Infected with Total Security, Windows Police Pro, and Personal Guard


14 replies to this topic

#1 Liz_Burton

Posted 21 September 2009 - 08:17 PM

Hello,

My name is Liz. I am not much of a techie person, but I will try to describe my situation as clear as I can. Please let me know if you need me to explain anything.

Over the last few days, I have had either Total Security, Windows Police Pro, or Personal Guard "pop-up" on my computer. I have run through your very helpful removal instructions step-by-step and ran your Malwarebytes' Anti-Malware program. It seemed to fix things... for a while.

I would think things were alright and get back on the internet using Microsoft Internet Explorer. Suddenly, one of the above mentioned "programs" would "pop-up" and warn me of a virus and urge me to buy their program.

On Saturday, I removed Windows Police Pro and thought things were alright. But they were not. Total Security seemed to "install itself".

I just ran the Malwarebytes Anti-Malware this evening to remove Total Security. I need to make sure I get rid of this for good.

Thank you for your help.

Here is the DDS I ran this evening after getting rid of Total Security:


DDS (Ver_09-07-30.01) - NTFSx86
Run by Liz Burton at 20:07:39.34 on Mon 09/21/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.573 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe
C:\Documents and Settings\Liz Burton\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = search.yahoo.com/web?fr=yfp-t-501
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [igndlm.exe] c:\games\simtheme park\download manager\DLM.exe /windowsstart /startifwork
uRun: [Steam] "c:\games\steam\Steam.exe" -silent
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
mRun: [vptray] c:\progra~1\symant~1\symant~1\vptray.exe
mRun: [<NO NAME>]
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [CTCheck] c:\program files\creative\creative zen\zen media explorer\CTCheck.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\lizbur~1\startm~1\programs\startup\roller~1.lnk - c:\documents and settings\liz burton\local settings\temp\{76d84470-d3ca-438d-b869-7d880940da2c}\{907b4640-266b-4a21-92fb-cd1a86cd0f63}\ATR1.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
Trusted Zone: turbotax.com
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1005.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {988E213A-89C7-4C4E-B15F-5B7EDA2C34C0} - hxxp://www.shockwave.com/content/butterflyescape/sis/GenimoWebGamesControl.cab
DPF: {AE6C4705-0F11-4ACB-BDD4-37F138BEF289} - hxxp://gianteagle.lifepics.com/net/Uploader/LPUploader45.cab
DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - hxxp://a.download.toontown.com/sv1.0.33.7/ttinst.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: c:\windows\ c:\windows\ c:\windows\system32\redivegi.dll ,huginoke.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: webogomim - {ae06dd61-acf2-4ccf-8cd1-3390a1c34444} - c:\windows\system32\redivegi.dll
STS: mujuzedij: {ae06dd61-acf2-4ccf-8cd1-3390a1c34444} - c:\windows\system32\redivegi.dll
LSA: Notification Packages = scecli zukogulu.dll

============= SERVICES / DRIVERS ===============

R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 NAVAPEL;NAVAPEL;c:\program files\symantec_client_security\symantec antivirus\Navapel.sys [2002-6-19 29184]
R2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\program files\symantec_client_security\symantec antivirus\Rtvscan.exe [2002-7-30 573440]
R3 NAVAP;NAVAP;c:\program files\symantec_client_security\symantec antivirus\Navap.sys [2002-6-19 218112]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090918.003\NAVENG.sys [2009-9-18 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090918.003\NAVEX15.sys [2009-9-18 1323568]

=============== Created Last 30 ================

2009-09-20 11:18 <DIR> --d----- c:\program files\Enigma Software Group
2009-09-20 06:18 <DIR> a-d----- c:\windows\system32\images
2009-09-19 11:36 <DIR> --d----- c:\docume~1\lizbur~1\applic~1\Malwarebytes
2009-09-19 11:36 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-19 11:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-19 11:36 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-19 11:36 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-09 05:38 153,088 -c------ c:\windows\system32\dllcache\triedit.dll

==================== Find3M ====================

2009-09-21 17:57 50,176 a--sh--- c:\windows\system32\fuzuhefu.dll
2009-09-21 17:56 38,400 a--sh--- c:\windows\system32\yubiliyu.dll
2009-09-19 21:45 50,688 a--sh--- c:\windows\system32\depopuho.dll
2009-09-19 21:44 39,424 a--sh--- c:\windows\system32\sunotadi.dll
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-12 12:21 233,472 a------- c:\windows\system32\wmpdxm.dll
2009-06-26 12:50 666,624 a------- c:\windows\system32\wininet.dll
2009-06-26 12:50 81,920 a------- c:\windows\system32\ieencode.dll
2009-06-21 17:57 50,176 a--sh--- c:\windows\system32\huginoke.dll
2009-06-21 17:57 50,176 a--sh--- c:\windows\system32\sihowedo.dll
2009-06-21 17:57 50,176 a--sh--- c:\windows\system32\zukogulu.dll

============= FINISH: 20:09:03.89 ===============
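As an added example (not part of this thread, and not code from DDS or ComboFix), a small Python triage script run over lines taken from the DDS report above: it flags the eight-random-letter DLLs referenced from the loading points the log shows (AppInit_DLLs, SSODL, STS, LSA Notification Packages) and the Find3M rows carrying hidden+system attributes, then keeps the names corroborated by more than one kind of evidence. The prefixes and the attribute column layout are read off the log format above; the eight-letter name heuristic is an assumption and a hit is a lead to confirm against a known-good source, not a verdict.

```python
import re
from typing import Dict, List

# Sample input constructed from entries quoted in the DDS report above.
SAMPLE_LOG = r"""mRun: [vptray] c:\progra~1\symant~1\symant~1\vptray.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
AppInit_DLLs: c:\windows\ c:\windows\ c:\windows\system32\redivegi.dll ,huginoke.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: webogomim - {ae06dd61-acf2-4ccf-8cd1-3390a1c34444} - c:\windows\system32\redivegi.dll
STS: mujuzedij: {ae06dd61-acf2-4ccf-8cd1-3390a1c34444} - c:\windows\system32\redivegi.dll
LSA: Notification Packages = scecli zukogulu.dll
2009-09-21 17:57 50,176 a--sh--- c:\windows\system32\fuzuhefu.dll
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-06-21 17:57 50,176 a--sh--- c:\windows\system32\zukogulu.dll
"""

# DDS "Pseudo HJT Report" prefixes that name an autostart / injection point.
LOADING_POINTS = ("uRun:", "mRun:", "AppInit_DLLs:", "SSODL:", "STS:", "LSA:", "Notify:")

# Heuristic (assumption): the dropped DLL/EXE files in this log have basenames of exactly
# eight random lowercase letters. Legitimate files can match too, so a hit is a lead to
# verify against a known-good source, not a verdict by itself.
RANDOM_NAME = re.compile(r"(?<![a-z0-9])[a-z]{8}\.(?:dll|exe)\b")

# DDS Find3M row: date time size attrs path, e.g. "2009-09-21 17:57 50,176 a--sh--- c:\...".
FIND3M = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+[\d,]+\s+([a-z-]{8})\s+(.+)$")


def is_hidden_system(attrs: str) -> bool:
    """The DDS attribute column shows 's' (system) and 'h' (hidden) when both flags are set."""
    return "s" in attrs and "h" in attrs


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each suspicious basename to the kinds of evidence that point at it, in log order."""
    evidence: Dict[str, List[str]] = {}

    def note(name: str, kind: str) -> None:
        evidence.setdefault(name, []).append(kind)

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(LOADING_POINTS):
            point = line.split(":", 1)[0]  # e.g. "SSODL", "LSA"
            for match in RANDOM_NAME.finditer(line):
                note(match.group(0), point)
            continue
        row = FIND3M.match(line)
        if row and is_hidden_system(row.group(1)):
            basename = row.group(2).rsplit("\\", 1)[-1]
            note(basename, "hidden+system file")
    return evidence


def strong_hits(evidence: Dict[str, List[str]]) -> List[str]:
    """Names backed by at least two different evidence kinds, sorted for stable output."""
    return sorted(name for name, kinds in evidence.items() if len(set(kinds)) >= 2)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for name, kinds in found.items():
        print(f"{name:14s} <- {', '.join(kinds)}")
    print("corroborated:", strong_hits(found))
```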


#2 Raktor

Posted 21 September 2009 - 10:50 PM

Hi, welcome to the BC Forums. My username is Raktor, and I would be glad to help you with your malware issues. I'd be grateful if you would note the following:
  • Absence of symptoms does not always mean the computer is clean
  • Please do not run any scans or fixes without my direction.
  • Finally, stay with this topic until I give you the final 'All clear' post.
I'm looking over your logs now, I will get back to you ASAP.
Graduate from the WTT Malware Classroom
If you feel I have helped you, please consider a donation.
Topics will be closed after three days if there is no response.
Please do not PM me for malware removal assistance.

#3 Liz_Burton

Posted 23 September 2009 - 08:13 AM

Hi Raktor,

Thanks for looking into this.

I am all too aware that an absence of symptoms does not mean that the computer is clean. Every time I thought I was free of these issues, another one would show up.

I will not run any more scans or fixes on my own, as I know that it will not solve the problem and might just end up making it worse.

However, just this morning, "Total Security" was back. I was in Internet Explorer (on Facebook) and tried to follow a link. A window that appeared to be doing a scan opened (see attached for a sample screenshot). Also, a small pop-up appeared at the lower right of the screen that stated, "WARNING Application cannot be executed. The file Rtvscan.exe is infected. Please activate your antivirus software"

I quickly shut the computer down.

I had been keeping my online activity to a minimum, and had actually visited Facebook briefly yesterday with no problems. I'm not sure what happened this morning. Is it anything to do with Facebook?

I know if I try to do any work on the computer, these windows will continue to pop-up and I may not be able to access the applications I need. If you have finished reviewing my logs and have a solution, please let me know. If you still have more to review, is there any way you could offer a "quick fix" so I can access applications and stop the pop-ups?

Thanks for any advice,
Liz


#4 Raktor

Posted 27 September 2009 - 02:41 AM

Liz,

Please read through the instructions to familiarize yourself with what to expect when the tool runs.

Please download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link: How to Disable your Security Programs
  • Double click on ComboFix.exe & follow the prompts. Close all browsers/windows first.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

#5 Liz_Burton

Posted 28 September 2009 - 05:58 PM

Hi Raktor,

Thanks for all your help; I would never figure all of this out on my own. I just ran Combofix. Here is the log:

ComboFix 09-09-27.05 - Liz Burton 09/28/2009 18:21.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.699 [GMT -4:00]
Running from: c:\documents and settings\Liz Burton\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\17747034
c:\documents and settings\All Users\Application Data\17747034\17747034
c:\documents and settings\All Users\Application Data\17747034\17747034.exe
c:\documents and settings\All Users\Application Data\17747034\pc17747034ins
c:\documents and settings\Liz Burton\My Documents\ZbThumbnail.info
c:\windows\system32\bihofiye.dll
c:\windows\system32\bubopoyu.dll
c:\windows\system32\devopaha.exe
c:\windows\system32\foromogu.dll
c:\windows\system32\furihepi.dll
c:\windows\system32\guzanuyo.dll
c:\windows\system32\hewigaga.exe
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
c:\windows\system32\jikonidi.dll
c:\windows\system32\jobagiyu.dll
c:\windows\system32\kipilopa.exe
c:\windows\system32\kowogepu.exe
c:\windows\system32\kudafane.dll
c:\windows\system32\lesugeti.dll
c:\windows\system32\limevifo.exe
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\ludimeda.dll
c:\windows\system32\medidobu.dll
c:\windows\system32\nejifayo.dll
c:\windows\system32\neletato.dll
c:\windows\system32\nikijaja.dll
c:\windows\system32\pedewovo.dll
c:\windows\system32\seyinese.dll
c:\windows\system32\sunotadi.dll
c:\windows\system32\tezukebe.exe
c:\windows\system32\tiyupotu.exe
c:\windows\system32\vefofodi.exe
c:\windows\system32\wipakave.dll
c:\windows\system32\yesigoju.dll
c:\windows\system32\yubiliyu.dll
c:\windows\system32\yuwegiju.exe
c:\windows\system32\zikedama.dll

.
((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-28 )))))))))))))))))))))))))))))))
.

2009-09-20 15:18 . 2009-09-20 15:18 -------- d-----w- c:\program files\Enigma Software Group
2009-09-19 15:36 . 2009-09-19 15:36 -------- d-----w- c:\documents and settings\Liz Burton\Application Data\Malwarebytes
2009-09-19 15:36 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-19 15:36 . 2009-09-19 15:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-19 15:36 . 2009-09-19 15:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-19 15:36 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-09 09:38 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-28 21:58 . 2009-06-28 21:58 87552 --sha-w- c:\windows\system32\logibeja.dll
2009-09-28 01:56 . 2009-06-28 01:56 87552 --sha-w- c:\windows\system32\tezepugi.dll
2009-09-27 13:56 . 2009-06-27 13:56 88576 --sha-w- c:\windows\system32\bezayedo.dll
2009-09-26 23:53 . 2009-06-26 23:53 88064 --sha-w- c:\windows\system32\yozezuna.dll
2009-09-25 23:53 . 2009-06-25 23:52 49664 --sha-w- c:\windows\system32\zuyunado.dll
2009-09-21 21:57 . 2009-06-21 21:56 50176 --sha-w- c:\windows\system32\fuzuhefu.dll
2009-09-20 11:26 . 2006-07-07 18:09 67928 ----a-w- c:\documents and settings\Liz Burton\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-20 01:45 . 2009-06-20 01:44 50688 --sha-w- c:\windows\system32\depopuho.dll
2009-09-01 00:05 . 2009-07-25 00:52 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 16:21 . 2004-08-04 12:00 233472 ----a-w- c:\windows\system32\wmpdxm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\games\Steam\Steam.exe" [2009-06-11 1217784]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-09-03 3342336]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 868352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 77824]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-08 30208]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-04-13 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"CTCheck"="c:\program files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe" [2007-11-06 397312]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-06-04 413696]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"juyipekad"="c:\windows\system32\tezepugi.dll" [2009-09-28 87552]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2006-7-27 82026]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{073d5713-c9ec-4deb-a99a-488d54aa831b}"= "c:\windows\system32\tezepugi.dll" [2009-09-28 87552]
"{71b0562a-dc0d-4a5a-a47e-a313f5c80956}"= "c:\windows\system32\tezepugi.dll" [2009-09-28 87552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"rugugisel"= {073d5713-c9ec-4deb-a99a-488d54aa831b} - c:\windows\system32\tezepugi.dll [2009-09-28 87552]
"fanotinen"= {71b0562a-dc0d-4a5a-a47e-a313f5c80956} - c:\windows\system32\tezepugi.dll [2009-09-28 87552]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo! Games\\Inspector Parker\\Parker.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 6:45 AM 13088]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.yahoo.com/web?fr=yfp-t-501
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
Trusted Zone: turbotax.com
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {988E213A-89C7-4C4E-B15F-5B7EDA2C34C0} - hxxp://www.shockwave.com/content/butterflyescape/sis/GenimoWebGamesControl.cab
.
- - - - ORPHANS REMOVED - - - -

BHO-{7fed055d-722d-403e-9534-90f8ede9f71f} - jikonidi.dll
HKCU-Run-igndlm.exe - c:\games\SimTheme Park\Download Manager\DLM.exe
HKLM-Run-17747034 - c:\documents and settings\All Users\Application Data\17747034\17747034.exe
HKLM-Run-lanubesota - pedewovo.dll
SharedTaskScheduler-{ae06dd61-acf2-4ccf-8cd1-3390a1c34444} - c:\windows\system32\redivegi.dll
SharedTaskScheduler-{369d0be8-6e08-4e89-9e88-5e28df8a6179} - c:\windows\system32\jotumumu.dll
SharedTaskScheduler-{00cd7a2c-0fa8-4ce7-8a52-3c60f18cb767} - c:\windows\system32\dijuboru.dll
SharedTaskScheduler-{a0cc4c43-49b5-4941-855a-910bdc70330c} - c:\windows\system32\dijuboru.dll
SharedTaskScheduler-{62d5ba1b-ca26-4fbb-9c6e-b9a55a758ce6} - c:\windows\system32\dijuboru.dll
SharedTaskScheduler-{3d18323b-8d94-4500-9864-531b4f1bdd61} - c:\windows\system32\sehaniju.dll
SharedTaskScheduler-{e3e7f805-62ce-4442-a9d3-b933f6e1f1eb} - c:\windows\system32\dijuboru.dll
SharedTaskScheduler-{8d671caf-05ae-4acc-a958-f5b1a2075251} - c:\windows\system32\sehaniju.dll
SharedTaskScheduler-{e119bca8-bf4c-4434-ba2c-b54b34e2d9a5} - c:\windows\system32\dijuboru.dll
SharedTaskScheduler-{9f466cc4-b674-4a3b-a923-cd09e25e049a} - c:\windows\system32\dijuboru.dll
SSODL-webogomim-{ae06dd61-acf2-4ccf-8cd1-3390a1c34444} - c:\windows\system32\redivegi.dll
SSODL-gipalowig-{369d0be8-6e08-4e89-9e88-5e28df8a6179} - c:\windows\system32\jotumumu.dll
SSODL-himewomom-{00cd7a2c-0fa8-4ce7-8a52-3c60f18cb767} - c:\windows\system32\dijuboru.dll
SSODL-vadupegub-{a0cc4c43-49b5-4941-855a-910bdc70330c} - c:\windows\system32\dijuboru.dll
SSODL-mefuzebok-{62d5ba1b-ca26-4fbb-9c6e-b9a55a758ce6} - c:\windows\system32\dijuboru.dll
SSODL-pegikodin-{3d18323b-8d94-4500-9864-531b4f1bdd61} - c:\windows\system32\sehaniju.dll
SSODL-wirafuyaf-{e3e7f805-62ce-4442-a9d3-b933f6e1f1eb} - c:\windows\system32\dijuboru.dll
SSODL-yiyubedep-{8d671caf-05ae-4acc-a958-f5b1a2075251} - c:\windows\system32\sehaniju.dll
SSODL-yadokibog-{e119bca8-bf4c-4434-ba2c-b54b34e2d9a5} - c:\windows\system32\dijuboru.dll
SSODL-hehididel-{9f466cc4-b674-4a3b-a923-cd09e25e049a} - c:\windows\system32\dijuboru.dll
AddRemove-Download Manager - c:\games\SimTheme Park\Download Manager\uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-28 18:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-507921405-1682526488-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:76,ca,ca,5e,91,98,15,ed,ec,45,14,f9,3e,b7,93,da,b5,46,e7,f7,82,
5d,ea,e1,b0,a3,a2,a6,d7,a5,a4,3a,01,ee,ef,0d,fb,f2,2a,87,8a,48,49,e8,23,0c,\
"rkeysecu"=hex:13,94,27,57,7d,9f,6a,a1,a9,37,89,d3,a8,bd,af,7c
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2852)
c:\windows\system32\tezepugi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Malwarebytes' Anti-Malware\mbamext.dll
c:\windows\system32\FlashRenHelper.dll
c:\program files\Common Files\Symantec Shared\SSC\vpshell2.dll
c:\progra~1\Creative\SHARED~1\CtCmeCtx.dll
c:\windows\system32\MSCOMCTL.OCX
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
c:\program files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-09-28 18:46 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-28 22:45

Pre-Run: 76,218,388,480 bytes free
Post-Run: 76,639,698,944 bytes free

220 --- E O F --- 2009-09-09 11:00

#6 Raktor

Posted 29 September 2009 - 07:56 PM

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    http://www.bleepingcomputer.com/forums/t/259337/infected-with-total-security-windows-police-pro-and-personal-guard/
    
    Collect::
    c:\windows\system32\logibeja.dll
    c:\windows\system32\tezepugi.dll
    c:\windows\system32\bezayedo.dll
    c:\windows\system32\yozezuna.dll
    c:\windows\system32\zuyunado.dll
    c:\windows\system32\fuzuhefu.dll
    c:\windows\system32\depopuho.dll
    
    Registry:: 
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "juyipekad"=-
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
    "{073d5713-c9ec-4deb-a99a-488d54aa831b}"=-
    "{71b0562a-dc0d-4a5a-a47e-a313f5c80956}"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "rugugisel"=-
    "fanotinen"=-
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

#7 Liz_Burton

Posted 30 September 2009 - 05:01 AM

Thanks again. I ran the program as instructed, but before ComboFix ran, it prompted me that there was an updated version and gave me the option to download it. I clicked "yes". Let me know if this was a mistake! (and sorry if it was...)

Anyway, here is the log:

ComboFix 09-09-29.02 - Liz Burton 09/30/2009 5:40.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.724 [GMT -4:00]
Running from: c:\documents and settings\Liz Burton\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Liz Burton\Desktop\CFScript.txt

file zipped: c:\windows\system32\bezayedo.dll
file zipped: c:\windows\system32\depopuho.dll
file zipped: c:\windows\system32\fuzuhefu.dll
file zipped: c:\windows\system32\logibeja.dll
file zipped: c:\windows\system32\tezepugi.dll
file zipped: c:\windows\system32\yozezuna.dll
file zipped: c:\windows\system32\zuyunado.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\bezayedo.dll
c:\windows\system32\depopuho.dll
c:\windows\system32\fuzuhefu.dll
c:\windows\system32\logibeja.dll
c:\windows\system32\tezepugi.dll
c:\windows\system32\yozezuna.dll
c:\windows\system32\zuyunado.dll

.
((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-30 )))))))))))))))))))))))))))))))
.

2009-09-20 15:18 . 2009-09-20 15:18 -------- d-----w- c:\program files\Enigma Software Group
2009-09-19 15:36 . 2009-09-19 15:36 -------- d-----w- c:\documents and settings\Liz Burton\Application Data\Malwarebytes
2009-09-19 15:36 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-19 15:36 . 2009-09-19 15:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-19 15:36 . 2009-09-19 15:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-19 15:36 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-09 09:38 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-20 11:26 . 2006-07-07 18:09 67928 ----a-w- c:\documents and settings\Liz Burton\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-01 00:05 . 2009-07-25 00:52 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 16:21 . 2004-08-04 12:00 233472 ----a-w- c:\windows\system32\wmpdxm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\games\Steam\Steam.exe" [2009-06-11 1217784]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-09-03 3342336]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 868352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 77824]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-08 30208]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-04-13 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"CTCheck"="c:\program files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe" [2007-11-06 397312]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-06-04 413696]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2006-7-27 82026]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo! Games\\Inspector Parker\\Parker.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 6:45 AM 13088]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.yahoo.com/web?fr=yfp-t-501
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
Trusted Zone: turbotax.com
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {988E213A-89C7-4C4E-B15F-5B7EDA2C34C0} - hxxp://www.shockwave.com/content/butterflyescape/sis/GenimoWebGamesControl.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-30 05:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-507921405-1682526488-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:76,ca,ca,5e,91,98,15,ed,ec,45,14,f9,3e,b7,93,da,b5,46,e7,f7,82,
5d,ea,e1,b0,a3,a2,a6,d7,a5,a4,3a,01,ee,ef,0d,fb,f2,2a,87,8a,48,49,e8,23,0c,\
"rkeysecu"=hex:13,94,27,57,7d,9f,6a,a1,a9,37,89,d3,a8,bd,af,7c
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1376)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
c:\program files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
.
**************************************************************************
.
Completion time: 2009-09-30 5:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-30 09:54
ComboFix2.txt 2009-09-28 22:46

Pre-Run: 76,624,592,896 bytes free
Post-Run: 76,588,720,128 bytes free

122 --- E O F --- 2009-09-09 11:00
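
The Reg Loading Points block in a ComboFix log like the one above is where a helper looks for settings that malware changes to stay quiet: the Security Center override values (MBAM later reports UpdatesDisableNotify as Disabled.SecurityCenter), ports opened on the firewall, and autostart entries. The Python script below is an added example, not part of this thread or of ComboFix; it parses that REGEDIT4-style block and flags those items. The sample input is constructed from the log above, and the function and constant names are my own.

```python
import re

# Constructed sample: the Reg Loading Points block from the ComboFix log in
# this thread, trimmed to the entries the triage rules care about.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\games\Steam\Steam.exe" [2009-06-11 1217784]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-09-03 3342336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 77824]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""

# Security Center values that suppress its warnings when set to 1. Two of
# them appear in the log above; FirewallOverride is the matching firewall one.
SECURITY_CENTER_FLAGS = {
    "AntiVirusOverride": "no warning when antivirus is missing or disabled",
    "FirewallOverride": "no warning when the firewall is off",
    "UpdatesDisableNotify": "no warning when Automatic Updates are off",
}

# Image locations an autostart entry is normally expected to live under;
# anything else is listed for a human to review, not declared malicious.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")

VALUE_RE = re.compile(r'"([^"]+)"\s*=\s*(.*)$')   # "name"=value
PATH_RE = re.compile(r'^"([^"]+)"')               # leading quoted image path


def parse_reg_block(text):
    """Return {key: [(name, raw_value), ...]} from a REGEDIT4-style dump."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, [])
        elif current is not None and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:
                entries[current].append((m.group(1), m.group(2).strip()))
    return entries


def triage(text):
    """Return (category, name, detail) tuples a reviewer should look at."""
    findings = []
    for key, values in parse_reg_block(text).items():
        low = key.lower()
        if low.endswith("security center"):
            for name, val in values:
                if name in SECURITY_CENTER_FLAGS and val.lower() == "dword:00000001":
                    findings.append(("security_center", name, SECURITY_CENTER_FLAGS[name]))
        elif "globallyopenports" in low:
            for name, val in values:
                findings.append(("open_port", name, "open on the standard firewall profile"))
        elif low.endswith("\\run"):
            for name, val in values:
                m = PATH_RE.match(val)
                path = m.group(1) if m else val
                if not path.lower().startswith(TRUSTED_PREFIXES):
                    findings.append(("autostart", name, path))
    return findings


if __name__ == "__main__":
    for category, name, detail in triage(SAMPLE_LOG):
        print(f"{category:16} {name:24} {detail}")
```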

#8 Raktor

Raktor

  • Members
  • 68 posts
  • OFFLINE
  • Local time:12:45 PM

Posted 30 September 2009 - 05:14 PM

1) MBAM
You already have Malwarebytes' Anti-Malware installed.
  • Open MBAM
  • Go to the updates tab, and click Update to update to the latest version
  • Once the program has updated, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
2) ESET
You can use either Internet Explorer or Mozilla FireFox for this scan.
  • Please go here, then click on the button shown.

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use, then click on the button shown.
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on the button shown.
  • The virus signature database will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on the button shown.
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
3) What You Will Need To Post:
  • MBAM log
  • ESET log
  • Contents of C:\Qoobox\Add-Remove Programs.txt

#9 Liz_Burton

Liz_Burton
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:45 PM

Posted 01 October 2009 - 04:28 AM

Thanks again Raktor. Here are the logs:

(I've attached the txt files as well)

MBAM log

Malwarebytes' Anti-Malware 1.41
Database version: 2879
Windows 5.1.2600 Service Pack 3

9/30/2009 7:28:37 PM
mbam-log-2009-09-30 (19-28-37).txt

Scan type: Quick Scan
Objects scanned: 93310
Time elapsed: 7 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Windows Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Windows Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


ESET log

C:\Qoobox\Quarantine\[4]-Submit_2009-09-30_05.40.15.zip multiple threats
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\17747034\17747034.exe.vir a variant of Win32/Kryptik.ALW trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\devopaha.exe.vir a variant of Win32/Kryptik.ALW trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\foromogu.dll.vir a variant of Win32/Adware.Virtumonde.NFM application
C:\Qoobox\Quarantine\C\WINDOWS\system32\guzanuyo.dll.vir a variant of Win32/Kryptik.ACU trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\hewigaga.exe.vir a variant of Win32/Kryptik.ALW trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\jobagiyu.dll.vir a variant of Win32/Kryptik.ACU trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\kipilopa.exe.vir a variant of Win32/Kryptik.ALW trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\kowogepu.exe.vir a variant of Win32/Kryptik.ALW trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\kudafane.dll.vir a variant of Win32/Adware.Virtumonde.NFM application
C:\Qoobox\Quarantine\C\WINDOWS\system32\limevifo.exe.vir a variant of Win32/Kryptik.ALW trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\ludimeda.dll.vir a variant of Win32/Adware.Virtumonde.NFM application
C:\Qoobox\Quarantine\C\WINDOWS\system32\neletato.dll.vir a variant of Win32/Kryptik.ACU trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\sunotadi.dll.vir Win32/KillAV.NFM trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\tezukebe.exe.vir a variant of Win32/Kryptik.ALW trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\tiyupotu.exe.vir a variant of Win32/Kryptik.ALW trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\vefofodi.exe.vir a variant of Win32/Kryptik.ALW trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\wipakave.dll.vir a variant of Win32/Kryptik.ACU trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\yesigoju.dll.vir a variant of Win32/Adware.Virtumonde.NFM application
C:\Qoobox\Quarantine\C\WINDOWS\system32\yubiliyu.dll.vir a variant of Win32/Kryptik.AOD trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\yuwegiju.exe.vir a variant of Win32/Kryptik.ALW trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\zikedama.dll.vir a variant of Win32/Kryptik.ACU trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\_sdra64_.exe.zip a variant of Win32/Kryptik.APE trojan
C:\System Volume Information\_restore{4998C1D0-7B58-48C8-9788-2269108DA623}\RP1078\A0093786.dll a variant of Win32/Kryptik.AOD trojan
C:\System Volume Information\_restore{4998C1D0-7B58-48C8-9788-2269108DA623}\RP1078\A0093787.dll a variant of Win32/Kryptik.AOD trojan
C:\System Volume Information\_restore{4998C1D0-7B58-48C8-9788-2269108DA623}\RP1080\A0094898.dll a variant of Win32/Adware.Virtumonde.NFM application
C:\System Volume Information\_restore{4998C1D0-7B58-48C8-9788-2269108DA623}\RP1080\A0094899.dll a variant of Win32/Adware.Virtumonde.NFM application
C:\System Volume Information\_restore{4998C1D0-7B58-48C8-9788-2269108DA623}\RP1080\A0094907.dll a variant of Win32/Adware.Virtumonde.NFM application
C:\System Volume Information\_restore{4998C1D0-7B58-48C8-9788-2269108DA623}\RP1080\A0094908.dll a variant of Win32/Adware.Virtumonde.NFM application
C:\System Volume Information\_restore{4998C1D0-7B58-48C8-9788-2269108DA623}\RP1080\A0094909.dll a variant of Win32/Adware.Virtumonde.NFM application
C:\System Volume Information\_restore{4998C1D0-7B58-48C8-9788-2269108DA623}\RP1081\A0098953.dll a variant of Win32/Adware.Virtumonde.NFM application
C:\System Volume Information\_restore{4998C1D0-7B58-48C8-9788-2269108DA623}\RP1081\A0098955.dll a variant of Win32/Adware.Virtumonde.NFM application
C:\System Volume Information\_restore{4998C1D0-7B58-48C8-9788-2269108DA623}\RP1082\A0101984.dll a variant of Win32/Kryptik.ACU trojan
C:\System Volume Information\_restore{4998C1D0-7B58-48C8-9788-2269108DA623}\RP1083\A0102189.exe a variant of Win32/Kryptik.APE trojan
C:\System Volume Information\_restore{4998C1D0-7B58-48C8-9788-2269108DA623}\RP1083\A0103166.dll a variant of Win32/Kryptik.ACU trojan
C:\System Volume Information\_restore{4998C1D0-7B58-48C8-9788-2269108DA623}\RP1083\A0103167.dll a variant of Win32/Kryptik.ACU trojan
C:\System Volume Information\_restore{4998C1D0-7B58-48C8-9788-2269108DA623}\RP1083\A0103168.dll a variant of Win32/Kryptik.ACU trojan
C:\System Volume Information\_restore{4998C1D0-7B58-48C8-9788-2269108DA623}\RP1083\A0103352.exe a variant of Win32/Kryptik.ALW trojan
C:\System Volume Information\_restore{4998C1D0-7B58-48C8-9788-2269108DA623}\RP1083\A0103355.exe a variant of Win32/Kryptik.ALW trojan
C:\System Volume Information\_restore{4998C1D0-7B58-48C8-9788-2269108DA623}\RP1083\A0103356.dll a variant of Win32/Adware.Virtumonde.NFM application
C:\System Volume Information\_restore{4998C1D0-7B58-48C8-9788-2269108DA623}\RP1083\A0103358.dll a variant of Win32/Kryptik.ACU trojan
C:\System Volume Information\_restore{4998C1D0-7B58-48C8-9788-2269108DA623}\RP1083\A0103360.exe a variant of Win32/Kryptik.ALW trojan
C:\System Volume Information\_restore{4998C1D0-7B58-48C8-9788-2269108DA623}\RP1083\A0103362.dll a variant of Win32/Kryptik.ACU trojan
C:\System Volume Information\_restore{4998C1D0-7B58-48C8-9788-2269108DA623}\RP1083\A0103363.exe a variant of Win32/Kryptik.ALW trojan
C:\System Volume Information\_restore{4998C1D0-7B58-48C8-9788-2269108DA623}\RP1083\A0103364.exe a variant of Win32/Kryptik.ALW trojan
C:\System Volume Information\_restore{4998C1D0-7B58-48C8-9788-2269108DA623}\RP1083\A0103365.dll a variant of Win32/Adware.Virtumonde.NFM application
C:\System Volume Information\_restore{4998C1D0-7B58-48C8-9788-2269108DA623}\RP1083\A0103367.exe a variant of Win32/Kryptik.ALW trojan
C:\System Volume Information\_restore{4998C1D0-7B58-48C8-9788-2269108DA623}\RP1083\A0103370.dll a variant of Win32/Adware.Virtumonde.NFM application
C:\System Volume Information\_restore{4998C1D0-7B58-48C8-9788-2269108DA623}\RP1083\A0103373.dll a variant of Win32/Kryptik.ACU trojan
C:\System Volume Information\_restore{4998C1D0-7B58-48C8-9788-2269108DA623}\RP1083\A0103377.dll Win32/KillAV.NFM trojan
C:\System Volume Information\_restore{4998C1D0-7B58-48C8-9788-2269108DA623}\RP1083\A0103378.exe a variant of Win32/Kryptik.ALW trojan
C:\System Volume Information\_restore{4998C1D0-7B58-48C8-9788-2269108DA623}\RP1083\A0103379.exe a variant of Win32/Kryptik.ALW trojan
C:\System Volume Information\_restore{4998C1D0-7B58-48C8-9788-2269108DA623}\RP1083\A0103380.exe a variant of Win32/Kryptik.ALW trojan
C:\System Volume Information\_restore{4998C1D0-7B58-48C8-9788-2269108DA623}\RP1083\A0103381.dll a variant of Win32/Kryptik.ACU trojan
C:\System Volume Information\_restore{4998C1D0-7B58-48C8-9788-2269108DA623}\RP1083\A0103382.dll a variant of Win32/Adware.Virtumonde.NFM application
C:\System Volume Information\_restore{4998C1D0-7B58-48C8-9788-2269108DA623}\RP1083\A0103383.dll a variant of Win32/Kryptik.AOD trojan
C:\System Volume Information\_restore{4998C1D0-7B58-48C8-9788-2269108DA623}\RP1083\A0103384.exe a variant of Win32/Kryptik.ALW trojan
C:\System Volume Information\_restore{4998C1D0-7B58-48C8-9788-2269108DA623}\RP1083\A0103385.dll a variant of Win32/Kryptik.ACU trojan
C:\System Volume Information\_restore{4998C1D0-7B58-48C8-9788-2269108DA623}\RP1085\A0103614.dll a variant of Win32/Kryptik.ACU trojan
C:\System Volume Information\_restore{4998C1D0-7B58-48C8-9788-2269108DA623}\RP1085\A0103615.dll a variant of Win32/Kryptik.ACU trojan
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2BZNM52H\static_[1].stdc a variant of Win32/Kryptik.AEX trojan
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6O4ASF1K\load[1].exe a variant of Win32/Kryptik.UW trojan
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8QOODE91\main_[1].exe a variant of Win32/Kryptik.AJB trojan


Contents of C:\Qoobox\Add-Remove Programs.txt

Add-ons
Adobe Acrobat 5.0
Adobe Flash Player 10 ActiveX
Adobe Premiere 6.0
Adobe Reader 8.1.2
Adobe Shockwave Player 11
Advanced Network Diagramming
Advanced Network Diagramming Help
Advanced RealMedia Export Plug-in for Premiere 6.0
AnswerWorks 4.0 Runtime - English
AnswerWorks 5.0 English Runtime
ArcSoft PhotoImpression 2000
AudibleManager
Block Diagrams
Block Diagrams Help
Borders and Backgrounds
Borders and Backgrounds Help
CAD Drawing Display
Call of Duty® - World at War™
Callouts and Connectors
Callouts and Connectors Help
Camera Support Core Library
Camera Window DS
Camera Window DVC
Camera Window MC
Canon Camera Support Core Library
Canon Camera Window DS for ZoomBrowser EX
Canon Camera Window DVC for ZoomBrowser EX
Canon Camera Window for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities PhotoStitch 3.1
Canon ZoomBrowser EX
CH Gameport Devices
Clip Art and Symbols
Clip Art and Symbols Help
Cool Edit 2000
Creative System Information
Creative ZEN
Custom Properties Editor
Database Design
Database Design Help
Database Wizard
Developing Visio Solutions Help
Directory Services
Directory Services Help
Disney's Toontown Online
Disney-Pixar WALL-E
DVD Ripper Platinum 4
EA Download Manager
EPSON Scan
Flash Renamer 5.3
Flowcharts
Flowcharts Help
Forms and Charts
Forms and Charts Help
Graphics Filters
Half-Life 2
Help for Visio 2000 (HTML Help)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hoyle Board Games
Hoyle Casino 2003
Inspector Parker
Internet Diagrams
Internet Diagrams Help
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Jasc Paint Shop Pro 8
LiveUpdate 1.7 (Symantec Corporation)
Malwarebytes' Anti-Malware
Maps
Maps Help
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB928367)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft MapPoint North America 2004
Microsoft Office 2000 SR-1 Disc 2
Microsoft Office 2000 SR-1 Small Business
Microsoft Office Converter Pack
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visio 2000
Microsoft Visual Studio Service Pack 3
MovieEdit Task
MyITLab ActiveX Installer 2.7.5.312
Nero Suite
Network Diagrams
Network Diagrams Help
Office Layout
Office Layout Help
Organization Charts
Organization Charts Help
Page Layout Wizard
PhotoStitch
Portal
PowerDVD
Program Files
Program Files Help
Program Files Professional
Program Files Professional Help
Project Schedules
Project Schedules Help
Property Reporting Wizard
Quicken 2006
QuickTime
RAW Image Task 1.2
Release Notes
Release Notes Professional
RemoteCapture Task 1.1
Save as HTML
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Shape Explorer Help
Sierra Utilities
SimTheme Park
Software Design
Software Design Help
Solutions
Steam
Symantec AntiVirus Client
Synergy
The Rosetta Stone
Theme Park World Fix
TurboTax 2008
TurboTax 2008 WinPerFedFormset
TurboTax 2008 WinPerProgramHelp
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 WinPerTaxSupport
TurboTax 2008 WinPerUserEducation
TurboTax 2008 wpaiper
TurboTax 2008 wrapper
TurboTax Deluxe 2007
TurboTax Deluxe Deduction Maximizer 2006
TurboTax ItsDeductible 2006
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB973815)
VBA
Virtools 3D Life Player
Visio
Visio Core Files
Web Photos Pro 1.2.1
WebFldrs XP
WexTech AnswerWorks
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Media Format 11 runtime
Windows XP Service Pack 3
XP Codec Pack
ZENcast Organizer
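
The ESET log above mixes three kinds of hit: copies ComboFix had already moved into C:\Qoobox\Quarantine (the .vir files), copies frozen inside System Restore points under System Volume Information, and files still live on disk. Only the last group needs further action, which is the split a helper makes before writing a CFScript. The Python script below is an added example, not part of this thread or of either tool; it sorts a pasted ESET log into those classes and emits the live paths as the File:: block of a CFScript in the format used in this thread. The sample lines are taken from the log above, and the function names are my own.

```python
import re

# Constructed sample: a subset of the ESET log posted in this thread, with at
# least one line from each class of hit. The path/verdict separator is a
# space here, as it appears once pasted into a forum post; the real log.txt
# uses a tab, which the regex also accepts.
SAMPLE_ESET_LOG = r"""
C:\Qoobox\Quarantine\[4]-Submit_2009-09-30_05.40.15.zip multiple threats
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\17747034\17747034.exe.vir a variant of Win32/Kryptik.ALW trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\sunotadi.dll.vir Win32/KillAV.NFM trojan
C:\System Volume Information\_restore{4998C1D0-7B58-48C8-9788-2269108DA623}\RP1078\A0093786.dll a variant of Win32/Kryptik.AOD trojan
C:\System Volume Information\_restore{4998C1D0-7B58-48C8-9788-2269108DA623}\RP1083\A0103377.dll Win32/KillAV.NFM trojan
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2BZNM52H\static_[1].stdc a variant of Win32/Kryptik.AEX trojan
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6O4ASF1K\load[1].exe a variant of Win32/Kryptik.UW trojan
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8QOODE91\main_[1].exe a variant of Win32/Kryptik.AJB trojan
"""

# Paths may contain spaces, so the path is the shortest prefix after which the
# rest of the line reads like an ESET verdict ("a variant of ...",
# "multiple threats", or a Family/Variant token such as Win32/KillAV.NFM).
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<verdict>(?:probably )?a variant of .+|multiple threats.*|\S+/\S+.*)$"
)


def parse_eset_log(text):
    """Return [(path, verdict), ...]; lines that are not detections are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("verdict").strip()))
    return hits


def classify(path):
    """Say whether a hit is already neutralised or still live on the system."""
    low = path.lower()
    if low.startswith("c:\\qoobox\\quarantine\\"):
        return "already_quarantined"   # ComboFix already moved it here
    if "\\system volume information\\_restore" in low:
        return "restore_point"         # inert unless a restore is performed
    return "live"


def triage_eset_log(text):
    """Bucket every detection by class, keeping its verdict for the report."""
    buckets = {"already_quarantined": [], "restore_point": [], "live": []}
    for path, verdict in parse_eset_log(text):
        buckets[classify(path)].append((path, verdict))
    return buckets


def build_cfscript(live_hits):
    """Emit a CFScript File:: block for the live hits, closed with SkipFix::."""
    paths = [path for path, _ in live_hits]
    return "\n".join(["File::", *paths, "", "SkipFix::"]) + "\n"


if __name__ == "__main__":
    result = triage_eset_log(SAMPLE_ESET_LOG)
    for bucket, hits in result.items():
        print(f"{bucket}: {len(hits)}")
    print(build_cfscript(result["live"]))
```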


#10 Raktor

Raktor

  • Members
  • 68 posts
  • OFFLINE
  • Local time:12:45 PM

Posted 03 October 2009 - 02:11 AM

1) Combofix
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    File:: 
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2BZNM52H\static_[1].stdc
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6O4ASF1K\load[1].exe
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8QOODE91\main_[1].exe
    
    SkipFix::
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2) Update Java
Your version of Java is outdated.

Please download JavaRa to your desktop and unzip it to its own folder

Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
Accept any prompts.
Open JavaRa.exe again and select Search For Updates.
Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

3) Update Adobe Reader
Your current version of Adobe Reader is out of date, and may contain security issues. Please uninstall the version you have now from Add/Remove programs, and then download and install the latest Adobe Reader.

4) What You Will Need To Post:
  • Combofix log
  • How the PC is performing now


#11 Liz_Burton

Liz_Burton
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:45 PM

Posted 04 October 2009 - 02:31 PM

I ran the ComboFix again as recommended and posted the log below. For now, my computer is working fine. However, I tried to do a Windows Update and got the following message:

[Error number: 0x8007041D]
The website has encountered a problem and cannot display the page you are trying to view. The options provided below might help you solve the problem.

For self-help options:
Frequently Asked Questions
Find Solutions
Windows Update Newsgroup

For assisted support options:
Microsoft Online Assisted Support (no-cost for Windows Update issues)
----------------

I am also having trouble logging into my bank's website. This is the description I sent to my bank's website support line:

1. I go to my bank's website
2. I enter my User ID
3. I click the "Log In" button.
4. Nothing happens. (Usually, I'm taken to a page which then requests I enter my password. After I enter my password, I'm taken to my account details.)

---------------------------

These problems might just be the options/settings on my Microsoft Internet Explorer. I've been making some changes to try to find one that works but haven't figured it out. Any advice?

Here is the ComboFix.txt log:

ComboFix 09-10-01.05 - Liz Burton 10/03/2009 6:29.3.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.686 [GMT -4:00]
Running from: c:\documents and settings\Liz Burton\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Liz Burton\Desktop\CFScript.txt
.
- REDUCED FUNCTIONALITY MODE -

FILE ::
"c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2BZNM52H\static_[1].stdc"
"c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6O4ASF1K\load[1].exe"
"c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8QOODE91\main_[1].exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2BZNM52H\static_[1].stdc
c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6O4ASF1K\load[1].exe
c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8QOODE91\main_[1].exe

.
((((((((((((((((((((((((( Files Created from 2009-09-03 to 2009-10-03 )))))))))))))))))))))))))))))))
.

2009-09-20 15:18 . 2009-09-20 15:18 -------- d-----w- c:\program files\Enigma Software Group
2009-09-19 15:36 . 2009-09-19 15:36 -------- d-----w- c:\documents and settings\Liz Burton\Application Data\Malwarebytes
2009-09-19 15:36 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-19 15:36 . 2009-09-19 15:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-19 15:36 . 2009-09-19 15:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-19 15:36 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-09 09:38 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-20 11:26 . 2006-07-07 18:09 67928 ----a-w- c:\documents and settings\Liz Burton\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-01 00:05 . 2009-07-25 00:52 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 16:21 . 2004-08-04 12:00 233472 ----a-w- c:\windows\system32\wmpdxm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\games\Steam\Steam.exe" [2009-06-11 1217784]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-09-03 3342336]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 868352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 77824]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-08 30208]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-04-13 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"CTCheck"="c:\program files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe" [2007-11-06 397312]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-06-04 413696]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2006-7-27 82026]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo! Games\\Inspector Parker\\Parker.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 6:45 AM 13088]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.yahoo.com/web?fr=yfp-t-501
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
Trusted Zone: turbotax.com
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {988E213A-89C7-4C4E-B15F-5B7EDA2C34C0} - hxxp://www.shockwave.com/content/butterflyescape/sis/GenimoWebGamesControl.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-03 06:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-507921405-1682526488-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:76,ca,ca,5e,91,98,15,ed,ec,45,14,f9,3e,b7,93,da,b5,46,e7,f7,82,
5d,ea,e1,b0,a3,a2,a6,d7,a5,a4,3a,01,ee,ef,0d,fb,f2,2a,87,8a,48,49,e8,23,0c,\
"rkeysecu"=hex:13,94,27,57,7d,9f,6a,a1,a9,37,89,d3,a8,bd,af,7c
.
Completion time: 2009-10-03 6:34
ComboFix-quarantined-files.txt 2009-10-03 10:33
ComboFix2.txt 2009-09-30 09:54
ComboFix3.txt 2009-09-28 22:46

Pre-Run: 76,432,957,440 bytes free
Post-Run: 76,463,771,648 bytes free

103 --- E O F --- 2009-09-09 11:00

Edited by Liz_Burton, 04 October 2009 - 02:32 PM.


#12 Raktor

Posted 08 October 2009 - 06:15 PM

  • Please download Dial-A-Fix from one of the following mirrors:
  • Extract the zip file to your desktop.
  • Double click Dial-a-Fix.exe to start the program.
  • Press the green double checkmark box
  • UNcheck Empty Temp Folders, as well as Adjust Time/Date in the prep section.
  • Click on go
  • Exit/Close Dial-A-Fix
Next please go to windows update and install all critical updates

http://www.windowsupdate.com

Reboot, and see if that solves your update issues and banking issues.
Graduate from the WTT Malware Classroom
If you feel I have helped you, please consider a donation.
Topics will be closed after three days if there is no response.
Please do not PM me for malware removal assistance.

#13 Liz_Burton


Posted 12 October 2009 - 04:40 AM

I had already fixed the banking issues, but this helped me run Windows Update.

So far, the computer is working perfect - no more problems.

Thanks!
:(

#14 Raktor

Posted 14 October 2009 - 06:10 PM

Good job Liz, it's looking all clean. :(

Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
The above procedure will reset your System Restore and clear out the backups and quarantines created during the course of this fix.

You may remove all of the programs and logs generated during the course of this fix - except MBAM. Keep that, and update and scan with it once a week as additional protection.

How to reduce your chances of infection in the future

Web Browsers
Internet Explorer does come pre-installed with all Windows machines - but this doesn't necessarily mean you have to use it! Because it is the most widely used browser, it is targeted by more malware writers, making you more susceptible to infection. There are many other free alternatives out there that offer better security, take one of these for a spin and see if it takes your fancy.
Mozilla Firefox
Google Chrome
Opera

WOT - Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
Green to go
Yellow for caution
Red to stop
WOT has an addon available for both Firefox and Internet Explorer.

If you want to keep Internet Explorer, follow these additional steps to make the browser more secure.
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab.
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt.
    • Change the Download unsigned ActiveX controls to Disable.
    • Change the Initialise and script ActiveX controls not marked as safe to Disable.
    • Change the Installation of desktop items to Prompt.
    • Change the Launching programs and files in an IFRAME to Prompt.
    • Change the Navigate sub-frames across different domains to Prompt.
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
Additional Security Measures
Keep your software up-to-date - You should be manually performing updates of your software once a week to ensure that you are current with anti-virus definitions and patched for any security vulnerabilities. This does not just apply to your anti-virus/anti-malware software; malware authors rely on exploiting commonly used software such as Java and Adobe Reader, which need to be kept up to date as well.

Keep Windows up-to-date - Use Windows Update regularly to stay current with security patches and service packs.

MVPS Hosts File - This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.

Firewalls - Without a firewall your computer is susceptible to being hacked and taken over. If you use the Windows Firewall you might think that's sufficient - but it only controls one way of the traffic (inbound). Simply using a Firewall in its default configuration can lower your risk greatly.

What Not To Do
The Perils of P2P File Sharing - Even if a P2P application is on the 'safe' list, malware can still be downloaded through infected files - executables, zip files and even MP3s. It is just not worth the risk.

Fake Security/Optimization Software - Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

Additional Reading
How to prevent Malware - I strongly recommend that you read Miekiemoses' good advice

Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.

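The two things a helper reads off a ComboFix log like the one posted earlier in this thread (the Security Center AntiVirusOverride flag, which silences the "no antivirus" warning, and a firewall exception that opens a port such as 3389:TCP to any remote source), together with the Custom Level steps in the post above, expressed as a small audit in Python. This is an added example, not code from the thread or from ComboFix; it assumes the input is a REGEDIT4-style export of the kind ComboFix prints or `reg export` produces, maps the Custom Level steps to Microsoft's documented URL-action ids, and uses constructed sample inputs.

```python
import re

# Constructed sample, in the REGEDIT4 shape ComboFix prints under "Reg Loading Points".
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""
# Constructed Internet-zone (Zones\3) export: 1004 and 1804 still Enable, 1800 and 1607 absent.
SAMPLE_ZONE3 = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000001
"1004"=dword:00000000
"1201"=dword:00000003
"1804"=dword:00000000
"""
# The thread's Custom Level steps as IE URL-action ids (KB 182569): 0=Enable, 1=Prompt, 3=Disable.
IE_HARDENING = {"1001": ("Download signed ActiveX controls", 1),
                "1004": ("Download unsigned ActiveX controls", 3),
                "1201": ("Initialise and script ActiveX controls not marked as safe", 3),
                "1800": ("Installation of desktop items", 1),
                "1804": ("Launching programs and files in an IFRAME", 1),
                "1607": ("Navigate sub-frames across different domains", 1)}

def parse_reg(text):
    """Parse REGEDIT4-style text into {lower-cased key: {name: raw value}}."""
    out, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r'^\[(.+)\]$', line):
            cur = out.setdefault(m.group(1).lower(), {})
        elif (m := re.match(r'^"([^"]+)"=(.*)$', line)) and cur is not None:
            cur[m.group(1)] = m.group(2).strip()
    return out

def audit_log(text):
    """Flag the entries in this thread's log that weaken the host's defences."""
    findings = []
    for key, vals in parse_reg(text).items():
        if key.endswith("security center") and vals.get("AntiVirusOverride") == "dword:00000001":
            findings.append("Security Center AV warnings suppressed (AntiVirusOverride=1)")
        if key.endswith(r"globallyopenports\list"):  # exceptions open to any remote source
            findings += [f"firewall exception opens inbound {p}" for p in vals]
    return findings

def audit_zone3(text):
    """Internet-zone settings that still differ from the values the thread asks for."""
    zone = next((v for k, v in parse_reg(text).items() if k.endswith(r"\zones\3")), {})
    return [f"{label}: is {zone.get(a, 'absent')}, want dword:{want:08x}"
            for a, (label, want) in IE_HARDENING.items() if zone.get(a) != f"dword:{want:08x}"]
```

An absent action value is reported as such rather than assumed safe, since IE then falls back to the zone template's default.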
#15 Liz_Burton


Posted 19 October 2009 - 09:27 PM

Thanks Raktor!

Sorry it took me so long to get back to you - meant to do so sooner.

I am one happy, satisfied camper here. There is so much I need to learn, and you guys are a fantastic source for information and assistance. I'll be stopping by this site again in the future and check out some of the tutorials...there is so much to learn out there.

Thanks again,
Liz Burton
