Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with something . HELP please


  • This topic is locked This topic is locked
3 replies to this topic

#1 dmyers

dmyers

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:09:40 AM

Posted 07 October 2009 - 07:50 AM

Good Morning,
I have a nasty little infection, my trend office scan says it is cryp_vundo-28, but, other scanners aren't picking it up.
I read the Preparation guide and ran DDS. It did not run as it should have and the report was all gibberish (crazy dingbats and stuff. Maybe whatever i have has is messing it up?)
This infection is re-routing me to weird websites, popping up windows, DL'ing fake virus removal tools. It won't let me run Malware bytes (changes the name so i can't start it) I have been fighting it for a couple of days now. I think i get rid of it, then if i restart my machine, its back.

I have posted a combofix log (because DDS is not acting right), as well as the RootRepeal log.


Any help i can get with this would be greatly appreciated !!!!! Thanks alot !!

COMBOFIX


ComboFix 09-10-06.04 - davidm 10/07/2009 8:10.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.643 [GMT -4:00]
Running from: c:\documents and settings\davidm\Desktop\ComboFix.exe
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {D6045BE8-5191-450E-A009-04A138634B0C}
.
The following files were disabled during the run:
c:\windows\system32\limereju.dll

ADS - svchost.exe: deleted 68 bytes in 1 streams.
ADS - explorer.exe: deleted 132 bytes in 1 streams.
ADS - netcfgx.dll: deleted 100 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1298620630-2820091393-1048497475-500
c:\windows\Installer\26e21.msp
c:\windows\system32\dowuvedo.dll
c:\windows\system32\yunizapa.dll
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-09-07 to 2009-10-07 )))))))))))))))))))))))))))))))
.

2009-10-07 11:35 . 2009-10-07 11:35 -------- d-----w- c:\program files\jimmy
2009-10-07 11:27 . 2009-10-07 11:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-07 11:21 . 2009-10-07 11:54 -------- d-----w- c:\documents and settings\All Users\Application Data\60112212
2009-10-06 18:42 . 2009-10-06 18:42 -------- d-----w- C:\VundoFix Backups
2009-10-06 17:52 . 2009-10-06 17:52 -------- d-----w- c:\documents and settings\davidm\Application Data\Malwarebytes
2009-10-06 17:52 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-06 17:52 . 2009-10-06 17:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-06 17:52 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-06 17:52 . 2009-10-06 17:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-05 11:54 . 2009-10-07 11:51 10752 ----a-w- c:\windows\DCEBoot.exe
2009-10-05 11:46 . 2009-10-05 11:54 -------- d-----w- c:\documents and settings\davidm\Application Data\8307579025
2009-09-15 20:30 . 2009-09-15 20:30 2272 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-09-11 13:35 . 2009-10-05 11:46 -------- d-----w- c:\program files\PowerArchiver
2009-09-11 13:35 . 2006-12-29 00:19 56360 ----a-w- c:\windows\system32\WBHELP2.DLL
2009-09-10 11:50 . 2009-06-21 22:04 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-09-09 12:23 . 2009-09-09 12:23 -------- d-----w- c:\documents and settings\davidm\Local Settings\Application Data\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-07 11:27 . 2007-07-24 20:24 -------- d-----w- c:\program files\Java
2009-10-07 11:21 . 2007-08-13 15:03 -------- d-----w- c:\program files\ERPlite
2009-09-29 19:42 . 2008-02-29 15:11 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-08-10 18:24 . 2007-07-24 20:28 -------- d-----w- c:\program files\Google
2009-08-05 09:11 . 2004-08-04 08:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 18:55 . 2004-08-04 08:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 06:18 . 2004-08-04 08:00 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-06 10:37 . 2009-07-06 10:37 51712 --sha-w- c:\windows\system32\dalusulo.dll.tmp
2009-07-06 10:36 . 2009-07-06 10:36 1047587 --sha-w- c:\windows\system32\kojofaba.exe
2009-07-07 11:22 . 2009-07-07 11:22 51712 --sha-w- c:\windows\system32\lojaloke.dll
2009-07-07 11:21 . 2009-07-07 11:21 1050659 --sha-w- c:\windows\system32\negonuze.exe
2009-07-06 10:37 . 2009-07-06 10:37 51712 --sha-w- c:\windows\system32\nevoputo.dll.tmp
2009-07-06 10:36 . 2009-07-06 10:36 51712 --sha-w- c:\windows\system32\rekomeve.dll
2009-07-07 11:21 . 2009-07-07 11:21 51712 --sha-w- c:\windows\system32\seniyuro.dll
2009-07-06 10:37 . 2009-07-06 10:37 51712 --sha-w- c:\windows\system32\vekukedu.dll.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-09-25 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-09-25 114688]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-09-25 94208]
"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2007-04-13 331552]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2006-05-12 1138688]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-03-31 761856]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-04-24 888832]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-11-15 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-11-15 267048]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-12 623992]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2008-10-31 714024]
"hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2007-04-25 954368]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-07 149280]
"zotoyubuf"="c:\windows\system32\limereju.dll" [2009-07-07 89088]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{2fac2beb-77ee-47bc-a85b-80a850130591}"= "c:\windows\system32\limereju.dll" [2009-07-07 89088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"muvapotaw"= {2fac2beb-77ee-47bc-a85b-80a850130591} - c:\windows\system32\limereju.dll [2009-07-07 89088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=

