
viruses reported and nsrbgxod.bak keeps reappearing


  • This topic is locked
4 replies to this topic

#1 LarryDys

LarryDys

  • Members
  • 4 posts
  • OFFLINE
  • Local time:07:53 PM

Posted 23 September 2009 - 04:34 PM

The message "your computer is infected" appears.
Ran McAfee, Ad-Aware and Malwarebytes.
The problem appears fixed, but then several hours later we are back where we started.
(I also have a ComboFix log.)

DDS (Ver_09-07-30.01) - NTFSx86
Run by HP_Owner at 17:17:37.12 on Wed 09/23/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.72 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\HP_Owner\Application Data\Smilebox\SmileboxTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\HP_Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
TB: Yahoo! Companion: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\ycomp5_5_7_0.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SmileboxTray] "c:\documents and settings\hp_owner\application data\smilebox\SmileboxTray.exe"
uRun: [calc] rundll32.exe c:\docume~1\hp_owner\protect.dll,_IWMPEvents@0
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HPHUPD06] c:\program files\hp\{aac4fc36-8f89-4587-8dd3-ebc57c83374d}\hphupd06.exe
mRun: [HPHmon06] c:\windows\system32\hphmon06.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [VTTimer] VTTimer.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [calc] rundll32.exe c:\windows\system32\calc.dll,_IWMPEvents@0
StartupFolder: c:\documents and settings\hp_owner\start menu\programs\startup\scandisk.dll
StartupFolder: c:\docume~1\hp_owner\startm~1\programs\startup\scandisk.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mups.lnk - c:\program files\belkin bulldog plus\MUPS.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quicke~1.lnk - c:\program files\quicken\bagent.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\309731\program\Updates from HP.exe
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: Add To HP Organize... - c:\progra~1\hewlet~1\hporga~1\bin\core.hp.main\SendTo.html
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: plaxo.com\www
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} - hxxp://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.3.8.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {5242A5A1-EF1E-11D5-B3EE-0050DAC5EBD0} - hxxp://www.pqpc.com/plugin/axversion/1410/printquick1410.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} - hxxp://66.242.36.104/app/view22RTE.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_owner\applic~1\mozilla\firefox\profiles\ti05nt6w.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: XULRunner: {1AE68458-9ECF-4288-A20E-7E4E4E1BD465} - c:\documents and settings\hp_owner\local settings\application data\{1AE68458-9ECF-4288-A20E-7E4E4E1BD465}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-21 64160]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-10-22 207656]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 1028432]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-10-22 358736]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-10-22 144704]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-10-22 79240]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-10-22 35240]
S2 mrtRate;mrtRate; [x]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-10-22 605512]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-10-22 34152]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-10-22 40488]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-11 24652]

=============== Created Last 30 ================

2009-09-23 16:19 22,528 a--sh--- c:\documents and settings\hp_owner\protect.dll
2009-09-23 16:16 50,176 ac------ c:\windows\system32\dllcache\proquota.exe
2009-09-23 16:16 50,176 a------- c:\windows\system32\proquota.exe
2009-09-23 16:03 229,888 a------- c:\windows\PEV.exe
2009-09-23 16:03 161,792 a------- c:\windows\SWREG.exe
2009-09-23 16:03 98,816 a------- c:\windows\sed.exe
2009-09-23 10:56 <DIR> --dsh--- c:\windows\ftpcache
2009-09-22 18:16 22,528 a--sh--- c:\windows\system32\calc.dll
2009-09-22 08:26 <DIR> --d-h--- c:\docume~1\hp_owner\applic~1\Malwarebytes
2009-09-21 21:48 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-21 21:48 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-21 21:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-21 21:48 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-21 21:44 14,554 a------- c:\docume~1\alluse~1\applic~1\jokeqiwuta.dat
2009-09-21 21:44 12,236 a------- c:\windows\system32\cebis.db
2009-09-21 21:44 11,581 a------- c:\windows\ujykeheva.com
2009-09-21 21:41 <DIR> --d----- c:\program files\Trend Micro
2009-09-21 15:01 16,166 a------- c:\windows\fuzad._sy
2009-09-21 14:56 0 a------- c:\windows\Mbumak.bin
2009-09-21 14:56 120 a------- c:\windows\Ddenoceqozuzeq.dat
2009-09-21 10:23 49,152 a------- C:\hwdgqmcw.exe
2009-09-21 10:23 90,624 a------- C:\vhlyrkv.exe
2009-09-21 10:23 6,656 a------- C:\rhjdpc.exe
2009-09-21 10:23 143,368 -------- C:\mdnsq.exe
2009-09-09 20:12 153,088 -c------ c:\windows\system32\dllcache\triedit.dll

