Badly infected computer, here are my logs


This topic is locked
2 replies to this topic

#1 RealTalk

RealTalk

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Local time:02:54 PM

Posted 08 October 2009 - 06:01 PM

http://www.bleepingcomputer.com/forums/t/262465/advanced-virus-scanner-has-taken-over-my-laptop-major-infection/

Most likely, the computer was infected from what happened to this computer, on the same network ^^

Started with this for MBAM:

Malwarebytes' Anti-Malware 1.41
Database version: 2916
Windows 5.1.2600 Service Pack 3 (Safe Mode)

10/8/2009 12:57:51 PM
mbam-log-2009-10-08 (12-57-51).txt

Scan type: Quick Scan
Objects scanned: 130552
Time elapsed: 16 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 16
Registry Values Infected: 4
Registry Data Items Infected: 3
Folders Infected: 2
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\karezabu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\notevotu.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{40002942-fba7-4f53-97bd-b42f779fc122} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\iman.riemon (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\iman.riemon.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IRISm (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\irssyncd (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\TDPer.exe (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\febabulal (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\53547933 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{40002942-fba7-4f53-97bd-b42f779fc122} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\joyapusay (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\karezabu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\karezabu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\53547933 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\DriveCleaner 2006 Free (Rogue.DriveCleaner) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\karezabu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\53547933\53547933.bat (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\53547933\53547933.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rolububo.exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mom\Desktop\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mom\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\notevotu.dll (Trojan.Vundo) -> Delete on reboot.


After 5 consecutive scans, I'm down to this, but this 1 file has been present by itself in the past 2 scans:


Malwarebytes' Anti-Malware 1.41
Database version: 2916
Windows 5.1.2600 Service Pack 3

10/8/2009 4:20:51 PM
mbam-log-2009-10-08 (16-20-51).txt

Scan type: Quick Scan
Objects scanned: 131506
Time elapsed: 20 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


=========================

Win32kdiag:


Running from: C:\Documents and Settings\Dad\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Dad\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Cannot access: C:\WINDOWS\$NtUninstallKB824141_RTM$\sysmain.sdb

[1] 2009-03-27 02:33:14 1203922 C:\WINDOWS\$hf_mig$\KB923561\SP3QFE\sysmain.sdb ()

[1] 2006-10-04 10:06:21 1197294 C:\WINDOWS\$NtServicePackUninstall$\sysmain.sdb ()

[1] 2002-10-08 16:19:18 1053822 C:\WINDOWS\$NtUninstallKB824141_RTM$\sysmain.sdb ()

[1] 2008-04-13 20:15:28 1202774 C:\WINDOWS\$NtUninstallKB923561$\sysmain.sdb ()

[1] 2004-08-04 04:02:14 1190796 C:\WINDOWS\$NtUninstallKB926239$\sysmain.sdb ()

[1] 2001-08-18 08:00:00 1026828 C:\WINDOWS\$NtUninstallQ319580$\sysmain.sdb ()

[1] 2002-03-25 15:02:38 1052752 C:\WINDOWS\$NtUninstallQ328310_RTM$\sysmain.sdb ()

[1] 2002-12-20 16:54:14 1055610 C:\WINDOWS\$NtUninstallQ814995$\sysmain.sdb ()

[1] 2002-11-01 15:13:00 1080070 C:\WINDOWS\$xpsp1hfm$\Q328310\sysmain.sdb ()

[1] 2009-03-27 02:58:38 1203922 C:\WINDOWS\AppPatch\sysmain.sdb ()

[1] 2008-04-13 20:15:28 1202774 C:\WINDOWS\ServicePackFiles\i386\sysmain.sdb ()

[1] 2009-03-27 02:58:38 1203922 C:\WINDOWS\system32\dllcache\sysmain.sdb ()



Cannot access: C:\WINDOWS\$NtUninstallKB824141_RTM$\user32.dll

[1] 2005-03-02 14:19:56 577024 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll (Microsoft Corporation)

[1] 2007-03-08 11:48:36 578048 C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll (Microsoft Corporation)

[1] 2007-03-08 11:36:28 577536 C:\WINDOWS\$NtServicePackUninstall$\user32.dll (Microsoft Corporation)

[1] 2002-11-01 16:26:46 528896 C:\WINDOWS\$NtUninstallKB824141$\user32.dll (Microsoft Corporation)

[1] 2002-11-22 13:16:00 528896 C:\WINDOWS\$NtUninstallKB824141_RTM$\user32.dll ()

[1] 2004-08-04 03:56:46 577024 C:\WINDOWS\$NtUninstallKB890859$\user32.dll (Microsoft Corporation)

[1] 2005-03-02 14:09:30 577024 C:\WINDOWS\$NtUninstallKB925902$\user32.dll (Microsoft Corporation)

[1] 2002-08-29 06:41:18 560128 C:\WINDOWS\$NtUninstallQ328310$\user32.dll (Microsoft Corporation)

[1] 2001-08-18 08:00:00 561152 C:\WINDOWS\$NtUninstallQ328310_RTM$\user32.dll (Microsoft Corporation)

[1] 2003-09-25 12:49:02 560128 C:\WINDOWS\$xpsp1hfm$\KB824141\user32.dll (Microsoft Corporation)

[1] 2002-11-01 16:26:46 528896 C:\WINDOWS\$xpsp1hfm$\Q328310\user32.dll (Microsoft Corporation)

[1] 2008-04-13 20:12:08 578560 C:\WINDOWS\ServicePackFiles\i386\user32.dll (Microsoft Corporation)

[1] 2008-04-13 20:12:08 578560 C:\WINDOWS\system32\user32.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB824141_RTM$\win32k.sys

[1] 2005-03-01 21:11:25 1836160 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\win32k.sys (Microsoft Corporation)

[1] 2005-10-05 20:10:04 1839360 C:\WINDOWS\$hf_mig$\KB896424\SP2QFE\win32k.sys (Microsoft Corporation)

[1] 2007-03-08 09:49:49 1843968 C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\win32k.sys (Microsoft Corporation)

[1] 2008-03-19 05:40:27 1845888 C:\WINDOWS\$hf_mig$\KB941693\SP2QFE\win32k.sys (Microsoft Corporation)

[1] 2008-09-15 08:25:27 1846912 C:\WINDOWS\$hf_mig$\KB954211\SP3QFE\win32k.sys (Microsoft Corporation)

[1] 2009-02-09 07:08:53 1847552 C:\WINDOWS\$hf_mig$\KB958690\SP3QFE\win32k.sys (Microsoft Corporation)

[1] 2009-04-17 06:50:18 1847808 C:\WINDOWS\$hf_mig$\KB968537\SP3QFE\win32k.sys (Microsoft Corporation)

[1] 2008-03-19 05:47:00 1845248 C:\WINDOWS\$NtServicePackUninstall$\win32k.sys (Microsoft Corporation)

[1] 2002-10-23 09:55:02 1694336 C:\WINDOWS\$NtUninstallKB824141$\win32k.sys (Microsoft Corporation)

[1] 2002-10-21 18:45:24 1671168 C:\WINDOWS\$NtUninstallKB824141_RTM$\win32k.sys ()

[1] 2004-08-04 02:17:40 1835904 C:\WINDOWS\$NtUninstallKB890859$\win32k.sys (Microsoft Corporation)

[1] 2005-03-01 21:06:57 1836288 C:\WINDOWS\$NtUninstallKB896424$\win32k.sys (Microsoft Corporation)

[1] 2005-10-05 20:05:59 1839488 C:\WINDOWS\$NtUninstallKB925902$\win32k.sys (Microsoft Corporation)

[1] 2007-03-08 09:47:48 1843584 C:\WINDOWS\$NtUninstallKB941693$\win32k.sys (Microsoft Corporation)

[1] 2008-04-13 15:30:10 1845632 C:\WINDOWS\$NtUninstallKB954211$\win32k.sys (Microsoft Corporation)

[1] 2008-09-15 08:12:56 1846400 C:\WINDOWS\$NtUninstallKB958690$\win32k.sys (Microsoft Corporation)

[1] 2009-02-09 07:13:27 1846784 C:\WINDOWS\$NtUninstallKB968537$\win32k.sys (Microsoft Corporation)

[1] 2002-08-29 05:14:20 1813632 C:\WINDOWS\$NtUninstallQ328310$\win32k.sys (Microsoft Corporation)

[1] 2001-08-18 08:00:00 1799552 C:\WINDOWS\$NtUninstallQ328310_RTM$\win32k.sys (Microsoft Corporation)

[1] 2003-09-25 09:35:48 1796864 C:\WINDOWS\$xpsp1hfm$\KB824141\win32k.sys (Microsoft Corporation)

[1] 2002-10-23 09:55:02 1694336 C:\WINDOWS\$xpsp1hfm$\Q328310\win32k.sys (Microsoft Corporation)

[1] 2008-04-13 15:30:10 1845632 C:\WINDOWS\ServicePackFiles\i386\win32k.sys (Microsoft Corporation)

[1] 2009-04-17 08:26:40 1847168 C:\WINDOWS\system32\dllcache\win32k.sys (Microsoft Corporation)

[1] 2009-04-17 08:26:40 1847168 C:\WINDOWS\system32\win32k.sys (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB828035_RTM$\msgsvc.dll

[1] 2004-08-04 03:56:43 33792 C:\WINDOWS\$NtServicePackUninstall$\msgsvc.dll (Microsoft Corporation)

[1] 2003-10-02 17:59:38 32256 C:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll (Microsoft Corporation)

[1] 2001-08-18 08:00:00 34304 C:\WINDOWS\$NtUninstallKB828035_RTM$\msgsvc.dll ()

[1] 2003-10-03 19:18:56 32256 C:\WINDOWS\$xpsp1hfm$\KB828035\msgsvc.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:59 33792 C:\WINDOWS\ServicePackFiles\i386\msgsvc.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:59 33792 C:\WINDOWS\system32\msgsvc.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB828035_RTM$\wkssvc.dll

[1] 2006-08-17 08:37:49 132096 C:\WINDOWS\$hf_mig$\KB924270\SP2QFE\wkssvc.dll (Microsoft Corporation)

[1] 2009-06-10 02:17:16 134144 C:\WINDOWS\$hf_mig$\KB971657\SP3QFE\wkssvc.dll (Microsoft Corporation)

[1] 2006-08-17 08:28:27 132096 C:\WINDOWS\$NtServicePackUninstall$\wkssvc.dll (Microsoft Corporation)

[1] 2003-10-02 17:59:39 120320 C:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll (Microsoft Corporation)

[1] 2001-08-18 08:00:00 120832 C:\WINDOWS\$NtUninstallKB828035_RTM$\wkssvc.dll ()

[1] 2004-08-04 03:56:46 132096 C:\WINDOWS\$NtUninstallKB924270$\wkssvc.dll (Microsoft Corporation)

[1] 2008-04-13 20:12:09 132096 C:\WINDOWS\$NtUninstallKB971657$\wkssvc.dll (Microsoft Corporation)

[1] 2003-10-03 19:18:56 119808 C:\WINDOWS\$xpsp1hfm$\KB828035\wkssvc.dll (Microsoft Corporation)

[1] 2008-04-13 20:12:09 132096 C:\WINDOWS\ServicePackFiles\i386\wkssvc.dll (Microsoft Corporation)

[1] 2009-06-10 02:14:49 132096 C:\WINDOWS\system32\dllcache\wkssvc.dll (Microsoft Corporation)

[1] 2009-06-10 02:14:49 132096 C:\WINDOWS\system32\wkssvc.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallQ328940$\reg00003



ERROR OCCURRED!

------------------------------

Windows Version: Windows XP SP3

Exception Code: 0xc0000005

Exception Address: 0x00402415

Attempt to write to address: 0x00000000



At this point, an error message popped up and it closed the program.



=============


DDS (Ver_09-09-29.01) - NTFSx86
Run by Dad at 18:06:30.73 on Thu 10/08/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.406 [GMT -4:00]

AV: avast! antivirus 4.8.1351 [VPS 091008-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Documents and Settings\Dad\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: SuperBar: {2a6fcf08-9f82-4369-8b2a-05848b9b2ebf} - c:\program files\superbar\SuperBar.Dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: AIM Search: {40d41a8b-d79b-43d7-99a7-9ee0f344c385} - c:\program files\aim toolbar\AIMBar.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - No File
TB: {196C3A46-4758-433D-A600-802C804AF39C} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ares] "c:\program files\ares\Ares.exe" -h
uRun: [Google Update] "c:\documents and settings\dad\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Musicmatch Jukebox Player] MUSICMATCH32.EXE
mRun: [RoxioDragToDisc] "c:\program files\roxio\easy media creator 7\drag to disc\DrgToDsc.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [avast!] c:\progra~1\avast4\ashDisp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [Adobe Reader Speed Launcher] "e:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [MsgCenterExe] "c:\program files\common files\real\update_ob\RealOneMessageCenter.exe" -osboot
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: []
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\clear.exe" /runcleanupscript
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: &Search
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {26B2A5DA-BFD6-422F-A89A-28A54C74B12B} - hxxp://www.costcophotocenter.com/upload/activex/v3_0_0_4/PhotoCenter_ActiveX_Control.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.costcophotocenter.com/CostcoActivia.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://gis.pinellascounty.org/ActiveX/ver6.5/mgaxctrl.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} - hxxps://banner.usf.edu/forms/jinitiator/jinit.exe
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
AppInit_DLLs: simageme.dll c:\windows\system32\polekove.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: penoduwig - {741e2d28-0c47-4c94-ac80-919af916d23f} - c:\windows\system32\polekove.dll
STS: mujuzedij: {741e2d28-0c47-4c94-ac80-919af916d23f} - c:\windows\system32\polekove.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Notification Packages = scecli notevotu.dll

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\mozilla firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-12 114768]
R2 ALIEHCD;ALi PCI to USB Enhanced Host Controller;c:\windows\system32\drivers\AliEhci.sys [2006-6-14 112835]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-12 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast4\ashServ.exe [2007-4-30 138680]
R2 mrtRate;mrtRate;c:\windows\system32\drivers\MRTRATE.SYS [2003-2-15 36404]
R3 aliroothub;USB 2.0 Root Hub;c:\windows\system32\drivers\AliRtHub.sys [2006-6-14 5325]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\avast4\ashMaiSv.exe [2007-4-30 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\avast4\ashWebSv.exe [2007-4-30 352920]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-7-20 133104]
S2 HGIUYXGX;HGIUYXGX;\??\c:\windows\system32\hgiuyxgx.xdj --> c:\windows\system32\hgiuyxgx.xdj [?]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 aligp;USB Composite Device;c:\windows\system32\drivers\AliGP.sys [2006-6-14 8656]
S3 mbr;mbr;\??\c:\docume~1\admini~1\locals~1\temp\mbr.sys --> c:\docume~1\admini~1\locals~1\temp\mbr.sys [?]

=============== Created Last 30 ================

2009-10-08 13:04 --d----- c:\docume~1\dad\applic~1\Malwarebytes
2009-10-08 12:34 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-08 12:34 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-08 12:18 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-10-08 12:18 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-04 16:01 --d----- c:\docume~1\dad\applic~1\Kodak
2009-10-04 15:56 --d----- c:\program files\Kodak
2009-10-03 14:28 195,440 -------- c:\windows\system32\MpSigStub.exe

==================== Find3M ====================

2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2007-05-09 21:31 169,416 a------- c:\docume~1\dad\applic~1\GDIPFONTCACHEV1.DAT
2007-02-04 22:58 800,272 a------- c:\documents and settings\dad\ppctl.dll
2004-04-10 15:48 30 a------- c:\program files\del py.bat
2009-07-08 01:02 37,888 a--sh--- c:\windows\system32\futajido.dll
2009-07-08 01:02 51,712 a--sh--- c:\windows\system32\gerogive.dll
2009-07-08 13:02 1,011,437 a--sh--- c:\windows\system32\hajifagu.exe
2009-07-07 13:03 37,888 a--sh--- c:\windows\system32\lakovazo.dll
2009-07-07 13:03 26,624 a--sh--- c:\windows\system32\muwatibi.dll
2009-07-08 01:03 51,712 a--sh--- c:\windows\system32\simageme.dll
2009-07-08 13:02 37,888 a--sh--- c:\windows\system32\vataguhi.dll
2009-07-08 01:03 51,712 a--sh--- c:\windows\system32\wibiragu.dll
2009-07-07 13:03 89,088 a--sh--- c:\windows\system32\wisahiri.dll
2008-08-30 13:42 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008083020080831\index.dat

============= FINISH: 18:07:03.76 ===============

Edited by RealTalk, 08 October 2009 - 06:02 PM.
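Added example, not code from the original post or from the MBAM and DDS tools: a Python script that cross-references the two reports above. Two things in the logs make this worth doing. MBAM marked notevotu.dll "Delete on reboot" at 12:57, yet the DDS run at 18:06 the same day still lists it under LSA: Notification Packages; and polekove.dll is reached from AppInit_DLLs, an SSODL entry and a SharedTaskScheduler entry at once, while several eight-letter DLLs in system32 carry the system+hidden attributes in Find3M. The script parses excerpts copied from the posted logs, maps each module to the load points naming it, and flags deferred deletes that are still referenced, hidden files that are or are not loaded, a service whose image lacks an executable extension, and modules with redundant persistence. The prefix-to-load-point mapping, the field layouts and the PE_EXTENSIONS allowlist are my assumptions inferred from the posted lines, not documented DDS or MBAM fields.

```python
# Triage Vundo-style persistence by cross-referencing an MBAM log with a DDS report.
import re
from collections import defaultdict

# Constructed input: excerpts copied from the logs posted above (the three MBAM
# file hits, five DDS load-point lines, one service line, three Find3M rows).
MBAM_EXCERPT = r"""
Files Infected:
c:\WINDOWS\system32\karezabu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\rolububo.exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\notevotu.dll (Trojan.Vundo) -> Delete on reboot.
"""

DDS_EXCERPT = r"""
AppInit_DLLs: simageme.dll c:\windows\system32\polekove.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: penoduwig - {741e2d28-0c47-4c94-ac80-919af916d23f} - c:\windows\system32\polekove.dll
STS: mujuzedij: {741e2d28-0c47-4c94-ac80-919af916d23f} - c:\windows\system32\polekove.dll
LSA: Notification Packages = scecli notevotu.dll
S2 HGIUYXGX;HGIUYXGX;\??\c:\windows\system32\hgiuyxgx.xdj --> c:\windows\system32\hgiuyxgx.xdj [?]
2009-07-08 01:02 37,888 a--sh--- c:\windows\system32\futajido.dll
2009-07-08 01:03 51,712 a--sh--- c:\windows\system32\simageme.dll
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
"""

# Assumption: DDS prefixes for the autostart locations seen in this thread;
# the mapping and the regex field layouts are inferred from the posted lines.
LOAD_POINT_PREFIXES = {
    "AppInit_DLLs:": "AppInit_DLLs",
    "SSODL:": "ShellServiceObjectDelayLoad",
    "STS:": "SharedTaskScheduler",
    "LSA:": "LSA Notification Packages",
}
SERVICE_RE = re.compile(r"^[RS]\d\s")                          # 'R2 name;...' / 'S2 name;...'
MODULE_RE = re.compile(r"([\w$~-]+\.[a-z0-9]{2,4})\b", re.I)   # any name.ext token in a line
FIND3M_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} (?:[\d,]+ )?([a-z-]{8}) (.+)$", re.I)
MBAM_FILE_RE = re.compile(r"^(?P<path>[a-z]:\\.+?) \((?P<family>[^)]+)\) -> (?P<action>.+?)\.?$", re.I)
PE_EXTENSIONS = {"dll", "exe", "sys", "ocx"}  # assumption: what a service image should end in


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_mbam_files(text):
    """Map file basename -> (detection family, action MBAM reported)."""
    hits = {}
    for line in text.splitlines():
        m = MBAM_FILE_RE.match(line.strip())
        if m:
            hits[basename(m["path"])] = (m["family"], m["action"])
    return hits


def parse_dds(text):
    """Return (basename -> set of load points naming it, set of system+hidden files)."""
    load_points = defaultdict(set)
    hidden_system = set()
    for line in text.splitlines():
        line = line.strip()
        m = FIND3M_RE.match(line)
        if m:  # Find3M row: attribute string then path
            attrs, path = m.group(1).lower(), m.group(2)
            if "s" in attrs and "h" in attrs:
                hidden_system.add(basename(path))
            continue
        kind = next((v for k, v in LOAD_POINT_PREFIXES.items() if line.startswith(k)), None)
        if kind is None and SERVICE_RE.match(line):
            kind = "Service"
        if kind is None:
            continue
        for mod in MODULE_RE.findall(line):
            load_points[mod.lower()].add(kind)
    return load_points, hidden_system


def triage(mbam_text, dds_text):
    """Cross-reference both reports and return the findings a responder wants."""
    mbam = parse_mbam_files(mbam_text)
    load_points, hidden_system = parse_dds(dds_text)
    referenced = set(load_points)
    return {
        # MBAM deferred the delete, but a live load point still names the file.
        "still_referenced": sorted(
            name for name, (_, action) in mbam.items()
            if action.lower().startswith("delete on reboot") and name in referenced),
        # System+hidden files that some load point actually loads.
        "hidden_loaded": sorted(hidden_system & referenced),
        # System+hidden files nothing loads: dormant copies worth collecting first.
        "hidden_dormant": sorted(hidden_system - referenced),
        # Service images without an executable extension (the .xdj service here).
        "odd_service_images": sorted(
            name for name, kinds in load_points.items()
            if "Service" in kinds and name.rsplit(".", 1)[-1] not in PE_EXTENSIONS),
        # One module reached from several load points: redundant persistence.
        "multi_point": {name: sorted(kinds) for name, kinds in load_points.items() if len(kinds) > 1},
    }


if __name__ == "__main__":
    for key, value in triage(MBAM_EXCERPT, DDS_EXCERPT).items():
        print(f"{key}: {value}")
```

Run as-is it prints the findings for the excerpts; paste full MBAM and DDS logs into the two strings to triage a real pair. The still_referenced list is the reason a single "Delete on reboot" pass is not proof of removal, and hidden_dormant names the files to collect before a further cleanup pass wipes them.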



#2 RealTalk

RealTalk
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Local time:02:54 PM

Posted 11 October 2009 - 09:17 PM

Never mind, he says he's got everything fixed. You can close this one; I'll make a new post with new scans if anything else comes up.

Thanks for all the help on our 3 computers.

Edited by RealTalk, 11 October 2009 - 09:20 PM.


#3 Farbar


Posted 15 October 2009 - 06:10 PM

Thanks for letting us know.

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.