R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [7/24/2007 4:28 PM 540448]
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [7/3/2008 4:59 PM 225296]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [7/3/2008 4:59 PM 36368]
S1 klmc;KLMC driver;c:\windows\system32\drivers\klmc.sys --> c:\windows\system32\drivers\klmc.sys [?]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [7/3/2008 4:59 PM 652552]
.
Contents of the 'Scheduled Tasks' folder

2009-06-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57]

2009-10-05 c:\windows\Tasks\Microsoft Office Access 2007.job
- c:\documents and settings\All Users\Start Menu\Programs\Microsoft Office\Microsoft Office Access 2007.lnk [2007-09-10 11:00]

2009-10-07 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-12 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\davidm\Application Data\Mozilla\Firefox\Profiles\zplnqofg.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/|http://www.tentonstudios.com/forum/index.php|https://www.fedex.com/fcl/?appName=fclmfx&locale=us_en&step3URL=https%3A%2F%2Fwww.fedex.com%2Fmyfedex%2Fgo%2Ffclstep3%3Fcc%3DUS%26language%3Den&returnurl=https%3A%2F%2Fwww.fedex.com%2Fmyfedex%2Fgo%2Fhome%3Fcc%3DUS%26language%3Den&programIndicator=
FF - plugin: c:\documents and settings\davidm\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.17\Plugins\npybrowserplus_2.4.17.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

SharedTaskScheduler-{cd3e8a63-5087-46b1-b67e-67df7f86cff1} - (no file)
SharedTaskScheduler-{a04fd491-8ea8-442b-ae99-f804413da447} - (no file)
SSODL-mulemihog-{cd3e8a63-5087-46b1-b67e-67df7f86cff1} - (no file)
SSODL-wedetehuw-{a04fd491-8ea8-442b-ae99-f804413da447} - (no file)
Notify-NavLogon - (no file)
AddRemove-LifeGlobe Sharks - c:\program files\Prolific Publishing
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9c.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-07 08:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]
"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Pervasive Software\PSQL]
@Denied: ) (Everyone)
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(724)
c:\windows\system32\limereju.dll

- - - - - - - > 'explorer.exe'(1260)
c:\windows\system32\limereju.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\Crypserv.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Trend Micro\OfficeScan Client\NTRtScan.exe
c:\windows\system32\spool\drivers\w32x86\3\HP1006MC.EXE
c:\program files\Trend Micro\OfficeScan Client\TmListen.exe
c:\windows\temp\PA92EC.EXE
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
c:\windows\system32\wbem\wmiadap.exe
.
**************************************************************************
.
Completion time: 2009-10-07 8:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-07 12:19

Pre-Run: 32,344,825,856 bytes free
Post-Run: 33,010,921,472 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

187 --- E O F --- 2009-09-10 15:04



ROOTREPEAL

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/07 08:33
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: catchme.sys
Image Path: C:\ComboFix\catchme.sys
Address: 0xF7994000 Size: 31744 File Visible: No Signed: -
Status: -

Name: Combo-Fix.sys
Image Path: Combo-Fix.sys
Address: 0xF760C000 Size: 60416 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA9FFA000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7AEC000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PROCEXP90.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP90.SYS
Address: 0xF7AF4000 Size: 6464 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA98B4000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Documents and Settings\davidm\Local Settings\Temp\PDFC\Job
Status: Locked to the Windows API!

Path: \\?\C:\Documents and Settings\davidm\Local Settings\Temp\PDFC\Job\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\Documents and Settings\davidm\Application Data\Mozilla\Firefox\Profiles\zplnqofg.default\sessionstore.js
Status: Could not get file information (Error 0xc0000008)

==EOF==

BC AdBot (Login to Remove)

 


#2 dmyers

dmyers
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:09:40 AM

Posted 07 October 2009 - 08:00 AM

I got Hijackthis to run and here is the log for that as well.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:59:07 AM, on 10/7/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\PDF Complete\pdfsty.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\PDF Complete\pdfsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\TEMP\PA92EC.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PDF Complete] "C:\Program Files\PDF Complete\pdfsty.exe"
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [hpbdfawep] C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe 1
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [zotoyubuf] Rundll32.exe "c:\windows\system32\limereju.dll",a
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jormac.com
O17 - HKLM\Software\..\Telephony: DomainName = jormac.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jormac.com
O20 - AppInit_DLLs: c:\windows\system32\limereju.dll
O21 - SSODL: muvapotaw - {2fac2beb-77ee-47bc-a85b-80a850130591} - c:\windows\system32\limereju.dll
O22 - SharedTaskScheduler: kupuhivus - {2fac2beb-77ee-47bc-a85b-80a850130591} - c:\windows\system32\limereju.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kaspersky Anti-Virus Service (kavsvc) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 5.0 for Windows Workstations\kavsvc.exe (file missing)
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe

--
End of file - 9094 bytes

#3 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:02:40 PM

Posted 24 October 2009 - 06:18 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#4 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:02:40 PM

Posted 29 October 2009 - 05:30 PM

Due to the lack of feedback, this topic is now closed.
If you need this topic reopened, please PM a staff member and we will reopen it for you (include the address of this thread in your request). This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users