==================== Find3M ====================

2009-09-22 22:31 87,552 a--sh--- c:\windows\system32\vepufini.dll
2009-09-22 10:32 88,064 a--sh--- c:\windows\system32\lelimafu.dll
2009-09-21 22:31 49,152 a--sh--- c:\windows\system32\tirowefa.dll
2009-09-21 21:44 14,535 a------- c:\program files\common files\vifum.db
2009-09-21 15:25 104,201 a------- c:\windows\hpoins04.dat
2009-09-21 15:01 17,896 a------- c:\program files\common files\sucerih.lib
2009-09-21 15:01 11,035 a------- c:\program files\common files\ynyca.db
2009-09-21 10:43 15,688 a------- c:\windows\system32\lsdelete.exe
2009-09-21 10:33 88,576 a--sh--- c:\windows\system32\yusonafi.dll
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-06-29 12:12 827,392 -------- c:\windows\system32\wininet.dll
2009-06-29 12:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 12:12 17,408 a------- c:\windows\system32\corpol.dll
2009-02-06 19:43 71,832 a---h--- c:\docume~1\hp_owner\applic~1\GDIPFONTCACHEV1.DAT
2006-02-05 09:17 848 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-09-29 10:03 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092920080930\index.dat

============= FINISH: 17:18:48.07 ===============


#2 jpshortstuff

jpshortstuff

    WhatTheTech Teacher


  • Members
  • 660 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:12:53 AM

Posted 24 September 2009 - 03:30 AM

Hi,

Open My Computer. Click Tools >> Folder Options >> View, then ensure "Show hidden files and folders" is selected. Next, navigate to this folder:
c:\documents and settings\hp_owner\local settings\application data

Right click on this folder:
{1AE68458-9ECF-4288-A20E-7E4E4E1BD465}
and select Send To >> Compressed (zipped) Folder

Please submit that .zip we just created to this page:
http://www.bleepingcomputer.com/submit-mal....php?channel=72


Please post the log from ComboFix (C:\ComboFix.txt) so I can see what was removed.

Thanks.
Trained at the What The Tech Classroom where you too could learn to help others.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here.

#3 LarryDys

LarryDys
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:07:53 PM

Posted 24 September 2009 - 07:07 AM

I think I replied, but I'm not sure (new at this). In case not, I'll try again.
I may surrender to this virus and take it to a tech.

ComboFix 09-09-22.03 - HP_Owner 09/23/2009 16:06.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.155 [GMT -4:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\divyh.reg
c:\documents and settings\All Users\Application Data\iboj.lib
c:\documents and settings\All Users\Application Data\ubyrit.dll
c:\documents and settings\All Users\Documents\amaraxe.ban
c:\documents and settings\All Users\Documents\odofoce.reg
c:\documents and settings\All Users\documents\setup.exe
c:\documents and settings\All Users\Documents\yratejox.dl
c:\documents and settings\HP_Owner\Application Data\bimygo.dll
c:\documents and settings\HP_Owner\Application Data\bugu.bat
c:\documents and settings\HP_Owner\Application Data\ewufasi.lib
c:\documents and settings\HP_Owner\Application Data\inizut.lib
c:\documents and settings\HP_Owner\Application Data\togyqu.bat
c:\documents and settings\HP_Owner\Cookies\ahyrahirur.bin
c:\documents and settings\HP_Owner\Local Settings\Application Data\adovy.bin
c:\documents and settings\HP_Owner\Local Settings\Application Data\nowu.dl
c:\documents and settings\HP_Owner\Local Settings\Application Data\odefal.exe
c:\documents and settings\HP_Owner\Local Settings\Application Data\onucu.vbs
c:\documents and settings\HP_Owner\Local Settings\Application Data\ruzenarok.com
c:\documents and settings\HP_Owner\Local Settings\Application Data\tepuboxo._sy
c:\documents and settings\HP_Owner\Local Settings\Application Data\xixadyjel.pif
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\agov._sy
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\kehocexypy.reg
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\natyxubiny.scr
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\piruqihigo.vbs
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\ycityqyz.bat
c:\documents and settings\HP_Owner\protect.dll
c:\program files\Common Files\bepesuf.bin
c:\program files\Common Files\qequ.vbs
c:\program files\Mozilla Firefox\AccessibleMarshal.dll
c:\program files\Mozilla Firefox\Components\browserdirprovider.dll
c:\program files\Mozilla Firefox\Components\brwsrcmp.dll
c:\program files\Mozilla Firefox\xpcom.dll
c:\program files\Mozilla Firefox\xul.dll
c:\recycler\S-1-5-21-1028236362-1211313215-538023345-1003
c:\windows\egalu.pif
c:\windows\esen.reg
c:\windows\gubolaq.bat
c:\windows\ifodary.ban
c:\windows\Installer\6ffaf72b.msp
c:\windows\iqevujum.sys
c:\windows\odyfavo.sys
c:\windows\system32\doletode.dll
c:\windows\system32\goleji._dl
c:\windows\system32\huhotiru.dll
c:\windows\system32\karuwuc.pif
c:\windows\system32\kerodaru.dll
c:\windows\system32\malubeje.dll
c:\windows\system32\ps2.bat
c:\windows\system32\romakovi.dll
c:\windows\system32\sonoduyo.dll
c:\windows\system32\tigifofi.dll
c:\windows\system32\tuwojaga.dll
c:\windows\system32\UACamfqoeprme.log
c:\windows\system32\vumivunu.exe
c:\windows\system32\wbem\proquota.exe
c:\windows\viassary-hp.reg
D:\Autorun.inf

