
Vundo Infection - AntiVirusPro 2010


22 replies to this topic

#1 peggrw

peggrw

  • Members
  • 13 posts
  • Gender:Male
  • Location:West Virginia

Posted 10 October 2009 - 09:14 PM

Computer was severely locked up with the AntivirusPro 2010 notifications. TaskMgr would not work; Spybot and Malwarebytes only ran for 3 seconds and then would never run again. Permission to run these was denied. IE would not allow access to Google and other sites. Windows Firewall was also bypassed. Tried to remove the infection myself and got to where the AntivirusPro notifications are temporarily gone. I can now run my spyware packages, but they show continued infection by Virtumonde, Vundo trojans. I was directed to run RootRepeal, Win32KDiag and DDS logs and post them here. Thank you for any help you can provide.


DDS (Ver_09-09-29.01) - NTFSx86 NETWORK
Run by Administrator at 21:23:08.14 on Sat 10/10/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.225 [GMT -4:00]

AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\windows\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nehakite.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.symantec.com/enterprise/security_response/index.jsp
mSearchAssistant =
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_10\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [SpybotDeletingB3221] command.com /c del "c:\windows\system32\fapawozi.dll_old"
uRunOnce: [SpybotDeletingD1581] cmd.exe /c del "c:\windows\system32\fapawozi.dll_old"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [TPSMain] TPSMain.exe
mRun: [Toshiba Hotkey Utility] "c:\program files\toshiba\windows utilities\Hotkey.exe" /lang en
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_10\bin\jusched.exe"
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [SkyTel] SkyTel.EXE
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.EXE
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [Alcmtr] ALCMTR.EXE
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [sokiseyaz] Rundll32.exe "c:\windows\system32\zuvusibo.dll",a
mRunOnce: [SpybotDeletingA7867] command.com /c del "c:\windows\system32\fapawozi.dll_old"
mRunOnce: [SpybotDeletingC6229] cmd.exe /c del "c:\windows\system32\fapawozi.dll_old"
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_10\bin\npjpi150_10.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165789983828
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} - hxxp://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: indows\system32\suwuwuha.dll valahedo.dll felazako.dll c:\windows\system32\hatasefa.dll c:\windows\system32\ c:\windows\system32\zovujiwu.dll c:\windows\system32\zuvusibo.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: mizihoraz - {a4057917-b588-40a5-9c13-c22ecec10c77} - c:\windows\system32\suwuwuha.dll
SSODL: fadufitut - {1622e71a-03b7-42c8-8965-801a7665f72f} - c:\windows\system32\hatasefa.dll
SSODL: bomimutap - {2d64181e-17e2-492b-b0eb-bb6c482aa9d0} - No File
SSODL: lorolalop - {84345f97-9845-4129-a50d-ce49dc5f2cb8} - c:\windows\system32\zovujiwu.dll
SSODL: kedatelev - {9c51ea8b-0ed6-4251-8223-86f4a60c4a98} - c:\windows\system32\zuvusibo.dll
STS: gahurihor: {a4057917-b588-40a5-9c13-c22ecec10c77} - c:\windows\system32\suwuwuha.dll
STS: tokatiluy: {1622e71a-03b7-42c8-8965-801a7665f72f} - c:\windows\system32\hatasefa.dll
STS: jugezatag: {84345f97-9845-4129-a50d-ce49dc5f2cb8} - c:\windows\system32\zovujiwu.dll
STS: mujuzedij: {9c51ea8b-0ed6-4251-8223-86f4a60c4a98} - c:\windows\system32\zuvusibo.dll
LSA: Notification Packages = .dll gajapuda.dll scecli nowepeto.dll

============= SERVICES / DRIVERS ===============

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2007-11-9 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2007-11-9 108392]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2007-12-18 2189240]
S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2006-6-28 98816]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2007-5-29 23888]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-27 102448]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20091008.003\NAVENG.SYS [2009-10-8 84912]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20091008.003\NAVEX15.SYS [2009-10-8 1323568]
S4 vsdatant;vsdatant;a --> a [?]

=============== Created Last 30 ================

2009-10-08 18:41 11,168 a---h--- c:\windows\system32\jabadike
2009-10-08 15:23 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-10-08 11:39 <DIR> --d----- c:\program files\Unlocker
2009-10-08 09:24 4,720 a------- c:\windows\system32\PerfStringBackup.TMP
2009-10-08 02:12 <DIR> --d----- c:\windows\system32\scripting
2009-10-08 02:12 <DIR> --d----- c:\windows\l2schemas
2009-10-08 02:12 <DIR> --d----- c:\windows\system32\en
2009-10-08 02:12 <DIR> --d----- c:\windows\system32\bits
2009-10-08 02:04 <DIR> --d----- c:\windows\network diagnostic
2009-10-07 23:38 <DIR> --d----- C:\VundoFix Backups
2009-10-07 18:51 <DIR> --d----- c:\windows\pss
2009-10-07 18:45 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-07 18:45 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-07 17:45 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-10-07 17:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-07 15:07 <DIR> --dsh--- c:\documents and settings\administrator\PrivacIE
2009-10-07 15:06 <DIR> --dsh--- c:\documents and settings\administrator\IETldCache
2009-10-07 14:39 <DIR> --d-h--- c:\windows\PIF
2009-10-07 12:02 18,945 a------- c:\windows\vysiny.bin
2009-10-07 12:02 18,906 a------- c:\windows\ugaquly.bin
2009-10-07 12:02 18,274 a------- c:\docume~1\alluse~1\applic~1\ipedudi.bat
2009-10-07 12:02 17,220 a------- c:\windows\upagefi.pif
2009-10-07 12:02 17,206 a------- c:\windows\onedasa.dll
2009-10-07 12:02 16,838 a------- c:\windows\kacofa.lib
2009-10-07 12:02 15,776 a------- c:\program files\common files\jisob.pif
2009-10-07 12:02 14,261 a------- c:\windows\fovosyt.dl
2009-10-07 12:02 13,523 a------- c:\windows\system32\jevavymor._dl
2009-10-07 12:02 12,422 a------- c:\program files\common files\emony.dat
2009-10-07 12:02 11,252 a------- c:\windows\cafor.com
2009-10-03 15:28 17,449 a------- c:\windows\system32\yficevev._sy
2009-10-03 15:28 15,586 a------- c:\windows\system32\bapove.vbs
2009-10-03 15:28 14,319 a------- c:\windows\ywuvexuk._sy
2009-10-03 15:28 13,102 a------- c:\windows\adaliwo.dll
2009-10-03 15:28 11,901 a------- c:\windows\oximetyqac.com
2009-10-03 14:45 18,789 a------- c:\docume~1\alluse~1\applic~1\netafa.exe
2009-10-03 14:45 14,671 a------- c:\windows\system32\ycuke.exe
2009-10-03 14:45 14,440 a------- c:\program files\common files\zokufiri.scr
2009-10-03 14:45 14,394 a------- c:\windows\icisafohe.db
2009-10-03 14:45 13,396 a------- c:\windows\system32\wucocod.inf
2009-10-03 14:45 13,152 a------- c:\windows\system32\byrirahojy.inf
2009-10-03 14:45 11,966 a------- c:\windows\system32\zuwytydi.vbs
2009-10-03 14:45 11,482 a------- c:\windows\keviverylo.dll
2009-10-03 14:45 11,207 a------- c:\docume~1\alluse~1\applic~1\vaxu.vbs
2009-10-03 14:45 10,639 a------- c:\windows\tido.reg
2009-10-03 14:44 16,157 a------- c:\windows\qehurudak.pif
2009-10-02 20:35 68 a------- c:\windows\system32\gasfkyxoyvuxwv.dat
2009-10-02 20:35 19,533 a------- c:\windows\hyka.sys
2009-10-02 20:35 19,523 a------- c:\windows\system32\jydedy.inf
2009-10-02 20:35 17,929 a------- c:\windows\verovy.dll
2009-10-02 20:35 17,760 a------- c:\windows\gisezo.lib
2009-10-02 20:35 16,548 a------- c:\program files\common files\hufilituco.reg
2009-10-02 20:35 16,488 a------- c:\windows\system32\givoxelopi.com
2009-10-02 20:35 16,291 a------- c:\windows\uvygefym.dll
2009-10-02 20:35 16,278 a------- c:\windows\system32\epabotiz.lib
2009-10-02 20:35 15,997 a------- c:\program files\common files\pidoluwiri.pif
2009-10-02 20:35 14,475 a------- c:\windows\wuveza.com
2009-10-02 20:35 12,828 a------- c:\windows\ipyhezyheg.lib
2009-10-02 20:35 11,577 a------- c:\windows\qilofy.scr
2009-10-02 20:30 23,091 a------- c:\windows\system32\gasfkyrfnnvxpx.dat

==================== Find3M ====================

2009-10-10 21:15 1,011,128 a--sh--- c:\windows\system32\nehakite.exe
2009-10-10 21:15 91,136 a--sh--- c:\windows\system32\zuvusibo.dll
2009-10-10 21:15 39,424 a--sh--- c:\windows\system32\rakedega.dll
2009-10-09 16:29 1,011,718 a--sh--- c:\windows\system32\lijaduhi.exe
2009-10-09 16:29 39,424 a--sh--- c:\windows\system32\fuyisajo.dll
2009-10-09 05:13 1,011,629 a--sh--- c:\windows\system32\mohiseje.exe
2009-10-09 05:12 39,424 a--sh--- c:\windows\system32\wizunipo.dll
2009-10-08 17:12 1,011,275 a--sh--- c:\windows\system32\sayiwido.exe
2009-10-08 17:12 39,424 a--sh--- c:\windows\system32\yejedotu.dll
2009-10-08 12:19 1,011,393 a--sh--- c:\windows\system32\pewekasi.exe
2009-10-08 12:13 1,011,393 a--sh--- c:\windows\system32\sekisahi.exe
2009-10-08 12:13 39,424 a--sh--- c:\windows\system32\dutudari.dll
2009-10-08 02:30 1,050,147 a--sh--- c:\windows\system32\botabedu.exe
2009-10-08 02:30 91,136 a--sh--- c:\windows\system32\tanokoge.dll
2009-10-08 02:30 39,424 a--sh--- c:\windows\system32\rijedatu.dll
2009-10-07 23:09 53,248 a--sh--- c:\windows\system32\futakoze.dll
2009-10-07 23:08 1,050,147 a--sh--- c:\windows\system32\sewinuja.exe
2009-10-07 23:08 39,424 a--sh--- c:\windows\system32\soluvubu.dll
2009-10-07 12:57 1,050,147 a--sh--- c:\windows\system32\fapilizu.exe
2009-10-07 12:57 91,136 a--sh--- c:\windows\system32\yezoyihu.dll
2009-10-07 12:57 28,160 a--sh--- c:\windows\system32\gufipato.dll
2009-10-07 12:57 39,424 a--sh--- c:\windows\system32\yasijote.dll
2009-10-07 12:02 17,466 a------- c:\program files\common files\uner._dl
2009-10-07 12:02 10,383 a------- c:\program files\common files\ityxemyq.dl
2009-10-03 14:45 16,919 a------- c:\program files\common files\fepe._sy
2009-10-03 14:45 14,276 a------- c:\program files\common files\pavasi.lib
2009-10-03 09:26 1,048,099 a--sh--- c:\windows\system32\yudegoku.exe
2009-10-02 20:35 17,182 a------- c:\program files\common files\xymul.db
2009-10-02 20:35 13,114 a------- c:\program files\common files\idazafybo.lib
2009-10-02 20:35 10,014 a------- c:\program files\common files\zequc.ban
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll

============= FINISH: 21:23:39.01 ===============


Running from: C:\Documents and Settings\Administrator\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Administrator\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB902400\KB902400

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB912812\KB912812

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB913580\KB913580

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB941568\KB941568

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB968389\KB968389

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP150.tmp\ZAP150.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP19.tmp\ZAP19.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP22C.tmp\ZAP22C.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP257.tmp\ZAP257.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2B4.tmp\ZAP2B4.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA1.tmp\ZAPA1.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPF0.tmp\ZAPF0.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\OfficeAssistant\Microsoft Office Tools\Microsoft Office Tools

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Options\Install\Install

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Performance\WinSAT\DataStore\DataStore

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\10\policy\policy

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\policy\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\policy\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\60\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\70\70

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\root\root

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Google Toolbar\Google Toolbar

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\WDF16.tmp\WDF16.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\WDFB.tmp\WDFB.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Win15F.tmp\Win15F.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Win165.tmp\Win165.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Win1B.tmp\Win1B.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Win218.tmp\Win218.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Win234.tmp\Win234.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\{1888DAFD-C634-4BC4-865C-3455E24F6177}\{1888DAFD-C634-4BC4-865C-3455E24F6177}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\{3C080B57-0D1E-4C73-B03B-68A9EF9F23F3}\{3C080B57-0D1E-4C73-B03B-68A9EF9F23F3}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\{5CDC05F7-83E4-4611-AD3C-A6EB2100332A}\{5CDC05F7-83E4-4611-AD3C-A6EB2100332A}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\{7A900EAB-DA37-4554-AF19-9C337476D05D}\{7A900EAB-DA37-4554-AF19-9C337476D05D}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\{869D88A5-BD6C-4E39-8536-D95259EAD7E8}\{869D88A5-BD6C-4E39-8536-D95259EAD7E8}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\{881A74B3-3D17-4842-B9AF-0761C6E6C4B5}\{881A74B3-3D17-4842-B9AF-0761C6E6C4B5}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\{B5BAAFAE-3561-463D-8E3F-91761A57ADB8}\{B5BAAFAE-3561-463D-8E3F-91761A57ADB8}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\{C6866B7D-ACFD-4C49-B77B-3B2F8CF54B96}\{C6866B7D-ACFD-4C49-B77B-3B2F8CF54B96}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\{DABD554A-7DA6-4763-BF17-D3CAFB55E5A6}\{DABD554A-7DA6-4763-BF17-D3CAFB55E5A6}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\{E2D27B84-6365-11D6-9BAF-0090271AF8A4}\{E2D27B84-6365-11D6-9BAF-0090271AF8A4}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Twain32\Twain32

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^



Finished!

Edited by peggrw, 10 October 2009 - 09:24 PM.




#2 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 11 October 2009 - 08:55 PM

Hello peggrw :( Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed, you will be advised when we respond to your topic, which will facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.





Please perform the following:


Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instructions can be found HERE
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Additional instructions can be found HERE.



Please do not post any logs as an attachment unless asked to do so.





Thanks,



thewall
If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper


Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#3 peggrw

peggrw
  • Topic Starter

  • Members
  • 13 posts
  • Gender:Male
  • Location:West Virginia

Posted 12 October 2009 - 12:01 AM

Thanks. I ran ComboFix as requested. I ran it as Administrator in Safe Mode with Networking. ComboFix self-booted into normal user mode. The only issues seen were two Windows notifications during boot: "Error Loading nowepeto.dll" and "Error Loading C:\windows\system32\vekukedu.dll". Otherwise the system came up and produced the ComboFix log, included below:

ComboFix 09-10-11.01 - Administrator 10/12/2009 0:16.1.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.234 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\cibybyj.dl
c:\documents and settings\All Users\Application Data\ipedudi.bat
c:\documents and settings\All Users\Application Data\lyqu.inf
c:\documents and settings\All Users\Application Data\netafa.exe
c:\documents and settings\All Users\Application Data\vaxu.vbs
c:\documents and settings\All Users\Application Data\ykudydu._dl
c:\documents and settings\Kristen\Application Data\erefi.sys
c:\documents and settings\Kristen\Application Data\iniasd.txt
c:\documents and settings\Kristen\Application Data\pimu.dll
c:\documents and settings\Kristen\Application Data\ryloqy.com
c:\documents and settings\Kristen\Application Data\svcst.exe
c:\documents and settings\Kristen\Application Data\xacugivyfu.reg
c:\documents and settings\Kristen\Application Data\ylafutoha.vbs
c:\documents and settings\Kristen\Cookies\awilabe.ban
c:\documents and settings\Kristen\Cookies\cyqetaju.ban
c:\documents and settings\Kristen\Cookies\hudy._dl
c:\documents and settings\Kristen\Cookies\iwug._dl
c:\documents and settings\Kristen\Cookies\lyrumolul.lib
c:\documents and settings\Kristen\Cookies\uxonafuwo.db
c:\documents and settings\Kristen\Cookies\wucyt.reg
c:\documents and settings\Kristen\Cookies\xogucim.com
c:\documents and settings\Kristen\Local Settings\Application Data\bimyz.scr
c:\documents and settings\Kristen\Local Settings\Application Data\fenoxuzojo.dll
c:\documents and settings\Kristen\Local Settings\Application Data\lasype.com
c:\documents and settings\Kristen\Local Settings\Application Data\meqy._dl
c:\documents and settings\Kristen\Local Settings\Application Data\mywiqaly.exe
c:\documents and settings\Kristen\Local Settings\Application Data\qiviwikepi._dl
c:\documents and settings\Kristen\Local Settings\Application Data\ynyvube.bat
c:\documents and settings\Kristen\Local Settings\Application Data\yrivuxake.reg
c:\documents and settings\Kristen\Local Settings\Temporary Internet Files\bala.com
c:\documents and settings\Kristen\Local Settings\Temporary Internet Files\bigaso.com
c:\documents and settings\Kristen\Local Settings\Temporary Internet Files\bixa.vbs
c:\documents and settings\Kristen\Local Settings\Temporary Internet Files\hatur.vbs
c:\documents and settings\Kristen\Local Settings\Temporary Internet Files\lufopul.bat
c:\documents and settings\Kristen\Local Settings\Temporary Internet Files\oniquh.lib
c:\documents and settings\Kristen\Local Settings\Temporary Internet Files\onyfahotu._dl
c:\documents and settings\Kristen\Local Settings\Temporary Internet Files\puquqygugi.db
c:\documents and settings\Kristen\Local Settings\Temporary Internet Files\vovozun.inf
c:\documents and settings\Kristen\Local Settings\Temporary Internet Files\xuhav.lib
c:\program files\Common Files\hufilituco.reg
c:\program files\Common Files\ityxemyq.dl
c:\program files\Common Files\jisob.pif
c:\program files\Common Files\pidoluwiri.pif
c:\program files\Common Files\uner._dl
c:\program files\Common Files\zequc.ban
c:\program files\Common Files\zokufiri.scr
c:\windows\adaliwo.dll
c:\windows\fovosyt.dl
c:\windows\hyka.sys
c:\windows\kb913800.exe
c:\windows\keviverylo.dll
c:\windows\onedasa.dll
c:\windows\qehurudak.pif
c:\windows\qilofy.scr
c:\windows\system32\bapove.vbs
c:\windows\system32\botabedu.exe
c:\windows\system32\byrirahojy.inf
c:\windows\system32\fapilizu.exe
c:\windows\system32\felazako.dll
c:\windows\system32\futakoze.dll
c:\windows\system32\futoweni.dll
c:\windows\system32\gajapuda.dll
c:\windows\system32\gasfkyrfnnvxpx.dat
c:\windows\system32\gasfkyxoyvuxwv.dat
c:\windows\system32\jevavymor._dl
c:\windows\system32\jydedy.inf
c:\windows\system32\masutora.dll
c:\windows\system32\nowepeto.dll
c:\windows\system32\sewinuja.exe
c:\windows\system32\vekukedu.dll
c:\windows\system32\wakemoza.dll
c:\windows\system32\wucocod.inf
c:\windows\system32\ycuke.exe
c:\windows\system32\yudegoku.exe
c:\windows\system32\zuwytydi.vbs
c:\windows\tido.reg
c:\windows\ugaquly.bin
c:\windows\upagefi.pif
c:\windows\uvygefym.dll
c:\windows\verovy.dll
c:\windows\vysiny.bin
c:\windows\ywuvexuk._sy

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_gasfkynssipjuc
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_gasfkynssipjuc


((((((((((((((((((((((((( Files Created from 2009-09-12 to 2009-10-12 )))))))))))))))))))))))))))))))
.

2009-10-08 19:23 . 2009-10-08 19:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-08 16:29 . 2009-10-08 16:30 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-10-08 15:39 . 2009-10-08 15:39 -------- d-----w- c:\program files\Unlocker
2009-10-08 15:28 . 2009-10-08 15:28 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2009-10-08 06:12 . 2009-10-08 06:12 -------- d-----w- c:\windows\system32\scripting
2009-10-08 06:12 . 2009-10-08 06:12 -------- d-----w- c:\windows\l2schemas
2009-10-08 06:12 . 2009-10-08 06:12 -------- d-----w- c:\windows\system32\en
2009-10-08 06:12 . 2009-10-08 06:12 -------- d-----w- c:\windows\system32\bits
2009-10-08 05:37 . 2009-10-08 05:37 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-10-08 03:38 . 2009-10-08 03:38 -------- d-----w- C:\VundoFix Backups
2009-10-07 22:45 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-07 22:45 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-07 21:45 . 2009-10-07 23:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-07 21:08 . 2009-10-07 21:08 -------- d-----w- c:\documents and settings\Kristen\Application Data\Malwarebytes
2009-10-07 21:08 . 2009-10-07 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-07 19:07 . 2009-10-07 19:07 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-10-07 19:06 . 2009-10-07 19:06 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-10-07 18:39 . 2009-10-07 19:05 -------- d--h--w- c:\windows\PIF
2009-10-07 16:02 . 2009-10-07 16:02 12422 ----a-w- c:\program files\Common Files\emony.dat
2009-10-07 16:02 . 2009-10-07 16:02 11252 ----a-w- c:\windows\cafor.com
2009-10-03 19:28 . 2009-10-03 19:28 11901 ----a-w- c:\windows\oximetyqac.com
2009-10-03 00:35 . 2009-10-03 00:35 16488 ----a-w- c:\windows\system32\givoxelopi.com
2009-10-03 00:35 . 2009-10-03 00:35 14475 ----a-w- c:\windows\wuveza.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-12 03:37 . 2009-07-12 03:37 1011282 --sha-w- c:\windows\system32\nijoroze.exe
2009-10-12 03:37 . 2009-07-12 03:37 39424 --sha-w- c:\windows\system32\nutuhunu.dll
2009-10-11 01:15 . 2009-07-11 01:15 1011128 --sha-w- c:\windows\system32\nehakite.exe
2009-10-11 01:15 . 2009-07-11 01:15 39424 --sha-w- c:\windows\system32\rakedega.dll
2009-10-09 20:29 . 2009-07-09 20:29 1011718 --sha-w- c:\windows\system32\lijaduhi.exe
2009-10-09 20:29 . 2009-07-09 20:29 39424 --sha-w- c:\windows\system32\fuyisajo.dll
2009-10-09 09:13 . 2009-07-09 09:12 1011629 --sha-w- c:\windows\system32\mohiseje.exe
2009-10-09 09:12 . 2009-07-09 09:12 39424 --sha-w- c:\windows\system32\wizunipo.dll
2009-10-08 21:12 . 2009-07-08 21:12 1011275 --sha-w- c:\windows\system32\sayiwido.exe
2009-10-08 21:12 . 2009-07-08 21:12 39424 --sha-w- c:\windows\system32\yejedotu.dll
2009-10-08 18:45 . 2006-10-19 07:04 72592 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-08 16:19 . 2009-07-08 16:19 1011393 --sha-w- c:\windows\system32\pewekasi.exe
2009-10-08 16:13 . 2009-07-08 16:13 1011393 --sha-w- c:\windows\system32\sekisahi.exe
2009-10-08 16:13 . 2009-07-08 16:13 39424 --sha-w- c:\windows\system32\dutudari.dll
2009-10-08 15:40 . 2009-01-27 22:33 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-08 13:24 . 2009-10-08 13:24 4720 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2009-10-08 06:30 . 2009-07-08 06:30 91136 --sha-w- c:\windows\system32\tanokoge.dll
2009-10-08 06:30 . 2009-07-08 06:30 39424 --sha-w- c:\windows\system32\rijedatu.dll
2009-10-08 03:08 . 2009-07-08 03:08 39424 --sha-w- c:\windows\system32\soluvubu.dll
2009-10-08 03:07 . 2009-01-27 22:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-07 16:57 . 2009-07-07 16:57 28160 --sha-w- c:\windows\system32\gufipato.dll
2009-10-07 16:57 . 2009-07-07 16:57 91136 --sha-w- c:\windows\system32\yezoyihu.dll
2009-10-07 16:57 . 2009-07-07 16:57 39424 --sha-w- c:\windows\system32\yasijote.dll
2009-10-03 18:45 . 2009-10-03 18:45 16919 ----a-w- c:\program files\Common Files\fepe._sy
2009-10-03 18:45 . 2009-10-03 18:45 14276 ----a-w- c:\program files\Common Files\pavasi.lib
2009-10-03 00:35 . 2009-10-03 00:35 17182 ----a-w- c:\program files\Common Files\xymul.db
2009-10-03 00:35 . 2009-10-03 00:35 13114 ----a-w- c:\program files\Common Files\idazafybo.lib
2009-08-28 01:26 . 2009-08-28 01:26 -------- d-----w- c:\program files\MSBuild
2009-08-28 01:26 . 2009-08-28 01:26 -------- d-----w- c:\program files\Reference Assemblies
2009-08-27 22:41 . 2007-05-22 01:10 -------- d-----w- c:\documents and settings\Kristen\Application Data\Move Networks
2009-08-26 23:52 . 2006-10-19 08:24 -------- d-----w- c:\program files\Google
2009-08-26 23:52 . 2006-10-19 06:02 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-26 23:48 . 2006-10-19 09:15 -------- d-----w- c:\program files\Common Files\Real
2009-08-26 23:38 . 2006-10-19 08:22 -------- d-----w- c:\documents and settings\All Users\Application Data\WildTangent
2009-08-26 23:26 . 2007-01-29 15:42 -------- d-----w- c:\program files\MySpace
2009-08-26 23:12 . 2007-05-08 21:41 -------- d-----w- c:\program files\iMesh Applications
2009-08-26 22:55 . 2006-12-31 21:00 -------- d-----w- c:\program files\Creative
2009-08-26 22:52 . 2006-10-19 08:23 -------- d-----w- c:\program files\GemMaster
2009-08-26 22:38 . 2007-02-02 23:15 -------- d-----w- c:\documents and settings\Kristen\Application Data\FrostWire
2009-08-26 21:49 . 2008-05-12 00:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2009-08-26 21:49 . 2008-05-12 00:48 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-08-26 21:20 . 2009-08-26 21:20 -------- d-----w- c:\program files\VS Revo Group
2009-08-26 21:13 . 2008-05-13 00:22 256 ----a-w- c:\documents and settings\Kristen\pool.bin
2009-08-05 09:01 . 2006-10-19 04:52 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2006-10-19 04:52 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-08 16:19 . 2009-07-08 16:19 3 --sha-w- c:\windows\system32\nineyuyo.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312]
"Toshiba Hotkey Utility"="c:\program files\Toshiba\Windows Utilities\Hotkey.exe" [2006-08-01 1773568]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 49263]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-12-06 1077322]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-05-24 188416]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-11-09 115560]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-12-12 344064]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2005-06-01 282624]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-17 2879488]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-09-06 16262656]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/27/2009 6:25 PM 102448]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [5/29/2007 2:55 PM 23888]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a3832ccc-95c7-11db-87b8-001636948775}]
\Shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b2d76773-33c7-11db-bd96-806d6172696f}]
\shell\play\command - "c:\program files\InterVideo\WinDVD\WinDVD.exe" %1

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-04-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 21:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search - ?p=ZRxdm479MFUS
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

BHO-{45b0bb7d-3fe8-4c3c-bdbc-008c33d6df2f} - yikujode.dll
HKLM-Run-sokiseyaz - c:\windows\system32\vekukedu.dll
HKLM-Run-vokotisive - nowepeto.dll
SharedTaskScheduler-{a4057917-b588-40a5-9c13-c22ecec10c77} - c:\windows\system32\suwuwuha.dll
SharedTaskScheduler-{1622e71a-03b7-42c8-8965-801a7665f72f} - c:\windows\system32\hatasefa.dll
SharedTaskScheduler-{66a187c9-5788-47fd-8962-43d35eac1e1f} - c:\windows\system32\vekukedu.dll
SSODL-mizihoraz-{a4057917-b588-40a5-9c13-c22ecec10c77} - c:\windows\system32\suwuwuha.dll
SSODL-fadufitut-{1622e71a-03b7-42c8-8965-801a7665f72f} - c:\windows\system32\hatasefa.dll
SSODL-bomimutap-{2d64181e-17e2-492b-b0eb-bb6c482aa9d0} - (no file)
SSODL-bizenilit-{66a187c9-5788-47fd-8962-43d35eac1e1f} - c:\windows\system32\vekukedu.dll
SafeBoot-Wdf01000.sys
SafeBoot-Symantec Antvirus



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-12 00:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"="a"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,52,31,f8,73,9b,07,e8,48,a3,f7,25,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,52,31,f8,73,9b,07,e8,48,a3,f7,25,\

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(620)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(7732)
c:\windows\system32\WININET.dll
c:\program files\Unlocker\UnlockerHook.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\WMVCore.DLL
c:\windows\system32\WMASF.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\system32\acs.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\system32\DVDRAMSV.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\windows\system32\ati2evxx.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\windows\system32\TODDSrv.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\ZuneBusEnum.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\TPSBattM.exe
c:\windows\ehome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Java\jre1.5.0_10\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-10-12 0:43 - machine was rebooted [Kristen]
ComboFix-quarantined-files.txt 2009-10-12 04:43

Pre-Run: 25,692,090,368 bytes free
Post-Run: 25,543,925,760 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

339 --- E O F --- 2009-10-08 13:27

#4 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 12 October 2009 - 09:46 AM

Lots of infected files still on the machine. Please rerun CF again. Be sure to run it in normal mode this time.
If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you
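The Find3M entries in the log above share a pattern that can be checked mechanically rather than by eye: the files in system32 carry hidden+system attributes (--sha-w-), have eight-letter pseudo-random names, come in same-size pairs (39424-byte DLLs beside roughly 1 MB EXEs), and have a "created" stamp set exactly three months before the "modified" stamp. The script below is an added triage example, not part of the thread and not ComboFix's own logic. It parses lines in the Find3M format and flags entries that match at least two of those traits. The sample lines are copied from the log, with two benign entries (atl.dll and GDIPFONTCACHEV1.DAT) kept as controls; the name regex, the two-rule threshold and the three-month check are my own assumptions.

```python
"""Triage helper for ComboFix "Find3M Report" lines (added example, not ComboFix code)."""
import re
from collections import defaultdict

# One Find3M line: "<mod date time> . <create date time> <size> <attrs> <path>"
# Directories show "--------" in the size column; the path may contain spaces.
FIND3M_RE = re.compile(
    r"^(?P<mod>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-dsharw]{8}) (?P<path>.+)$"
)

# Assumption: the droppers in this log use 4-10 lowercase letters plus an executable extension.
RANDOM_NAME_RE = re.compile(r"^[a-z]{4,10}\.(exe|dll|sys|com|scr|pif)$")

# Constructed sample: lines copied from the log above plus two benign controls.
SAMPLE_LOG = r"""
2009-10-12 03:37 . 2009-07-12 03:37 1011282 --sha-w- c:\windows\system32\nijoroze.exe
2009-10-12 03:37 . 2009-07-12 03:37 39424 --sha-w- c:\windows\system32\nutuhunu.dll
2009-10-11 01:15 . 2009-07-11 01:15 39424 --sha-w- c:\windows\system32\rakedega.dll
2009-10-08 18:45 . 2006-10-19 07:04 72592 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-08 15:40 . 2009-01-27 22:33 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-17 19:01 . 2006-10-19 04:52 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-08 16:19 . 2009-07-08 16:19 3 --sha-w- c:\windows\system32\nineyuyo.dll
"""


def parse_find3m(text):
    """Return one dict per Find3M line; non-matching lines (headers, dots) are skipped."""
    entries = []
    for line in text.splitlines():
        m = FIND3M_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = None if e["size"].startswith("-") else int(e["size"])
        e["name"] = e["path"].rsplit("\\", 1)[-1].lower()
        entries.append(e)
    return entries


def months_apart(mod, created):
    """Whole months between two 'YYYY-MM-DD HH:MM' stamps, or None unless day and time match exactly."""
    if mod[8:] != created[8:]:
        return None
    y1, m1 = int(mod[:4]), int(mod[5:7])
    y0, m0 = int(created[:4]), int(created[5:7])
    return (y1 - y0) * 12 + (m1 - m0)


def suspicious(entries, min_reasons=2):
    """Return [(path, [reasons])] for files matching at least min_reasons of the traits below."""
    hidden_by_size = defaultdict(int)
    for e in entries:
        if e["size"] is not None and "s" in e["attrs"] and "h" in e["attrs"]:
            hidden_by_size[e["size"]] += 1

    flagged = []
    for e in entries:
        attrs = e["attrs"]
        if attrs[0] == "d" or e["size"] is None:
            continue  # directories carry no useful signal here
        reasons = []
        hidden_system = "s" in attrs and "h" in attrs
        if hidden_system:
            reasons.append("hidden+system attributes")
        if "\\windows\\system32\\" in e["path"].lower() and RANDOM_NAME_RE.match(e["name"]):
            reasons.append("random-looking name in system32")
        if months_apart(e["mod"], e["created"]) == 3:
            reasons.append("created stamp exactly 3 months before modified stamp")
        twins = hidden_by_size.get(e["size"], 0) - 1
        if hidden_system and twins > 0:
            reasons.append(f"same size ({e['size']} bytes) as {twins} other hidden+system file(s)")
        if len(reasons) >= min_reasons:
            flagged.append((e["path"], reasons))
    return flagged


if __name__ == "__main__":
    for path, reasons in suspicious(parse_find3m(SAMPLE_LOG)):
        print(path)
        for r in reasons:
            print("   -", r)
```

To run it on a saved ComboFix.txt, pass the whole file to parse_find3m; the regex ignores everything outside the Find3M block. Legitimate system DLLs usually trip at most the name rule, which is why two traits are required before a path is reported.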

#5 peggrw

  • Topic Starter

  • Members
  • 13 posts
  • Gender:Male
  • Location:West Virginia

Posted 12 October 2009 - 11:10 AM

OK, ran CF again. Software ran OK and produced a log file but did not reboot. Just a blank blue Windows GUI for 20 minutes with no disk activity. I manually rebooted through the Task Manager. The system then tried to automatically install some Windows and other S/W updates upon reboot. I figured that might mess up this process, so I turned off Windows automatic updates and tried to turn off the S/W manager updates, but after clicking on S/W updates in the Control Panel TeaTimer indicated a keylogger and then automatically deleted it. I was unable to open S/W updates from the Control Panel after that. Sorry, I forgot to write down the info on the keylogger. Should I have disabled TeaTimer before running CF? I am trying to avoid assuming anything, running any programs or rebooting the machine unless you instruct me to do so, but I didn't want the updates to mess with your diagnostics.

Here is the CF logfile.

ComboFix 09-10-11.03 - Kristen 10/12/2009 10:58.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.112 [GMT -4:00]
Running from: c:\documents and settings\Kristen\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Kristen\Start Menu\Programs\Security Tool.lnk

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((( Files Created from 2009-09-12 to 2009-10-12 )))))))))))))))))))))))))))))))
.

2009-10-08 19:23 . 2009-10-08 19:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-08 16:29 . 2009-10-08 16:30 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-10-08 15:39 . 2009-10-08 15:39 -------- d-----w- c:\program files\Unlocker
2009-10-08 15:28 . 2009-10-08 15:28 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2009-10-08 06:12 . 2009-10-08 06:12 -------- d-----w- c:\windows\system32\scripting
2009-10-08 06:12 . 2009-10-08 06:12 -------- d-----w- c:\windows\l2schemas
2009-10-08 06:12 . 2009-10-08 06:12 -------- d-----w- c:\windows\system32\en
2009-10-08 06:12 . 2009-10-08 06:12 -------- d-----w- c:\windows\system32\bits
2009-10-08 05:37 . 2009-10-08 05:37 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-10-08 03:38 . 2009-10-08 03:38 -------- d-----w- C:\VundoFix Backups
2009-10-07 22:45 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-07 22:45 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-07 21:45 . 2009-10-07 23:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-07 21:08 . 2009-10-07 21:08 -------- d-----w- c:\documents and settings\Kristen\Application Data\Malwarebytes
2009-10-07 21:08 . 2009-10-07 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-07 19:07 . 2009-10-07 19:07 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-10-07 19:06 . 2009-10-07 19:06 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-10-07 18:39 . 2009-10-07 19:05 -------- d--h--w- c:\windows\PIF
2009-10-07 16:02 . 2009-10-07 16:02 12422 ----a-w- c:\program files\Common Files\emony.dat
2009-10-07 16:02 . 2009-10-07 16:02 11252 ----a-w- c:\windows\cafor.com
2009-10-03 19:28 . 2009-10-03 19:28 11901 ----a-w- c:\windows\oximetyqac.com
2009-10-03 00:35 . 2009-10-03 00:35 16488 ----a-w- c:\windows\system32\givoxelopi.com
2009-10-03 00:35 . 2009-10-03 00:35 14475 ----a-w- c:\windows\wuveza.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-12 03:37 . 2009-07-12 03:37 1011282 --sha-w- c:\windows\system32\nijoroze.exe
2009-10-12 03:37 . 2009-07-12 03:37 39424 --sha-w- c:\windows\system32\nutuhunu.dll
2009-10-11 01:15 . 2009-07-11 01:15 1011128 --sha-w- c:\windows\system32\nehakite.exe
2009-10-11 01:15 . 2009-07-11 01:15 39424 --sha-w- c:\windows\system32\rakedega.dll
2009-10-09 20:29 . 2009-07-09 20:29 1011718 --sha-w- c:\windows\system32\lijaduhi.exe
2009-10-09 20:29 . 2009-07-09 20:29 39424 --sha-w- c:\windows\system32\fuyisajo.dll
2009-10-09 09:13 . 2009-07-09 09:12 1011629 --sha-w- c:\windows\system32\mohiseje.exe
2009-10-09 09:12 . 2009-07-09 09:12 39424 --sha-w- c:\windows\system32\wizunipo.dll
2009-10-08 21:12 . 2009-07-08 21:12 1011275 --sha-w- c:\windows\system32\sayiwido.exe
2009-10-08 21:12 . 2009-07-08 21:12 39424 --sha-w- c:\windows\system32\yejedotu.dll
2009-10-08 18:45 . 2006-10-19 07:04 72592 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-08 16:19 . 2009-07-08 16:19 1011393 --sha-w- c:\windows\system32\pewekasi.exe
2009-10-08 16:13 . 2009-07-08 16:13 1011393 --sha-w- c:\windows\system32\sekisahi.exe
2009-10-08 16:13 . 2009-07-08 16:13 39424 --sha-w- c:\windows\system32\dutudari.dll
2009-10-08 15:40 . 2009-01-27 22:33 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-08 13:24 . 2009-10-08 13:24 4720 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2009-10-08 06:30 . 2009-07-08 06:30 91136 --sha-w- c:\windows\system32\tanokoge.dll
2009-10-08 06:30 . 2009-07-08 06:30 39424 --sha-w- c:\windows\system32\rijedatu.dll
2009-10-08 03:08 . 2009-07-08 03:08 39424 --sha-w- c:\windows\system32\soluvubu.dll
2009-10-08 03:07 . 2009-01-27 22:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-07 16:57 . 2009-07-07 16:57 28160 --sha-w- c:\windows\system32\gufipato.dll
2009-10-07 16:57 . 2009-07-07 16:57 91136 --sha-w- c:\windows\system32\yezoyihu.dll
2009-10-07 16:57 . 2009-07-07 16:57 39424 --sha-w- c:\windows\system32\yasijote.dll
2009-10-03 18:45 . 2009-10-03 18:45 16919 ----a-w- c:\program files\Common Files\fepe._sy
2009-10-03 18:45 . 2009-10-03 18:45 14276 ----a-w- c:\program files\Common Files\pavasi.lib
2009-10-03 00:35 . 2009-10-03 00:35 17182 ----a-w- c:\program files\Common Files\xymul.db
2009-10-03 00:35 . 2009-10-03 00:35 13114 ----a-w- c:\program files\Common Files\idazafybo.lib
2009-08-28 01:26 . 2009-08-28 01:26 -------- d-----w- c:\program files\MSBuild
2009-08-28 01:26 . 2009-08-28 01:26 -------- d-----w- c:\program files\Reference Assemblies
2009-08-27 22:41 . 2007-05-22 01:10 -------- d-----w- c:\documents and settings\Kristen\Application Data\Move Networks
2009-08-26 23:52 . 2006-10-19 08:24 -------- d-----w- c:\program files\Google
2009-08-26 23:52 . 2006-10-19 06:02 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-26 23:48 . 2006-10-19 09:15 -------- d-----w- c:\program files\Common Files\Real
2009-08-26 23:38 . 2006-10-19 08:22 -------- d-----w- c:\documents and settings\All Users\Application Data\WildTangent
2009-08-26 23:26 . 2007-01-29 15:42 -------- d-----w- c:\program files\MySpace
2009-08-26 23:12 . 2007-05-08 21:41 -------- d-----w- c:\program files\iMesh Applications
2009-08-26 22:55 . 2006-12-31 21:00 -------- d-----w- c:\program files\Creative
2009-08-26 22:52 . 2006-10-19 08:23 -------- d-----w- c:\program files\GemMaster
2009-08-26 22:38 . 2007-02-02 23:15 -------- d-----w- c:\documents and settings\Kristen\Application Data\FrostWire
2009-08-26 21:49 . 2008-05-12 00:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2009-08-26 21:49 . 2008-05-12 00:48 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-08-26 21:20 . 2009-08-26 21:20 -------- d-----w- c:\program files\VS Revo Group
2009-08-26 21:13 . 2008-05-13 00:22 256 ----a-w- c:\documents and settings\Kristen\pool.bin
2009-08-05 09:01 . 2006-10-19 04:52 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2006-10-19 04:52 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-08 16:19 . 2009-07-08 16:19 3 --sha-w- c:\windows\system32\nineyuyo.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312]
"Toshiba Hotkey Utility"="c:\program files\Toshiba\Windows Utilities\Hotkey.exe" [2006-08-01 1773568]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 49263]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-12-06 1077322]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-05-24 188416]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-11-09 115560]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-12-12 344064]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2005-06-01 282624]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-17 2879488]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-09-06 16262656]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [6/28/2006 2:50 PM 98816]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/27/2009 6:25 PM 102448]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [5/29/2007 2:55 PM 23888]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-04-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 21:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search - ?p=ZRxdm479MFUS
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-12 11:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"="a"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,52,31,f8,73,9b,07,e8,48,a3,f7,25,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,52,31,f8,73,9b,07,e8,48,a3,f7,25,\

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(620)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-10-12 11:10
ComboFix-quarantined-files.txt 2009-10-12 15:09
ComboFix2.txt 2009-10-12 04:43

Pre-Run: 25,555,472,384 bytes free
Post-Run: 25,540,624,384 bytes free

184 --- E O F --- 2009-10-08 13:27

#6 thewall (Malware Response Team)

Posted 12 October 2009 - 01:39 PM

Go to http://virusscan.jotti.org
Copy the following line into the white textbox:
c:\program files\Common Files\fepe._sy
Click Submit.
Please post the results of this scan to this thread.

Do the same for
c:\program files\Common Files\pavasi.lib
c:\program files\Common Files\xymul.db
c:\program files\Common Files\idazafybo.lib

If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#7 peggrw (Topic Starter)

Posted 12 October 2009 - 02:53 PM

Filename: fepe._sy
Status: Scan finished. 0 out of 21 scanners reported malware.
Scan taken on: Mon 12 Oct 2009 21:43:08 (CET)
File size: 16919 bytes
Filetype: MS Windows icon resource - 1 icon
MD5: 17e69b5835efd313be1a9dbd86cc87fa
SHA1: 9e84ac798b8bf220e2575bd8f746c1fda4dca089

Filename: pavasi.lib
Status: Scan finished. 0 out of 21 scanners reported malware.
Scan taken on: Mon 12 Oct 2009 21:47:06 (CET)
File size: 14276 bytes
Filetype: MS Windows icon resource - 3 icons, 2x1, 1-colors
MD5: f562a553e4f22291eaa9f3c1ea749b51
SHA1: 609c3fa2f9625aaa117c5dbf4ed9cb1b786e2852

Filename: xymul.db
Status: Scan finished. 0 out of 21 scanners reported malware.
Scan taken on: Mon 12 Oct 2009 21:49:45 (CET)
File size: 17182 bytes
Filetype: MS Windows icon resource - 3 icons, 2-colors
MD5: 227755e596d23429cf5c8b7243e464be
SHA1: 583d85033b9a69460e24610e6b89488e827de858

Filename: idazafybo.lib
Status: Scan finished. 0 out of 21 scanners reported malware.
Scan taken on: Mon 12 Oct 2009 21:51:47 (CET)
File size: 13114 bytes
Filetype: Unknown
MD5: 118d42b5dc1f92ecd88c546513aa0922
SHA1: ef2be7027548b25ae74a996640c6d73e6d50d9f3
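The Jotti results above pair names like `pavasi.lib` and `xymul.db` with a detected type of "MS Windows icon resource" and zero detections. The check a responder wants at that point is not "did any scanner fire" but "does the content agree with the name". The script below is an added example, not code from the thread or from Jotti: it computes the same MD5/SHA1 the report prints, identifies the content from its leading magic bytes, and flags a file whose extension does not fit that content. The sample bytes are constructed (an icon header saved under a `.lib` name, an MZ stub under `.db`), so their hashes will not match the ones posted above.

```python
"""Added example (not part of the thread): hash a file as the Jotti report does and
check whether its magic bytes agree with its extension."""
import hashlib
from dataclasses import dataclass
from typing import List, Optional

# Leading bytes -> content type. An ICO/CUR header is reserved=0x0000,
# type=0x0001 (icon) or 0x0002 (cursor), then a little-endian image count.
MAGIC = [
    (b"MZ", "DOS/Windows executable (MZ/PE)"),
    (b"PK\x03\x04", "ZIP archive"),
    (b"\x00\x00\x01\x00", "MS Windows icon resource"),
    (b"\x00\x00\x02\x00", "MS Windows cursor resource"),
]

# Extensions under which each content type is normally found; anything else is a mismatch.
EXPECTED_EXT = {
    "DOS/Windows executable (MZ/PE)": {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl", ".com", ".drv"},
    "ZIP archive": {".zip", ".jar", ".docx", ".xlsx", ".pptx"},
    "MS Windows icon resource": {".ico"},
    "MS Windows cursor resource": {".cur"},
}

@dataclass
class FileReport:
    name: str
    size: int
    md5: str
    sha1: str
    filetype: str
    images: Optional[int]   # image count from an ICO/CUR header, if it is one
    suspicious: bool
    reason: str

def identify(data: bytes) -> str:
    """Content type from the leading magic bytes, or 'Unknown' when nothing matches."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    return "Unknown"

def image_count(data: bytes) -> Optional[int]:
    """Number of images an ICO/CUR header claims, or None for anything else."""
    if len(data) >= 6 and data[:4] in (b"\x00\x00\x01\x00", b"\x00\x00\x02\x00"):
        return int.from_bytes(data[4:6], "little")
    return None

def report(name: str, data: bytes) -> FileReport:
    """Hash the bytes and decide whether the name and the content tell the same story."""
    ftype = identify(data)
    ext = name[name.rfind("."):].lower() if "." in name else ""
    if ftype == "Unknown":
        suspicious, reason = True, "unrecognised content; zero AV detections do not make it clean"
    elif ext not in EXPECTED_EXT[ftype]:
        suspicious, reason = True, f"content is '{ftype}' but the name ends in '{ext or '(no extension)'}'"
    else:
        suspicious, reason = False, "extension matches content"
    return FileReport(name, len(data), hashlib.md5(data).hexdigest(),
                      hashlib.sha1(data).hexdigest(), ftype, image_count(data), suspicious, reason)

# Constructed sample bytes (not the real files from the thread, so the hashes differ):
# an icon header claiming three images under a '.lib' name, an MZ stub under a '.db'
# name, and a one-image icon under a proper '.ico' name.
SAMPLES = [
    ("pavasi.lib", b"\x00\x00\x01\x00\x03\x00" + b"\x00" * 42),
    ("xymul.db", b"MZ\x90\x00" + b"\x00" * 60),
    ("app.ico", b"\x00\x00\x01\x00\x01\x00" + b"\x00" * 16),
]

def scan_samples() -> List[FileReport]:
    """Run the check over the constructed samples."""
    return [report(name, data) for name, data in SAMPLES]

if __name__ == "__main__":
    for r in scan_samples():
        flag = "SUSPICIOUS" if r.suspicious else "ok"
        print(f"{flag:10} {r.name:12} {r.size:5d} bytes  {r.filetype:32} md5={r.md5}  {r.reason}")
```

To use it on real files, read each one in binary mode and pass the bytes to `report()`; the MD5/SHA1 it prints can then be compared with the values in a scanner report, and the extension check gives a reason to keep a file under suspicion even when the scanner count is zero.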

#8 thewall (Malware Response Team)

Posted 12 October 2009 - 03:06 PM

You're doing well. Want to make sure we get TeaTimer disabled this time along with the AV.

Special ComboFix script made for this computer only

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs including TeaTimer if you have it so they do not interfere with the running of ComboFix. Instructions for doing so are located here

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\oximetyqac.com
c:\windows\system32\givoxelopi.com
c:\windows\wuveza.com
c:\windows\system32\nijoroze.exe
c:\windows\system32\nutuhunu.dll
c:\windows\system32\nehakite.exe
c:\windows\system32\rakedega.dll
c:\windows\system32\lijaduhi.exe
c:\windows\system32\fuyisajo.dll
c:\windows\system32\mohiseje.exe
c:\windows\system32\wizunipo.dll
c:\windows\system32\sayiwido.exe
c:\windows\system32\yejedotu.dll
c:\windows\system32\pewekasi.exe
c:\windows\system32\sekisahi.exe
c:\windows\system32\dutudari.dll
c:\windows\system32\tanokoge.dll
c:\windows\system32\rijedatu.dll
c:\windows\system32\soluvubu.dll
c:\windows\system32\gufipato.dll
c:\windows\system32\yezoyihu.dll
c:\windows\system32\yasijote.dll
c:\windows\system32\nineyuyo.dll


Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

#9 peggrw (Topic Starter)

Posted 12 October 2009 - 04:26 PM

Disabled TeaTimer, AntiVirus and Firewall. Ran CF with script. Prior to producing the log, CF tried to upload files to a server for further analysis. That upload failed. I tried to manually upload the 6.8M file C:\Qoobox\Quarantine\[4]-Submit_2009-10-12_16.46.57.zip but it was rejected as too large. Here is the CF log.

ComboFix 09-10-11.03 - Kristen 10/12/2009 16:47.3.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.109 [GMT -4:00]
Running from: c:\documents and settings\Kristen\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kristen\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FILE ::
"c:\windows\oximetyqac.com"
"c:\windows\system32\dutudari.dll"
"c:\windows\system32\fuyisajo.dll"
"c:\windows\system32\givoxelopi.com"
"c:\windows\system32\gufipato.dll"
"c:\windows\system32\lijaduhi.exe"
"c:\windows\system32\mohiseje.exe"
"c:\windows\system32\nehakite.exe"
"c:\windows\system32\nijoroze.exe"
"c:\windows\system32\nineyuyo.dll"
"c:\windows\system32\nutuhunu.dll"
"c:\windows\system32\pewekasi.exe"
"c:\windows\system32\rakedega.dll"
"c:\windows\system32\rijedatu.dll"
"c:\windows\system32\sayiwido.exe"
"c:\windows\system32\sekisahi.exe"
"c:\windows\system32\soluvubu.dll"
"c:\windows\system32\tanokoge.dll"
"c:\windows\system32\wizunipo.dll"
"c:\windows\system32\yasijote.dll"
"c:\windows\system32\yejedotu.dll"
"c:\windows\system32\yezoyihu.dll"
"c:\windows\wuveza.com"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\oximetyqac.com
c:\windows\system32\dutudari.dll
c:\windows\system32\fuyisajo.dll
c:\windows\system32\givoxelopi.com
c:\windows\system32\gufipato.dll
c:\windows\system32\lijaduhi.exe
c:\windows\system32\mohiseje.exe
c:\windows\system32\nehakite.exe
c:\windows\system32\nijoroze.exe
c:\windows\system32\nineyuyo.dll
c:\windows\system32\nutuhunu.dll
c:\windows\system32\pewekasi.exe
c:\windows\system32\rakedega.dll
c:\windows\system32\rijedatu.dll
c:\windows\system32\sayiwido.exe
c:\windows\system32\sekisahi.exe
c:\windows\system32\soluvubu.dll
c:\windows\system32\tanokoge.dll
c:\windows\system32\wizunipo.dll
c:\windows\system32\yasijote.dll
c:\windows\system32\yejedotu.dll
c:\windows\system32\yezoyihu.dll
c:\windows\wuveza.com

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((( Files Created from 2009-09-12 to 2009-10-12 )))))))))))))))))))))))))))))))
.

2009-10-12 15:46 . 2009-10-12 15:46 -------- d-----w- c:\documents and settings\Kristen\Application Data\InstallShield
2009-10-12 15:37 . 2009-10-12 15:37 -------- d-----w- c:\windows\LastGood
2009-10-08 19:23 . 2009-10-08 19:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-08 16:29 . 2009-10-08 16:30 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-10-08 15:39 . 2009-10-08 15:39 -------- d-----w- c:\program files\Unlocker
2009-10-08 15:28 . 2009-10-08 15:28 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2009-10-08 06:12 . 2009-10-08 06:12 -------- d-----w- c:\windows\system32\scripting
2009-10-08 06:12 . 2009-10-08 06:12 -------- d-----w- c:\windows\l2schemas
2009-10-08 06:12 . 2009-10-08 06:12 -------- d-----w- c:\windows\system32\en
2009-10-08 06:12 . 2009-10-08 06:12 -------- d-----w- c:\windows\system32\bits
2009-10-08 05:37 . 2009-10-08 05:37 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-10-08 03:38 . 2009-10-08 03:38 -------- d-----w- C:\VundoFix Backups
2009-10-07 22:45 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-07 22:45 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-07 21:45 . 2009-10-07 23:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-07 21:08 . 2009-10-07 21:08 -------- d-----w- c:\documents and settings\Kristen\Application Data\Malwarebytes
2009-10-07 21:08 . 2009-10-07 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-07 19:07 . 2009-10-07 19:07 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-10-07 19:06 . 2009-10-07 19:06 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-10-07 18:39 . 2009-10-07 19:05 -------- d--h--w- c:\windows\PIF
2009-10-07 16:02 . 2009-10-07 16:02 12422 ----a-w- c:\program files\Common Files\emony.dat
2009-10-07 16:02 . 2009-10-07 16:02 11252 ----a-w- c:\windows\cafor.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-08 18:45 . 2006-10-19 07:04 72592 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-08 15:40 . 2009-01-27 22:33 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-08 13:24 . 2009-10-08 13:24 4720 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2009-10-08 03:07 . 2009-01-27 22:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-03 18:45 . 2009-10-03 18:45 16919 ----a-w- c:\program files\Common Files\fepe._sy
2009-10-03 18:45 . 2009-10-03 18:45 14276 ----a-w- c:\program files\Common Files\pavasi.lib
2009-10-03 00:35 . 2009-10-03 00:35 17182 ----a-w- c:\program files\Common Files\xymul.db
2009-10-03 00:35 . 2009-10-03 00:35 13114 ----a-w- c:\program files\Common Files\idazafybo.lib
2009-08-28 01:26 . 2009-08-28 01:26 -------- d-----w- c:\program files\MSBuild
2009-08-28 01:26 . 2009-08-28 01:26 -------- d-----w- c:\program files\Reference Assemblies
2009-08-27 22:41 . 2007-05-22 01:10 -------- d-----w- c:\documents and settings\Kristen\Application Data\Move Networks
2009-08-26 23:52 . 2006-10-19 08:24 -------- d-----w- c:\program files\Google
2009-08-26 23:52 . 2006-10-19 06:02 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-26 23:48 . 2006-10-19 09:15 -------- d-----w- c:\program files\Common Files\Real
2009-08-26 23:38 . 2006-10-19 08:22 -------- d-----w- c:\documents and settings\All Users\Application Data\WildTangent
2009-08-26 23:26 . 2007-01-29 15:42 -------- d-----w- c:\program files\MySpace
2009-08-26 23:12 . 2007-05-08 21:41 -------- d-----w- c:\program files\iMesh Applications
2009-08-26 22:55 . 2006-12-31 21:00 -------- d-----w- c:\program files\Creative
2009-08-26 22:52 . 2006-10-19 08:23 -------- d-----w- c:\program files\GemMaster
2009-08-26 22:38 . 2007-02-02 23:15 -------- d-----w- c:\documents and settings\Kristen\Application Data\FrostWire
2009-08-26 21:49 . 2008-05-12 00:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2009-08-26 21:49 . 2008-05-12 00:48 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-08-26 21:20 . 2009-08-26 21:20 -------- d-----w- c:\program files\VS Revo Group
2009-08-26 21:13 . 2008-05-13 00:22 256 ----a-w- c:\documents and settings\Kristen\pool.bin
2009-08-05 09:01 . 2006-10-19 04:52 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2006-10-19 04:52 58880 ----a-w- c:\windows\system32\atl.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-10-12_04.25.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-12 15:30 . 2009-10-12 15:30 16384 c:\windows\Temp\Perflib_Perfdata_474.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312]
"Toshiba Hotkey Utility"="c:\program files\Toshiba\Windows Utilities\Hotkey.exe" [2006-08-01 1773568]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 49263]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-12-06 1077322]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-05-24 188416]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-11-09 115560]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-12-12 344064]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2005-06-01 282624]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-17 2879488]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-09-06 16262656]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [6/28/2006 2:50 PM 98816]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/27/2009 6:25 PM 102448]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [5/29/2007 2:55 PM 23888]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-04-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 21:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search - ?p=ZRxdm479MFUS
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-ISUSPM - c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-12 16:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"="a"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,52,31,f8,73,9b,07,e8,48,a3,f7,25,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,52,31,f8,73,9b,07,e8,48,a3,f7,25,\

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(616)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-10-12 17:00
ComboFix-quarantined-files.txt 2009-10-12 20:59
ComboFix2.txt 2009-10-12 15:10
ComboFix3.txt 2009-10-12 04:43

Pre-Run: 25,529,925,632 bytes free
Post-Run: 25,477,738,496 bytes free

216 --- E O F --- 2009-10-08 13:27
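The log above is the place to confirm that the CFScript did what it was written to do: every path under `File::` should reappear under "Other Deletions", the "is missing!!" line is a system file that now needs restoring, and the "Reg Loading Points" section still shows `UpdatesDisableNotify`, `DisableMonitoring` and `EnableFirewall` set so that the Security Center and firewall stay quiet. The script below is an added example, not part of the thread or of ComboFix, that does those three checks over a ComboFix log. Its inputs are constructed excerpts modelled on the script and log in the posts above; one requested file is deliberately left out of the deletions so the reconciliation has something to report, whereas in the real run all 23 files were deleted.

```python
"""Added example (not from the thread): check a ComboFix run against the CFScript that
drove it, and flag registry values in the log that weaken built-in defences."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed inputs modelled on the script and log above (abridged, one file left undeleted).
CFSCRIPT = r"""File::
c:\windows\oximetyqac.com
c:\windows\system32\givoxelopi.com
c:\windows\wuveza.com
c:\windows\system32\nijoroze.exe
"""

COMBOFIX_LOG = r"""ComboFix 09-10-11.03 - Kristen 10/12/2009 16:47.3.1 - NTFSx86
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
c:\windows\oximetyqac.com
c:\windows\system32\givoxelopi.com
c:\windows\wuveza.com

c:\windows\system32\proquota.exe . . . is missing!!

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

SECTION_RE = re.compile(r"^\(+\s*(.*?)\s*\)+$")
PATH_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+?)\s*$')

# (fragment of the key, value name, value that weakens the machine, what it means)
WEAKENING: List[Tuple[str, str, int, str]] = [
    (r"security center", "UpdatesDisableNotify", 1, "Security Center update warnings silenced"),
    (r"security center\monitoring", "DisableMonitoring", 1, "Security Center no longer monitors the AV"),
    (r"firewallpolicy\standardprofile", "EnableFirewall", 0, "Windows Firewall off for the standard profile"),
]

def sections(log: str) -> Dict[str, List[str]]:
    """Split the log at its '(((( Title ))))' banners; text before the first one is 'preamble'."""
    out: Dict[str, List[str]] = {"preamble": []}
    current = "preamble"
    for line in log.splitlines():
        m = SECTION_RE.match(line.strip())
        if m and m.group(1):
            current = m.group(1)
            out[current] = []
        else:
            out[current].append(line.rstrip())
    return out

def requested_files(cfscript: str) -> Set[str]:
    """Paths under the 'File::' directive; other directives (Folder::, Registry::, ...) are ignored."""
    wanted: Set[str] = set()
    active = False
    for line in (l.strip() for l in cfscript.splitlines()):
        if re.fullmatch(r"\w+::", line):
            active = line.lower() == "file::"
        elif active and line:
            wanted.add(line.lower())
    return wanted

def deleted_files(log: str) -> Set[str]:
    """Paths reported under 'Other Deletions', excluding the 'is missing' notices."""
    return {l.strip().lower() for l in sections(log).get("Other Deletions", [])
            if PATH_RE.match(l.strip()) and "is missing" not in l}

def missing_files(log: str) -> List[str]:
    """System files ComboFix reports as absent; these need restoring from a known-good copy."""
    return [l.split(" . . .")[0].strip().lower() for l in log.splitlines() if "is missing!!" in l]

def _as_int(raw: str) -> Optional[int]:
    """Normalise 'dword:00000001' and '0 (0x0)' to an int; None for strings and paths."""
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^(\d+)", raw)
    return int(m.group(1)) if m else None

def weak_settings(log: str) -> List[str]:
    """Values in 'Reg Loading Points' that turn off or silence the OS's own defences."""
    findings: List[str] = []
    key = ""
    for line in (l.strip() for l in sections(log).get("Reg Loading Points", [])):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), _as_int(m.group(2))
        for fragment, bad_name, bad_value, meaning in WEAKENING:
            if fragment in key and name.lower() == bad_name.lower() and value == bad_value:
                findings.append(f"{key}\\{name} = {value}: {meaning}")
    return findings

def reconcile(cfscript: str, log: str) -> Dict[str, Set[str]]:
    """Requested files the run never reported deleting, and deletions that were never requested."""
    wanted, done = requested_files(cfscript), deleted_files(log)
    return {"not_deleted": wanted - done, "unrequested": done - wanted}

if __name__ == "__main__":
    for label, paths in reconcile(CFSCRIPT, COMBOFIX_LOG).items():
        print(label, sorted(paths))
    print("missing:", missing_files(COMBOFIX_LOG))
    for finding in weak_settings(COMBOFIX_LOG):
        print("weak:", finding)
```

Point it at the real `CFScript.txt` and `C:\ComboFix.txt` by reading both files into the two strings. A non-empty `not_deleted` set means a file was locked, already gone, or renamed between the scan and the script; the `weak_settings` findings are the values a follow-up scan or a manual fix still has to put back.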

#10 thewall (Malware Response Team)

Posted 12 October 2009 - 04:44 PM

I'll check on the failed file upload.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    proquota.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#11 peggrw (Topic Starter)

Posted 12 October 2009 - 04:57 PM

Thanks again, SystemLook file below:

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 17:53 on 12/10/2009 by Kristen (Administrator - Elevation successful)

========== filefind ==========

Searching for "proquota.exe"
C:\WINDOWS\ServicePackFiles\i386\proquota.exe ------ 50176 bytes [18:21 28/09/2008] [00:12 14/04/2008] F6465A2EEF75468988A4FCF124148FA8
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\proquota.exe --a--- 50176 bytes [18:21 28/09/2008] [00:12 14/04/2008] F6465A2EEF75468988A4FCF124148FA8

-=End Of File=-

#12 thewall (Malware Response Team)

Posted 12 October 2009 - 05:26 PM

We seem to be moving along fairly well. This is next:

  • Click on the Start button, then click on Run...
  • In the empty "Open:" box provided, type cmd and press Enter
    • This will launch a Command Prompt window (looks like DOS).
  • Copy the entire blue text below to the clipboard by highlighting all of it and pressing Ctrl+C (or after highlighting, right-click and select Copy).
    copy C:\WINDOWS\ServicePackFiles\i386\proquota.exe c:\windows\system32\proquota.exe /y
  • In the Command Prompt window, paste the copied text by right-clicking and selecting Paste.
  • Press Enter. When successful, you should get this message within the Command Prompt: "1 file(s) copied"
  • Exit the Command Prompt window.
If you get the message that the file is copied move on to the next thing. If not stop and tell me.


Open your MalwareBytes and do an update. After that please do a Quick Scan only. Allow it to remove anything it finds and post the log it produces. If it doesn't find anything just let me know, you don't have to post the log.

#13 peggrw (Topic Starter)

Posted 12 October 2009 - 06:19 PM

Do I see light at the end of the tunnel?

Copied the file as directed and ran MalwareBytes. It found the Disabled.SecurityCenter issue and deleted it. I let the MalwareBytes reboot the machine to complete the deletion. That log is below. (After reboot I re-ran the scan and no issues were found.)

Malwarebytes' Anti-Malware 1.41
Database version: 2949
Windows 5.1.2600 Service Pack 3

10/12/2009 6:43:59 PM
mbam-log-2009-10-12 (18-43-59).txt

Scan type: Quick Scan
Objects scanned: 109838
Time elapsed: 8 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#14 thewall (Malware Response Team)

Posted 12 October 2009 - 06:41 PM

Let's keep our fingers crossed. It's looking pretty good right now if nothing else bad jumps up and bites us.



Please uninstall older version of Adobe Reader before installing the latest version

* Click Start
* Control Panel
* Double clicking on Add/Remove Programs
* Locate older version of Adobe Reader and click on Change/Remove to uninstall it
* Click HERE to download the latest version of Adobe Acrobat Reader.
* Select your Windows version and click on Download. If you are using Internet Explorer, you will receive prompts. Allow the installation to be run and it will be installed automatically for you. If you are using other browsers, it will prompt you to save a file. Save this file to your desktop and run it to install the latest version of Adobe Reader.
* Close your Internet browser and open it again.





Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 16.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u16-windows-i586.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.





We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Close any and all open programs, as this process may crash your computer.
  • Double click the downloaded GMER file on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
  • Click on Scan and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Save... and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.


#15 peggrw (Topic Starter)

Posted 12 October 2009 - 08:57 PM

Adobe Reader and Java Updated. GMER log below.

GMER 1.0.15.15125 - http://www.gmer.net
Rootkit scan 2009-10-12 21:55:15
Windows 5.1.2600 Service Pack 3
Running: ombbesdu.exe; Driver: C:\DOCUME~1\Kristen\LOCALS~1\Temp\fxliykod.sys


---- System - GMER 1.0.15 ----

SSDT 84EB0EE0 ZwAlertResumeThread
SSDT 84EAA0D0 ZwAlertThread
SSDT 84DA4830 ZwAllocateVirtualMemory
SSDT 84C3CB58 ZwConnectPort
SSDT 84993318 ZwCreateMutant
SSDT 84C27298 ZwCreateThread
SSDT 84DBEEE8 ZwFreeVirtualMemory
SSDT 84EBAC80 ZwImpersonateAnonymousToken
SSDT 84EB5F40 ZwImpersonateThread
SSDT 84C2A0C0 ZwMapViewOfSection
SSDT 84ECD2A8 ZwOpenEvent
SSDT 84ED2EB0 ZwOpenProcessToken
SSDT 84994580 ZwOpenThreadToken
SSDT 84C11C28 ZwResumeThread
SSDT 84E92990 ZwSetContextThread
SSDT 84C55828 ZwSetInformationProcess
SSDT 8498A320 ZwSetInformationThread
SSDT 84DCC588 ZwSuspendProcess
SSDT 84EB0D70 ZwSuspendThread
SSDT 84F64FD0 ZwTerminateProcess
SSDT 84EAF050 ZwTerminateThread
SSDT 84F67918 ZwUnmapViewOfSection
SSDT 84DACD98 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 198 804E27F4 4 Bytes CALL 35D303E7

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[2624] SHELL32.dll!SHFileOperationW 7CA70924 5 Bytes JMP 02421102 C:\Program Files\Unlocker\UnlockerHook.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet003\Services\gasfkynssipjuc@start 4
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkynssipjuc@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkynssipjuc@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkynssipjuc@imagepath \systemroot\system32\drivers\gasfkytqpoybvx.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkynssipjuc\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkynssipjuc\main@aid 20124
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkynssipjuc\main@sid 0
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkynssipjuc\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkynssipjuc\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkynssipjuc\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkynssipjuc\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkynssipjuc\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkynssipjuc\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkynssipjuc\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkytqpoybvx.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkynssipjuc\modules@gasfkycmd.dll \systemroot\system32\gasfkytegowotr.dll
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkynssipjuc\modules@gasfkylog.dat \systemroot\system32\gasfkyrfnnvxpx.dat
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkynssipjuc\modules@gasfkywsp.dll \systemroot\system32\gasfkyxqdetuvo.dll
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkynssipjuc\modules@gasfky.dat \systemroot\system32\gasfkyxoyvuxwv.dat
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkynssipjuc\modules@gasfkywsp8.dll \systemroot\system32\gasfkyrbltliqh.dll

---- EOF - GMER 1.0.15 ----
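The "Registry" block of the GMER log above describes one service, `gasfkynssipjuc`, through nineteen separate `Reg` lines: its driver image, a `main\injector` subkey naming a DLL, a `modules` subkey mapping aliases to files in system32, and GMER's note that the whole thing sits in `ControlSet003`, which it says is not the active control set. Reading that by hand is error-prone, so here is an added example (not from the thread or from GMER) that parses those lines back into a service object, summarises what the values mean, and lists every on-disk path the service references so they can be looked for or submitted next. The sample input is an excerpt of the log lines posted above; the meanings of `Start` = 4 (SERVICE_DISABLED) and `Type` = 1 (kernel driver) are the documented Windows service values.

```python
"""Added example (not from the thread): rebuild the service described by the 'Reg' lines
of a GMER log and summarise what it is configured to do."""
import re
from collections import defaultdict
from typing import Dict, List, Set

# Excerpt of the GMER 'Registry' section posted above, used as sample input.
GMER_REG_LINES = r"""
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkynssipjuc@start 4
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkynssipjuc@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkynssipjuc@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkynssipjuc@imagepath \systemroot\system32\drivers\gasfkytqpoybvx.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkynssipjuc\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkynssipjuc\main@aid 20124
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkynssipjuc\main@sid 0
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkynssipjuc\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkynssipjuc\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkynssipjuc\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkynssipjuc\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkynssipjuc\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkynssipjuc\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkynssipjuc\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkytqpoybvx.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkynssipjuc\modules@gasfkycmd.dll \systemroot\system32\gasfkytegowotr.dll
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkynssipjuc\modules@gasfkylog.dat \systemroot\system32\gasfkyrfnnvxpx.dat
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkynssipjuc\modules@gasfkywsp.dll \systemroot\system32\gasfkyxqdetuvo.dll
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkynssipjuc\modules@gasfky.dat \systemroot\system32\gasfkyxoyvuxwv.dat
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkynssipjuc\modules@gasfkywsp8.dll \systemroot\system32\gasfkyrbltliqh.dll
"""

# 'Reg <key>@<value> <data>' for a value, 'Reg <key> <note>' for a key-level note.
LINE_RE = re.compile(r"^Reg\s+(\S+?)(?:@(\S+))?\s+(.*)$")
SERVICE_RE = re.compile(r"^HKLM\\SYSTEM\\(ControlSet\d+|CurrentControlSet)\\Services\\([^\\]+)(.*)$", re.IGNORECASE)

def parse_services(text: str) -> Dict[str, dict]:
    """Group GMER 'Reg' lines by service: root values, per-subkey values and GMER's notes."""
    services: Dict[str, dict] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        key, name, data = m.groups()
        s = SERVICE_RE.match(key)
        if not s:
            continue
        control_set, svc, subkey = s.group(1), s.group(2), s.group(3).strip("\\").lower()
        entry = services.setdefault(svc, {"control_set": control_set, "values": {},
                                          "subkeys": defaultdict(dict), "notes": []})
        if name is None:
            entry["notes"].append(f"{subkey or '(root)'}: {data}")
        elif subkey:
            entry["subkeys"][subkey][name.lower()] = data
        else:
            entry["values"][name.lower()] = data
    return services

def _shared_prefix(a: str, b: str) -> int:
    """Length of the common case-insensitive prefix of two names."""
    n = 0
    for x, y in zip(a.lower(), b.lower()):
        if x != y:
            break
        n += 1
    return n

def assess(svc_name: str, svc: dict) -> List[str]:
    """Human-readable findings about one service reconstructed from the log."""
    findings: List[str] = []
    if any("not active ControlSet" in n for n in svc["notes"]):
        findings.append(f"registered in {svc['control_set']}, which GMER marks as not the active control set")
    if svc["values"].get("start") == "4":
        findings.append("Start=4 (SERVICE_DISABLED) in this control set")
    if svc["values"].get("type") == "1":
        findings.append("Type=1 (kernel driver)")
    image = svc["values"].get("imagepath", "")
    driver = image.rsplit("\\", 1)[-1]
    if "\\drivers\\" in image.lower() and _shared_prefix(svc_name, driver) >= 6:
        findings.append(f"driver {driver} shares the service's random-looking name prefix")
    injector = svc["subkeys"].get("main\\injector", {})
    if injector:
        findings.append("injector subkey names DLLs to load into processes: "
                        + ", ".join(f"{k} -> {v}" for k, v in injector.items()))
    modules = svc["subkeys"].get("modules", {})
    if modules:
        findings.append(f"modules subkey maps {len(modules)} aliases to files on disk")
    return findings

def files_to_hunt(svc: dict) -> Set[str]:
    """Every on-disk path the service references: its driver image plus each module target."""
    paths = {p.lower() for p in svc["subkeys"].get("modules", {}).values()}
    if svc["values"].get("imagepath"):
        paths.add(svc["values"]["imagepath"].lower())
    return paths

if __name__ == "__main__":
    for name, svc in parse_services(GMER_REG_LINES).items():
        print(name)
        for finding in assess(name, svc):
            print("  -", finding)
        for path in sorted(files_to_hunt(svc)):
            print("  file:", path)
```

The `files_to_hunt` list is what you would feed into the next SystemLook or hash-submission round; the `injector` entry (`*` mapped to a DLL) records which processes the service wants that DLL loaded into, with `*` meaning all of them.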
