Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

I am infected with Antivirus Pro 2010


  • This topic is locked This topic is locked
7 replies to this topic

#1 Cdoyral

Cdoyral

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:43 PM

Posted 19 September 2009 - 09:31 PM

Hello! Thank you so much for your attention!! I became infected with "Antivirus Pro 2010" 2 days ago and I have been going around in cicles ever since. I have a feeling I am infected with other things now as my computer is getting prgressively worse with an abundance of "scareware" screens and pop ups telling me to download various virus removers. When I log on to the internet I get random pop ups as well. Please Help!!!! Once again....thanks so much for your consideration!!


DDS (Ver_09-07-30.01) - NTFSx86
Run by blah at 20:51:25.53 on Sat 09/19/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.895.287 [GMT -5:00]

AV: BitDefender Antivirus *On-access scanning enabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
AV: Protection System *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\SCARDS32.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\blah\LOCALS~1\Temp\login.exe
C:\DOCUME~1\blah\LOCALS~1\Temp\win16.exe
C:\DOCUME~1\blah\LOCALS~1\Temp\drweb.exe
C:\WINDOWS\system32\wscsvc32.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\blah\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=desktop&parm1=seconduser
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop&parm1=seconduser
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com
mWinlogon: Shell=Explorer.exe rundll32.exe tftp.nfo beforegllav
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: c:\windows\system32\nzfiu3h78di.dll: {ba603215-23f2-42ad-f4e4-00aac39caa53} - c:\windows\system32\nzfiu3h78di.dll
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2009\IEToolbar.dll
TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\progra~1\yahoo!\common\yhexbmesus.dll
uRun: [WIndows Rescue Disk] c:\docume~1\blah\locals~1\temp\login.exe
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [Lexmark X1100 Series] "c:\program files\lexmark x1100 series\lxbkbmgr.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [AOL Spyware Protection] "c:\progra~1\common~1\aol\aolspy~1\AOLSP Scheduler.exe"
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2009\bdagent.exe"
mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2009\IEShow.exe"
mRun: [winupdate.exe] c:\windows\system32\winupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wincin~1.lnk - c:\program files\sandisk\common\bin\WinCinemaMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\309731\program\Updates from HP.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\carrie\start menu\programs\imvu\Run IMVU.lnk
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} - hxxp://www.symantec.com/techsupp/activedata/nprdtinf.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
DPF: {4B48D5DF-9021-45F7-A240-60304302A215} - hxxp://download.microsoft.com/download/5/c/2/5c2fc4b7-3875-4eec-946b-ffe15472cabc/WebCleaner.cab
DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} - hxxp://coupons.smartsource.com/download/cscmv5X.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} - hxxp://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} - hxxp://offers.e-centives.com/cif/download/bin/actxcab.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} - hxxp://hgtv2.view22.com/view22/app/view22rte.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - hxxp://fdl.msn.com/zone/datafiles/heartbeat.cab
DPF: {E7D2588A-7FB5-47DC-8830-832605661009} - hxxp://liveca12.custhelp.com/7530-b327h/rnl/java/RntX.cab
DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - file://f:\games\WebDriverFullInstall.exe
TCP: {1AAE4499-AF8F-41C6-A912-9A3785835ECE} = 68.87.68.162,68.87.64.196
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: mchwmi - mchwmi.dll
Notify: WRNotifier - WRLogonNTF.dll
AppInit_DLLs: peyumama.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\nzfiu3h78di.dll: {ba603215-23f2-42ad-f4e4-00aac39caa53} - c:\windows\system32\nzfiu3h78di.dll
LSA: Notification Packages = :\windows\system32\srrstr.dll scecli scecli juteruno.dll

============= SERVICES / DRIVERS ===============

R0 TwkMs;CHIPDRIVE Mouse Adapter;c:\windows\system32\drivers\TWKMS.SYS [2005-9-19 4828]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-1-14 226656]
R2 TwkPCSC;CHIPDRIVE PC/SC Drivers;c:\windows\system32\drivers\TWKPCSC.SYS [2005-9-19 11676]
R2 TWKSCARDSRV;CHIPDRIVE SCARD Service;c:\windows\SCARDS32.EXE [2005-9-19 264192]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-9-18 111112]
S2 CWMonitor;Symantec Crimeware Protection Driver;\??\c:\program files\common files\symantec shared\coshared\cw\1.0\monitor.sys --> c:\program files\common files\symantec shared\coshared\cw\1.0\Monitor.sys [?]
S2 TWKUSB;CHIPDRIVE USB driver;c:\windows\system32\drivers\TWKUSB.SYS [2005-9-19 12906]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\Arrakis3.exe [2009-1-20 172032]

