before it completes the scan, you can perform a custom scan and select individual folders to scan. In that case, start with C:\Windows\System32

Please post the contents of the log from DrWeb in your next reply.


We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the "Run Scan" button.
  • The scan should take just a few minutes.
  • Copy the log that opens up and paste it back here in your next reply.

#4 Buckeye_Sam


Posted 09 August 2009 - 04:49 PM

As there has been no response, this thread will now be closed.

If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
