Security Tool, Windows Police Pro, and Antivirus 2010


This topic is locked. 52 replies to this topic.

#1 Likesdirt (Members, 31 posts)

Posted 11 October 2009 - 04:56 PM

RootRepeal would not run - error message "Insufficient resources exist to complete the requested service". Win32kDiag.exe would not run - error message "There is not enough free memory to run this program. Quit one or more programs, then try again" , and blank desktop (no icons) except for "Windows Police Pro has denied Internet Access of the program." and buttons to activate Police Pro or continue at risk. I have posted other symptoms in the AII forum and I was able to run Peek.dat and posted the log there. Here's the link http://www.bleepingcomputer.com/forums/t/263112/security-tool-windows-pro-police/

I have disconnected the internet cable, changed all passwords that we can think of, and sent for a credit report since one of our credit card companies had changed the account number due to a possible fraud alert but they could not tell us what it was, only that it was an automated change by their security system. Is there anything else I should be doing to protect our information?

I am working in Safe Mode on the infected computer and accessing internet from our laptop and using a flashdrive to transfer downloads and information. Tried using normal mode and last known good configuration, both lock up the computer. When they did work, I could not access Task Manager or run anti-virus programs. Also was able to run "FixTM" in Safe mode but when I opened Task Manager from the task bar clock, there were no tabs at the top. Did a search for the bad files and found several that I did not recognize and all had the same date/time modified, which were the last files and also when the malware surfaced, so I deleted them. Did not do any good. The more I tried to use the computer, the worse things got. I have Quickbooks files and family pictures on there that I would like to get onto my external hard drive. If that is possible, please let me know how. Here is the log report from Peek.dat.

Volume in drive C has no label.
Volume Serial Number is 6030-858F

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 02:56 AM 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 02:56 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 02:56 AM 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 07:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 07:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 07:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\SYSTEM32

04/13/2008 07:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\SYSTEM32

04/13/2008 07:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\SYSTEM32

04/13/2008 07:11 PM 61,952 eventlog.dll
3 File(s) 650,240 bytes

Total Files Listed:
9 File(s) 1,937,920 bytes
0 Dir(s) 39,463,391,232 bytes free

#2 Blade81 (Bleepin' Rocker, Malware Response Team, 6,465 posts, Finland)

Posted 22 October 2009 - 12:57 AM

Hi,

Sorry for delayed response. Forums have been really busy. Let me know if you still need help with this.

Microsoft Windows Insider MVP 2016-2017
Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal instructions are meant to be used in the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.


#3 Likesdirt (Topic Starter, Members, 31 posts)

Posted 22 October 2009 - 01:19 PM

Yes sir, I still need help. The laptop I was using at home to access the internet has now been infected as well. It has Spyware Protect 2009 or something to that effect. I was able to delete the program files but it's still there in the registry and won't let me open any browsers. So, let me know how to proceed. We could get the laptop going first or I can do it from my computer at work. The latter may take us a little longer but whatever works, right? Let me know what to do first and I'll get right on it.

#4 Blade81 (Bleepin' Rocker, Malware Response Team, 6,465 posts, Finland)

Posted 22 October 2009 - 03:41 PM

Hi,

We follow one system/one topic policy. Let's concentrate on the one which log you posted earlier. Create a new topic for this later infected one, please.


Let's see if you're able to run DDS first.

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop. Post them back to your topic.



#5 Likesdirt (Topic Starter, Members, 31 posts)

Posted 22 October 2009 - 04:26 PM

I tried to run DDS before and could not get it to open. The Peek.dat file is all I could get. When I try to open DDS on my desktop I get the following message:

C:\Documents and Settings\Troy\Desktop\dds.scr is not a valid Win32 application.

Edited by Likesdirt, 22 October 2009 - 05:54 PM.


#6 Blade81 (Bleepin' Rocker, Malware Response Team, 6,465 posts, Finland)

Posted 23 October 2009 - 02:54 AM

Hi,

Please save this file to your desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.



#7 Likesdirt (Topic Starter, Members, 31 posts)

Posted 23 October 2009 - 06:52 PM

Downloaded the file ok. When I double click the icon on my desktop, the 'Open With' dialog box opens and wants me to choose the program to use to open the file. This isn't normal, so I don't know how to proceed at this point.

UPDATE: I went to the Windows Support site and followed the instructions for "Can't Open EXE Files". I changed the default setting of HKEY_CLASSES_ROOT\exefile\shell\open\command to "%1" %* (quote-percent-one-quote-space-percent-asterisk). Now when I double click WIN32Kexe, get a message with the header "16 Bit MS-DOS Subsystem" and the message reads "C:\DOCUME~1\Troy\Desktop\WIN32K~1.EXE
The NTVDM CPU has encountered an illegal instruction.
CS:0df8 IP:0111 OP:63 72 69 70 74 choose 'Close' to terminate the application."

If I choose 'Close' or 'Ignore', the file will not open.

UPDATE 2: I went back to my desktop, there was a WIN32KDiag icon there which I had put there from my flashdrive a couple of weeks ago, and when I double clicked, it ran! I don't know how, but here is the text.

Running from: C:\Documents and Settings\Troy\Desktop\specialk.exe

Log file at : C:\Documents and Settings\Troy\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\A4W_DATA\A4W_DATA

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ADDINS\ADDINS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP143.tmp\ZAP143.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1E3.tmp\ZAP1E3.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2D0.tmp\ZAP2D0.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2ED.tmp\ZAP2ED.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Cache\Adobe Reader 6.0.1\Adobe Reader 6.0.1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Downloaded Installations\Downloaded Installations

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\CHSIME\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\IMEJP\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\IMEJP98\IMEJP98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\IMJP8_1\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\IMKR6_1\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\IMKR6_1\DICTS\DICTS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\SHARED\RES\RES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.6361\11.0.6361

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\JAVA\TRUSTLIB\TRUSTLIB

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\MSAPPS\MSINFO\MSINFO

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\MUI\MUI

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\ErrorRep\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\ErrorRep\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\ErrorRep\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\SYSTEM32\eventlog.dll

[1] 2004-08-04 02:56:42 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 61952 C:\WINDOWS\SYSTEM32\eventlog.dll ()

[2] 2008-04-13 19:11:53 56320 C:\WINDOWS\SYSTEM32\logevent.dll (Microsoft Corporation)

[1] 2001-08-18 07:00:00 47616 C:\i386\EVENTLOG.DLL (Microsoft Corporation)



Cannot access: C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe

[1] 2009-02-06 05:15:13 227840 C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\wmiprvse.exe (Microsoft Corporation)

[1] 2004-08-04 02:56:57 218112 C:\WINDOWS\$NtServicePackUninstall$\wmiprvse.exe (Microsoft Corporation)

[1] 2008-04-13 19:12:40 218112 C:\WINDOWS\$NtUninstallKB956572$\wmiprvse.exe (Microsoft Corporation)

[1] 2008-04-13 19:12:40 218112 C:\WINDOWS\ServicePackFiles\i386\wmiprvse.exe (Microsoft Corporation)

[1] 2009-02-06 05:10:02 227840 C:\WINDOWS\SYSTEM32\DLLCACHE\wmiprvse.exe (Microsoft Corporation)

[1] 2009-02-06 05:10:02 227840 C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe ()

[1] 2001-08-18 07:00:00 203264 C:\i386\WMIPRVSE.EXE (Microsoft Corporation)



Found mount point : C:\WINDOWS\Temp\7zS1.tmp\7zS1.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\_avast4_\_avast4_

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^



Finished!

Edited by Likesdirt, 23 October 2009 - 08:06 PM.
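The two things worth pulling out of the Win32kDiag log above (and the Peek.dat listing in the first post, which shows the same 61,952-byte eventlog.dll against a 56,320-byte copy in ServicePackFiles) are the junctions whose destination is a non-existent device path, and the "Cannot access" files whose live copy reports no vendor and a size that none of the backup copies share. The following is an added example, not code from the thread or from Win32kDiag itself: it parses a constructed excerpt in the log's format and flags both indicators. The rule for what counts as a legitimate junction destination and the size/vendor comparison are assumptions of this example, as is the choice of the most common backup size as the restore candidate.

```python
"""Triage a Win32kDiag-style log for the two indicators seen in the thread.

Added example: not code from the original thread, from Win32kDiag or from any
tool it mentions. SAMPLE_LOG is constructed from the line formats shown in the
posted log; LEGIT_DEST_RE and the size/vendor heuristic are assumptions.
"""
import re
from collections import Counter

# Constructed sample, abbreviated from the format of the posted Win32kDiag log.
SAMPLE_LOG = r"""
Running from: C:\Documents and Settings\Troy\Desktop\specialk.exe

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\_avast4_\_avast4_

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\SYSTEM32\eventlog.dll

[1] 2004-08-04 02:56:42 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 61952 C:\WINDOWS\SYSTEM32\eventlog.dll ()

[2] 2008-04-13 19:11:53 56320 C:\WINDOWS\SYSTEM32\logevent.dll (Microsoft Corporation)

Cannot access: C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe

[1] 2009-02-06 05:10:02 227840 C:\WINDOWS\SYSTEM32\DLLCACHE\wmiprvse.exe (Microsoft Corporation)

[1] 2009-02-06 05:10:02 227840 C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe ()

Finished!
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
CANNOT_RE = re.compile(r"^Cannot access: (.+)$")
# "[1] 2008-04-13 19:11:53 61952 C:\path\file.dll (Vendor)" -> size, path, vendor
COPY_RE = re.compile(r"^\[\d+\] \S+ \S+ (\d+) (.+?) \((.*)\)$")
# Assumption: a junction whose substitute name is neither a Win32 path (\??\...)
# nor a real volume device was not created by Windows or by an installer.
LEGIT_DEST_RE = re.compile(r"^\\(\?\?\\|Device\\HarddiskVolume\d+)", re.IGNORECASE)


def parse_win32kdiag(text):
    """Return {'mount_points': [(path, dest)], 'inaccessible': {target: [copies]}}."""
    mount_points, inaccessible = [], {}
    pending_mount = current_target = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := MOUNT_RE.match(line):
            pending_mount = m.group(1)
        elif (m := DEST_RE.match(line)) and pending_mount is not None:
            mount_points.append((pending_mount, m.group(1)))
            pending_mount = None
        elif m := CANNOT_RE.match(line):
            current_target = m.group(1)
            inaccessible.setdefault(current_target, [])
        elif (m := COPY_RE.match(line)) and current_target is not None:
            size, path, vendor = m.groups()
            inaccessible[current_target].append(
                {"size": int(size), "path": path, "vendor": vendor})
    return {"mount_points": mount_points, "inaccessible": inaccessible}


def find_indicators(parsed):
    """Flag junctions to bogus destinations and live files that match no backup copy."""
    suspicious_mounts = [(p, d) for p, d in parsed["mount_points"]
                         if not LEGIT_DEST_RE.match(d)]
    patched = []
    for target, copies in parsed["inaccessible"].items():
        live = next((c for c in copies if c["path"].lower() == target.lower()), None)
        if live is None:
            continue
        backups = [c for c in copies if c is not live and c["vendor"]]
        backup_sizes = sorted({c["size"] for c in backups})
        # A Microsoft binary with an empty vendor string, or a size that no backup
        # copy shares, is the usual sign of a system file patched in place.
        if not live["vendor"] or live["size"] not in backup_sizes:
            common = Counter(c["size"] for c in backups).most_common(1)
            want = common[0][0] if common else None
            patched.append({
                "target": target,
                "live_size": live["size"],
                "backup_sizes": backup_sizes,
                # Heuristic only: verify the hash/signature of a candidate before restoring.
                "restore_candidates": [c["path"] for c in backups if c["size"] == want],
            })
    return {"suspicious_mount_points": suspicious_mounts, "patched_files": patched}


if __name__ == "__main__":
    result = find_indicators(parse_win32kdiag(SAMPLE_LOG))
    for path, dest in result["suspicious_mount_points"]:
        print(f"junction {path} -> {dest}")
    for p in result["patched_files"]:
        print(f"patched {p['target']} ({p['live_size']} bytes); "
              f"clean copies: {', '.join(p['restore_candidates']) or 'none'}")
```

Run against the sample, the eventlog.dll entry yields ServicePackFiles\i386\eventlog.dll and SYSTEM32\logevent.dll as restore candidates, which is the same pairing the Avenger "Files to move" step in the next post uses. The size and vendor comparison is a triage heuristic, not proof: a candidate should be hash- or signature-checked offline before it is moved over the live file, and the junctions themselves are what the later `win32kdiag.exe -f -r` run removes.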


#8 Blade81 (Bleepin' Rocker, Malware Response Team, 6,465 posts, Finland)

Posted 24 October 2009 - 05:26 AM

Hi,

Glad to see you got the log generated after all.

  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to move:
    C:\WINDOWS\SYSTEM32\logevent.dll|C:\WINDOWS\SYSTEM32\eventlog.dll
  • In the Avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log in your next reply.
Please save this file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the Open box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
"%userprofile%\desktop\win32kdiag.exe" -f -r



#9 Likesdirt (Topic Starter, Members, 31 posts)

Posted 24 October 2009 - 03:52 PM

Hi,

Avenger log:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\WINDOWS\SYSTEM32\logevent.dll|C:\WINDOWS\SYSTEM32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.




Win32kDiag log:

Running from: C:\Documents and Settings\Troy\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Troy\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Found mount point : C:\WINDOWS\A4W_DATA\A4W_DATA

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\A4W_DATA\A4W_DATA

Found mount point : C:\WINDOWS\ADDINS\ADDINS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ADDINS\ADDINS

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP143.tmp\ZAP143.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP143.tmp\ZAP143.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1E3.tmp\ZAP1E3.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1E3.tmp\ZAP1E3.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2D0.tmp\ZAP2D0.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2D0.tmp\ZAP2D0.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2ED.tmp\ZAP2ED.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2ED.tmp\ZAP2ED.tmp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Cache\Adobe Reader 6.0.1\Adobe Reader 6.0.1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Cache\Adobe Reader 6.0.1\Adobe Reader 6.0.1

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Debug\UserMode\UserMode

Found mount point : C:\WINDOWS\Downloaded Installations\Downloaded Installations

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Downloaded Installations\Downloaded Installations

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Found mount point : C:\WINDOWS\IME\CHSIME\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\CHSIME\APPLETS\APPLETS

Found mount point : C:\WINDOWS\IME\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\IME\IMEJP\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\IMEJP\APPLETS\APPLETS

Found mount point : C:\WINDOWS\IME\IMEJP98\IMEJP98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\IMEJP98\IMEJP98

Found mount point : C:\WINDOWS\IME\IMJP8_1\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\IMJP8_1\APPLETS\APPLETS

Found mount point : C:\WINDOWS\IME\IMKR6_1\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\IMKR6_1\APPLETS\APPLETS

Found mount point : C:\WINDOWS\IME\IMKR6_1\DICTS\DICTS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\IMKR6_1\DICTS\DICTS

Found mount point : C:\WINDOWS\IME\SHARED\RES\RES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\SHARED\RES\RES

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.6361\11.0.6361

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.6361\11.0.6361

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point : C:\WINDOWS\JAVA\TRUSTLIB\TRUSTLIB

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\JAVA\TRUSTLIB\TRUSTLIB

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\MSAPPS\MSINFO\MSINFO

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\MSAPPS\MSINFO\MSINFO

Found mount point : C:\WINDOWS\MUI\MUI

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\MUI\MUI

Found mount point : C:\WINDOWS\PCHEALTH\ErrorRep\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\ErrorRep\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\PCHEALTH\ErrorRep\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\ErrorRep\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\PCHEALTH\ErrorRep\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\ErrorRep\UserDumps\UserDumps

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\DFS

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PIF\PIF

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Cannot access: C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe

Attempting to restore permissions of : C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe

Found mount point : C:\WINDOWS\Temp\7zS1.tmp\7zS1.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\7zS1.tmp\7zS1.tmp

Found mount point : C:\WINDOWS\Temp\_avast4_\_avast4_

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\_avast4_\_avast4_

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp



Finished!

#10 Blade81 (Bleepin' Rocker, Malware Response Team, 6,465 posts, Finland)

Posted 25 October 2009 - 04:16 AM

Good. Please see if you're able to run DDS now. Post back both dds.txt & attach.txt contents.



#11 Likesdirt (Topic Starter, Members, 31 posts)

Posted 25 October 2009 - 03:27 PM

Attached file: Attach.zip (2.33 KB)



DDS (Ver_09-10-24.04) - NTFSx86 NETWORK
Run by Troy at 15:16:08.56 on Sun 10/25/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_02
AV: avast! antivirus 4.8.1335 [VPS 091008-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.daemon-search.com/startpage
uDefault_Page_URL = hxxp://www.dellnet.com
uInternet Connection Wizard,ShellNext = hxxp://www.dellnet.com/
mSearchAssistant = hxxp://www.google.com/ie
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: ICQSys (IE PlugIn): {77dc0b63-1535-4ba9-8be8-d59eb676fa02} - c:\windows\system32\plugie.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [yihudutez] Rundll32.exe "c:\windows\system32\zodogupe.dll",a
mRunOnce: [Cleanup] C:\cleanup.exe
dRun: [zivoleyaza] Rundll32.exe "pihuyeha.dll",s
dRunOnce: [RunNarrator] Narrator.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
Trusted Zone: falfiles.com\www
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00000162-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wma9dmo.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {21BB8360-F943-447E-98F3-3C22345375A7} - hxxp://zone.msn.com/bingame/choc/default/ChocolatierWeb.1.0.0.17.cab
DPF: {2564B8E6-7D84-11D4-A689-30475BC10000} - hxxp://www.toolkitcma.com/tkweb/tkweb.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by106fd.bay106.hotmail.msn.com/resources/MsnPUpld.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {776706AE-CACA-4EA3-93DF-BB83D9259DA9} - hxxp://supportservices.msn.com/us/smtptool/MailCfg.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} - hxxp://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {BD393C14-72AD-4790-A095-76522973D6B8} - hxxp://messenger.zone.msn.com/binary/Bankshot.cab57213.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} - hxxp://zone.msn.com/bingame/cnma/default/ct.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://download.games.yahoo.com/games/web_games/popcap/insaniquarium/popcaploader_v6.cab
DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} - hxxp://messenger.zone.msn.com/binary/Chess.cab57176.cab
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\quickbooks 2007\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
AppInit_DLLs: c:\windows\system32\madudori.dll c:\windows\system32\gumapoke.dll penigusa.dll c:\windows\system32\zodogupe.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: yohuduyak - {70dd4837-b816-4db6-84f9-d0489606f96c} - c:\windows\system32\fopihofu.dll
SSODL: fazepozep - {b85c75dc-590d-4d43-ae2f-a187a82b4d24} - c:\windows\system32\fopihofu.dll
SSODL: kosodorok - {59d082c3-2c97-4cae-8971-55cc3d6240b4} - c:\windows\system32\fopihofu.dll
SSODL: huloweyaf - {a207e5d4-b829-423e-bdfa-1fd9f5e507ad} - c:\windows\system32\fopihofu.dll
SSODL: jalavimef - {75ec1e2b-48ef-40ca-accf-d5161c86ef20} - c:\windows\system32\fopihofu.dll
SSODL: babumujeg - {08ab5382-2179-41d3-a475-76b4b165cd8b} - c:\windows\system32\rusejafe.dll
SSODL: jijunijev - {a1ff7e05-fbe1-4b34-a721-31838187dbdf} - c:\windows\system32\rusejafe.dll
SSODL: parunuvik - {f27f1559-ee00-49c0-af82-963076cb18e1} - c:\windows\system32\rusejafe.dll
SSODL: kobasigon - {8e76d545-4bc1-4127-aa5b-9fe40a64466e} - c:\windows\system32\rusejafe.dll
SSODL: soyosowid - {dce88d91-7ac0-491c-9ed8-74e5cbfe1a54} - c:\windows\system32\toteduba.dll
SSODL: yejujimez - {6d091f0b-e6e8-4f21-a46d-9dcabb4d165e} - c:\windows\system32\rusejafe.dll
SSODL: talamilip - {c52ab8f3-29c0-4d63-9310-98501331d17d} - c:\windows\system32\madudori.dll
STS: jugezatag: {70dd4837-b816-4db6-84f9-d0489606f96c} - c:\windows\system32\fopihofu.dll
STS: tokatiluy: {b85c75dc-590d-4d43-ae2f-a187a82b4d24} - c:\windows\system32\fopihofu.dll
STS: jugezatag: {59d082c3-2c97-4cae-8971-55cc3d6240b4} - c:\windows\system32\fopihofu.dll
STS: kupuhivus: {a207e5d4-b829-423e-bdfa-1fd9f5e507ad} - c:\windows\system32\fopihofu.dll
STS: tokatiluy: {75ec1e2b-48ef-40ca-accf-d5161c86ef20} - c:\windows\system32\fopihofu.dll
STS: tokatiluy: {08ab5382-2179-41d3-a475-76b4b165cd8b} - c:\windows\system32\rusejafe.dll
STS: gahurihor: {a1ff7e05-fbe1-4b34-a721-31838187dbdf} - c:\windows\system32\rusejafe.dll
STS: tokatiluy: {f27f1559-ee00-49c0-af82-963076cb18e1} - c:\windows\system32\rusejafe.dll
STS: jugezatag: {8e76d545-4bc1-4127-aa5b-9fe40a64466e} - c:\windows\system32\rusejafe.dll
STS: jugezatag: {dce88d91-7ac0-491c-9ed8-74e5cbfe1a54} - c:\windows\system32\toteduba.dll
STS: mujuzedij: {6d091f0b-e6e8-4f21-a46d-9dcabb4d165e} - c:\windows\system32\rusejafe.dll
STS: tokatiluy: {c52ab8f3-29c0-4d63-9310-98501331d17d} - c:\windows\system32\madudori.dll
LSA: Notification Packages = scecli vowayore.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\troy\applic~1\mozilla\firefox\profiles\3qazwrly.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.bar2barmxpark.com/
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPCIG.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

As per the instructions you would have received, kindly ensure any onboard
script blocking tools have been disabled for they shall interfere with DDS.

DDS is a non-invasive diagnostic tool.

- DDS makes no registry writes/changes

- DDS does not create any permanent files/folders.

This scan should not take longer than three minutes to complete.

When the scan is complete, a logfile/report shall pop open.

Post the contents of the logfile to the forum where it was requested

We only require it to run just once. Dispose after use.


:::::::::::::::::::::::::::::::::::::::

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-10-24 20:35:43 574 ----a-w- C:\cleanup.bat
2009-10-24 20:35:43 19286 ----a-w- C:\cleanup.exe
2009-10-24 20:35:43 135168 ----a-w- C:\zip.exe
2009-10-24 00:21:01 146432 ----a-w- c:\windows\regedit.com
2009-10-22 13:09:30 2713 --sh--w- c:\windows\system32\nulomuso.exe
2009-10-21 19:08:50 2713 --sh--w- c:\windows\system32\yohufeku.exe
2009-10-21 01:08:13 2713 --sh--w- c:\windows\system32\tunodiwa.exe
2009-10-20 07:07:33 2713 --sh--w- c:\windows\system32\fugikubu.exe
2009-10-19 13:06:53 2713 --sh--w- c:\windows\system32\muyayile.exe
2009-10-18 19:06:12 2713 --sh--w- c:\windows\system32\hebanayu.exe
2009-10-18 01:05:33 2713 --sh--w- c:\windows\system32\lejusabu.exe
2009-10-17 07:04:53 2713 --sh--w- c:\windows\system32\reyimimo.exe
2009-10-16 13:04:13 2713 --sh--w- c:\windows\system32\wikomibu.exe
2009-10-15 19:03:33 2713 --sh--w- c:\windows\system32\hitijuno.exe
2009-10-15 01:02:53 2713 --sh--w- c:\windows\system32\sosesura.exe
2009-10-14 07:02:13 2713 --sh--w- c:\windows\system32\zopaturo.exe
2009-10-13 13:01:37 2713 --sh--w- c:\windows\system32\yakobupa.exe
2009-10-12 19:00:58 2713 --sh--w- c:\windows\system32\relebama.exe
2009-10-12 01:00:19 2713 --sh--w- c:\windows\system32\gimenejo.exe
2009-10-11 06:59:40 2713 --sh--w- c:\windows\system32\tifakapu.exe
2009-10-08 01:02:30 112 ----a-w- c:\windows\system32\wwp.htm
2009-10-07 23:31:55 8551 ----a-w- c:\windows\system32\wispex.html
2009-10-07 23:31:55 0 d---a-w- c:\windows\system32\images
2009-10-07 23:31:54 131731 ----a-w- c:\windows\system32\dbsinit.exe
2009-10-07 23:31:23 4 ----a-w- c:\windows\system32\bincd32.dat
2009-10-07 06:23:55 2713 --sh--w- c:\windows\system32\mayosare.exe
2009-10-02 17:04:34 19975 ----a-w- c:\windows\system32\wymij.inf
2009-10-02 17:04:34 19288 ----a-w- c:\windows\ubyzi.inf
2009-10-02 17:04:34 18397 ----a-w- c:\windows\dabomegid.dat
2009-10-02 17:04:34 17539 ----a-w- c:\windows\awus.reg
2009-10-02 17:04:34 15984 ----a-w- c:\windows\uwokyzecot.bin
2009-10-02 17:04:33 17598 ----a-w- c:\windows\osef.db
2009-10-02 17:04:33 11336 ----a-w- c:\windows\oviqu.bat
2009-10-02 17:04:31 13396 ----a-w- c:\windows\avyd.pif
2009-10-02 17:04:31 11762 ----a-w- c:\windows\ramu.lib
2009-10-02 17:04:05 0 ----a-w- c:\windows\system32\41.exe
2009-10-02 17:03:47 1955840 ----a-w- c:\windows\system32\AVR09.exe
2009-10-02 17:03:29 22528 ----a-w- c:\windows\system32\winhelper.dll
2009-10-02 15:28:11 831 ----a-w- c:\windows\system32\critical_warning.html
2009-10-02 15:27:45 72704 ----a-w- c:\windows\system32\drivers\ritivpdficxemqrc.sys
2009-10-02 15:27:35 45568 ----a-w- c:\windows\system32\winupdate.exe
2009-10-02 15:27:35 0 ----a-w- c:\windows\win32k.sys
2009-10-02 15:27:20 52224 ----a-w- C:\afuqr.exe
2009-10-02 15:27:10 72704 ----a-w- c:\windows\system32\drivers\smqitixvxtethoia.sys
2009-10-02 15:27:08 36994 ----a-w- C:\vklebc.exe
2009-10-02 15:27:07 148480 ----a-w- C:\qgferewy.exe
2009-10-02 15:27:00 19456 ----a-w- C:\ekffax.exe
2009-10-02 15:26:59 185236 ----a-w- C:\prdfjhha.exe
2009-10-02 15:26:57 6144 ----a-w- C:\avjelge.exe
2009-10-02 15:26:55 45568 ----a-w- C:\hrngen.exe
2009-10-02 15:26:54 194568 ------w- C:\qtpjjuur.exe

==================== Find3M ====================

2009-10-25 20:09:15 1011747 --sha-w- c:\windows\system32\yusayena.exe
2009-10-25 20:09:05 91648 --sha-w- c:\windows\system32\zodogupe.dll
2009-10-25 20:09:04 39424 --sha-w- c:\windows\system32\hofonike.dll
2009-10-24 20:28:11 1011746 --sha-w- c:\windows\system32\nuzeriko.exe
2009-10-24 20:27:55 90624 --sha-w- c:\windows\system32\toteduba.dll
2009-10-24 20:27:55 39424 --sha-w- c:\windows\system32\puzominu.dll
2009-10-23 23:39:29 52736 --sha-w- c:\windows\system32\sedehobi.dll
2009-10-23 23:39:20 1011747 --sha-w- c:\windows\system32\yaluwani.exe
2009-10-23 23:39:04 91648 --sha-w- c:\windows\system32\gumapoke.dll
2009-10-23 23:39:04 39424 --sha-w- c:\windows\system32\lupayusa.dll
2009-10-23 01:11:00 1051170 --sha-w- c:\windows\system32\nufifini.exe
2009-10-23 01:10:41 1011633 --sha-w- c:\windows\system32\jewipaje.exe
2009-10-23 01:10:27 52736 --sha-w- c:\windows\system32\molufoze.dll
2009-10-23 01:10:00 91648 --sha-w- c:\windows\system32\rujamika.dll
2009-10-23 01:09:57 39424 --sha-w- c:\windows\system32\lofuwogi.dll
2009-10-08 23:43:34 53248 --sha-w- c:\windows\system32\vikikeme.dll
2009-10-08 23:43:21 1011755 --sha-w- c:\windows\system32\nijoroze.exe
2009-10-08 23:43:07 91136 --sha-w- c:\windows\system32\rusejafe.dll
2009-10-08 23:43:06 39424 --sha-w- c:\windows\system32\yitidena.dll
2009-10-07 23:25:58 1050659 --sha-w- c:\windows\system32\nadusifa.exe
2009-10-07 23:25:57 53248 --sha-w- c:\windows\system32\vidajadu.dll
2009-10-07 23:25:54 1050659 --sha-w- c:\windows\system32\sadeyoli.exe
2009-10-07 23:25:27 39424 --sha-w- c:\windows\system32\hekazezi.dll
2009-10-07 23:25:15 91136 --sha-w- c:\windows\system32\fopihofu.dll
2009-10-07 23:25:13 28160 --sha-w- c:\windows\system32\reforola.dll
2009-10-02 17:04:34 10258 ----a-w- c:\program files\common files\isoce._dl
2009-10-02 15:35:10 1047587 --sha-w- c:\windows\system32\wowafuha.exe
2009-10-02 15:35:02 194056 --sha-w- c:\windows\system32\pekuveme.exe
2009-10-02 15:35:01 91648 --sha-w- c:\windows\system32\madudori.dll
2009-10-02 15:35:00 28160 --sha-w- c:\windows\system32\tifileze.dll
2009-10-02 15:34:59 39424 --sha-w- c:\windows\system32\pusekudu.dll
2009-08-05 09:01:48 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 09:01:48 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
2006-12-28 02:08:18 114688 ----a-w- c:\program files\FixVTS.exe
2009-07-23 23:39:37 52736 --sha-w- c:\windows\system32\garazuha.dll
2009-07-23 23:39:37 52736 --sha-w- c:\windows\system32\penigusa.dll
2009-07-23 23:39:37 52736 --sha-w- c:\windows\system32\vowayore.dll

============= FINISH: 15:16:49.07 ===============

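The log above shows the persistence set that makes this infection hard to clean: modules named with eight random lowercase letters are loaded through AppInit_DLLs (into every process that maps user32.dll), through eleven ShellServiceObjectDelayLoad (SSODL) and SharedTaskScheduler (STS) CLSIDs that all point at the same three DLLs, through an extra LSA Notification Package (vowayore.dll, which LSASS hands every password change in plaintext), through Run keys via rundll32, and a fresh hidden/system 2713-byte .exe is dropped in system32 roughly every 18 hours. The Python below is an added example, not part of the original thread and not DDS or any BleepingComputer tool: it parses DDS-style lines and applies those same indicators as a first-pass triage. The sample log is constructed from entries copied from the post plus three benign controls (ctfmon, NvCpl, mswebdvd.dll); the eight-letter name pattern is a heuristic tuned to this log and is corroborated with loader location or hidden+system attributes before a file is reported.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: lines copied from the DDS log in the post above, plus
# three benign controls (ctfmon, NvCpl, mswebdvd.dll) that must NOT be flagged.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [yihudutez] Rundll32.exe "c:\windows\system32\zodogupe.dll",a
dRun: [zivoleyaza] Rundll32.exe "pihuyeha.dll",s
AppInit_DLLs: c:\windows\system32\madudori.dll c:\windows\system32\gumapoke.dll penigusa.dll c:\windows\system32\zodogupe.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: yohuduyak - {70dd4837-b816-4db6-84f9-d0489606f96c} - c:\windows\system32\fopihofu.dll
SSODL: fazepozep - {b85c75dc-590d-4d43-ae2f-a187a82b4d24} - c:\windows\system32\fopihofu.dll
STS: jugezatag: {70dd4837-b816-4db6-84f9-d0489606f96c} - c:\windows\system32\fopihofu.dll
LSA: Notification Packages = scecli vowayore.dll
2009-10-22 13:09:30 2713 --sh--w- c:\windows\system32\nulomuso.exe
2009-10-25 20:09:05 91648 --sha-w- c:\windows\system32\zodogupe.dll
2009-08-05 09:01:48 204800 ----a-w- c:\windows\system32\mswebdvd.dll
"""

LOADER_TAGS = {"uRun", "mRun", "dRun", "uRunOnce", "mRunOnce", "dRunOnce",
               "BHO", "TB", "SSODL", "STS"}
# Any token ending in .dll/.exe/.sys; system32 paths in DDS output contain no spaces.
PATH_RE = re.compile(r'[\w:\\~!.()-]*\.(?:dll|exe|sys)', re.IGNORECASE)
# "{CLSID} - path" as printed on SSODL/STS lines.
CLSID_RE = re.compile(r'(\{[0-9a-f-]{36}\})\s*-\s*(\S+)', re.IGNORECASE)
# "date time size attrs path" as printed in the Created Last 30 / Find3M sections.
FILE_RE = re.compile(r'^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+\d+\s+([-\w]{8})\s+(\S.*)$')
# Naming pattern of every dropped file in this log: exactly eight lowercase
# letters. Heuristic only: mswebdvd.dll is a legitimate Microsoft file with the
# same shape, so a name match is reported only together with a loader location
# or hidden+system attributes.
RANDOM_NAME_RE = re.compile(r'[a-z]{8}\.(?:dll|exe)')


def basename(path):
    return path.rsplit('\\', 1)[-1].lower()


def random_name(path):
    return RANDOM_NAME_RE.fullmatch(basename(path)) is not None


def triage(log):
    """Return (severity, reason, path) findings for one DDS-style log."""
    findings = []
    clsids_by_dll = defaultdict(set)   # DLL -> CLSIDs it is registered under
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_RE.match(line)
        if m:                          # file-listing sections
            attrs, path = m.groups()
            if 'h' in attrs and 's' in attrs and random_name(path):
                findings.append(('high', 'hidden+system file with 8-letter name', path))
            continue
        tag, _, rest = line.partition(':')
        if tag == 'AppInit_DLLs':
            # Every DLL listed is mapped into each process that loads user32.dll.
            for p in PATH_RE.findall(rest):
                findings.append(('high', 'AppInit_DLLs injects into every user32 process', p))
        elif tag == 'LSA':
            # A clean XP box lists only scecli; anything else sees plaintext passwords.
            for pkg in rest.split('=', 1)[-1].split():
                if pkg.lower() != 'scecli':
                    findings.append(('high', 'non-default LSA notification package', pkg))
        elif tag in LOADER_TAGS:
            for p in PATH_RE.findall(rest):
                if random_name(p):
                    findings.append(('medium', f'{tag} loads 8-letter-named module', p))
            if tag in ('SSODL', 'STS'):
                cm = CLSID_RE.search(rest)
                if cm:
                    clsids_by_dll[basename(cm.group(2))].add(cm.group(1).lower())
    for dll, clsids in clsids_by_dll.items():
        if len(clsids) > 1:            # one DLL hiding behind many shell-load CLSIDs
            findings.append(('medium', f'one DLL registered under {len(clsids)} CLSIDs', dll))
    return findings


def summary(findings):
    return dict(Counter(sev for sev, _, _ in findings))


if __name__ == '__main__':
    for sev, reason, path in triage(SAMPLE_LOG):
        print(f'{sev:6} {reason:48} {path}')
    print(summary(triage(SAMPLE_LOG)))
```

Run against the full log in the post, the same rules would also pick out toteduba.dll, rusejafe.dll and madudori.dll behind the remaining SSODL/STS CLSIDs and the sixteen --sh--w- executables in system32; the point of corroborating the name pattern is visible in the sample, where mswebdvd.dll matches the shape but is not hidden and not loaded from any persistence key, so it is left alone.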
#12 Blade81

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 25 October 2009 - 04:46 PM

Hi,

Try to do these steps in normal mode.


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.


Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    Remember to re-enable them afterwards.

  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds.txt log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#13 Likesdirt

  • Topic Starter
  • Members
  • 31 posts

Posted 25 October 2009 - 07:27 PM

Hi,

I am unable to proceed in normal mode. I can log on but after my settings load, there is nothing but the blank, blue screen. Do you want me to proceed in safe mode? I can't access Avast to disable it and when I turn off Windows Firewall and close the window, the setting reverts back to "on". Am I doing something wrong?

#14 Blade81

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 26 October 2009 - 01:47 AM

Yes, proceed in safe mode, please. Are you getting errors with Avast, or what prevents you from disabling it?



#15 Likesdirt

  • Topic Starter
  • Members
  • 31 posts

Posted 26 October 2009 - 07:09 AM

Yes, the error message when I try to open Avast is something like "Windows can't locate the file. To locate it yourself, click Browse."

