Infected Computer


  • This topic is locked
14 replies to this topic

#1 lacduflam

  • Members
  • 9 posts

Posted 08 October 2009 - 07:35 PM

Win XP, Home Edition, ver 2002, service pack 2

I'm not sure how I got this, but my computer is being taken over. There seemed to be two different things running. One was Antivirus Pro 2010 and the other is called Security Tool. Fake security alerts keep popping up telling me about infections and trying to get me to buy some program. My web browsing was also being rerouted pretty heavily (often to a site called thefeedyard.com). It also has disabled my task manager - it says I don't have permission. The same thing happens when I try to run programs like Malwarebytes or Hijack This. At one point I was able to run IObit Security 360 and Spyware Doctor. After that Antivirus Pro 2010 doesn't seem to be running anymore (at least I can't see it in the tray or in pop ups anymore), but Security Tool is still going crazy.
Any speedy help would be greatly appreciated as the computer I have infected is my brother's.

This was my result from an earlier post http://www.bleepingcomputer.com/forums/t/262967/infected-compuer/

Your system is infected with a new rootkit variant that has become quite pervasive as evidenced by these entries:
    Mount point destination : \Device\__max++>\^
    [1] 2004-08-04 06:00:00 61952 C:\WINDOWS\SYSTEM32\eventlog.dll ()


I tried to run dds.scr and RootRepeal. When I run dds, it says it is "not a valid win32 application". RootRepeal starts to scan for about 30 seconds then the program just closes.

Here are some logs from my earlier post

Win32kDiag.txt -

Running from: C:\Documents and Settings\Rachel\Desktop\Win32kDiag.exe
Log file at : C:\Documents and Settings\Rachel\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\ASSEMBLY\TEMP\TEMP
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ASSEMBLY\TMP\TMP
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Debug\UserMode\UserMode
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\History\History.IE5\History.IE5
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\IME\CHSIME\APPLETS\APPLETS
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\IME\CHTIME\Applets\Applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\IME\IMEJP\APPLETS\APPLETS
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\IME\IMEJP98\IMEJP98
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\IME\IMJP8_1\APPLETS\APPLETS
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\IME\IMKR6_1\APPLETS\APPLETS
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\IME\IMKR6_1\DICTS\DICTS
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\IME\SHARED\RES\RES
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\JAVA\CLASSES\CLASSES
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\JAVA\TRUSTLIB\TRUSTLIB
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\MSAPPS\MSINFO\MSINFO
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\MUI\MUI
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QHEADLES\QHEADLES
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Config\CheckPoint\CheckPoint
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\HelpFiles\HelpFiles
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\InstalledSKUs\InstalledSKUs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\DFS
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PIF\PIF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Recent\Recent
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\0dd0244816ffb4b094c1caba4c3b1178\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\6913c676e5d33978934caa46c49fdc75\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b7f0b2892b21211a5630518d058f48d9\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d48a3b967ba5709df048e8f2a49cf8a6\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\10\policy\policy
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\msft\msft
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\policy\msft\msft
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\msft\msft
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\policy\msft\msft
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\60\msft\msft
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\70\70
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\5a0d771158cfd69be5ddd26d8f58c73b\5a0d771158cfd69be5ddd26d8f58c73b
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\SYSTEM32\DUMPREP.EXE
[1] 2008-04-13 19:12:18 10752 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\dumprep.exe (Microsoft Corporation)
[1] 2004-08-04 06:00:00 10752 C:\WINDOWS\SYSTEM32\DUMPREP.EXE ()
[1] 2004-08-04 06:00:00 10752 C:\i386\DUMPREP.EXE (Microsoft Corporation)

Cannot access: C:\WINDOWS\SYSTEM32\eventlog.dll
[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll (Microsoft Corporation)
[1] 2004-08-04 06:00:00 61952 C:\WINDOWS\SYSTEM32\eventlog.dll ()
[2] 2004-08-04 06:00:00 55808 C:\WINDOWS\SYSTEM32\logevent.dll (Microsoft Corporation)
[1] 2004-08-04 06:00:00 55808 C:\i386\EVENTLOG.DLL (Microsoft Corporation)

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Mount point destination : \Device\__max++>\^

Finished!




Log.txt -

Volume in drive C has no label.
Volume Serial Number is CCEF-4C6A

Directory of C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e

04/13/2008 07:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e

04/13/2008 07:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e

04/13/2008 07:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\SYSTEM32

08/04/2004 06:00 AM 180,224 SCECLI.DLL

Directory of C:\WINDOWS\SYSTEM32

08/04/2004 06:00 AM 407,040 NETLOGON.DLL

Directory of C:\WINDOWS\SYSTEM32

08/04/2004 06:00 AM 61,952 eventlog.dll
3 File(s) 649,216 bytes

Total Files Listed:
6 File(s) 1,293,824 bytes
0 Dir(s) 29,767,045,120 bytes free

Thank You in advance for any and all help.
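Added example (not part of the thread and not a tool from any of its participants): the reply quoted at the top of this post reads the Win32kDiag output as rootkit evidence on two grounds. Dozens of unrelated directories under C:\WINDOWS have become mount points whose destination is a \Device\... object rather than a volume, and a system32 file that cannot be opened has a size (61952) matching neither the i386 copy (55808) nor the SoftwareDistribution copy (56320), even though its timestamp still reads 2004-08-04. The Python below applies both checks to a constructed excerpt in the same format. The Data\Data mount point and its Volume{...} GUID are invented as a benign control; every other sample line mirrors a line from the log above.

```python
r"""
Check Win32kDiag output for the two indicators the earlier reply treated as rootkit
evidence: (1) mount points whose destination is not a normal target (anything mountvol
or mklink creates resolves under \??\, a Volume{GUID} or drive path, never a bare
\Device\... object path); (2) "Cannot access" files whose size matches none of the other
same-named copies listed beside them (the locked copies keep the original 2004-08-04
timestamp, so size is the only tell). Added example, not a tool from the thread.
SAMPLE_LOG is a constructed excerpt in the Win32kDiag.txt format posted above; the
Data\Data mount point and its Volume GUID are invented as a benign control.
"""
import ntpath
import re
from collections import namedtuple
from dataclasses import dataclass, field

SAMPLE_LOG = r"""
Running from: C:\Documents and Settings\Rachel\Desktop\Win32kDiag.exe
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\ASSEMBLY\TEMP\TEMP
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\MUI\MUI
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Data\Data
Mount point destination : \??\Volume{3a1b2c4d-0000-0000-0000-000000000000}\
Cannot access: C:\WINDOWS\SYSTEM32\DUMPREP.EXE
[1] 2008-04-13 19:12:18 10752 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\dumprep.exe (Microsoft Corporation)
[1] 2004-08-04 06:00:00 10752 C:\WINDOWS\SYSTEM32\DUMPREP.EXE ()
[1] 2004-08-04 06:00:00 10752 C:\i386\DUMPREP.EXE (Microsoft Corporation)
Cannot access: C:\WINDOWS\SYSTEM32\eventlog.dll
[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll (Microsoft Corporation)
[1] 2004-08-04 06:00:00 61952 C:\WINDOWS\SYSTEM32\eventlog.dll ()
[2] 2004-08-04 06:00:00 55808 C:\WINDOWS\SYSTEM32\logevent.dll (Microsoft Corporation)
[1] 2004-08-04 06:00:00 55808 C:\i386\EVENTLOG.DLL (Microsoft Corporation)
Finished!
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
LOCKED_RE = re.compile(r"^Cannot access: (.+)$")
# [n] <date> <time> <size> <path> (<company>); the path may contain spaces
COPY_RE = re.compile(r"^\[\d+\] (\S+ \S+) (\d+) (.+) \(([^()]*)\)$")
FileCopy = namedtuple("FileCopy", "stamp size path company")

@dataclass
class LockedFile:
    path: str
    copies: list = field(default_factory=list)

def parse(log):
    """Return (mount_points, locked_files); mount points are (path, destination) pairs."""
    mounts, locked, pending, current = [], [], None, None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue  # Win32kDiag double-spaces its output; blank lines carry nothing
        if m := MOUNT_RE.match(line):
            pending, current = m.group(1), None
        elif (m := DEST_RE.match(line)) and pending is not None:
            mounts.append((pending, m.group(1)))
            pending = None
        elif m := LOCKED_RE.match(line):
            current = LockedFile(m.group(1))
            locked.append(current)
        elif (m := COPY_RE.match(line)) and current is not None:
            stamp, size, path, company = m.groups()
            current.copies.append(FileCopy(stamp, int(size), path, company))
        else:
            current = None  # any other line ends a "Cannot access" block
    return mounts, locked

def suspicious_mount_points(mounts):
    # Volume mount points and junctions resolve under \??\; anything else is worth a look.
    return [mp for mp in mounts if not mp[1].startswith("\\??\\")]

def patched_locked_files(locked):
    """Locked files whose size matches none of the other same-named copies listed."""
    findings = []
    for lf in locked:
        name = ntpath.basename(lf.path).lower()
        own = [c for c in lf.copies if c.path.lower() == lf.path.lower()]
        # Compare only against copies of the same file name: Win32kDiag also lists
        # unrelated files of matching size (logevent.dll next to eventlog.dll).
        siblings = [c for c in lf.copies if c.path.lower() != lf.path.lower()
                    and ntpath.basename(c.path).lower() == name]
        if own and siblings and all(c.size != own[0].size for c in siblings):
            findings.append((lf.path, own[0].size, sorted({c.size for c in siblings})))
    return findings

def report(log):
    """Summarise one log: redirected directories grouped by target, patched files, caveat."""
    mounts, locked = parse(log)
    by_dest = {}
    for path, dest in suspicious_mount_points(mounts):
        by_dest.setdefault(dest, []).append(path)
    return {
        "mount_points": len(mounts),
        "suspicious_destinations": by_dest,
        "patched_files": patched_locked_files(locked),
        # SeBackupPrivilege is what lets a scanner read past ACLs; a run without it
        # can leave directories unread, so an empty result is not proof of a clean box.
        "had_backup_privilege": "Could not get backup privileges" not in log,
    }
```

Pointed at a saved Win32kDiag.txt (report(open(path).read())), the suspicious_destinations map groups every redirected directory by its target, which is how a helper sees at a glance that fifty unrelated folders resolve to one object; patched_files lists only the locked file whose size disagrees with every clean copy, so DUMPREP.EXE, which is locked but the right size, is left alone. The had_backup_privilege flag records the WARNING at the top of this log: a scan run without that privilege can have skipped directories, which is a reason to treat its findings as a lower bound.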


#2 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 09 October 2009 - 04:02 PM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.



Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


[image]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 lacduflam

  • Topic Starter
  • Members
  • 9 posts

Posted 09 October 2009 - 07:45 PM

Hi Sam.

Thank you for your help.

When I run combofix, it says there is a real time scanner still active (Symantec Antivirus Corporate Edition). I can't find what is running. There is nothing in the tray in the lower right of my screen, and I can't find any processes that go to Symantec. When I open the Symantec program, it looks like it is not loaded.

Should I run combofix anyway?

Thanks again.


Process list saved on 7:50:08 PM, on 10/9/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)

[pid] [full path to filename] [file version] [company name]
1216 C:\WINDOWS\system32\csrss.exe 5.1.2600.2180 Microsoft Corporation
1244 C:\WINDOWS\system32\winlogon.exe 5.1.2600.2180 Microsoft Corporation
1292 C:\WINDOWS\system32\services.exe 5.1.2600.3520 Microsoft Corporation
1304 C:\WINDOWS\system32\lsass.exe 5.1.2600.2180 Microsoft Corporation
1456 C:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1572 C:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1616 C:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1696 C:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1816 C:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
372 C:\WINDOWS\Explorer.EXE 6.0.2900.3156 Microsoft Corporation
536 C:\WINDOWS\system32\spoolsv.exe 5.1.2600.2696 Microsoft Corporation
968 C:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1488 C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe 0.0.0.0 Cisco Systems, Inc.
1932 C:\WINDOWS\system32\drivers\KodakCCS.exe 1.1.5100.4 Eastman Kodak Company
1972 C:\WINDOWS\system32\ctfmon.exe 5.1.2600.2180 Microsoft Corporation
1980 C:\WINDOWS\system32\rundll32.exe 5.1.2600.2180 Microsoft Corporation
2024 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE 7.0.9466.0 Microsoft Corporation
344 C:\Program Files\Microsoft LifeCam\MSCamSvc.exe 1.10.148.0 Microsoft Corporation
540 C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_190007_37055e\Setup.exe 5.1.25.7 Eastman Kodak Company
608 C:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
624 C:\Program Files\Viewpoint\Common\ViewpointService.exe 2.0.0.54 Viewpoint Corporation
604 C:\WINDOWS\System32\WLTRYSVC.EXE
868 C:\WINDOWS\System32\bcmwltry.exe 3.40.67.0 Dell Computer Corporation
1756 C:\WINDOWS\System32\alg.exe 5.1.2600.2180 Microsoft Corporation
708 C:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1908 C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe 2.0.0.54 Viewpoint Corporation
992 C:\Program Files\Mozilla Firefox\firefox.exe 1.8.20081.21709 Mozilla Corporation
2908 C:\Program Files\Trend Micro\HijackThis\HijackThis.exe 2.0.0.2 Trend Micro Inc.

Edited by lacduflam, 09 October 2009 - 07:53 PM.


#4 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 09 October 2009 - 10:01 PM

Go ahead and run Combofix.

========================================================

#5 lacduflam

  • Topic Starter
  • Members
  • 9 posts

Posted 10 October 2009 - 12:15 AM

I ran combofix. It said a rootkit was detected and asked me to write down this file - c:\windows\system32\twex.exe.
When my computer rebooted after combofix a window came up titled RUNDLL which said "Error loading c:\windows\system32\nogilini.dll The specified module could not be found."
Windows Security also popped up in the task bar saying I had no firewall, so I turned on the windows firewall.

Here is the log:

ComboFix 09-10-08.04 - Rachel 10/09/2009 23:48.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.254.73 [GMT -5:00]
Running from: c:\documents and settings\Rachel\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\ikodycerys.inf
c:\documents and settings\All Users\Application Data\magi.vbs
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\All Users\Application Data\teciceju.dl
c:\documents and settings\All Users\Application Data\uhugi.bat
c:\documents and settings\All Users\Application Data\ulasugami._sy
c:\documents and settings\All Users\Application Data\wuzybyhek._dl
c:\documents and settings\All Users\Documents\bidozoniwi.bat
c:\documents and settings\All Users\Documents\dowi.sys
c:\documents and settings\All Users\Documents\mymejyl.exe
c:\documents and settings\All Users\Documents\ocozotoxi._dl
c:\documents and settings\All Users\Documents\wasuta.dl
c:\documents and settings\All Users\Documents\wixot.reg
c:\documents and settings\All Users\Documents\xapyqe.bin
c:\documents and settings\All Users\Documents\ybuj.dll
c:\documents and settings\Rachel\Application Data\adewelohe.pif
c:\documents and settings\Rachel\Application Data\bupyhut.ban
c:\documents and settings\Rachel\Application Data\cubafatu._dl
c:\documents and settings\Rachel\Application Data\epuzuvev.exe
c:\documents and settings\Rachel\Application Data\goraj.vbs
c:\documents and settings\Rachel\Application Data\ibunihur.vbs
c:\documents and settings\Rachel\Application Data\iniasd.txt
c:\documents and settings\Rachel\Application Data\mypybiwom.scr
c:\documents and settings\Rachel\Application Data\oriloqato.sys
c:\documents and settings\Rachel\Application Data\pezejol.dll
c:\documents and settings\Rachel\Application Data\sakevex.vbs
c:\documents and settings\Rachel\Application Data\unib.bat
c:\documents and settings\Rachel\Application Data\yrysuqiba.dl
c:\documents and settings\Rachel\Cookies\cotydupik.db
c:\documents and settings\Rachel\Cookies\cupac.db
c:\documents and settings\Rachel\Cookies\enigo.db
c:\documents and settings\Rachel\Cookies\gilojug.bin
c:\documents and settings\Rachel\Cookies\iryluni.dll
c:\documents and settings\Rachel\Cookies\jimyw.scr
c:\documents and settings\Rachel\Cookies\lyzer._dl
c:\documents and settings\Rachel\Cookies\ofyzafy.dat
c:\documents and settings\Rachel\Cookies\xuzisi.pif
c:\documents and settings\Rachel\Cookies\yvib.dll
c:\documents and settings\Rachel\Cookies\ywufoxu.exe
c:\documents and settings\Rachel\Cookies\zejohew.db
c:\documents and settings\Rachel\Local Settings\Application Data\aroho.bin
c:\documents and settings\Rachel\Local Settings\Application Data\ehubyha._sy
c:\documents and settings\Rachel\Local Settings\Application Data\ihijezoh.bin
c:\documents and settings\Rachel\Local Settings\Application Data\ipaloc._dl
c:\documents and settings\Rachel\Local Settings\Application Data\jegusuke.dl
c:\documents and settings\Rachel\Local Settings\Application Data\ledajog._dl
c:\documents and settings\Rachel\Local Settings\Application Data\monowycequ.scr
c:\documents and settings\Rachel\Local Settings\Application Data\najyjegys.exe
c:\documents and settings\Rachel\Local Settings\Application Data\ryry.com
c:\documents and settings\Rachel\Local Settings\Application Data\ujanedogi.ban
c:\documents and settings\Rachel\Local Settings\Application Data\ydybyk._dl
c:\documents and settings\Rachel\Local Settings\Application Data\ynyloz.dll
c:\documents and settings\Rachel\Local Settings\Temporary Internet Files\arygyj.sys
c:\documents and settings\Rachel\Local Settings\Temporary Internet Files\dilozuxyl.com
c:\documents and settings\Rachel\Local Settings\Temporary Internet Files\eger.bin
c:\documents and settings\Rachel\Local Settings\Temporary Internet Files\icuzote.exe
c:\documents and settings\Rachel\Local Settings\Temporary Internet Files\jibuwolir.com
c:\documents and settings\Rachel\Local Settings\Temporary Internet Files\ofafuvor.exe
c:\documents and settings\Rachel\Local Settings\Temporary Internet Files\ypomo.dll
c:\documents and settings\Rachel\Local Settings\Temporary Internet Files\zasy.vbs
c:\documents and settings\Rachel\ntuser.dll
c:\documents and settings\Rachel\Start Menu\Programs\Startup\scandisk.dll
c:\documents and settings\Rachel\Start Menu\Programs\Startup\scandisk.lnk
c:\program files\Common Files\aquvityf.ban
c:\program files\Common Files\isyqotykar.bin
c:\program files\Common Files\mela.bin
c:\program files\Common Files\orusatu.sys
c:\program files\Common Files\vapibype.exe
c:\program files\Windows Police Pro
c:\windows\apyd.sys
c:\windows\bukupyjivy._sy
c:\windows\duvusimaty.inf
c:\windows\igef.bin
c:\windows\ipalejaxy.inf
c:\windows\odocebabut._dl
c:\windows\ozalo.bat
c:\windows\posyp.reg
c:\windows\rimoxehimo._sy
c:\windows\system32\akap.sys
c:\windows\system32\avinig.inf
c:\windows\system32\bidatemi.dll
c:\windows\system32\bincd32.dat
c:\windows\system32\calc.dll
c:\windows\system32\emoninibe.sys
c:\windows\system32\gufipato.dll
c:\windows\system32\hekewufu.exe
c:\windows\system32\hezaguga.dll
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
c:\windows\system32\jixod.ban
c:\windows\system32\lokegepe.dll
c:\windows\system32\modopise.dll
c:\windows\system32\nakuwiyi.dll
c:\windows\system32\nogilini.dll
c:\windows\system32\otyhenin.ban
c:\windows\system32\twain32
c:\windows\system32\twain32\local.ds
c:\windows\system32\twain32\user.ds
c:\windows\system32\twex.exe
c:\windows\system32\wispex.html
c:\windows\system32\xixoj.pif
c:\windows\system32\yejuhuwo.dll
c:\windows\system32\zavuvuhi.dll
c:\windows\system32\zysyr._dl
c:\windows\ujokemojat.reg
c:\windows\vemahek._dl
c:\windows\vepawukoge.vbs
c:\windows\waloxodafi.pif
c:\windows\win32k.sys
c:\windows\xedaz.vbs

----- BITS: Possible infected sites -----

hxxp://193.33.61.160
Infected copy of c:\windows\SYSTEM32\winlogon.exe was found and disinfected
Restored copy from - c:\i386\WINLOGON.EXE

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-09-10 to 2009-10-10 )))))))))))))))))))))))))))))))
.

2009-10-10 00:29 . 2009-10-10 00:29 -------- d-----w- c:\program files\Trend Micro
2009-10-10 00:03 . 2009-10-10 00:03 -------- d-----w- c:\program files\Unlocker
2009-10-09 18:13 . 2009-10-09 18:12 37 ----a-w- c:\windows\system32\delete.bat
2009-10-09 14:54 . 2009-10-09 15:07 58 ----a-w- c:\windows\wf4.dat
2009-10-09 14:54 . 2009-10-09 15:07 1 ----a-w- c:\windows\wf3.dat
2009-10-09 14:54 . 2009-10-09 14:54 36 ----a-w- c:\windows\system32\skynet.dat
2009-10-09 14:53 . 2009-10-09 14:53 -------- d-----w- c:\documents and settings\All Users\Application Data\69703732
2009-10-08 16:54 . 2009-10-08 17:53 1011437 ----a-w- c:\windows\system32\dovedeho.exe
2009-10-08 06:31 . 2009-10-08 18:23 -------- dc----w- c:\windows\system32\DRVSTORE
2009-10-08 06:30 . 2009-10-08 18:24 -------- dc-h--w- c:\documents and settings\All Users\Application Data\~0
2009-10-08 06:29 . 2009-10-08 18:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-10-08 04:20 . 2009-10-08 04:20 -------- d-----w- c:\documents and settings\All Users\Application Data\67698844
2009-10-07 16:35 . 2009-10-07 16:35 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2009-10-07 14:56 . 2009-10-07 16:55 -------- d-----w- c:\documents and settings\All Users\Application Data\47103722
2009-10-07 05:00 . 2009-10-07 05:00 19487 ----a-w- c:\documents and settings\Rachel\Local Settings\Application Data\yzibuja.dat
2009-10-07 04:25 . 2009-10-07 04:25 17945 ----a-w- c:\windows\docinyvada.dat
2009-10-07 04:25 . 2009-10-07 04:25 11057 ----a-w- c:\windows\system32\esawume.com
2009-10-07 04:04 . 2009-10-08 18:28 -------- d-----w- c:\program files\Common Files\PC Tools
2009-10-07 02:35 . 2009-10-07 03:07 -------- d--h--w- c:\windows\PIF
2009-10-06 23:48 . 2009-10-06 23:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\Talkback
2009-10-06 23:47 . 2009-10-06 23:47 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-10-06 23:14 . 2009-10-06 23:14 15727 ----a-w- c:\windows\kitofana.com
2009-10-06 23:14 . 2009-10-06 23:14 15180 ----a-w- c:\windows\system32\naguhetak.com
2009-10-06 23:06 . 2009-10-07 18:16 -------- d-----w- c:\program files\Google
2009-10-06 22:15 . 2009-10-08 18:29 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-06 17:00 . 2009-10-06 17:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-06 06:35 . 2009-10-06 06:35 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2009-10-06 00:18 . 2009-10-06 00:18 -------- d-----w- c:\windows\ServicePackFiles
2009-10-01 21:50 . 2009-06-21 22:04 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-10-01 21:44 . 2009-06-05 07:42 655872 ------w- c:\windows\system32\dllcache\mstscax.dll
2009-10-01 21:42 . 2009-07-14 00:17 9464 ------w- c:\windows\system32\drivers\cdralw2k.sys
2009-10-01 21:42 . 2009-07-14 00:17 9336 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2009-10-01 21:42 . 2009-07-14 00:17 129784 ------w- c:\windows\system32\pxafs.dll
2009-10-01 21:42 . 2009-07-14 00:17 120056 ------w- c:\windows\system32\pxcpyi64.exe
2009-10-01 21:42 . 2009-07-14 00:17 118520 ------w- c:\windows\system32\pxinsi64.exe
2009-10-01 21:39 . 2009-10-01 21:40 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-10-01 21:39 . 2009-10-01 21:42 -------- d-----w- c:\program files\DivX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-10 00:17 . 2005-01-14 03:56 -------- d-----w- c:\program files\Symantec AntiVirus
2009-10-07 17:17 . 2008-09-18 02:50 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-07 17:17 . 2008-09-18 02:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-07 00:24 . 2004-08-04 11:00 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 00:24 . 2004-08-04 11:00 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 00:24 . 2005-05-26 09:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 00:24 . 2005-01-15 19:12 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 00:24 . 2004-08-04 11:00 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-07 00:24 . 2004-08-04 11:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 00:23 . 2004-08-04 11:00 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 00:23 . 2004-08-04 11:00 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:11 . 2004-08-04 11:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 18:55 . 2004-08-04 11:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2004-08-04 11:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-14 00:17 . 2004-09-23 08:03 43528 ------w- c:\windows\system32\drivers\pxhelp20.sys
2009-07-14 00:15 . 2009-07-14 00:15 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-07-14 00:15 . 2009-07-14 00:15 823296 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-07-14 00:15 . 2009-07-14 00:15 823296 ----a-w- c:\windows\system32\divx_xx07.dll
2009-07-14 00:15 . 2009-07-14 00:15 815104 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-07-14 00:15 . 2009-07-14 00:15 811008 ----a-w- c:\windows\system32\divx_xx16.dll
2009-07-14 00:15 . 2009-07-14 00:15 802816 ----a-w- c:\windows\system32\divx_xx11.dll
2009-07-14 00:15 . 2009-07-14 00:15 685056 ----a-w- c:\windows\system32\DivX.dll
2009-03-17 12:06 . 2008-01-13 20:20 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-03-17 12:06 . 2008-01-13 20:20 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-03-17 12:06 . 2008-01-13 20:20 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-03-17 12:06 . 2008-01-13 20:20 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-03-17 12:06 . 2008-01-13 20:20 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2009-07-14 00:16 . 2009-07-14 00:16 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-07-14 00:16 . 2009-07-14 00:16 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-07-06 05:58 . 2009-07-06 05:58 1047665 --sha-w- c:\windows\SYSTEM32\boserote.exe
2009-07-08 17:42 . 2009-07-08 17:42 1011515 --sha-w- c:\windows\SYSTEM32\doyanavo.exe
2009-07-08 17:42 . 2009-07-08 17:42 39502 --sha-w- c:\windows\SYSTEM32\gavuzeyi.dll
2009-07-07 14:46 . 2009-07-07 14:46 39502 --sha-w- c:\windows\SYSTEM32\giyesewu.dll
2009-07-07 14:46 . 2009-07-07 14:46 1050225 --sha-w- c:\windows\SYSTEM32\jonanimo.exe
2009-07-06 05:58 . 2009-07-06 05:58 1048689 --sha-w- c:\windows\SYSTEM32\nipiluti.exe
2009-07-09 14:53 . 2009-07-09 14:53 194134 --sha-w- c:\windows\SYSTEM32\pemumimo.exe
2009-07-06 17:58 . 2009-07-06 17:58 52814 --sha-w- c:\windows\SYSTEM32\seyayewi.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-26 282624]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-04 158208]

c:\documents and settings\Rachel\Start Menu\Programs\Startup\
delete.bat [2009-10-9 37]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk
backup=c:\windows\pss\Cisco Systems VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Rachel^Start Menu^Programs^Startup^..]
path=c:\documents and settings\Rachel\Start Menu\Programs\Startup\..
backup=c:\windows\pss\..Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Rachel^Start Menu^Programs^Startup^scandisk.dll]
path=c:\documents and settings\Rachel\Start Menu\Programs\Startup\scandisk.dll
backup=c:\windows\pss\scandisk.dllStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Rachel^Start Menu^Programs^Startup^scandisk.lnk]
path=c:\documents and settings\Rachel\Start Menu\Programs\Startup\scandisk.lnk
backup=c:\windows\pss\scandisk.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xrt_Shell

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"DefWatch"=2 (0x2)
"Symantec AntiVirus"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\MSHTA.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Documents and Settings\\Rachel\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\BINARIES\\HelpSvc.exe"=

S0 TheStubwareDriver;TheStubware Driver; [x]
S1 ActiveMonitor;ActiveMonitor Driver; [x]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://news.bbc.co.uk/
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Rachel\Application Data\Mozilla\Firefox\Profiles\srzzkhm9.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.bbc.co.uk/
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-sonenaguv - c:\windows\system32\nogilini.dll
SharedTaskScheduler-{8459093f-106b-446f-9415-d5719741108c} - c:\windows\system32\nogilini.dll
SSODL-hesubopok-{8459093f-106b-446f-9415-d5719741108c} - c:\windows\system32\nogilini.dll
AddRemove-RealJukebox 1.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe
AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-09 23:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1248)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(2496)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\SYSTEM32\DRIVERS\KodakCCS.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft LifeCam\MSCamSvc.exe
c:\program files\Viewpoint\Common\ViewpointService.exe
c:\windows\SYSTEM32\BCMWLTRY.EXE
c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_190007_37055e\Setup.exe
c:\windows\SYSTEM32\FXSSVC.EXE
c:\windows\SYSTEM32\RUNDLL32.EXE
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\SYSTEM32\WSCNTFY.EXE
.
**************************************************************************
.
Completion time: 2009-10-10 0:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-10 05:06

Pre-Run: 29,981,011,968 bytes free
Post-Run: 30,022,647,808 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
364 --- E O F --- 2009-10-06 00:22



Thanks again for the help.

#6 Buckeye_Sam (Malware Expert)

Posted 10 October 2009 - 08:22 AM

Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.


====================


Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

Driver::
TheStubwareDriver
ActiveMonitor

File::
c:\windows\wf4.dat
c:\windows\wf3.dat
c:\windows\system32\skynet.dat
c:\documents and settings\Rachel\Local Settings\Application Data\yzibuja.dat
c:\windows\docinyvada.dat
c:\windows\system32\esawume.com
c:\windows\kitofana.com
c:\windows\system32\naguhetak.com
c:\windows\SYSTEM32\boserote.exe
c:\windows\SYSTEM32\doyanavo.exe
c:\windows\SYSTEM32\gavuzeyi.dll
c:\windows\SYSTEM32\giyesewu.dll
c:\windows\SYSTEM32\jonanimo.exe
c:\windows\SYSTEM32\nipiluti.exe
c:\windows\SYSTEM32\pemumimo.exe
c:\windows\SYSTEM32\seyayewi.dll

Folder::
c:\documents and settings\All Users\Application Data\69703732
c:\documents and settings\All Users\Application Data\~0
c:\documents and settings\All Users\Application Data\67698844
c:\documents and settings\All Users\Application Data\47103722

Registry::
[-HKLM\~\startupfolder\C:^Documents and Settings^Rachel^Start Menu^Programs^Startup^scandisk.dll]
[-HKLM\~\startupfolder\C:^Documents and Settings^Rachel^Start Menu^Programs^Startup^scandisk.lnk]

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

Prior to running Combofix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.


This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


========================================================
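The files named in the File:: section of the CFScript above are the ones the earlier ComboFix report listed in system32 with the hidden and system attributes set (the `--sha-w-` column), which is the pattern a helper looks for when triaging such a log. As an added example, not part of ComboFix or of this thread, the following Python parses report lines of that format and flags hidden+system executables; the attribute column layout is inferred from the log lines on this page, and the sample lines are copied from the page rather than taken from a live scan.

```python
"""Triage helper for ComboFix 'Files Created' / 'Find3M' report lines.

Added example (not ComboFix's own code). Each report line has the shape

    <created> . <modified> <size|--------> <attrs> <path>

where <attrs> is an 8-character column such as "--sha-w-" or "d-----w-".
The column positions used below (d=directory, s=system, h=hidden) are
inferred from the lines in the log above; treat a flag as a lead for
review, not a verdict, since some legitimate files are also hidden+system.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".com", ".sys", ".scr")


@dataclass(frozen=True)
class Entry:
    created: str
    modified: str
    size: Optional[int]   # None for directories (size column is "--------")
    attrs: str            # raw 8-character attribute column
    path: str

    @property
    def is_directory(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def is_system(self) -> bool:
        return self.attrs[2] == "s"

    @property
    def is_hidden(self) -> bool:
        return self.attrs[3] == "h"

    @property
    def is_executable(self) -> bool:
        return self.path.lower().endswith(EXECUTABLE_SUFFIXES)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one report line; return None for headers, dots and blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    return Entry(m["created"], m["modified"], size, m["attrs"], m["path"])


def flag_hidden_system_executables(lines: Iterable[str]) -> List[str]:
    """Return paths of non-directory executables carrying both s and h."""
    flagged = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry.is_directory:
            continue
        if entry.is_system and entry.is_hidden and entry.is_executable:
            flagged.append(entry.path)
    return flagged


# Constructed sample: lines copied from the report on this page, plus the
# section header and "." separator lines ComboFix prints around them.
SAMPLE_REPORT = [
    "(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))",
    ".",
    r"2009-07-14 00:15 . 2009-07-14 00:15 685056 ----a-w- c:\windows\system32\DivX.dll",
    r"2009-07-06 05:58 . 2009-07-06 05:58 1047665 --sha-w- c:\windows\SYSTEM32\boserote.exe",
    r"2009-07-08 17:42 . 2009-07-08 17:42 39502 --sha-w- c:\windows\SYSTEM32\gavuzeyi.dll",
    r"2009-10-07 02:35 . 2009-10-10 16:03 -------- d--h--w- c:\windows\PIF",
    r"2009-10-08 06:31 . 2009-10-08 18:23 -------- dc----w- c:\windows\system32\DRVSTORE",
    r"2009-07-09 14:53 . 2009-07-09 14:53 194134 --sha-w- c:\windows\SYSTEM32\pemumimo.exe",
    ".",
]


if __name__ == "__main__":
    for path in flag_hidden_system_executables(SAMPLE_REPORT):
        print("hidden+system executable:", path)
```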

#7 lacduflam (Topic Starter)

Posted 10 October 2009 - 11:31 AM

Sam -

I shut down my computer last night. When I booted it up this morning, the phony "Security Tool" program opened up displaying a window saying I have however many viruses. It won't let me run any programs (including win32kdiag or Notepad). It had an icon in the system tray and when I tried to run anything it says "notepad.exe is infected with worm Lsas.Blaster.Keyoger. the worm is trying to send your credit card details". That example is for when I try to run Notepad. It also blocked my Task Manager and Hijack This.
Once I began typing this post, I tried opening Task Manager again and it randomly worked. I ended the process 69703732.exe and the phony Security Tool closed. So I was finally able to get these logs:

Win32kdiag Log:

Running from: C:\Documents and Settings\Rachel\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Rachel\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\ASSEMBLY\TEMP\TEMP

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ASSEMBLY\TEMP\TEMP

Found mount point : C:\WINDOWS\ASSEMBLY\TMP\TMP

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ASSEMBLY\TMP\TMP

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Debug\UserMode\UserMode

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Found mount point : C:\WINDOWS\History\History.IE5\History.IE5

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\History\History.IE5\History.IE5

Found mount point : C:\WINDOWS\IME\CHSIME\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\CHSIME\APPLETS\APPLETS

Found mount point : C:\WINDOWS\IME\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\IME\IMEJP\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\IMEJP\APPLETS\APPLETS

Found mount point : C:\WINDOWS\IME\IMEJP98\IMEJP98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\IMEJP98\IMEJP98

Found mount point : C:\WINDOWS\IME\IMJP8_1\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\IMJP8_1\APPLETS\APPLETS

Found mount point : C:\WINDOWS\IME\IMKR6_1\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\IMKR6_1\APPLETS\APPLETS

Found mount point : C:\WINDOWS\IME\IMKR6_1\DICTS\DICTS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\IMKR6_1\DICTS\DICTS

Found mount point : C:\WINDOWS\IME\SHARED\RES\RES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\SHARED\RES\RES

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Found mount point : C:\WINDOWS\JAVA\CLASSES\CLASSES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\JAVA\CLASSES\CLASSES

Found mount point : C:\WINDOWS\JAVA\TRUSTLIB\TRUSTLIB

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\JAVA\TRUSTLIB\TRUSTLIB

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\MSAPPS\MSINFO\MSINFO

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\MSAPPS\MSINFO\MSINFO

Found mount point : C:\WINDOWS\MUI\MUI

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\MUI\MUI

Found mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\DFS

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PIF\PIF

Found mount point : C:\WINDOWS\Recent\Recent

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Recent\Recent

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\0dd0244816ffb4b094c1caba4c3b1178\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\0dd0244816ffb4b094c1caba4c3b1178\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\6913c676e5d33978934caa46c49fdc75\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\6913c676e5d33978934caa46c49fdc75\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b7f0b2892b21211a5630518d058f48d9\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\b7f0b2892b21211a5630518d058f48d9\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d48a3b967ba5709df048e8f2a49cf8a6\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\d48a3b967ba5709df048e8f2a49cf8a6\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\10\policy\policy

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\10\policy\policy

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\policy\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\policy\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\policy\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\policy\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\60\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\60\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\70\70

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\70\70

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\5a0d771158cfd69be5ddd26d8f58c73b\5a0d771158cfd69be5ddd26d8f58c73b

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\5a0d771158cfd69be5ddd26d8f58c73b\5a0d771158cfd69be5ddd26d8f58c73b

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Cannot access: C:\WINDOWS\SYSTEM32\DUMPREP.EXE

Attempting to restore permissions of : C:\WINDOWS\SYSTEM32\DUMPREP.EXE

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp



Finished!




ComboFix Log:

ComboFix 09-10-08.04 - Rachel 10/10/2009 11:13.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.254.114 [GMT -5:00]
Running from: c:\documents and settings\Rachel\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Rachel\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FILE ::
"c:\documents and settings\Rachel\Local Settings\Application Data\yzibuja.dat"
"c:\windows\docinyvada.dat"
"c:\windows\kitofana.com"
"c:\windows\SYSTEM32\boserote.exe"
"c:\windows\SYSTEM32\doyanavo.exe"
"c:\windows\system32\esawume.com"
"c:\windows\SYSTEM32\gavuzeyi.dll"
"c:\windows\SYSTEM32\giyesewu.dll"
"c:\windows\SYSTEM32\jonanimo.exe"
"c:\windows\system32\naguhetak.com"
"c:\windows\SYSTEM32\nipiluti.exe"
"c:\windows\SYSTEM32\pemumimo.exe"
"c:\windows\SYSTEM32\seyayewi.dll"
"c:\windows\system32\skynet.dat"
"c:\windows\wf3.dat"
"c:\windows\wf4.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\~0
c:\documents and settings\All Users\Application Data\~0\Ad-AwareAE.exe
c:\documents and settings\All Users\Application Data\~0\mia.lib
c:\documents and settings\All Users\Application Data\47103722
c:\documents and settings\All Users\Application Data\67698844
c:\documents and settings\All Users\Application Data\67698844\67698844.bat
c:\documents and settings\All Users\Application Data\67698844\67698844.exe
c:\documents and settings\All Users\Application Data\69703732
c:\documents and settings\All Users\Application Data\69703732\69703732.bat
c:\documents and settings\All Users\Application Data\69703732\69703732.exe
c:\documents and settings\Rachel\Local Settings\Application Data\yzibuja.dat
c:\documents and settings\Rachel\Start Menu\Programs\Startup\scandisk.dll
c:\documents and settings\Rachel\Start Menu\Programs\Startup\scandisk.lnk
c:\windows\docinyvada.dat
c:\windows\kitofana.com
c:\windows\SYSTEM32\doyanavo.exe
c:\windows\system32\esawume.com
c:\windows\SYSTEM32\gavuzeyi.dll
c:\windows\SYSTEM32\giyesewu.dll
c:\windows\SYSTEM32\jonanimo.exe
c:\windows\system32\naguhetak.com
c:\windows\SYSTEM32\nipiluti.exe
c:\windows\SYSTEM32\pemumimo.exe
c:\windows\SYSTEM32\seyayewi.dll
c:\windows\system32\skynet.dat
c:\windows\wf3.dat
c:\windows\wf4.dat

.
((((((((((((((((((((((((( Files Created from 2009-09-10 to 2009-10-10 )))))))))))))))))))))))))))))))
.

2009-10-10 00:29 . 2009-10-10 00:29 -------- d-----w- c:\program files\Trend Micro
2009-10-10 00:03 . 2009-10-10 00:03 -------- d-----w- c:\program files\Unlocker
2009-10-09 18:13 . 2009-10-09 18:12 37 ----a-w- c:\windows\system32\delete.bat
2009-10-08 16:54 . 2009-10-08 17:53 1011437 ----a-w- c:\windows\system32\dovedeho.exe
2009-10-08 06:31 . 2009-10-08 18:23 -------- dc----w- c:\windows\system32\DRVSTORE
2009-10-08 06:29 . 2009-10-08 18:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-10-07 16:35 . 2009-10-07 16:35 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2009-10-07 04:04 . 2009-10-08 18:28 -------- d-----w- c:\program files\Common Files\PC Tools
2009-10-07 02:35 . 2009-10-10 16:03 -------- d--h--w- c:\windows\PIF
2009-10-06 23:48 . 2009-10-06 23:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\Talkback
2009-10-06 23:47 . 2009-10-06 23:47 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-10-06 23:06 . 2009-10-07 18:16 -------- d-----w- c:\program files\Google
2009-10-06 22:15 . 2009-10-08 18:29 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-06 17:00 . 2009-10-06 17:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-06 06:35 . 2009-10-06 06:35 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2009-10-06 00:18 . 2009-10-06 00:18 -------- d-----w- c:\windows\ServicePackFiles
2009-10-01 21:50 . 2009-06-21 22:04 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-10-01 21:44 . 2009-06-05 07:42 655872 ------w- c:\windows\system32\dllcache\mstscax.dll
2009-10-01 21:42 . 2009-07-14 00:17 9464 ------w- c:\windows\system32\drivers\cdralw2k.sys
2009-10-01 21:42 . 2009-07-14 00:17 9336 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2009-10-01 21:42 . 2009-07-14 00:17 129784 ------w- c:\windows\system32\pxafs.dll
2009-10-01 21:42 . 2009-07-14 00:17 120056 ------w- c:\windows\system32\pxcpyi64.exe
2009-10-01 21:42 . 2009-07-14 00:17 118520 ------w- c:\windows\system32\pxinsi64.exe
2009-10-01 21:39 . 2009-10-01 21:40 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-10-01 21:39 . 2009-10-01 21:42 -------- d-----w- c:\program files\DivX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-10 16:09 . 2005-01-14 03:56 -------- d-----w- c:\program files\Symantec AntiVirus
2009-10-07 17:17 . 2008-09-18 02:50 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-07 17:17 . 2008-09-18 02:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-07 00:24 . 2004-08-04 11:00 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 00:24 . 2004-08-04 11:00 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 00:24 . 2005-05-26 09:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 00:24 . 2005-01-15 19:12 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 00:24 . 2004-08-04 11:00 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-07 00:24 . 2004-08-04 11:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 00:23 . 2004-08-04 11:00 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 00:23 . 2004-08-04 11:00 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:11 . 2004-08-04 11:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 18:55 . 2004-08-04 11:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2004-08-04 11:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-14 00:17 . 2004-09-23 08:03 43528 ------w- c:\windows\system32\drivers\pxhelp20.sys
2009-07-14 00:15 . 2009-07-14 00:15 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-07-14 00:15 . 2009-07-14 00:15 823296 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-07-14 00:15 . 2009-07-14 00:15 823296 ----a-w- c:\windows\system32\divx_xx07.dll
2009-07-14 00:15 . 2009-07-14 00:15 815104 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-07-14 00:15 . 2009-07-14 00:15 811008 ----a-w- c:\windows\system32\divx_xx16.dll
2009-07-14 00:15 . 2009-07-14 00:15 802816 ----a-w- c:\windows\system32\divx_xx11.dll
2009-07-14 00:15 . 2009-07-14 00:15 685056 ----a-w- c:\windows\system32\DivX.dll
2009-03-17 12:06 . 2008-01-13 20:20 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-03-17 12:06 . 2008-01-13 20:20 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-03-17 12:06 . 2008-01-13 20:20 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-03-17 12:06 . 2008-01-13 20:20 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-03-17 12:06 . 2008-01-13 20:20 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2009-07-14 00:16 . 2009-07-14 00:16 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-07-14 00:16 . 2009-07-14 00:16 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-26 282624]
"VX1000"="c:\windows\vVX1000.exe" [2006-06-29 707376]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_12\bin\jusched.exe" [2007-05-02 75520]
"sonenaguv"="c:\windows\system32\nogilini.dll" [BU]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2006-06-29 269104]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"DVDSentry"="c:\windows\system32\DSentry.exe" [2002-07-17 28672]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-08-22 155648]

c:\documents and settings\Rachel\Start Menu\Programs\Startup\
delete.bat [2009-10-9 37]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2008-2-11 1528880]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-1-4 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\MSHTA.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Documents and Settings\\Rachel\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\BINARIES\\HelpSvc.exe"=

S0 TheStubwareDriver;TheStubware Driver; [x]
S1 ActiveMonitor;ActiveMonitor Driver; [x]
S2 AntiPol;AntiPol;c:\windows\svchast.exe --> c:\windows\svchast.exe [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 7:31 PM 24652]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [8/2/2004 8:36 PM 173392]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://news.bbc.co.uk/
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Rachel\Application Data\Mozilla\Firefox\Profiles\srzzkhm9.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.bbc.co.uk/
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
HKCU-Run-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe
HKLM-Run-TheStubware - c:\program files\TheStubware\TheStubware.exe
HKLM-Run-81146222 - c:\documents and settings\All Users\Application Data\81146222\81146222.exe
HKLM-Run-69703732 - c:\documents and settings\All Users\Application Data\69703732\69703732.exe
HKLM-Run-67698844 - c:\documents and settings\All Users\Application Data\67698844\67698844.exe
HKLM-Run-2723198831 - c:\documents and settings\Rachel\Application Data\2723198831\2723198831.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-10 11:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1248)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2009-10-10 11:25
ComboFix-quarantined-files.txt 2009-10-10 16:24
ComboFix2.txt 2009-10-10 05:06

Pre-Run: 30,017,871,872 bytes free
Post-Run: 29,959,757,824 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
203 --- E O F --- 2009-10-06 00:22



Also, when ComboFix ended, my computer just sat on a blank white screen for a long time. I opened Task Manager and started explorer.exe, which was not running for some reason.

Thanks very much for your continued help.

Edited by lacduflam, 10 October 2009 - 11:37 AM.


#8 Buckeye_Sam

    Malware Expert

Posted 10 October 2009 - 04:23 PM

Well done! :(

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.



=====================


We need to scan the system with this special tool.
  • Please download Junction.zip and save it.
  • Unzip it and put junction.exe in the Windows directory (C:\Windows).
  • Go to Start => Run... => Copy and paste the following command in the run box and click OK:

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

    A command window opens starting to scan the system. Wait until a log file opens. Copy and paste or attach the content of it.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 lacduflam

  • Topic Starter

Posted 10 October 2009 - 07:28 PM

Alright, here are the logs. Thank you so much for all your help :(. I don't know what I would do without you.

Malwarebytes log:

Malwarebytes' Anti-Malware 1.41
Database version: 2939
Windows 5.1.2600 Service Pack 2

10/10/2009 7:14:45 PM
mbam-log-2009-10-10 (19-14-45).txt

Scan type: Quick Scan
Objects scanned: 99215
Time elapsed: 6 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Windows Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Windows Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AntiPol (WindowsPolicePro) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sonenaguv (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\dovedeho.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rachel\Desktop\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rachel\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\nuar.old (Malware.Trace) -> Quarantined and deleted successfully.



Junction Log:


Junction v1.05 - Windows junction creator and reparse point viewer
Copyright © 2000-2007 Mark Russinovich
Systems Internals - http://www.sysinternals.com


Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.



Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.



Failed to open \\?\c:\\Documents and Settings\Administrator\Desktop\RootRepeal.exe: Access is denied.


...

...

...
Failed to open \\?\c:\\Documents and Settings\Rachel\Desktop\RootRepeal.exe: Access is denied.




...

...

...

...

...

...

...

...

...


Failed to open \\?\c:\\Program Files\Spybot - Search & Destroy\SpybotSD.exe: Access is denied.


...

...

...

...

...

...

...

...

...

...

...

...No reparse points found.
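
The MBAM log above has a fixed shape: a summary block of "X Infected: n" counts, then one section per category listing "item (Detection) -> action" lines. The Python below is an added example, not part of this thread and not Malwarebytes' own code, that parses that layout, cross-checks the declared counts against the entries actually listed, and flags the two things a log reviewer looks for: detections whose action is anything other than "Quarantined and deleted successfully." and "Disabled.*" detections, which record a tampered security setting such as the UpdatesDisableNotify value seen here. The sample log is constructed from the entries in this thread, with one "Delete on reboot." action added to exercise the unresolved-item check.

```python
import re
from collections import Counter, OrderedDict

# Constructed sample in the layout of the MBAM 1.41 log posted in this thread.
# The entries are the ones from the thread except the final "Delete on reboot."
# action, which is added here to exercise the unresolved-item check.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.41
Database version: 2939
Windows 5.1.2600 Service Pack 2

Scan type: Quick Scan
Objects scanned: 99215
Time elapsed: 6 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Windows Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Windows Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AntiPol (WindowsPolicePro) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sonenaguv (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\dovedeho.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rachel\Desktop\Security Tool.LNK (Rogue.SecurityTool) -> Delete on reboot.
"""

SUMMARY_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected): (?P<n>\d+)$")
SECTION_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected):$")
# item (Detection) -> action ; the item may contain spaces, the detection has no parentheses
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+)$")
RESOLVED = "Quarantined and deleted successfully."


def parse_mbam_log(text):
    """Return (summary, sections): summary maps category -> declared count,
    sections maps category -> list of {item, detection, action} dicts."""
    summary, sections, current = {}, OrderedDict(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group("cat")] = int(m.group("n"))
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("cat")
            sections[current] = []
            continue
        if current is None or line.startswith("(No malicious items"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            sections[current].append(m.groupdict())
    return summary, sections


def check_log(summary, sections):
    """Flag count mismatches, unresolved detections and tampered security settings."""
    findings = []
    for cat, declared in summary.items():
        listed = len(sections.get(cat, []))
        if listed != declared:
            findings.append(f"count mismatch in {cat}: header says {declared}, {listed} listed")
    for entries in sections.values():
        for e in entries:
            # "Bad: (1) Good: (0) -> Quarantined ..." still ends with the resolved marker
            if not e["action"].endswith(RESOLVED):
                findings.append(f"unresolved: {e['item']} ({e['detection']}) -> {e['action']}")
            # Disabled.* detections are security settings the malware turned off
            if e["detection"].startswith("Disabled."):
                findings.append(f"security setting tampered: {e['item']} [{e['detection']}]")
    return findings


def detections_by_family(sections):
    """Count detection names across all sections (e.g. Rogue.WindowsPolicePro: 2)."""
    return Counter(e["detection"] for entries in sections.values() for e in entries)


if __name__ == "__main__":
    summary, sections = parse_mbam_log(SAMPLE_LOG)
    for finding in check_log(summary, sections):
        print(finding)
    print(dict(detections_by_family(sections)))
```

Run against the constructed sample it reports the tampered Security Center value and the one file left for "Delete on reboot.", which is exactly the case where the reboot Sam insists on matters: until it happens, the detection is not resolved.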

#10 Buckeye_Sam

    Malware Expert

Posted 11 October 2009 - 08:36 AM

We need to reset the permissions altered by the malware on some files.
  • Download this tool and save it to the desktop: http://download.bleepingcomputer.com/sUBs/...xes/Inherit.exe
  • Go to Start => Run => Copy and paste the first line of the following lines in the run box and click OK:


    "%userprofile%\desktop\inherit" "c:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
    "%userprofile%\desktop\inherit" "c:\Documents and Settings\Rachel\Desktop\RootRepeal.exe"
    "%userprofile%\desktop\inherit" "c:\Documents and Settings\Administrator\Desktop\RootRepeal.exe"

  • If you get a security warning select Run.
  • You will get a "Finish" popup. Click OK.
  • Do the same for the rest of the lines until you have run all the above commands one by one.

How is your computer behaving now?

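What Sam did here is read the junction log for "Access is denied." failures and write one inherit command per affected file. As an added example, not part of the thread and not a Sysinternals or BleepingComputer tool, the Python below performs that triage over the junction output layout shown above: it separates "Access is denied." failures (candidates for an ACL reset) from the expected sharing violations on hiberfil.sys and pagefile.sys, which are always locked on a running XP system and are noise rather than an ACL problem, and it prints the Run-box lines in the form used in this post. The sample log is constructed from the failure lines in the thread; the inherit path is the %userprofile%\desktop\inherit location used above.

```python
import re
from ntpath import basename

# Constructed sample in the layout of the "junction -s c:\" output posted in this
# thread: the "Failed to open" lines and the progress dots are taken from it.
SAMPLE_JUNCTION_LOG = r"""Junction v1.05 - Windows junction creator and reparse point viewer
Copyright © 2000-2007 Mark Russinovich
Systems Internals - http://www.sysinternals.com

Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.
Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.
Failed to open \\?\c:\\Documents and Settings\Administrator\Desktop\RootRepeal.exe: Access is denied.
...
...Failed to open \\?\c:\\Documents and Settings\Rachel\Desktop\RootRepeal.exe: Access is denied.
...
Failed to open \\?\c:\\Program Files\Spybot - Search & Destroy\SpybotSD.exe: Access is denied.
...
...No reparse points found.
"""

# Progress dots may be glued to the front of a line, as in "...No reparse points found."
# The path is everything up to the last ": "; the reason text itself has no colon.
FAILED_RE = re.compile(r"^\.*Failed to open \\\\\?\\(?P<path>.+): (?P<reason>[^:]+)$")

# Always locked while Windows is running: a sharing violation here is expected.
ALWAYS_LOCKED = {"hiberfil.sys", "pagefile.sys"}


def normalize_path(raw):
    """Turn the c:\\dir\file form printed by junction into c:\dir\file."""
    return raw.replace("\\\\", "\\")


def triage_junction_log(text):
    """Sort 'Failed to open' lines into access-denied files (candidates for an
    ACL reset), expected sharing violations, and anything else worth a look."""
    result = {"denied": [], "locked": [], "other": [], "reparse_points_found": True}
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("No reparse points found."):
            result["reparse_points_found"] = False
            continue
        m = FAILED_RE.match(line)
        if not m:
            continue
        path = normalize_path(m.group("path"))
        reason = m.group("reason").strip()
        if reason == "Access is denied.":
            result["denied"].append(path)
        elif "being used by another process" in reason and basename(path).lower() in ALWAYS_LOCKED:
            result["locked"].append(path)
        else:
            result["other"].append((path, reason))
    return result


def inherit_commands(denied, inherit=r"%userprofile%\desktop\inherit"):
    """One Run-box line per access-denied file, in the form used in this thread."""
    return [f'"{inherit}" "{path}"' for path in denied]


if __name__ == "__main__":
    triage = triage_junction_log(SAMPLE_JUNCTION_LOG)
    print("expected locks:", triage["locked"])
    print("reparse points found:", triage["reparse_points_found"])
    for cmd in inherit_commands(triage["denied"]):
        print(cmd)
```

The "other" bucket is deliberately kept: a sharing violation on a file that is not normally locked, or a failure reason the script does not recognize, should be read by a person rather than silently dropped.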
#11 lacduflam

  • Topic Starter

Posted 11 October 2009 - 10:41 AM

Sam -

Everything seems to be running fine now :( I'm not seeing any programs running that shouldn't be, and my browser isn't being hijacked at all. Does the fact that you're asking me mean that you think everything is clean?

Thank you so much for all your help.

Two quick questions:

I read somewhere on this site that a program called Viewpoint Manager might be bad. Do you know anything about this?

Also, if I click on this donate PayPal link, does the money go to you or to this website?

Thanks again.

#12 Buckeye_Sam

    Malware Expert

Posted 11 October 2009 - 01:41 PM

From the logs that I'm seeing everything looks good. If you're not experiencing any issues then I think you're clean. Viewpoint is not really malware, but it does tend to install itself without permission and therefore it's considered foistware. It is recommended to uninstall the program. If you follow the donation link in my signature below it will go directly to me.

Here are some final steps and recommendations for you.


We need to remove Combofix now that we're done with it.
  • Click START then RUN
  • Now type Combofix /u in the run box and click OK




==================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - You should disable and re-enable System Restore to make sure there are no infected files left over in a restore point from what we have just cleaned.

    You can find instructions on how to disable and re-enable System Restore here:

    Windows XP System Restore Guide

    Re-enable System Restore using the instructions from the tutorial above.

  • Use an AntiVirus Software - It is very important that your computer has anti-virus software running on it. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online and stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide real-time spyware and hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:( :(

#13 lacduflam

  • Topic Starter

Posted 11 October 2009 - 02:23 PM

Thank you so much Sam. I can't express how helpful you have been and how much I appreciate it. You're my hero.

#14 Buckeye_Sam

    Malware Expert

Posted 12 October 2009 - 06:28 AM

Glad I could help out! :(

#15 Buckeye_Sam

    Malware Expert

Posted 01 November 2009 - 09:47 AM

Now that your problem appears to be resolved, this topic will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this topic in your request.