
Malware or Rootkit Has Got Me Down


This topic is locked
2 replies to this topic

#1 alexander.h.white

alexander.h.white

  • Members
  • 1 posts

Posted 20 October 2009 - 12:32 PM

Hi Everyone,

I am home from school for the week and, of course, my parents' computers are infected with malware and need to be cleaned up. I work at the Helpdesk at school and deal with this sort of thing all the time, but my stepdad's computer has got a pretty serious infection and I am in need of some assistance. So here are the symptoms:

1. Links displayed on search results page on both Yahoo and Google redirect to phony sites (that has since been resolved using HiJackThis, but that is the first and most obvious thing I noticed when I got home).
2. Malwarebytes AntiMalware, SpyBot S&D, and Super AntiSpyware are unable to run in either regular mode or safe mode. The error message that is displayed after trying to run these programs is: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." Needless to say, very suspicious.
3. Rootkit Revealer runs okay for about ten to thirty seconds, but then closes. That can't be good.

As I mentioned, I have run HiJackThis and I have gotten the log cleaned up pretty well. I can post the latest log if you would like. I am willing to run ComboFix or anything else that you think might be worthwhile as well.

I'll leave it at that for now. Any help would be greatly appreciated!

-Alex

Also, here is a copy of the DDS log and attached are the Attach.txt and ark.txt files:

DDS (Ver_09-10-13.01) - NTFSx86
Run by Enjoy The Show Video at 13:39:20.87 on 10/20/09
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_03

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://windiwsfsearch.com/search?q={searchTerms}
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://www.google.com/
mSearchMigratedDefaultURL = hxxp://www.google.com/
mSearchURL = hxxp://www.google.com/
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
uRun: [Google Update] "c:\documents and settings\enjoy the show video\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [Lexmark X1100 Series] "c:\program files\lexmark x1100 series\lxbkbmgr.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
Trusted Zone: overture.com\secure
Trusted Zone: yahoo.com\www
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-10-20 13:18 50,176 a------- c:\windows\system32\proquota.exe
2009-10-20 13:18 50,176 a------- c:\windows\system32\dllcache\proquota.exe
2009-10-20 13:12 <DIR> a-dshr-- C:\cmdcons
2009-10-20 13:11 236,544 a------- c:\windows\PEV.exe
2009-10-20 13:11 161,792 a------- c:\windows\SWREG.exe
2009-10-20 13:11 98,816 a------- c:\windows\sed.exe
2009-10-19 17:13 5,160,960 a------- c:\windows\system32\IDTSJGYM
2009-10-19 17:11 5,160,960 a------- c:\windows\system32\VCMXEG
2009-10-19 16:58 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-10-19 16:51 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-19 16:51 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-19 16:51 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-10-19 07:52 54,156 a---h--- c:\windows\QTFont.qfn
2009-10-19 07:52 1,409 a------- c:\windows\QTFont.for

==================== Find3M ====================

2009-09-01 15:52 15,204 a------- c:\program files\common files\etov._sy
2009-09-01 15:52 17,972 a------- c:\docume~1\enjoyt~1\applic~1\qofav.sys
2009-09-01 15:52 17,720 a------- c:\windows\system32\ebirybad.com
2009-09-01 15:52 16,675 a------- c:\program files\common files\ubegyfun._sy
2009-09-01 15:52 16,560 a------- c:\program files\common files\eqaxizuzy.sys
2009-09-01 15:52 16,451 a------- c:\program files\common files\otunes.ban
2009-09-01 15:52 16,448 a------- c:\program files\common files\eficu.lib
2009-09-01 15:52 15,816 a------- c:\docume~1\alluse~1\applic~1\ipugupe.scr
2009-09-01 15:52 13,405 a------- c:\windows\system32\doqyz.com
2009-09-01 15:52 13,054 a------- c:\docume~1\enjoyt~1\applic~1\qodicydyp.exe
2009-09-01 15:52 11,918 a------- c:\windows\system32\yhapec.exe
2009-09-01 15:52 11,706 a------- c:\program files\common files\biwozoc.sys
2009-09-01 15:15 19,707 a------- c:\program files\common files\sowijoc.lib
2009-09-01 15:15 13,470 a------- c:\program files\common files\opuwucyqa.pif
2009-09-01 15:15 17,307 a------- c:\windows\system32\esibi.bin
2009-09-01 15:15 16,045 a------- c:\windows\uxyhu.bin
2009-09-01 15:15 15,168 a------- c:\program files\common files\ohezecopem.lib
2009-09-01 15:15 14,605 a------- c:\program files\common files\jyrigi.com
2009-09-01 15:15 14,578 a------- c:\docume~1\enjoyt~1\applic~1\ylufodad.com
2009-09-01 15:15 12,821 a------- c:\windows\ivaf.dat
2009-09-01 15:15 12,799 a------- c:\program files\common files\upytozubik.exe
2009-09-01 15:15 12,719 a------- c:\docume~1\alluse~1\applic~1\vaxuculix.sys
2009-09-01 15:15 12,129 a------- c:\docume~1\enjoyt~1\applic~1\rypawe.pif
2009-09-01 14:26 19,671 a------- c:\program files\common files\larakoqovu.exe
2009-09-01 14:26 18,119 a------- c:\docume~1\alluse~1\applic~1\epaquj.com
2009-09-01 14:26 16,309 a------- c:\docume~1\enjoyt~1\applic~1\yfoby.dat
2009-09-01 14:26 15,671 a------- c:\program files\common files\fita.db
2009-09-01 14:26 13,992 a------- c:\program files\common files\ponotatuc.db
2009-09-01 14:26 13,315 a------- c:\windows\system32\rorehaweva.bin
2009-08-31 20:51 19,434 a------- c:\docume~1\alluse~1\applic~1\uzos.scr
2009-08-31 20:51 16,177 a------- c:\windows\yfaby.sys
2009-08-31 20:51 16,000 a------- c:\windows\system32\vizyt.sys
2009-08-31 20:51 14,786 a------- c:\program files\common files\ulad.dl
2009-08-31 15:22 19,971 a------- c:\windows\system32\tywize.bin
2009-08-31 15:22 17,156 a------- c:\windows\pijaqo.bin
2009-08-31 15:22 14,460 a------- c:\windows\dohygigeqo.sys
2009-08-31 15:22 13,212 a------- c:\program files\common files\daza.dl
2009-08-31 15:22 12,733 a------- c:\windows\system32\sivyqelel.bin
2009-08-31 15:22 12,454 a------- c:\windows\system32\genyratu.scr
2009-08-31 15:22 11,217 a------- c:\docume~1\alluse~1\applic~1\pyxozylyri.sys
2009-08-31 15:22 10,714 a------- c:\docume~1\alluse~1\applic~1\qabu.exe
2009-08-31 15:22 10,227 a------- c:\windows\system32\gyxe.exe
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 05:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-04-03 15:05 34 a------- c:\documents and settings\enjoy the show video\jagex_runescape_preferences.dat
2007-02-10 10:04 7,623,930 a------- c:\program files\flash_player_update3_mx2004_win.zip

============= FINISH: 13:39:27.71 ===============

Edited by alexander.h.white, 20 October 2009 - 01:05 PM.
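Added example (not code from the thread or from the DDS tool): a small Python script that parses DDS file-list lines of the kind shown in the "Created Last 30" and "Find3M" sections above, groups files by creation minute, and flags minutes in which several files landed across several directories, the "drop burst" pattern visible at 2009-09-01 15:52 in the log. It also compares the DDS SecurityProviders line against a baseline. The sample input is a hand-picked subset of the log lines above; the baseline set of four provider DLLs is assumed to be the Windows XP default and is labelled as an assumption in the code.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# Inline sample: a subset of the DDS lines from the post, so the script runs offline.
SAMPLE_LOG = r"""
2009-10-20 13:18 50,176 a------- c:\windows\system32\proquota.exe
2009-10-20 13:12 <DIR> a-dshr-- C:\cmdcons
2009-10-19 17:13 5,160,960 a------- c:\windows\system32\IDTSJGYM
2009-10-19 16:51 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-01 15:52 15,204 a------- c:\program files\common files\etov._sy
2009-09-01 15:52 17,972 a------- c:\docume~1\enjoyt~1\applic~1\qofav.sys
2009-09-01 15:52 17,720 a------- c:\windows\system32\ebirybad.com
2009-09-01 15:52 16,675 a------- c:\program files\common files\ubegyfun._sy
2009-09-01 15:52 13,054 a------- c:\docume~1\enjoyt~1\applic~1\qodicydyp.exe
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
"""
# The SecurityProviders line from the same log.
SAMPLE_PROVIDERS = "SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll"

# One DDS file-list line: "<date> <time> <size or <DIR>> <8 attribute flags> <path>"
DDS_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)

# Assumption: this is the default SecurityProviders value on Windows XP.
XP_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}


@dataclass
class Entry:
    date: str
    time: str
    size: Optional[int]  # None for directories
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.size is None

    @property
    def parent(self) -> str:
        return str(PureWindowsPath(self.path).parent).lower()


def parse_dds_entries(text: str) -> list:
    """Parse every line that matches the DDS file-list format; skip headers and blanks."""
    entries = []
    for line in text.splitlines():
        m = DDS_LINE.match(line.strip())
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append(Entry(m["date"], m["time"], size, m["attrs"], m["path"]))
    return entries


def burst_clusters(entries, min_size: int = 4, min_dirs: int = 2) -> dict:
    """Return {"<date> <time>": [files]} for minutes in which at least min_size files
    were created across at least min_dirs distinct directories. Heuristic only: a
    legitimate installer usually writes into one program directory, while the
    dropper seen in this log sprayed files into common files, application data
    and system32 within the same minute."""
    by_minute = defaultdict(list)
    for e in entries:
        if not e.is_dir:
            by_minute[f"{e.date} {e.time}"].append(e)
    flagged = {}
    for minute, files in by_minute.items():
        dirs = {f.parent for f in files}
        if len(files) >= min_size and len(dirs) >= min_dirs:
            flagged[minute] = files
    return flagged


def extra_security_providers(line: str, baseline=XP_SECURITY_PROVIDERS) -> list:
    """Return provider names in a 'SecurityProviders:' line that are not in the baseline."""
    _, _, value = line.partition(":")
    names = [n.strip().lower() for n in value.split(",") if n.strip()]
    return [n for n in names if n not in baseline]


if __name__ == "__main__":
    entries = parse_dds_entries(SAMPLE_LOG)
    for minute, files in burst_clusters(entries).items():
        dirs = {f.parent for f in files}
        print(f"{minute}: {len(files)} files created across {len(dirs)} directories")
        for f in files:
            print(f"    {f.path}")
    print("non-baseline SecurityProviders:", extra_security_providers(SAMPLE_PROVIDERS))
```

Run against the full "Find3M" section, the script groups the 2009-09-01 and 2009-08-31 drops into a handful of bursts, which is far easier to review than forty individual lines; the SecurityProviders check is there because the log's entry names a DLL that is not in the baseline, and anything appended to that value loads into every process that uses the security support provider interface.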


#2 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 30 October 2009 - 02:02 AM

Hi,

Sorry for the delayed response. Forums have been really busy. If you still need help with this, post a fresh DDS log, please.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#3 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 06 November 2009 - 06:03 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a Staff member. Include the address of this thread in your request. This applies only to the original topic starter. Should you have a new issue, please start a New Topic.