=============== Created Last 30 ================

2009-09-19 20:09 578,560 a------- c:\windows\system32\dllcache\user32.dll
2009-09-19 20:01 <DIR> --d----- c:\windows\ERUNT
2009-09-19 19:56 <DIR> --d----- C:\SDFix
2009-09-19 19:42 <DIR> --d----- c:\program files\Trend Micro
2009-09-19 19:31 19,280 a------- c:\windows\ujinujypy.pif
2009-09-19 19:31 18,487 a------- c:\windows\tewa.vbs
2009-09-19 19:31 15,215 a------- c:\docume~1\alluse~1\applic~1\xykajaf.exe
2009-09-19 19:31 14,970 a------- c:\windows\system32\eqidecy.db
2009-09-19 19:31 13,585 a------- c:\windows\system32\ciferugad.com
2009-09-19 19:31 12,578 a------- c:\windows\vequk.pif
2009-09-19 19:30 <DIR> --d----- c:\docume~1\blah\applic~1\BitDefender
2009-09-19 19:24 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-19 19:24 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-19 19:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-19 19:06 19,191 a------- c:\windows\emedad.bat
2009-09-19 19:06 18,361 a------- c:\docume~1\alluse~1\applic~1\fyduzet.vbs
2009-09-19 19:06 13,302 a------- c:\windows\gowi.dll
2009-09-19 19:06 12,239 a------- c:\docume~1\alluse~1\applic~1\mekiqadi.vbs
2009-09-19 19:06 11,355 a------- c:\windows\iwubapugew.bat
2009-09-19 19:06 18,747 a------- c:\windows\cacoz.dat
2009-09-19 19:06 18,114 a------- c:\docume~1\alluse~1\applic~1\silinugih.pif
2009-09-19 19:06 16,469 a------- c:\windows\nenawuge.lib
2009-09-19 19:06 16,026 a------- c:\windows\eqyjafa.dll
2009-09-19 19:06 14,768 a------- c:\windows\ryxonir.vbs
2009-09-19 19:06 14,735 a------- c:\docume~1\alluse~1\applic~1\yjaj.sys
2009-09-19 19:06 11,198 a------- c:\program files\common files\olasy.com
2009-09-19 19:06 10,598 a------- c:\windows\system32\mide.scr
2009-09-19 19:05 <DIR> --d----- c:\program files\AntivirusPro_2010
2009-09-19 18:53 <DIR> --dsh--- c:\documents and settings\blah\PrivacIE
2009-09-19 18:53 <DIR> --dsh--- c:\documents and settings\blah\IETldCache
2009-09-19 18:52 <DIR> --d----- c:\docume~1\blah\applic~1\Symantec
2009-09-19 18:52 <DIR> --d----- c:\documents and settings\blah\WINDOWS
2009-09-19 18:52 <DIR> --d----- c:\documents and settings\blah
2009-09-19 18:25 15,966 a------- c:\windows\system32\cogywalo.bin
2009-09-19 18:23 54,156 a---h--- c:\windows\QTFont.qfn
2009-09-19 18:23 1,409 a------- c:\windows\QTFont.for
2009-09-18 20:41 16,004 a------- c:\docume~1\alluse~1\applic~1\qehovog.dll
2009-09-18 20:41 19,121 a------- c:\docume~1\alluse~1\applic~1\exafobozo.com
2009-09-18 20:41 18,823 a------- c:\windows\oviput.exe
2009-09-18 20:41 18,498 a------- c:\windows\elyni.dl
2009-09-18 20:41 18,232 a------- c:\docume~1\alluse~1\applic~1\symoci.com
2009-09-18 20:41 17,620 a------- c:\windows\cozoxuw.db
2009-09-18 20:41 15,293 a------- c:\windows\igemywy.inf
2009-09-18 20:41 14,204 a------- c:\docume~1\alluse~1\applic~1\emucoqa.bin
2009-09-18 20:41 13,731 a------- c:\windows\idobifil.sys