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((( Files Created from 2009-08-23 to 2009-09-23 )))))))))))))))))))))))))))))))
.

2009-09-23 20:16 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-09-23 20:16 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-09-23 14:56 . 2009-09-23 14:56 -------- d-sh--w- c:\windows\ftpcache
2009-09-22 22:16 . 2009-09-23 16:52 22528 --sha-w- c:\windows\system32\calc.dll
2009-09-22 12:26 . 2009-09-22 12:26 -------- d--h--w- c:\documents and settings\HP_Owner\Application Data\Malwarebytes
2009-09-22 01:48 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-22 01:48 . 2009-09-22 01:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-22 01:48 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-22 01:48 . 2009-09-22 12:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-22 01:44 . 2009-09-22 01:44 11581 ----a-w- c:\windows\ujykeheva.com
2009-09-22 01:41 . 2009-09-22 01:41 -------- d-----w- c:\program files\Trend Micro
2009-09-21 18:56 . 2009-09-21 18:56 0 ----a-w- c:\windows\Mbumak.bin
2009-09-21 18:56 . 2009-09-21 21:18 120 ----a-w- c:\windows\Ddenoceqozuzeq.dat
2009-09-21 18:56 . 2009-09-21 18:56 -------- d--h--w- c:\documents and settings\HP_Owner\Local Settings\Application Data\{1AE68458-9ECF-4288-A20E-7E4E4E1BD465}
2009-09-21 14:23 . 2009-09-21 14:23 49152 ----a-w- C:\hwdgqmcw.exe
2009-09-21 14:23 . 2009-09-21 14:24 6656 ----a-w- C:\rhjdpc.exe
2009-09-21 14:23 . 2009-09-21 14:23 90624 ----a-w- C:\vhlyrkv.exe
2009-09-21 14:23 . 2009-09-21 14:24 143368 ------w- C:\mdnsq.exe
2009-09-10 00:12 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-23 16:55 . 2005-04-02 23:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-23 11:39 . 2005-04-02 23:43 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-23 02:31 . 2009-06-23 02:31 87552 --sha-w- c:\windows\system32\vepufini.dll
2009-09-22 14:32 . 2009-06-22 14:31 88064 --sha-w- c:\windows\system32\lelimafu.dll
2009-09-22 12:28 . 2008-06-12 14:24 -------- d--h--w- c:\documents and settings\HP_Owner\Application Data\U3
2009-09-22 02:31 . 2009-06-22 02:30 49152 --sha-w- c:\windows\system32\tirowefa.dll
2009-09-22 01:44 . 2009-09-22 01:44 14554 ----a-w- c:\documents and settings\All Users\Application Data\jokeqiwuta.dat
2009-09-22 01:44 . 2009-09-22 01:44 14535 ----a-w- c:\program files\Common Files\vifum.db
2009-09-21 19:25 . 2004-08-07 20:42 104201 ----a-w- c:\windows\hpoins04.dat
2009-09-21 19:01 . 2009-09-21 19:01 17896 ----a-w- c:\program files\Common Files\sucerih.lib
2009-09-21 19:01 . 2009-09-21 19:01 11035 ----a-w- c:\program files\Common Files\ynyca.db
2009-09-21 18:51 . 2008-10-22 19:47 -------- d-----w- c:\program files\McAfee
2009-09-21 14:43 . 2009-02-21 16:04 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-09-21 14:33 . 2009-06-21 14:33 88576 --sha-w- c:\windows\system32\yusonafi.dll
2009-08-05 09:01 . 2004-08-07 18:47 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-18 12:13 . 2004-11-15 00:46 72224 ---ha-w- c:\documents and settings\HP_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-17 19:01 . 2004-08-07 18:46 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-07 18:47 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-29 16:12 . 2004-08-07 18:47 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-07 18:46 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-07 18:46 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-22 02:31 . 2009-06-22 02:31 49152 --sha-w- c:\windows\system32\fenozano.dll.tmp
2009-06-22 02:31 . 2009-06-22 02:31 49152 --sha-w- c:\windows\system32\gimujuri.dll.tmp
2006-02-05 13:17 . 2005-12-27 14:32 848 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-06-22 02:31 . 2009-06-22 02:31 49152 --sha-w- c:\windows\system32\tewovuza.dll.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SmileboxTray"="c:\documents and settings\HP_Owner\Application Data\Smilebox\SmileboxTray.exe" [2009-06-08 266888]
"calc"="c:\docume~1\HP_Owner\protect.dll" [2009-09-23 22528]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-08 49152]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-08 659456]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-08-07 180269]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-02-23 278528]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-06-09 282624]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-09-21 520024]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"calc"="c:\windows\system32\calc.dll" [2009-09-23 22528]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2004-10-22 53248]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-03-04 88209]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]

