
Infected with Rootkit and Vundo


24 replies to this topic

#1 jayhawk85

Posted 29 September 2009 - 10:46 PM

Hi,

I was referred to this forum by another thread by a helper. He suggested that my machine was infected with a rootkit and that I run DDS.

Here is the link to the other thread http://www.bleepingcomputer.com/forums/t/261178/malware-found-chkdsk-problems/

I have a Dell Inspiron 9300. Have had it for about 4-5 years. Recently started slowing down quite a bit, so I ran some scans with Avast and Malwarebytes. The Malwarebytes scan came back with quite a few infections (including rootkit and Vundo). It asked me to clean the infections, which I opted to do, and it suggested it needs to restart the computer for the malware to be completely removed.

Once it restarted, Windows started to load, and it gave me a blue screen that was running CHKDSK. Stage 1 of 3 completed just fine, but in stage 2, when checking indexes, the computer automatically restarts after reaching about 15-17%. So then I decided to restart with the last working configuration, and it boots up, but I am getting popups and the machine is very slow.



The DDS Log:

DDS (Ver_09-09-29.01) - NTFSx86
Run by Kumail at 22:31:20.48 on Tue 09/29/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.550 [GMT -5:00]

AV: avast! antivirus 4.8.1356 [VPS 090929-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
svchost.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\Program Files\AIM6\aolsoftware.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
svchost
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Kumail\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://www.yahoo.com
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = iexplore
mSearchAssistant = hxxp://home.peoplepc.com/search
uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: X1IEHook Class: {52706ef7-d7a2-49ad-a615-e903858cf284} - c:\program files\netzero\qsacc\x1IEBHO.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: MSNToolBandBHO: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\msn toolbar\01.02.5000.1021\en-us\msntb.dll
TB: MSN: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\msn toolbar\01.02.5000.1021\en-us\msntb.dll
TB: ZeroBar: {f5735c15-1fb2-41fe-ba12-242757e69dde} - c:\program files\netzero\toolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: AIM Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\kumail\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [AdobeUpdater] "c:\program files\common files\adobe\updater5\AdobeUpdater.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: []
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [MCAgentExe] c:\progra~1\mcafee.com\agent\mcagent.exe
mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\mcupdate.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [dudajiyag] Rundll32.exe "c:\windows\system32\viyezoya.dll",a
mRun: [11622504] c:\documents and settings\all users\application data\11622504\11622504.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 9.0\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html
IE: Display All Images with Full Quality - "c:\program files\netzero\qsacc\appres.dll/228"
IE: Display Image with Full Quality - "c:\program files\netzero\qsacc\appres.dll/227"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} - hxxps://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
AppInit_DLLs: setulame.dll c:\windows\system32\viyezoya.dll
SSODL: ruwelebug - {42f2b1c3-0651-4f91-9ddb-a31819041963} - c:\windows\system32\viyezoya.dll
STS: kupuhivus: {42f2b1c3-0651-4f91-9ddb-a31819041963} - c:\windows\system32\viyezoya.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\mlJAsTjH
LSA: Notification Packages = scecli kunisulu.dll jenavode.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-9-29 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-9-29 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-9-29 138680]
R2 McDetect.exe;McAfee WSC Integration;c:\program files\mcafee.com\agent\Mcdetect.exe [2005-10-9 126976]
R2 McTskshd.exe;McAfee Task Scheduler;c:\progra~1\mcafee.com\agent\mctskshd.exe [2005-10-9 122368]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-2-15 24652]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-9-29 254040]
S2 szkg5;szkg;c:\windows\system32\drivers\szkg.sys --> c:\windows\system32\drivers\szkg.sys [?]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-9-29 352920]
S3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [2006-12-12 16194]
S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe [2005-9-7 245760]
S3 NETGEAR_WG511_SERVICE;NETGEAR WG511T Wireless Adapter Service;c:\windows\system32\drivers\wg511nd5.sys --> c:\windows\system32\drivers\wg511nd5.sys [?]

=============== Created Last 30 ================

2009-09-29 18:28 --d----- c:\docume~1\alluse~1\applic~1\11622504
2009-09-29 00:27 6,144 a------- c:\windows\system32\kbd101b.dll
2009-09-29 00:27 6,144 a------- c:\windows\system32\dllcache\kbd101b.dll
2009-09-28 21:33 2,701,702,884 -------- c:\documents and settings\kumail\My Documents.zip
2009-09-28 21:28 --d----- C:\Backup
2009-09-28 20:40 --d----- c:\program files\Cobian Backup 8
2009-09-28 20:09 54,016 a------- c:\windows\system32\drivers\aggry.sys
2009-09-28 19:29 --d----- c:\windows\system32\NtmsData
2009-09-28 19:05 54,016 a------- c:\windows\system32\drivers\lmgmgv.sys
2009-09-28 01:30 54,016 a------- c:\windows\system32\drivers\lvfq.sys
2009-09-28 01:03 57 -------- C:\xcrashdump.dat
2009-09-27 23:27 54,016 a------- c:\windows\system32\drivers\lntsnubv.sys
2009-09-27 23:10 --d----- c:\docume~1\kumail\applic~1\Malwarebytes
2009-09-27 23:09 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-27 22:36 1,816 a------- c:\windows\system32\drivers\kgpfr2.cfg
2009-09-27 22:36 2,184 a------- c:\windows\system32\drivers\kgpcpy.cfg
2009-09-27 22:25 --d----- c:\docume~1\alluse~1\applic~1\SITEguard
2009-09-27 22:23 --d----- c:\program files\common files\iS3
2009-09-27 22:23 --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-09-27 22:13 0 a------- c:\windows\system32\41.exe
2009-09-27 22:11 19,999 a------- c:\windows\ogiquty._sy
2009-09-27 22:11 18,378 a------- c:\windows\system32\werumoj.bat
2009-09-27 22:11 16,481 a------- c:\windows\system32\waxuzew.inf
2009-09-27 22:11 16,335 a------- c:\windows\etomynu.bat
2009-09-27 22:11 15,859 a------- c:\windows\yrix.reg
2009-09-27 22:11 14,355 a------- c:\windows\ulodev._sy
2009-09-27 22:11 10,632 a------- c:\windows\aryhuj.lib
2009-09-27 22:11 10,307 a------- c:\windows\ufygutyp.reg
2009-09-27 22:11 10,286 a------- c:\windows\apavuqyco._dl
2009-09-27 22:11 16,372 -------- c:\docume~1\kumail\applic~1\uderiwo.dat
2009-09-27 22:11 16,260 -------- c:\docume~1\kumail\applic~1\ufabuxymez.scr
2009-09-27 22:11 14,458 -------- c:\docume~1\alluse~1\applic~1\nidub.pif
2009-09-27 22:11 10,792 -------- c:\docume~1\kumail\applic~1\ravimuc.dll
2009-09-27 22:06 46 -------- C:\p2hhr.bat
2009-09-27 22:04 5,632 -------- C:\rlswn.exe
2009-09-08 19:47 153,088 -------- c:\windows\system32\dllcache\triedit.dll

==================== Find3M ====================

2009-09-29 18:28 1,082,916 a--sh--- c:\windows\system32\sudinasu.exe
2009-09-29 18:27 91,136 a--sh--- c:\windows\system32\viyezoya.dll
2009-09-29 18:27 39,424 a--sh--- c:\windows\system32\tukuhegu.dll
2009-09-28 18:41 52,736 a--sh--- c:\windows\system32\vovuhinu.dll
2009-09-28 18:40 88,576 -------- c:\windows\system32\penimuku.dll
2009-09-27 22:12 46,080 a--sh--- c:\windows\system32\zitotela.exe
2009-09-27 22:11 16,475 a------- c:\program files\common files\ruzaqez.dl
2009-09-27 22:11 12,658 a------- c:\program files\common files\zagowyfygo.db
2009-09-27 22:11 11,486 a------- c:\program files\common files\vyhukyc.dl
2009-08-13 10:16 512,000 a------- c:\windows\system32\dllcache\jscript.dll
2009-08-05 04:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 04:11 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-19 08:33 3,597,824 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-19 08:32 6,067,200 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-17 13:55 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 13:55 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 10:08 286,720 -------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-13 10:08 5,537,792 -------- c:\windows\system32\dllcache\wmp.dll
2009-07-10 08:42 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2008-01-07 00:25 6,026,816 a------- c:\program files\Firefox Setup 2.0.0.11.exe
2007-08-21 20:30 51,592 -------- c:\docume~1\kumail\applic~1\GDIPFONTCACHEV1.DAT
2008-08-07 23:37 56 ---shr-- c:\windows\system32\30A606CA93.sys
2008-12-15 22:05 1,428 a--sh--- c:\windows\system32\GjPqttwa.ini2
2008-12-16 00:17 4,815 a--sh--- c:\windows\system32\HjTsAJlm.ini2
2009-06-28 18:41 52,736 a--sh--- c:\windows\system32\jenavode.dll
2008-08-07 23:37 1,890 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-06-28 18:41 52,736 a--sh--- c:\windows\system32\setulame.dll

============= FINISH: 22:33:45.26 ===============

Attached are the attach.txt and ark.txt files.

Thank you for your help


#2 SifuMike, malware expert, Staff Emeritus

Posted 05 October 2009 - 09:34 PM

Hello jayhawk85,

Let's clear out your temp files first

Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

If you are using Firefox and this has caused page loading problems then please clear your private data. To do this go
to the Tools menu, select Clear Private Data, and then check Cache. Click Clear Private Data Now.

Then close Firefox and then reopen it.


Now let's see what else is in the PC

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it combo-fix.exe
  • Disable your Avast AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    AVAST will cause BSOD unless you disable it like this:
    Posted Image
    (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Edited by SifuMike, 05 October 2009 - 09:36 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 jayhawk85, Topic Starter

Posted 05 October 2009 - 11:42 PM

Thank you for taking the time to help me, I really appreciate it.

I followed your directions, and here is the log:

ComboFix 09-10-04.01 - Kumail 10/05/2009 23:17.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.652 [GMT -5:00]
Running from: c:\documents and settings\Kumail\My Documents\Downloads\ComboFix.exe
AV: avast! antivirus 4.8.1356 [VPS 091005-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\aziseqy.dl
c:\documents and settings\All Users\Application Data\nidub.pif
c:\documents and settings\All Users\Documents\pafazytyxy.inf
c:\documents and settings\All Users\Documents\pywigu.vbs
c:\documents and settings\Kumail\Application Data\ravimuc.dll
c:\documents and settings\Kumail\Application Data\reviry.dl
c:\documents and settings\Kumail\Application Data\ufabuxymez.scr
c:\documents and settings\Kumail\Local Settings\Application Data\omyl.com
c:\documents and settings\Kumail\Local Settings\Application Data\wota.scr
c:\documents and settings\Kumail\Local Settings\Temporary Internet Files\wurodaze.reg
C:\p2hhr.bat
c:\program files\Common Files\ruzaqez.dl
c:\program files\Common Files\vyhukyc.dl
c:\windows\apavuqyco._dl
c:\windows\etomynu.bat
c:\windows\system32\41.exe
c:\windows\system32\bszip.dll
c:\windows\system32\drivers\gasfkyxtdhmeyn.sys
c:\windows\system32\farodfrh.ini
c:\windows\system32\fedakawu.dll
c:\windows\system32\gapiyivi.dll
c:\windows\system32\gasfkyackjrtoj.dat
c:\windows\system32\gasfkydovnvtrf.dat
c:\windows\system32\gasfkykxfonpgl.dll
c:\windows\system32\gasfkymtnxvnps.dll
c:\windows\system32\gasfkyuiuapklq.dll
c:\windows\system32\ghhytyih.ini
c:\windows\system32\gidogiso.exe
c:\windows\system32\GjPqttwa.ini
c:\windows\system32\GjPqttwa.ini2
c:\windows\system32\HjTsAJlm.ini
c:\windows\system32\HjTsAJlm.ini2
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
c:\windows\system32\jopibuva.dll
c:\windows\system32\laweviri.dll
c:\windows\system32\lemirifo.dll
c:\windows\system32\midjntbg.ini
c:\windows\system32\retileve.dll
c:\windows\system32\ridevalu.dll
c:\windows\system32\waxuzew.inf
c:\windows\system32\wbem\proquota.exe
c:\windows\system32\werumoj.bat
c:\windows\ufygutyp.reg
c:\windows\yrix.reg
C:\xcrashdump.dat

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gasfkyvrylkutc
-------\Legacy_gasfkyvrylkutc


((((((((((((((((((((((((( Files Created from 2009-09-06 to 2009-10-06 )))))))))))))))))))))))))))))))
.

2009-10-06 04:24 . 2004-08-10 10:00 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-06 04:24 . 2004-08-10 10:00 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-10-06 00:22 . 2009-10-06 00:22 -------- d-----w- c:\documents and settings\Kumail\Application Data\5623502143
2009-10-05 00:55 . 2009-10-05 00:55 54016 ----a-w- c:\windows\system32\drivers\obqijvt.sys
2009-10-03 00:17 . 2009-10-03 00:17 54016 ----a-w- c:\windows\system32\drivers\idxohc.sys
2009-10-03 00:06 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-03 00:06 . 2009-10-03 00:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-03 00:06 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-02 23:07 . 2009-10-02 23:21 131731 ----a-w- c:\windows\system32\dbsinit.exe
2009-09-29 05:35 . 2009-09-15 10:54 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-09-29 05:35 . 2009-09-15 10:54 52368 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-09-29 05:35 . 2009-09-15 10:53 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-09-29 05:35 . 2009-09-15 10:53 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-09-29 05:35 . 2009-09-15 10:56 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-09-29 05:35 . 2009-09-15 10:56 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-09-29 05:35 . 2009-09-15 10:55 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-09-29 05:35 . 2009-09-15 10:55 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-09-29 05:35 . 2009-09-15 10:59 1279968 ----a-w- c:\windows\system32\aswBoot.exe
2009-09-29 05:27 . 2001-08-17 19:55 6144 ----a-w- c:\windows\system32\kbd101b.dll
2009-09-29 05:27 . 2001-08-17 19:55 6144 ----a-w- c:\windows\system32\dllcache\kbd101b.dll
2009-09-29 02:33 . 2009-09-29 02:48 2701702884 ------w- c:\documents and settings\Kumail\My Documents.zip
2009-09-29 02:28 . 2009-09-29 02:33 -------- d-----w- C:\Backup
2009-09-29 01:40 . 2009-09-29 02:41 -------- d-----w- c:\program files\Cobian Backup 8
2009-09-29 01:09 . 2009-09-29 01:09 54016 ----a-w- c:\windows\system32\drivers\aggry.sys
2009-09-29 00:29 . 2009-09-29 02:57 -------- d-----w- c:\windows\system32\NtmsData
2009-09-29 00:05 . 2009-09-29 00:05 54016 ----a-w- c:\windows\system32\drivers\lmgmgv.sys
2009-09-28 06:30 . 2009-09-28 06:30 54016 ----a-w- c:\windows\system32\drivers\lvfq.sys
2009-09-28 04:27 . 2009-09-28 04:27 54016 ----a-w- c:\windows\system32\drivers\lntsnubv.sys
2009-09-28 04:10 . 2009-09-28 04:10 -------- d-----w- c:\documents and settings\Kumail\Application Data\Malwarebytes
2009-09-28 04:09 . 2009-09-28 04:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-28 03:25 . 2009-09-28 03:40 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-09-28 03:23 . 2009-09-28 04:02 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-09-28 03:23 . 2009-09-28 03:23 -------- d-----w- c:\program files\Common Files\iS3
2009-09-09 00:47 . 2009-06-21 22:04 153088 ------w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-06 01:25 . 2008-12-16 04:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-10-03 21:49 . 2009-07-03 21:49 90624 --sha-w- c:\windows\system32\lefofafi.dll
2009-10-03 21:49 . 2009-07-03 21:49 38912 --sha-w- c:\windows\system32\juhijoye.dll
2009-10-02 23:05 . 2009-07-02 23:05 52224 --sha-w- c:\windows\system32\seyununu.dll
2009-10-02 23:05 . 2009-07-02 23:05 88576 ------w- c:\windows\system32\fibunewu.dll
2009-10-02 23:05 . 2009-07-02 23:05 38400 --sha-w- c:\windows\system32\yevalove.dll
2009-10-02 05:39 . 2009-07-02 05:39 38912 --sha-w- c:\windows\system32\gubekuku.dll
2009-09-30 22:50 . 2009-06-30 22:49 50688 --sha-w- c:\windows\system32\jepeyumu.dll
2009-09-29 05:35 . 2007-12-01 16:51 -------- d-----w- c:\program files\Alwil Software
2009-09-28 03:54 . 2009-09-28 03:36 1816 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2009-09-28 03:38 . 2009-09-28 03:36 2184 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-09-28 03:11 . 2009-09-28 03:11 16372 ------w- c:\documents and settings\Kumail\Application Data\uderiwo.dat
2009-09-28 03:11 . 2009-09-28 03:11 12658 ----a-w- c:\program files\Common Files\zagowyfygo.db
2009-09-22 00:49 . 2008-11-15 05:26 -------- d-----w- c:\documents and settings\Kumail\Application Data\Move Networks
2009-08-05 09:11 . 2004-08-19 20:49 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 18:55 . 2004-08-19 20:49 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 15:08 . 2004-08-19 20:50 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2008-01-07 05:25 . 2008-01-07 05:24 6026816 ----a-w- c:\program files\Firefox Setup 2.0.0.11.exe
2008-08-08 04:37 . 2007-05-22 07:51 56 --sh--r- c:\windows\system32\30A606CA93.sys
2009-07-02 23:06 . 2009-07-02 23:06 52224 --sha-w- c:\windows\system32\gikowolo.dll
2008-08-08 04:37 . 2007-05-22 07:51 1890 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-06-30 22:50 . 2009-06-30 22:50 50688 --sha-w- c:\windows\system32\kozopura.dll.tmp
2009-06-30 22:50 . 2009-06-30 22:50 50688 --sha-w- c:\windows\system32\tehizalu.dll.tmp
2009-06-30 22:50 . 2009-06-30 22:50 50688 --sha-w- c:\windows\system32\yugukube.dll.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{db201f89-15fe-47af-9c67-b8f5b001140f}]
2009-07-02 23:06 52224 --sha-w- c:\windows\system32\gikowolo.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2005-05-15 332800]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"Google Update"="c:\documents and settings\Kumail\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-04 133104]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-16 39408]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2009-01-04 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-04 344064]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 53248]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-09-07 26112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-23 303104]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 212992]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-03-06 236016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]
"5623502143"="c:\documents and settings\Kumail\Application Data\5623502143\5623502143.exe" [2009-10-06 1048099]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2005-9-7 156784]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-9-7 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Microsoft Plus! Photo Story 2 LE\\PS2Trial.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [9/29/2009 12:35 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/29/2009 12:35 AM 20560]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/15/2007 12:09 AM 24652]
S2 szkg5;szkg;c:\windows\system32\DRIVERS\szkg.sys --> c:\windows\system32\DRIVERS\szkg.sys [?]
S3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [12/12/2006 2:06 PM 16194]
S3 NETGEAR_WG511_SERVICE;NETGEAR WG511T Wireless Adapter Service;c:\windows\system32\DRIVERS\wg511nd5.sys --> c:\windows\system32\DRIVERS\wg511nd5.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-10-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-16 04:07]

2009-10-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2500930771-1355840681-586886793-1005Core.job
- c:\documents and settings\Kumail\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 00:27]

2009-10-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2500930771-1355840681-586886793-1005UA.job
- c:\documents and settings\Kumail\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 00:27]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = iexplore
IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: Display All Images with Full Quality - "c:\program files\NetZero\qsacc\appres.dll/228"
IE: Display Image with Full Quality - "c:\program files\NetZero\qsacc\appres.dll/227"
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} - hxxps://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cab
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
HKLM-Run-dudajiyag - c:\windows\system32\lemirifo.dll
HKLM-Run-jupezajugu - laweviri.dll
SharedTaskScheduler-{cf348c6e-ff03-49d5-ac8d-386dd6858fa8} - c:\windows\system32\lemirifo.dll
SSODL-ziruwavop-{cf348c6e-ff03-49d5-ac8d-386dd6858fa8} - c:\windows\system32\lemirifo.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-05 23:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3988)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\McAfee.com\Agent\Mcdetect.exe
c:\progra~1\McAfee.com\Agent\McTskshd.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\AIM6\aolsoftware.exe
c:\windows\system32\dllhost.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\ehome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2009-10-06 23:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-06 04:34

Pre-Run: 46,431,903,744 bytes free
Post-Run: 46,766,284,800 bytes free

Current=2 Default=2 Failed=6 LastKnownGood=7 Sets=1,2,3,4,5,6,7
288 --- E O F --- 2009-09-10 00:04

Edited by SifuMike, 05 October 2009 - 11:48 PM.
inserted log for ease of reading


#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:14 PM

Posted 05 October 2009 - 11:49 PM

Did you install Recovery Console? I don't see it. :(

Please do not attach your logs, as that makes them hard to read.

Edited by SifuMike, 05 October 2009 - 11:50 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 SifuMike

Posted 06 October 2009 - 12:01 AM

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Scroll down to Step 1, and select the download that's appropriate for your Operating System. Download the file & save it as it's originally named.
Your Operating System is Microsoft Windows XP Professional
Note: If you have SP3, use the SP2 package.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

Posted Image
  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.


    Posted Image


  • At the next prompt, click 'Yes' to run the full ComboFix scan.

  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt in your next reply.

Edited by SifuMike, 06 October 2009 - 12:02 AM.


#6 jayhawk85

jayhawk85
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:09:14 PM

Posted 06 October 2009 - 12:03 AM

Yes, when it asked me to install Recovery Console I said yes. It started the process... and a few seconds later I received a message saying ComboFix had detected a rootkit, or something to that nature. And then it automatically rebooted.

I don't know if in that process the Recovery Console download was interrupted, but it did show the download as 100% complete.

Sorry about attaching the log, I'll be sure to copy them from now onward.

#7 SifuMike

Posted 06 October 2009 - 12:05 AM

Please read my Post #5 and install Recovery Console.

#8 jayhawk85

Posted 06 October 2009 - 12:08 AM

On the Microsoft website, it gives me options for Windows XP Home and Professional editions.

I have Windows XP Media Edition. Should I download the XP Home release?

Thank you

#9 jayhawk85

Posted 06 October 2009 - 12:09 AM

Disregard last post. Sorry.

#10 SifuMike

Posted 06 October 2009 - 12:11 AM

If you have Windows Media Edition then you will need to download the XP Pro setup package.

#11 jayhawk85

Posted 06 October 2009 - 12:55 AM

I'm sorry, when I tried following directions from the last post, ComboFix started but my machine rebooted, and after the reboot I could not see my desktop.

I did notice on the reboot, however, that before Windows loaded I was given the option between Windows XP or the Recovery Console. I don't know if that is of any importance or shows download of the Recovery Console, but it did show as an option.

#12 SifuMike

Posted 06 October 2009 - 10:23 AM

I did notice on the reboot, however, that before Windows loaded I was given the option between Windows XP or the Recovery Console. I don't know if that is of any importance or shows download of the Recovery Console, but it did show as an option.

That is normal after you install Recovery Console.
You will normally choose Windows XP.
Recovery Console is a safety net, used if your computer is having major problems.

Please post the C:\ComboFix.txt in your next reply.

Edited by SifuMike, 06 October 2009 - 10:24 AM.


#13 jayhawk85

Posted 06 October 2009 - 06:10 PM

Here is the log.

ComboFix 09-10-04.01 - Kumail 10/06/2009 17:57.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.595 [GMT -5:00]
Running from: c:\documents and settings\Kumail\My Documents\Downloads\ComboFix.exe
AV: avast! antivirus 4.8.1356 [VPS 091005-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\gubekuku.dll
c:\windows\system32\juhijoye.dll
c:\windows\system32\lefofafi.dll
c:\windows\system32\seyununu.dll
c:\windows\system32\yevalove.dll

.
((((((((((((((((((((((((( Files Created from 2009-09-06 to 2009-10-06 )))))))))))))))))))))))))))))))
.

2009-10-06 04:24 . 2004-08-10 10:00 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-06 04:24 . 2004-08-10 10:00 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-10-05 00:55 . 2009-10-05 00:55 54016 ----a-w- c:\windows\system32\drivers\obqijvt.sys
2009-10-03 00:17 . 2009-10-03 00:17 54016 ----a-w- c:\windows\system32\drivers\idxohc.sys
2009-10-03 00:06 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-03 00:06 . 2009-10-03 00:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-03 00:06 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-02 23:07 . 2009-10-02 23:21 131731 ----a-w- c:\windows\system32\dbsinit.exe
2009-09-29 05:35 . 2009-09-15 10:54 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-09-29 05:35 . 2009-09-15 10:54 52368 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-09-29 05:35 . 2009-09-15 10:53 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-09-29 05:35 . 2009-09-15 10:53 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-09-29 05:35 . 2009-09-15 10:56 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-09-29 05:35 . 2009-09-15 10:56 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-09-29 05:35 . 2009-09-15 10:55 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-09-29 05:35 . 2009-09-15 10:55 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-09-29 05:35 . 2009-09-15 10:59 1279968 ----a-w- c:\windows\system32\aswBoot.exe
2009-09-29 05:27 . 2001-08-17 19:55 6144 ----a-w- c:\windows\system32\kbd101b.dll
2009-09-29 05:27 . 2001-08-17 19:55 6144 ----a-w- c:\windows\system32\dllcache\kbd101b.dll
2009-09-29 02:33 . 2009-09-29 02:48 2701702884 ------w- c:\documents and settings\Kumail\My Documents.zip
2009-09-29 02:28 . 2009-09-29 02:33 -------- d-----w- C:\Backup
2009-09-29 01:40 . 2009-09-29 02:41 -------- d-----w- c:\program files\Cobian Backup 8
2009-09-29 01:09 . 2009-09-29 01:09 54016 ----a-w- c:\windows\system32\drivers\aggry.sys
2009-09-29 00:29 . 2009-09-29 02:57 -------- d-----w- c:\windows\system32\NtmsData
2009-09-29 00:05 . 2009-09-29 00:05 54016 ----a-w- c:\windows\system32\drivers\lmgmgv.sys
2009-09-28 06:30 . 2009-09-28 06:30 54016 ----a-w- c:\windows\system32\drivers\lvfq.sys
2009-09-28 04:27 . 2009-09-28 04:27 54016 ----a-w- c:\windows\system32\drivers\lntsnubv.sys
2009-09-28 04:10 . 2009-09-28 04:10 -------- d-----w- c:\documents and settings\Kumail\Application Data\Malwarebytes
2009-09-28 04:09 . 2009-09-28 04:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-28 03:25 . 2009-09-28 03:40 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-09-28 03:23 . 2009-09-28 04:02 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-09-28 03:23 . 2009-09-28 03:23 -------- d-----w- c:\program files\Common Files\iS3
2009-09-09 00:47 . 2009-06-21 22:04 153088 ------w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-06 01:25 . 2008-12-16 04:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-09-30 22:50 . 2009-06-30 22:49 50688 --sha-w- c:\windows\system32\jepeyumu.dll
2009-09-29 05:35 . 2007-12-01 16:51 -------- d-----w- c:\program files\Alwil Software
2009-09-28 03:54 . 2009-09-28 03:36 1816 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2009-09-28 03:38 . 2009-09-28 03:36 2184 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-09-28 03:11 . 2009-09-28 03:11 16372 ------w- c:\documents and settings\Kumail\Application Data\uderiwo.dat
2009-09-28 03:11 . 2009-09-28 03:11 12658 ----a-w- c:\program files\Common Files\zagowyfygo.db
2009-09-22 00:49 . 2008-11-15 05:26 -------- d-----w- c:\documents and settings\Kumail\Application Data\Move Networks
2009-08-05 09:11 . 2004-08-19 20:49 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 18:55 . 2004-08-19 20:49 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 15:08 . 2004-08-19 20:50 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2008-01-07 05:25 . 2008-01-07 05:24 6026816 ----a-w- c:\program files\Firefox Setup 2.0.0.11.exe
2008-08-08 04:37 . 2007-05-22 07:51 56 --sh--r- c:\windows\system32\30A606CA93.sys
2008-08-08 04:37 . 2007-05-22 07:51 1890 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-06-30 22:50 . 2009-06-30 22:50 50688 --sha-w- c:\windows\system32\tehizalu.dll.tmp
2009-06-30 22:50 . 2009-06-30 22:50 50688 --sha-w- c:\windows\system32\yugukube.dll.tmp
.

((((((((((((((((((((((((((((( SnapShot@2009-10-06_04.27.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-06 05:49 . 2009-10-06 05:49 16384 c:\windows\Temp\Perflib_Perfdata_81c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2005-05-15 332800]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"Google Update"="c:\documents and settings\Kumail\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-04 133104]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-16 39408]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2009-01-04 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-04 344064]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 53248]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-09-07 26112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-23 303104]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 212992]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-03-06 236016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2005-9-7 156784]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-9-7 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Microsoft Plus! Photo Story 2 LE\\PS2Trial.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [9/29/2009 12:35 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/29/2009 12:35 AM 20560]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/15/2007 12:09 AM 24652]
S2 szkg5;szkg;c:\windows\system32\DRIVERS\szkg.sys --> c:\windows\system32\DRIVERS\szkg.sys [?]
S3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [12/12/2006 2:06 PM 16194]
S3 NETGEAR_WG511_SERVICE;NETGEAR WG511T Wireless Adapter Service;c:\windows\system32\DRIVERS\wg511nd5.sys --> c:\windows\system32\DRIVERS\wg511nd5.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-10-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-16 04:07]

2009-10-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2500930771-1355840681-586886793-1005Core.job
- c:\documents and settings\Kumail\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 00:27]

2009-10-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2500930771-1355840681-586886793-1005UA.job
- c:\documents and settings\Kumail\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 00:27]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = iexplore
IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: Display All Images with Full Quality - "c:\program files\NetZero\qsacc\appres.dll/228"
IE: Display Image with Full Quality - "c:\program files\NetZero\qsacc\appres.dll/227"
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} - hxxps://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-06 18:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-10-06 18:07
ComboFix-quarantined-files.txt 2009-10-06 23:06
ComboFix2.txt 2009-10-06 04:35

Pre-Run: 46,715,297,792 bytes free
Post-Run: 46,673,481,728 bytes free

Current=8 Default=8 Failed=7 LastKnownGood=9 Sets=1,2,3,4,5,6,7,8,9
170 --- E O F --- 2009-09-10 00:04


Thank you

#14 SifuMike

Posted 06 October 2009 - 07:30 PM

Hello jayhawk85,

Disable your Avast AntiVirus and AntiSpyware applications.
They may otherwise interfere with our tools.
AVAST will cause BSOD unless you disable it like this:
Posted Image


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
c:\windows\system32\drivers\obqijvt.sys
c:\windows\system32\drivers\idxohc.sys
c:\windows\system32\drivers\lmgmgv.sys
c:\windows\system32\drivers\lvfq.sys
c:\windows\system32\drivers\lntsnubv.sys
c:\windows\system32\jepeyumu.dll
c:\windows\system32\drivers\kgpfr2.cfg
c:\windows\system32\drivers\kgpcpy.cfg
c:\windows\system32\tehizalu.dll.tmp
c:\windows\system32\yugukube.dll.tmp


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.
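The File:: list in post #14 was read off the ComboFix log in post #13 by hand: the drivers in `c:\windows\system32\drivers` that share one byte size (54016) and carry identical created and modified stamps, the randomly named `--sha-w-` DLLs under system32, and the `*DisableNotify` values that silence Security Center. The script below, added here as an example and not part of ComboFix or of anything posted in the thread, automates that reading over the log format shown above. The sample log is constructed from a handful of lines copied out of the posted log, and every function name in it is this example's own; it generalizes the helper's three observations into reusable checks rather than reproducing the exact list from post #14.

```python
import re
from collections import defaultdict

# One line of a ComboFix "Files Created" / "Find3M" section:
#   <created> . <modified> <size or --------> <attribute flags> <path>
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)

# A Security Center value as listed under "Reg Loading Points":
#   "AntiVirusDisableNotify"=dword:00000001
DISABLE_NOTIFY_RE = re.compile(
    r'^"(?P<name>\w+DisableNotify)"=dword:(?P<value>[0-9a-fA-F]{8})$'
)

# Constructed sample: lines copied in the layout of the posted log, mixing
# the dropped drivers with legitimate avast/Malwarebytes files for contrast.
SAMPLE_LOG = r"""
2009-10-05 00:55 . 2009-10-05 00:55 54016 ----a-w- c:\windows\system32\drivers\obqijvt.sys
2009-10-03 00:17 . 2009-10-03 00:17 54016 ----a-w- c:\windows\system32\drivers\idxohc.sys
2009-10-03 00:06 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-03 00:06 . 2009-10-03 00:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-29 05:35 . 2009-09-15 10:55 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-09-29 01:09 . 2009-09-29 01:09 54016 ----a-w- c:\windows\system32\drivers\aggry.sys
2009-09-30 22:50 . 2009-06-30 22:49 50688 --sha-w- c:\windows\system32\jepeyumu.dll
2009-06-30 22:50 . 2009-06-30 22:50 50688 --sha-w- c:\windows\system32\tehizalu.dll.tmp
2008-08-08 04:37 . 2007-05-22 07:51 56 --sh--r- c:\windows\system32\30A606CA93.sys
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"""


def parse_entries(log_text):
    """Return the file entries of a log as dicts; non-matching lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        e = m.groupdict()
        # Directories carry "--------" instead of a byte count.
        e["size"] = int(e["size"]) if e["size"].isdigit() else None
        entries.append(e)
    return entries


def find_fresh_driver_clusters(entries, min_cluster=2):
    """Drivers whose created and modified stamps are identical were written in
    place rather than unpacked from an installer (the avast and Malwarebytes
    drivers keep a modified stamp older than their creation on this machine).
    Several such .sys files sharing one byte size is the pattern the helper's
    File:: list targets. Returns {size: [paths]} for sizes hit min_cluster times."""
    by_size = defaultdict(list)
    for e in entries:
        path = e["path"].lower()
        if e["size"] is None or "\\drivers\\" not in path or not path.endswith(".sys"):
            continue
        if e["created"] == e["modified"]:
            by_size[e["size"]].append(e["path"])
    return {size: paths for size, paths in by_size.items() if len(paths) >= min_cluster}


def find_hidden_system_dlls(entries):
    """DLLs under system32 carrying both the system (s) and hidden (h) flags,
    as the randomly named --sha-w- DLLs in the posted log do."""
    return [
        e["path"] for e in entries
        if "s" in e["attrs"] and "h" in e["attrs"]
        and "\\system32\\" in e["path"].lower()
        and e["path"].lower().endswith((".dll", ".dll.tmp"))
    ]


def find_disabled_security_notifications(log_text):
    """Security Center *DisableNotify values set to 1, which silence the
    'no antivirus / firewall / updates' warnings in the tray."""
    hits = []
    for raw in log_text.splitlines():
        m = DISABLE_NOTIFY_RE.match(raw.strip())
        if m and int(m.group("value"), 16) == 1:
            hits.append(m.group("name"))
    return hits


def triage(log_text):
    """Run all three checks over one log and return a summary dict."""
    entries = parse_entries(log_text)
    return {
        "driver_clusters": find_fresh_driver_clusters(entries),
        "hidden_system_dlls": find_hidden_system_dlls(entries),
        "disabled_notifications": find_disabled_security_notifications(log_text),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The timestamp heuristic is deliberately narrow (only `.sys` files under `drivers`, only when at least two share a size) because a single freshly written file is normal; it is the cluster of same-sized, same-stamped, random-named drivers that stands out, which is also why catchme reporting `hidden files: 0` does not clear the machine. Output from a script like this is a starting point for a human reader, not a removal list.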

#15 jayhawk85

Posted 06 October 2009 - 10:29 PM

I disabled the other antivirus apps (Avast)... but if it is still causing an issue, do you think I should uninstall it?

Here is the log:

ComboFix 09-10-04.01 - Kumail 10/06/2009 22:17.3.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.530 [GMT -5:00]
Running from: c:\documents and settings\Kumail\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Kumail\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1356 [VPS 091005-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\windows\system32\drivers\idxohc.sys"
"c:\windows\system32\drivers\kgpcpy.cfg"
"c:\windows\system32\drivers\kgpfr2.cfg"
"c:\windows\system32\drivers\lmgmgv.sys"
"c:\windows\system32\drivers\lntsnubv.sys"
"c:\windows\system32\drivers\lvfq.sys"
"c:\windows\system32\drivers\obqijvt.sys"
"c:\windows\system32\jepeyumu.dll"
"c:\windows\system32\tehizalu.dll.tmp"
"c:\windows\system32\yugukube.dll.tmp"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\idxohc.sys
c:\windows\system32\drivers\kgpcpy.cfg
c:\windows\system32\drivers\kgpfr2.cfg
c:\windows\system32\drivers\lmgmgv.sys
c:\windows\system32\drivers\lntsnubv.sys
c:\windows\system32\drivers\lvfq.sys
c:\windows\system32\drivers\obqijvt.sys
c:\windows\system32\jepeyumu.dll
c:\windows\system32\tehizalu.dll.tmp
c:\windows\system32\yugukube.dll.tmp

.
((((((((((((((((((((((((( Files Created from 2009-09-07 to 2009-10-07 )))))))))))))))))))))))))))))))
.

2009-10-06 04:24 . 2004-08-10 10:00 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-06 04:24 . 2004-08-10 10:00 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-10-03 00:06 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-03 00:06 . 2009-10-03 00:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-03 00:06 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-02 23:07 . 2009-10-02 23:21 131731 ----a-w- c:\windows\system32\dbsinit.exe
2009-09-29 05:35 . 2009-09-15 10:54 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-09-29 05:35 . 2009-09-15 10:54 52368 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-09-29 05:35 . 2009-09-15 10:53 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-09-29 05:35 . 2009-09-15 10:53 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-09-29 05:35 . 2009-09-15 10:56 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-09-29 05:35 . 2009-09-15 10:56 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-09-29 05:35 . 2009-09-15 10:55 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-09-29 05:35 . 2009-09-15 10:55 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-09-29 05:35 . 2009-09-15 10:59 1279968 ----a-w- c:\windows\system32\aswBoot.exe
2009-09-29 05:27 . 2001-08-17 19:55 6144 ----a-w- c:\windows\system32\kbd101b.dll
2009-09-29 05:27 . 2001-08-17 19:55 6144 ----a-w- c:\windows\system32\dllcache\kbd101b.dll
2009-09-29 02:33 . 2009-09-29 02:48 2701702884 ------w- c:\documents and settings\Kumail\My Documents.zip
2009-09-29 02:28 . 2009-09-29 02:33 -------- d-----w- C:\Backup
2009-09-29 01:40 . 2009-09-29 02:41 -------- d-----w- c:\program files\Cobian Backup 8
2009-09-29 01:09 . 2009-09-29 01:09 54016 ----a-w- c:\windows\system32\drivers\aggry.sys
2009-09-29 00:29 . 2009-09-29 02:57 -------- d-----w- c:\windows\system32\NtmsData
2009-09-28 04:10 . 2009-09-28 04:10 -------- d-----w- c:\documents and settings\Kumail\Application Data\Malwarebytes
2009-09-28 04:09 . 2009-09-28 04:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-28 03:25 . 2009-09-28 03:40 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-09-28 03:23 . 2009-09-28 04:02 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-09-28 03:23 . 2009-09-28 03:23 -------- d-----w- c:\program files\Common Files\iS3
2009-09-09 00:47 . 2009-06-21 22:04 153088 ------w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-06 01:25 . 2008-12-16 04:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-09-29 05:35 . 2007-12-01 16:51 -------- d-----w- c:\program files\Alwil Software
2009-09-28 03:11 . 2009-09-28 03:11 16372 ------w- c:\documents and settings\Kumail\Application Data\uderiwo.dat
2009-09-28 03:11 . 2009-09-28 03:11 12658 ----a-w- c:\program files\Common Files\zagowyfygo.db
2009-09-22 00:49 . 2008-11-15 05:26 -------- d-----w- c:\documents and settings\Kumail\Application Data\Move Networks
2009-08-05 09:11 . 2004-08-19 20:49 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 18:55 . 2004-08-19 20:49 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 15:08 . 2004-08-19 20:50 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2008-01-07 05:25 . 2008-01-07 05:24 6026816 ----a-w- c:\program files\Firefox Setup 2.0.0.11.exe
2008-08-08 04:37 . 2007-05-22 07:51 56 --sh--r- c:\windows\system32\30A606CA93.sys
2008-08-08 04:37 . 2007-05-22 07:51 1890 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-10-06_04.27.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-06 05:49 . 2009-10-06 05:49 16384 c:\windows\Temp\Perflib_Perfdata_81c.dat
+ 2008-09-04 00:34 . 2009-10-06 23:18 84661 c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2009-07-18 03:21 . 2009-07-18 03:21 257440 c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2009-07-18 03:21 . 2009-07-18 03:21 3883424 c:\windows\system32\Macromed\Flash\NPSWF32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2005-05-15 332800]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"Google Update"="c:\documents and settings\Kumail\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-04 133104]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-16 39408]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2009-01-04 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-04 344064]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 53248]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-09-07 26112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-23 303104]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 212992]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-03-06 236016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2005-9-7 156784]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-9-7 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Microsoft Plus! Photo Story 2 LE\\PS2Trial.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [9/29/2009 12:35 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/29/2009 12:35 AM 20560]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/15/2007 12:09 AM 24652]
S2 szkg5;szkg;c:\windows\system32\DRIVERS\szkg.sys --> c:\windows\system32\DRIVERS\szkg.sys [?]
S3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [12/12/2006 2:06 PM 16194]
S3 NETGEAR_WG511_SERVICE;NETGEAR WG511T Wireless Adapter Service;c:\windows\system32\DRIVERS\wg511nd5.sys --> c:\windows\system32\DRIVERS\wg511nd5.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-10-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-16 04:07]

2009-10-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2500930771-1355840681-586886793-1005Core.job
- c:\documents and settings\Kumail\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 00:27]

2009-10-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2500930771-1355840681-586886793-1005UA.job
- c:\documents and settings\Kumail\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 00:27]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = iexplore
IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: Display All Images with Full Quality - "c:\program files\NetZero\qsacc\appres.dll/228"
IE: Display Image with Full Quality - "c:\program files\NetZero\qsacc\appres.dll/227"
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} - hxxps://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-06 22:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-10-07 22:25
ComboFix-quarantined-files.txt 2009-10-07 03:24
ComboFix2.txt 2009-10-06 23:07
ComboFix3.txt 2009-10-06 04:35

Pre-Run: 46,793,715,712 bytes free
Post-Run: 46,770,819,072 bytes free

Current=8 Default=8 Failed=7 LastKnownGood=9 Sets=1,2,3,4,5,6,7,8,9
181 --- E O F --- 2009-09-10 00:04

Thank you for your help