2009-09-18 20:41 13,573 a------- c:\program files\common files\ajyv.pif
2009-09-18 20:41 12,263 a------- c:\windows\system32\edeq.reg
2009-09-18 20:37 831 a------- c:\windows\system32\critical_warning.html
2009-09-18 18:57 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-18 17:55 16,756 a------- c:\program files\common files\ybusofib.dll
2009-09-18 17:55 15,162 a------- c:\windows\ykot.bat
2009-09-18 17:55 13,853 a------- c:\windows\mujijyto.com
2009-09-18 17:55 19,232 a------- c:\windows\pahe.sys
2009-09-18 17:55 16,706 a------- c:\windows\itifijyra.pif
2009-09-18 17:55 11,881 a------- c:\windows\vysazazofa.vbs
2009-09-18 12:20 16,317 a------- c:\program files\common files\sihehukus.pif
2009-09-18 12:20 13,903 a------- c:\docume~1\alluse~1\applic~1\otugubono.exe
2009-09-18 12:20 18,151 a------- c:\windows\ryqedo.bin
2009-09-18 12:20 18,120 a------- c:\windows\ydymenuj.ban
2009-09-18 12:20 18,294 a------- c:\windows\system32\omoqyke.lib
2009-09-18 12:20 12,097 a------- c:\windows\odec.bat
2009-09-18 05:55 1,982 a------- c:\windows\system32\winhelper.dll
2009-09-18 01:31 121 a------- c:\windows\bdagent.INI
2009-09-17 19:41 1,982 a------- c:\windows\system32\wingenocx.dll
2009-09-17 19:40 <DIR> --d----- c:\program files\Protection System
2009-09-17 19:40 14,441 a------- c:\program files\common files\rynaf.sys
2009-09-17 19:40 11,754 a------- c:\program files\common files\cuhurij.reg
2009-09-17 19:40 19,923 a------- c:\windows\cenev.bin
2009-09-17 19:40 16,293 a------- c:\docume~1\alluse~1\applic~1\bafenusake.scr
2009-09-17 19:40 15,280 a------- c:\windows\esynimiwi.exe
2009-09-17 19:40 14,440 a------- c:\program files\common files\muteqala.pif
2009-09-17 19:40 13,336 a------- c:\windows\system32\otec.ban
2009-09-17 19:40 13,143 a------- c:\windows\system32\dipikekefe.dll
2009-09-17 19:40 11,322 a------- c:\windows\system32\rivo.exe
2009-09-17 19:40 11,301 a------- c:\windows\system32\jahelikehe.bat
2009-09-17 19:40 14,604 a------- c:\docume~1\alluse~1\applic~1\larar.sys
2009-09-17 19:39 <DIR> --d----- c:\program files\AdvancedVirusRemover
2009-09-17 19:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\12108754
2009-09-17 19:33 1,011,712 a------- c:\windows\system32\wscsvc32.exe
2009-09-17 19:33 46 a------- C:\p2hhr.bat
2009-09-17 19:32 25,600 a------- c:\windows\system32\tftp.nfo
2009-09-17 19:32 <DIR> --dsh--- c:\windows\system32\lowsec
2009-09-17 19:32 49,152 a------- C:\vhlyrkv.exe
2009-09-17 19:32 15,000 a------- c:\windows\system32\nzfiu3h78di.dll
2009-09-17 19:32 155,136 a------- C:\ddbpu.exe
2009-09-17 19:32 201,328 a------- c:\windows\system32\wisdstr.exe
2009-09-17 19:32 22,016 a------- C:\ruptbvv.exe
2009-09-17 19:31 6,656 a------- C:\rhjdpc.exe
2009-09-17 19:02 0 a------- c:\windows\SCARDSRV.TMP
2009-09-09 05:37 153,088 -------- c:\windows\system32\dllcache\triedit.dll