c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\
scandisk.dll [2009-9-22 22528]
scandisk.lnk - c:\windows\system32\rundll32.exe [2004-8-7 33280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-29 241664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
MUPS.lnk - c:\program files\Belkin Bulldog Plus\MUPS.exe [2004-12-27 49152]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-7-29 57344]
Updates from HP.lnk - c:\program files\Updates from HP\309731\Program\Updates from HP.exe [2004-8-7 16423]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcvsmap.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/21/2009 11:43 AM 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 5:34 PM 1028432]
S2 mrtRate;mrtRate; [x]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/11/2007 10:53 AM 24652]
.
Contents of the 'Scheduled Tasks' folder

2009-09-21 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 14:43]

2007-09-24 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Easy Internet signup\HPSdpApp.exe [2004-06-22 04:19]

2009-09-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-10-22 22:10]

2009-09-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-10-22 22:10]

2009-09-23 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-08-08 22:26]

2009-09-23 c:\windows\Tasks\User_Feed_Synchronization-{CE356040-B900-4C71-A5FE-AEEF03BA5890}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 16:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: Add To HP Organize... - c:\progra~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
Trusted Zone: plaxo.com\www
DPF: {5242A5A1-EF1E-11D5-B3EE-0050DAC5EBD0} - hxxp://www.pqpc.com/plugin/axversion/1410/printquick1410.cab
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\ti05nt6w.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: XULRunner: {1AE68458-9ECF-4288-A20E-7E4E4E1BD465} - c:\documents and settings\HP_Owner\Local Settings\Application Data\{1AE68458-9ECF-4288-A20E-7E4E4E1BD465}
.
- - - - ORPHANS REMOVED - - - -

BHO-{7d643eeb-3e14-4081-83df-b6850d1504e1} - tigifofi.dll
HKLM-Run-kularusefa - sonoduyo.dll
AddRemove-NVIDIA GART Driver - c:\windows\system32\nvugart.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-23 16:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3948)
c:\windows\system32\WININET.dll
c:\windows\system32\calc.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\HPZipm12.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2009-09-23 16:31 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-23 20:31

Pre-Run: 131,016,716,288 bytes free
Post-Run: 131,111,452,672 bytes free

260 --- E O F --- 2009-09-10 07:04

#4 LarryDys

LarryDys
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:07:53 PM

Posted 24 September 2009 - 10:56 AM

Decided this one was beyond me - sent it to a tech.
Thanks for your response, but it looks like the OS is corrupted too.

#5 jpshortstuff

jpshortstuff

    WhatTheTech Teacher


  • Members
  • 660 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:12:53 AM

Posted 24 September 2009 - 12:36 PM

Shame, thanks for uploading that sample for me though. Hope the Tech works out for you.