==================== Find3M ====================

2009-09-19 19:57 81,984 a------- c:\windows\system32\bdod.bin
2009-09-19 19:31 19,659 a------- c:\program files\common files\ybaxado.dl
2009-09-19 19:31 16,246 a------- c:\program files\common files\azuginyni.dl
2009-09-19 19:31 16,166 a------- c:\program files\common files\eposinyji.lib
2009-09-19 19:06 11,202 a------- c:\program files\common files\eqyh.dl
2009-09-19 19:06 15,438 a------- c:\program files\common files\etigo.inf
2009-09-19 18:14 50,688 a--sh--- c:\windows\system32\vuzofafu.dll
2009-09-19 18:13 983,076 a--sh--- c:\windows\system32\jivuvomo.exe
2009-09-19 18:13 1,982 a--sh--- c:\windows\system32\hilemebu.dll
2009-09-19 18:13 37,376 a--sh--- c:\windows\system32\namiviko.dll
2009-09-18 20:49 983,076 a--sh--- c:\windows\system32\veyopiho.exe
2009-09-18 20:49 1,982 a--sh--- c:\windows\system32\muwesoli.dll
2009-09-18 20:49 38,400 a--sh--- c:\windows\system32\hanayupu.dll
2009-09-18 20:41 17,516 a------- c:\program files\common files\oqovi.dl
2009-09-18 17:55 13,788 a------- c:\program files\common files\uwix.dl
2009-09-18 12:18 50,176 a--sh--- c:\windows\system32\wogirubi.dll
2009-09-18 12:18 1,982 a--sh--- c:\windows\system32\gebojele.exe
2009-09-18 12:18 1,982 a--sh--- c:\windows\system32\wogirubi.exe
2009-09-18 12:18 1,982 a--sh--- c:\windows\system32\jadebaji.dll
2009-09-17 19:40 11,040 a------- c:\program files\common files\wixy._dl
2009-09-17 19:38 44,970 a--sh--- c:\windows\system32\wehebopa.exe
2009-09-17 19:38 37,376 a--sh--- c:\windows\system32\fipufola.dll
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 04:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-19 18:48 11,067,392 a------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 08:18 5,937,152 a------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 14:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 14:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 23:43 10,841,088 a------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-10 08:27 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2009-07-03 12:09 915,456 a------- c:\windows\system32\wininet.dll
2009-07-03 12:09 915,456 a------- c:\windows\system32\dllcache\wininet.dll
2009-07-03 12:09 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-07-03 12:09 1,208,832 a------- c:\windows\system32\dllcache\urlmon.dll
2009-07-03 12:09 206,848 a------- c:\windows\system32\dllcache\occache.dll
2009-07-03 12:09 594,432 a------- c:\windows\system32\dllcache\msfeeds.dll
2009-07-03 12:09 55,296 a------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-03 12:09 1,985,536 a------- c:\windows\system32\dllcache\iertutil.dll
2009-07-03 12:09 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 12:09 184,320 a------- c:\windows\system32\dllcache\iepeers.dll
2009-07-03 12:09 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-07-03 12:09 386,048 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 06:01 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-25 03:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 03:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 03:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 03:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 03:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 03:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-25 03:25 730,112 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-06-25 03:25 301,568 -------- c:\windows\system32\dllcache\kerberos.dll
2009-06-25 03:25 147,456 -------- c:\windows\system32\dllcache\schannel.dll
2009-06-25 03:25 136,192 -------- c:\windows\system32\dllcache\msv1_0.dll
2009-06-25 03:25 56,832 -------- c:\windows\system32\dllcache\secur32.dll
2009-06-25 03:25 54,272 -------- c:\windows\system32\dllcache\wdigest.dll
2009-06-24 06:18 92,928 -------- c:\windows\system32\dllcache\ksecdd.sys
2009-06-22 01:44 726,528 a------- c:\windows\system32\dllcache\jscript.dll
2009-06-19 18:14 50,688 a--sh--- c:\windows\system32\gikosiha.dll
2009-06-19 18:14 50,688 a--sh--- c:\windows\system32\juteruno.dll
2009-06-19 18:14 50,688 a--sh--- c:\windows\system32\peyumama.dll
2009-04-06 09:57 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009040620090407\index.dat

============= FINISH: 20:53:50.40 ===============

Attached Files

  • Attached File  dds.txt   13.34KB   3 downloads
  • Attached File  ark.txt   14.08KB   5 downloads


BC AdBot (Login to Remove)

 


#2 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,785 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:12:43 PM

Posted 20 September 2009 - 12:44 AM

Hello, and :( to the Malware Removal forum! My online alias is Blade Zephon, or Blade for short, and I will be assisting you with your malware issues!

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Before we begin cleaning your machine, I'd like to lay out some guidelines for us to follow while we are working together.
  • I will be assisting you with your malware issues. This may or may not resolve other problems you are having with your computer. If you are still having problems after your machine has been determined clean, I will be glad to direct you to the proper forum for assistance.
  • Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean. Absence of symptoms does not mean that all the malware has been removed. If a piece of the infection is left, it can regenerate and reinfect your machine.
  • Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • I ask that you please refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. If you act independently it will cause changes to your system that I will not be aware of, which will make the process of cleaning the machine a much slower and more difficult process. Additionally, some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you are unsure or confused about any instructions I give you, you should ask me to clarify before doing anything. Additionally, if you run into any problems while carrying out instructions, you should STOP and reply back here explaining what happened.
  • After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If you need additional time, that is perfectly alright; you just need to let us know beforehand. :(
  • As I am in the final stages of training an Expert Coach will also oversee your fix. Your benefit will be two people helping you instead of just one, but responses may be somewhat delayed so please be patient!!!!
Please give me a little time to go through your logs. My instructions will be forthcoming.

~Blade

animinionsmalltext.gif
If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!


#3 Cdoyral

Cdoyral
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:43 PM

Posted 20 September 2009 - 02:13 PM

Thank You So Much!!! I don't know why you all even care to help poor computer illiterate people like me...but I am so glad you do!! I am here...I have been dealing with this for 3 days and I am sooo exhausted with it :( ...I will follow any instructions you are willing to offer...once again....thanks for your help!!!

Edited by Cdoyral, 20 September 2009 - 02:14 PM.


#4 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,785 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:12:43 PM

Posted 22 September 2009 - 06:58 AM

Hello again Cdroyal. :(

Before we begin, please be advised of the following:

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If you wish to format and reinstall please stop here and let me know. If you wish to continue cleaning, read on and complete the following steps, but please acknowledge that you have read this in your next reply.

***************************************************

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2


Posted Image


Posted Image
--------------------------------------------------------------------

VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt in your next reply so we can continue cleaning the system.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


~Blade


In your next reply, please include the following:
Acknowledgment that you have read and considered the backdoor warning above.
ComboFix.txt

animinionsmalltext.gif
If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!


#5 Cdoyral

Cdoyral
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:43 PM

Posted 22 September 2009 - 07:38 AM

ok....this is obviously more serious than I thought. I think I would like to reformat my entire hard drive based on the fact that I would never feel completely secure that my computer is clean, and I don't have very much saved on my hard drive short of pictures that I would worry about losing. The only problem is...I don't have my orginal windows XP disk, but I can get one. So once I have reformatted my HD, can I be confident that all of the infection is gone? And how do I prevent this from happening again? Because obviously I wasn't protected well enough in the first place b/c it happened this time? I use bitdefender virus protection....what more do you recommend? If you could give me some quick tips or link me to somewhere that helps me prevent this from happeneing again that would be greatly appreciated...

Thanks again!!!!

#6 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,785 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:12:43 PM

Posted 22 September 2009 - 09:08 AM

Hello.

I think I would like to reformat my entire hard drive based on the fact that I would never feel completely secure that my computer is clean, and I don't have very much saved on my hard drive short of pictures that I would worry about losing.

In this situation I would say that's probably a wise decision. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action to take.

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to backup any autorun.ini or .exe files because they may be infected. Some types of malware may disguise itself by adding and hiding its extension to the existing extension of files so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.

The best sources of information on this are
Reformatting Windows XP
Michael Stevens Tech

***************************************************

2 guidelines when backing up:

1) Backup all your important data files, pictures, music, work etc... and save it onto an external hard-drive. These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do NOT backup any applications/installers and Do NOT backup any files with the following extensions
  • .exe
  • .scr
  • .htm
  • .html
  • .xml
  • .zip
  • .rar
This because these files may be infected as well. If you back them up and replace them afterwards, it will infect your computer again.


Before you reformat, download Belarc Advisor - builds a detailed profile of your installed software and hardware, including Microsoft Hotfixes, and displays the results in your Web browser.
Run it and then print out the results, they may be handy.

***************************************************

And how do I prevent this from happening again?

Credit to Quietman7 for compiling the below information
Tips to protect yourself against malware and reduce the potential for re-infection:Keep Windows and Internet Explorer current with all critical updates from Microsoft which will patch many of the security holes through which attackers can gain access to your computer. If you're not sure how to do this, see Microsoft Update helps keep your computer current.

Avoid gaming sites, porn sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs (i.e. Limewire, eMule, uTorrent). They are a security risk which can make your computer susceptible to a smrgsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Malicious worms, backdoor Trojans IRCBots, and rootkits spread across P2P file sharing networks, gaming, porn and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans, and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.Keeping Autorun enabled on USB (pen, thumb, jump) and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:Many security experts recommend you disable Autorun asap as a method of prevention. Microsoft recommends doing the same.

...Disabling Autorun functionality can help protect customers from attack vectors that involve the execution of arbitrary code by Autorun when inserting a CD-ROM device, USB device, network shares, or other media containing a file system with an Autorun.inf file...

Microsoft Security Advisory (967940): Update for Windows Autorun

• Finally, if you need to replace your anti-virus, firewall or need a reliable anti-malware scanner please refer to:***************************************************

Hope that helps. Good Luck!

~Blade

Edited by Blade Zephon, 22 September 2009 - 09:08 AM.

animinionsmalltext.gif
If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!


#7 Cdoyral

Cdoyral
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:43 PM

Posted 22 September 2009 - 11:07 AM

thanks again!!! Good luck in computer school.... :(

#8 Carolyn

Carolyn

    Bleepin' kitten


  • Members
  • 2,131 posts
  • OFFLINE
  •  
  • Local time:12:43 PM

Posted 23 September 2009 - 06:36 AM

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.
Member of ASAP (Alliance of Security Analysis Professionals)
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users