Vundo Infection - Internet Explorer Pop-ups, Google-search redirects



#1 Pinkerton492
Posted 07 November 2009 - 03:08 PM

I'd PM to reopen my last topic, but that would probably take another week or so to get through.

Running Windows XP.
I Have Vundo.
I Cannot Remove Vundo.
I've Tried Malwarebytes.
I've Tried AVG.
I've Tried Windows Defender.
I get pop-ups from Internet Explorer (iexplore.exe) when I use internet browsers (Firefox, Google Chrome)
I've uninstalled Internet Explorer.
I still get pop-ups.
I search on Google. Most links redirect to Fake Virus Protection crap. Have to copy and paste for actual websites.
I've, since my last asking for help, resolved several other issues. BY MYSELF. Didn't help much telling me not to fix things if I receive no response.
Hopefully this is CLEAR enough that I may be assisted before next year.


DDS (Ver_09-10-13.01) - NTFSx86
Run by Nick at 14:41:11.22 on Sat 11/07/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.118 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: McAfee Personal Firewall Plus *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Nick\Desktop\dBds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: {0F8C5DCE-408D-4D6E-804D-EE75F10A9C63} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {4299F9CB-4039-4892-B8C3-37FCBEC21BD5} - No File
BHO: {AA1A4F83-B4AC-4859-8C91-21DBE6C5625B} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: AIM Search: {40d41a8b-d79b-43d7-99a7-9ee0f344c385} - c:\program files\aim toolbar\AIMBar.dll
TB: {5D956A61-05E7-427B-A2B1-BF32FB18B1BE} - No File
TB: {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\nick\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [MPFExe] c:\progra~1\mcafee.com\person~1\MpfTray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\mcupdate.exe
mRun: [MCAgentExe] c:\progra~1\mcafee.com\agent\McAgent.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [podalatog] Rundll32.exe "c:\windows\system32\najuseja.dll",a
mRunServices: [System Kernal Support] system.exe
mRunServices: [i] c:\windows\system32\i.exe
mRunServices: [iyeginkwe] c:\windows\system32\iyeginkwe.exe
mRunServices: [gm] c:\windows\system32\gm.exe
mRunServices: [rakvb] c:\windows\system32\rakvb.exe
mRunServices: [tiluiponwx] c:\windows\system32\tiluiponwx.exe
mRunServices: [extp] c:\windows\system32\extp.exe
mRunServices: [kcplgni] c:\windows\system32\kcplgni.exe
mRunServices: [dtrnupk] c:\windows\system32\dtrnupk.exe
mRunServices: [tt] c:\windows\system32\tt.exe
mRunServices: [vdqagkx] c:\windows\system32\vdqagkx.exe
mRunServices: [ezziwnv] c:\windows\system32\ezziwnv.exe
mRunServices: [ymd] c:\windows\system32\ymd.exe
mRunServices: [saz] c:\windows\system32\saz.exe
mRunServices: [thf] c:\windows\system32\thf.exe
mRunServices: [dxwvdcdiqcv] c:\windows\system32\dxwvdcdiqcv.exe
mRunServices: [alzyxqck] c:\windows\system32\alzyxqck.exe
mRunServices: [orzpnn] c:\windows\system32\orzpnn.exe
mRunServices: [ggdabhe] c:\windows\system32\ggdabhe.exe
mRunServices: [r] c:\windows\system32\r.exe
mRunServices: [ksjnumhzkgxd] c:\windows\system32\ksjnumhzkgxd.exe
mRunServices: [nwcnlaeogr] c:\windows\system32\nwcnlaeogr.exe
mRunServices: [zibynwf] c:\windows\system32\zibynwf.exe
mRunServices: [cwl] c:\windows\system32\cwl.exe
mRunServices: [hsxaefdvuw] c:\windows\system32\hsxaefdvuw.exe
mRunServices: [gkefyoambbjr] c:\windows\system32\gkefyoambbjr.exe
mRunServices: [jdzesci] c:\windows\system32\jdzesci.exe
mRunServices: [tvkn] c:\windows\system32\tvkn.exe
mRunServices: [kgrvy] c:\windows\system32\kgrvy.exe
mRunServices: [tppgapl] c:\windows\system32\tppgapl.exe
mRunServices: [xqhtkxw] c:\windows\system32\xqhtkxw.exe
mRunServices: [owklbhbtkxj] c:\windows\system32\owklbhbtkxj.exe
mRunServices: [hex] c:\windows\system32\hex.exe
mRunServices: [uhjuxd] c:\windows\system32\uhjuxd.exe
mRunServices: [rmaal] c:\windows\system32\rmaal.exe
mRunServices: [uopkg] c:\windows\system32\uopkg.exe
mRunServices: [trwqlhhz] c:\windows\system32\trwqlhhz.exe
mRunServices: [jeb] c:\windows\system32\jeb.exe
mRunServices: [bbvtz] c:\windows\system32\bbvtz.exe
mRunServices: [sx] c:\windows\system32\sx.exe
mRunServices: [afhhejk] c:\windows\system32\afhhejk.exe
mRunServices: [rezftzbix] c:\windows\system32\rezftzbix.exe
mRunServices: [h] c:\windows\system32\h.exe
mRunServices: [pliq] c:\windows\system32\pliq.exe
mRunServices: [qtom] c:\windows\system32\qtom.exe
mRunServices: [sg] c:\windows\system32\sg.exe
mRunServices: [qwipahoiymq] c:\windows\system32\qwipahoiymq.exe
mRunServices: [dvy] c:\windows\system32\dvy.exe
mRunServices: [ynrkwndaavt] c:\windows\system32\ynrkwndaavt.exe
mRunServices: [ihcabpr] c:\windows\system32\ihcabpr.exe
mRunServices: [pfvvlcwr] c:\windows\system32\pfvvlcwr.exe
mRunServices: [kbcdnhgkgjyk] c:\windows\system32\kbcdnhgkgjyk.exe
mRunServices: [gyfnfb] c:\windows\system32\gyfnfb.exe
StartupFolder: c:\docume~1\nick\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
IE: &Search
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\progra~1\aim\aim.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
Trusted Zone: aol.com\my.screenname
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemyfios.verizon.net/sdcCommon/download/FIOS/tgctlcm.cab
DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} - hxxps://www.windowsonecare.com/install/cli/1.1.1067.8/WinSSWebAgent.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {400429E4-BED4-472E-93BF-F85AB8565DFF} - hxxp://www.terp17.com/ax/axo.cab
DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - hxxp://cabs.elitemediagroup.net/cabs/eliteview.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235265835197
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1235266019025
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: bmbxadob - bmbxadob.dll
Notify: bvolg - c:\windows\apppatch\bvolg.dll
Notify: efcaBsrs - efcaBsrs.dll
Notify: igfxcui - igfxdev.dll
Notify: jkhfc - jkhfc.dll
Notify: oviehduw - oviehduw.dll
AppInit_DLLs: minepc.dll c:\windows\system32\hosirobi.dll c:\windows\system32\dayapepa.dll c:\windows\system32\yirumuno.dll c:\windows\system32\nowowise.dll c:\windows\system32\wuyevega.dll jelayube.dll c:\windows\system32\toduzawa.dll c:\windows\system32\najuseja.dll
SSODL: bolanuvur - {5b99e56b-006d-48f4-8d47-37695ded013a} - No File
SSODL: rabefiyos - {6ba117f2-95e7-4f5f-865e-818fb4bd9b6c} - No File
SSODL: keyinonok - {1d50a45d-19ab-42ce-8930-49ade1085185} - No File
SSODL: nosofajen - {adec5f7d-2880-4b8a-8dfe-a00910832d4e} - No File
SSODL: yuzozaley - {57e42849-daf3-4a9a-bc76-1c44fdf6d53b} - c:\windows\system32\bepogahi.dll
SSODL: ruhasukez - {d6ef053a-674d-4892-8490-eb8581c98627} - c:\windows\system32\toduzawa.dll
SSODL: wewelosof - {56899e57-9508-4d14-be0a-cecb6df172dd} - c:\windows\system32\najuseja.dll
STS: {5b99e56b-006d-48f4-8d47-37695ded013a} - No File
STS: {6ba117f2-95e7-4f5f-865e-818fb4bd9b6c} - No File
STS: {1d50a45d-19ab-42ce-8930-49ade1085185} - No File
STS: {adec5f7d-2880-4b8a-8dfe-a00910832d4e} - No File
STS: kupuhivus: {57e42849-daf3-4a9a-bc76-1c44fdf6d53b} - c:\windows\system32\bepogahi.dll
STS: kupuhivus: {d6ef053a-674d-4892-8490-eb8581c98627} - c:\windows\system32\toduzawa.dll
STS: mujuzedij: {56899e57-9508-4d14-be0a-cecb6df172dd} - c:\windows\system32\najuseja.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: {493F974E-FEAE-459E-B770-D9262474EB97} - No File
LSA: Authentication Packages = msv1_0 c:\windows\system32\rqRJYqoN
LSA: Notification Packages = scecli tahiraga.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nick\applic~1\mozilla\firefox\profiles\mkztoo1n.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\nick\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-20 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-6-20 108552]
S3 EraserUtilDrv10621;EraserUtilDrv10621;\??\c:\program files\common files\symantec shared\eengine\eraserutildrv10621.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrv10621.sys [?]

=============== Created Last 30 ================

2009-10-30 08:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\65807733
2009-10-29 20:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\15546526
2009-10-29 08:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\93768740
2009-10-28 04:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\95766639
2009-10-23 04:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\23145217
2009-10-22 16:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\06867431
2009-10-22 03:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\02581218
2009-10-21 15:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\28331219
2009-10-21 03:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\20487526
2009-10-20 15:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\98081329
2009-10-20 03:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\30362620
2009-10-19 15:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\91548734
2009-10-18 21:35 <DIR> --d----- c:\program files\CCleaner
2009-10-12 16:46 <DIR> --dsh--- c:\documents and settings\nick\PrivacIE
2009-10-12 16:40 <DIR> --dsh--- c:\documents and settings\nick\IETldCache
2009-10-12 16:33 78,336 a------- c:\windows\system32\ieencode.dll
2009-10-12 16:33 78,336 a------- c:\windows\system32\dllcache\ieencode.dll
2009-10-10 15:39 411,368 a------- c:\windows\system32\deploytk.dll
2009-10-10 15:13 <DIR> --d----- c:\docume~1\nick\applic~1\AVG8
2009-10-08 15:09 <DIR> --d----- C:\VundoFix Backups

==================== Find3M ====================

2009-10-12 14:35 12,496 a------- c:\windows\MSPuzzle.dat
2009-10-10 15:20 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-10-10 15:20 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-10-10 15:20 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-09-13 19:18 37 a------- c:\documents and settings\nick\jagex_runescape_preferences.dat
2009-09-13 19:14 45 a------- c:\documents and settings\nick\jagex_runescape_preferences2.dat
2009-09-10 13:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 13:53 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-09 15:05 103,535 a------- c:\windows\hpoins04.dat
2009-08-19 02:08 4,878 a------- c:\windows\system32\PerfStringBackup.TMP
2006-11-12 21:04 1,487,941 ac-sh--- c:\windows\apppatch\glovb.bak1
2006-12-20 21:18 1,516,195 ac-sh--- c:\windows\apppatch\glovb.bak2
2006-12-21 20:26 1,501,350 ac-sh--- c:\windows\apppatch\glovb.ini2
2009-07-18 15:58 1,114,994 a--sh--- c:\windows\system32\biwoguto.exe
2009-07-09 15:13 1,011,718 a--sh--- c:\windows\system32\buyetuza.exe
2009-08-05 08:18 91,136 a--sh--- c:\windows\system32\dasadote.dll
2009-08-04 20:18 90,624 a--sh--- c:\windows\system32\davonizo.dll
2009-07-08 15:13 1,011,424 a--sh--- c:\windows\system32\dinibafi.exe
2009-07-15 03:16 1,114,600 a--sh--- c:\windows\system32\dogesuza.exe
2009-08-03 08:17 38,400 a--sh--- c:\windows\system32\dopifadi.dll
2009-07-13 03:16 1,011,513 a--sh--- c:\windows\system32\fodevuna.exe
2009-07-27 04:01 1,011,753 a--sh--- c:\windows\system32\gahawotu.exe
2009-07-26 04:01 1,011,747 a--sh--- c:\windows\system32\gesewufi.exe
2009-07-24 04:00 1,011,746 a--sh--- c:\windows\system32\gihunuwa.exe
2009-07-29 20:14 1,011,611 a--sh--- c:\windows\system32\gukowema.exe
2009-07-28 20:14 3 a--sh--- c:\windows\system32\guyuzera.dll
2009-07-11 15:14 1,011,296 a--sh--- c:\windows\system32\hekuyilo.exe
2009-08-05 08:18 38,400 a--sh--- c:\windows\system32\henowosa.dll
2009-08-06 08:19 91,648 a--sh--- c:\windows\system32\hevolagi.dll
2009-08-06 08:19 38,400 a--sh--- c:\windows\system32\hewovohe.dll
2009-07-17 15:57 1,113,590 a--sh--- c:\windows\system32\hobavana.exe
2009-07-21 15:59 1,011,374 a--sh--- c:\windows\system32\huyewipu.exe
2009-08-02 20:17 90,112 a--sh--- c:\windows\system32\jabayima.dll
2009-07-12 15:15 1,011,386 a--sh--- c:\windows\system32\jeleguja.exe
2009-08-06 20:19 37,888 a--sh--- c:\windows\system32\jiwayode.dll
2007-08-09 07:56 1,743,372 ---sh--- c:\windows\system32\jjkkj.bak1
2007-08-10 17:06 1,695,180 ---sh--- c:\windows\system32\jjkkj.bak2
2007-08-10 17:08 1,686,670 ---sh--- c:\windows\system32\jjkkj.ini2
2009-07-14 03:16 1,011,572 a--sh--- c:\windows\system32\jofagowo.exe
2009-07-15 15:56 1,112,656 a--sh--- c:\windows\system32\kanolalo.exe
2009-07-25 16:00 1,011,751 a--sh--- c:\windows\system32\katumela.exe
2009-07-12 03:15 1,011,268 a--sh--- c:\windows\system32\kediranu.exe
2005-09-12 05:12 848 ac-sh--- c:\windows\system32\KGyGaAvL.sys
2009-07-16 03:56 1,111,915 a--sh--- c:\windows\system32\kipaguho.exe
2009-07-14 15:16 1,112,864 a--sh--- c:\windows\system32\kovuzuwa.exe
2009-07-20 15:58 1,011,676 a--sh--- c:\windows\system32\labefala.exe
2009-07-25 04:00 1,011,747 a--sh--- c:\windows\system32\lajogilo.exe
2009-07-10 03:14 1,011,343 a--sh--- c:\windows\system32\logiyiwe.exe
2009-08-02 20:17 38,400 a--sh--- c:\windows\system32\lubidufi.dll
2009-07-26 16:01 1,011,747 a--sh--- c:\windows\system32\metuyuli.exe
2009-07-16 15:56 1,111,915 a--sh--- c:\windows\system32\milokira.exe
2009-07-22 03:59 1,011,141 a--sh--- c:\windows\system32\mohuboza.exe
2009-07-21 03:59 1,011,240 a--sh--- c:\windows\system32\monifave.exe
2009-08-07 08:19 91,136 a--sh--- c:\windows\system32\najuseja.dll
2009-08-04 20:18 38,912 a--sh--- c:\windows\system32\nejisemi.dll
2008-08-01 21:16 876,710 a--sh--- c:\windows\system32\NoqYJRqr.ini2
2009-07-18 03:57 1,112,684 a--sh--- c:\windows\system32\nosifeya.exe
2009-07-29 08:14 1,011,618 a--sh--- c:\windows\system32\nulohonu.exe
2009-07-28 04:01 1,011,487 a--sh--- c:\windows\system32\papovosu.exe
2009-07-23 03:59 1,011,749 a--sh--- c:\windows\system32\rihotopu.exe
2009-08-03 08:17 89,600 a--sh--- c:\windows\system32\rozumafa.dll
2009-08-03 20:17 90,112 a--sh--- c:\windows\system32\rukirani.dll
2009-07-10 15:14 1,011,609 a--sh--- c:\windows\system32\rumapabo.exe
2009-07-17 03:56 1,114,430 a--sh--- c:\windows\system32\ruyikewu.exe
2009-07-22 15:59 1,011,707 a--sh--- c:\windows\system32\sinehotu.exe
2009-07-11 03:14 1,011,121 a--sh--- c:\windows\system32\tozifodo.exe
2009-08-04 08:18 89,600 a--sh--- c:\windows\system32\tupejute.dll
2009-08-04 08:18 38,912 a--sh--- c:\windows\system32\tuvoyawi.dll
2009-07-13 15:16 1,011,606 a--sh--- c:\windows\system32\vafazatu.exe
2009-08-07 08:19 38,400 a--sh--- c:\windows\system32\vumoyanu.dll
2009-07-19 15:58 1,011,607 a--sh--- c:\windows\system32\vuvimama.exe
2009-07-20 03:58 1,011,210 a--sh--- c:\windows\system32\wilelazi.exe
2009-08-06 20:19 91,648 a--sh--- c:\windows\system32\wupetoge.dll
2009-08-05 20:18 91,648 a--sh--- c:\windows\system32\yenafute.dll
2009-08-05 20:18 37,888 a--sh--- c:\windows\system32\yisabake.dll
2009-07-23 16:00 1,011,749 a--sh--- c:\windows\system32\zafugiho.exe
2009-08-03 20:17 38,912 a--sh--- c:\windows\system32\zalifire.dll
2009-07-24 16:00 1,011,747 a--sh--- c:\windows\system32\zelasojo.exe
2009-07-09 03:13 1,011,003 a--sh--- c:\windows\system32\ziratuvi.exe
2009-07-19 03:58 1,011,315 a--sh--- c:\windows\system32\zomiduvi.exe

============= FINISH: 14:45:45.63 ===============
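The first DDS log above is a textbook Vundo layout: the same eight-letter DLLs are wired into several load points at once (mRun via Rundll32, AppInit_DLLs, SSODL/STS, Winlogon Notify, even the LSA Authentication and Notification Packages), plus dozens of mRunServices entries pointing at random names in system32. The script below is an added example, not part of this thread and not a DDS or ComboFix feature: it parses lines in the Pseudo HJT format shown above, flags the mechanisms that should essentially never carry unknown entries, and reports binaries referenced by more than one mechanism. The sample lines are reproduced from the log above; the Windows XP baselines and the consonant/vowel filename heuristic are assumptions.

```python
"""Triage a DDS "Pseudo HJT Report" for layered Vundo-style persistence.

Added example for this thread: not part of DDS, ComboFix, or any post above.
Assumptions: the DDS line shapes seen in the posted log, the Windows XP
baselines below, and the consonant/vowel filename heuristic.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: lines reproduced from the first DDS log in this thread.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {0F8C5DCE-408D-4D6E-804D-EE75F10A9C63} - No File
mRun: [podalatog] Rundll32.exe "c:\windows\system32\najuseja.dll",a
mRunServices: [System Kernal Support] system.exe
mRunServices: [iyeginkwe] c:\windows\system32\iyeginkwe.exe
Notify: igfxcui - igfxdev.dll
Notify: oviehduw - oviehduw.dll
AppInit_DLLs: minepc.dll c:\windows\system32\hosirobi.dll c:\windows\system32\najuseja.dll
SSODL: wewelosof - {56899e57-9508-4d14-be0a-cecb6df172dd} - c:\windows\system32\najuseja.dll
SSODL: bolanuvur - {5b99e56b-006d-48f4-8d47-37695ded013a} - No File
LSA: Authentication Packages = msv1_0 c:\windows\system32\rqRJYqoN
LSA: Notification Packages = scecli tahiraga.dll
"""

# Heuristic: Vundo's dropped files in this log are eight letters in strict
# consonant/vowel alternation (najuseja, toduzawa, hosirobi, tahiraga).
CV_NAME = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}$")
# A path or bare filename ending in .dll/.exe, stopping at whitespace or quotes.
BINARY = re.compile(r'[^\s"]+\.(?:dll|exe)\b', re.I)
# What these LSA values hold on a standalone XP box; anything else is a DLL
# that lsass.exe loads at boot (assumed baseline; domain controllers add more).
LSA_BASELINE = {"Authentication Packages": {"msv1_0"},
                "Notification Packages": {"scecli"}}
# Winlogon\Notify packages on a default XP install plus Intel's igfxcui
# (assumed baseline; other vendors' entries will surface as "review").
NOTIFY_BASELINE = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                   "sclgntfy", "senslogn", "termsrv", "wlballoon", "igfxcui"}

def basename(path):
    """Last path component, lower-cased, quotes stripped."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()

def looks_generated(name):
    """True when the filename stem matches the Vundo consonant/vowel pattern."""
    return bool(CV_NAME.match(name.rsplit(".", 1)[0]))

def parse_line(line):
    """Split a DDS 'Key: rest' line; return None for headers and other text."""
    m = re.match(r"^([A-Za-z_]+):\s*(.*)$", line.strip())
    return (m.group(1), m.group(2)) if m else None

def triage(log_text):
    """Return (severity, mechanism, evidence, raw_line) for each suspect entry."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if not parsed:
            continue
        key, rest = parsed
        if key == "mRunServices":
            # RunServices is a Win9x-era key; XP software almost never uses it.
            bins = BINARY.findall(rest)
            findings.append(("high", key, basename(bins[-1]) if bins else rest, raw))
        elif key == "AppInit_DLLs":
            # Every DLL listed here is injected into each process that loads user32.dll.
            for item in rest.split():
                sev = "high" if looks_generated(basename(item)) else "review"
                findings.append((sev, key, basename(item), raw))
        elif key == "LSA":
            pkg, _, values = rest.partition("=")
            allowed = LSA_BASELINE.get(pkg.strip(), set())
            for value in values.split():
                if basename(value).rsplit(".", 1)[0] not in allowed:
                    findings.append(("high", f"LSA {pkg.strip()}", basename(value), raw))
        elif key == "Notify":
            name, _, dll = rest.partition(" - ")
            if name.strip().lower() not in NOTIFY_BASELINE:
                sev = "high" if looks_generated(basename(dll)) else "review"
                findings.append((sev, key, basename(dll), raw))
        elif key in ("BHO", "TB", "SSODL", "STS", "uRun", "mRun"):
            target = rest.rsplit(" - ", 1)[-1]
            if target.strip() == "No File":
                # Orphaned CLSID: a loader left behind after a partial removal.
                findings.append(("low", key, "orphaned CLSID (No File)", raw))
            for item in BINARY.findall(target):
                if looks_generated(basename(item)):
                    findings.append(("high", key, basename(item), raw))
    return findings

def summarize(findings):
    """Count findings per severity, e.g. {'high': 8, 'review': 2, 'low': 2}."""
    return dict(Counter(sev for sev, *_ in findings))

def cross_references(findings):
    """Binaries wired into more than one persistence mechanism (the Vundo tell)."""
    refs = defaultdict(set)
    for _, mech, evidence, _ in findings:
        if evidence.endswith((".dll", ".exe")):
            refs[evidence].add(mech)
    return {name: sorted(m) for name, m in refs.items() if len(m) > 1}

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for sev, mech, evidence, _ in found:
        print(f"{sev:6} {mech:28} {evidence}")
    print("wired into several mechanisms:", cross_references(found))
```

Run it as-is to see the findings for the sample; pasting a full Pseudo HJT section into SAMPLE_LOG (or reading it from a file) works the same way. A "review" severity only means the name is not in the assumed baseline, so legitimate vendor components will land there too; "high" is reserved for the mechanisms and name patterns that this log shows Vundo actually using.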


#2 jpshortstuff
Posted 07 November 2009 - 05:11 PM

Hi,

I notice you have Limewire installed. Limewire is a fantastic way to get yourself infected. I recommend you strongly consider removing it, and at the very least please stop using it until we have finished the cleaning process.


Please download ComboFix to your desktop from one of these locations. You must rename it before saving it. Save it to your desktop.
Link 1
Link 2
Link 3

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on Combo-Fix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please advise.
5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Trained at the What The Tech Classroom where you too could learn to help others.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here Posted Image

#3 Pinkerton492
Posted 08 November 2009 - 11:21 PM

The only error that occurred was that Combo-Fix did not post a report in the end.

It rebooted due to a "detected rootkit" something-or-other.
The "10 minute" process took around 2 and a half hours; seemingly well worth it.
Then it rebooted Windows and "Find3M" popped up, telling me that the report will be posted and not to open any programs.
All the while, everything on start-up opened up.
After a good half an hour of waiting, nothing happened, and "Find3M" disappeared.

I guess the issue has been solved...? It might take a couple of days or so to make sure everything mandatory runs properly. It took an extremely long time reopening Firefox.

As for Limewire, I haven't used it in eons practically, but I'm afraid that uninstalling it would delete all the files that other users have acquired through it. If there is a way to uninstall Limewire without losing all those files, it would be greatly appreciated.

Thank you!

#4 jpshortstuff
Posted 09 November 2009 - 02:03 AM

Hi,

Is there a log at either C:\ComboFix.txt or C:\QooBox:\ComboFix.txt?

Please post a fresh DDS log as well so we can see where we stand now. I'll look into Limewire uninstallers later; for now it's enough that you aren't using it.
#5 Pinkerton492
Posted 09 November 2009 - 09:44 PM

There wasn't anything under either of the two options given. Tried with a hyphen too, no result.

So far the system seems to be running without any viruses, trojans, etc. AVG and Windows Defender haven't caught anything going on under the radar, but I still have to find the time for a proper scan.

Regardless, here's the new DDS and Attach.txt


DDS (Ver_09-10-13.01) - NTFSx86
Run by Nick at 21:36:21.32 on Mon 11/09/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.245 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: McAfee Personal Firewall Plus *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Nick\Desktop\dBds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: {0F8C5DCE-408D-4D6E-804D-EE75F10A9C63} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {4299F9CB-4039-4892-B8C3-37FCBEC21BD5} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: AIM Search: {40d41a8b-d79b-43d7-99a7-9ee0f344c385} - c:\program files\aim toolbar\AIMBar.dll
TB: {5D956A61-05E7-427B-A2B1-BF32FB18B1BE} - No File
TB: {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - No File
uRun: [Google Update] "c:\documents and settings\nick\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [MPFExe] c:\progra~1\mcafee.com\person~1\MpfTray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\mcupdate.exe
mRun: [MCAgentExe] c:\progra~1\mcafee.com\agent\McAgent.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [podalatog] Rundll32.exe "c:\windows\system32\poyegubi.dll",a
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\nick\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
IE: &Search
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\progra~1\aim\aim.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
Trusted Zone: aol.com\my.screenname
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemyfios.verizon.net/sdcCommon/download/FIOS/tgctlcm.cab
DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} - hxxps://www.windowsonecare.com/install/cli/1.1.1067.8/WinSSWebAgent.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235265835197
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1235266019025
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: bmbxadob - bmbxadob.dll
Notify: bvolg - c:\windows\apppatch\bvolg.dll
Notify: efcaBsrs - efcaBsrs.dll
Notify: igfxcui - igfxdev.dll
Notify: jkhfc - jkhfc.dll
Notify: oviehduw - oviehduw.dll
SSODL: bolanuvur - {5b99e56b-006d-48f4-8d47-37695ded013a} - No File
SSODL: rabefiyos - {6ba117f2-95e7-4f5f-865e-818fb4bd9b6c} - No File
SSODL: keyinonok - {1d50a45d-19ab-42ce-8930-49ade1085185} - No File
SSODL: nosofajen - {adec5f7d-2880-4b8a-8dfe-a00910832d4e} - No File
SSODL: yuzozaley - {57e42849-daf3-4a9a-bc76-1c44fdf6d53b} - c:\windows\system32\bepogahi.dll
SSODL: ruhasukez - {d6ef053a-674d-4892-8490-eb8581c98627} - c:\windows\system32\toduzawa.dll
SSODL: yuluvewuj - {24aeaf4a-c40a-470f-adb1-cce2b09e7c49} - c:\windows\system32\poyegubi.dll
STS: {5b99e56b-006d-48f4-8d47-37695ded013a} - No File
STS: {6ba117f2-95e7-4f5f-865e-818fb4bd9b6c} - No File
STS: {1d50a45d-19ab-42ce-8930-49ade1085185} - No File
STS: {adec5f7d-2880-4b8a-8dfe-a00910832d4e} - No File
STS: kupuhivus: {57e42849-daf3-4a9a-bc76-1c44fdf6d53b} - c:\windows\system32\bepogahi.dll
STS: kupuhivus: {d6ef053a-674d-4892-8490-eb8581c98627} - c:\windows\system32\toduzawa.dll
STS: kupuhivus: {24aeaf4a-c40a-470f-adb1-cce2b09e7c49} - c:\windows\system32\poyegubi.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nick\applic~1\mozilla\firefox\profiles\mkztoo1n.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\nick\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-20 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-6-20 108552]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-3 297752]
R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2004-8-12 14336]
R3 LNE100;Linksys LNE100TX(v5) Fast Ethernet Adapter;c:\windows\system32\drivers\lne100v5.sys [2006-3-11 36224]
S2 AOLSVCHst;AOL Service Host;"c:\windows\debug\aolhost.exe" --> c:\windows\debug\aolhost.exe [?]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-6-18 24652]
S2 WMPNSVC;Windows Media Performance;"c:\windows\repair\wmpsvc.exe" --> c:\windows\repair\wmpsvc.exe [?]
S2 yxoeop7yeo;Print Spooler Service;c:\windows\system32\yyvjyozh.exe /service --> c:\windows\system32\yyvjyozh.exe [?]
S3 EraserUtilDrv10621;EraserUtilDrv10621;\??\c:\program files\common files\symantec shared\eengine\eraserutildrv10621.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrv10621.sys [?]
S3 mcdevice;mcdevice;c:\windows\system32\drivers\mcdevice.sys [2009-5-28 324096]
S3 MmedFilter;MmedFilter;\??\c:\windows\system32\drivers\mmedfilter.sys --> c:\windows\system32\drivers\MmedFilter.sys [?]
S3 XDva167;XDva167;\??\c:\windows\system32\xdva167.sys --> c:\windows\system32\XDva167.sys [?]
S3 XDva177;XDva177;\??\c:\windows\system32\xdva177.sys --> c:\windows\system32\XDva177.sys [?]
S3 XDva186;XDva186;\??\c:\windows\system32\xdva186.sys --> c:\windows\system32\XDva186.sys [?]
S3 XDva189;XDva189;\??\c:\windows\system32\xdva189.sys --> c:\windows\system32\XDva189.sys [?]
S3 XDva195;XDva195;\??\c:\windows\system32\xdva195.sys --> c:\windows\system32\XDva195.sys [?]

=============== Created Last 30 ================

2009-11-08 23:24 <DIR> --d----- c:\windows\ServicePackFiles
2009-11-08 21:36 <DIR> a-dshr-- C:\cmdcons
2009-11-08 21:30 267,264 a------- c:\windows\PEV.exe
2009-11-08 21:30 161,792 a------- c:\windows\SWREG.exe
2009-11-08 21:30 77,312 a------- c:\windows\MBR.exe
2009-11-08 21:30 98,816 a------- c:\windows\sed.exe
2009-11-08 21:29 <DIR> --d----- C:\Combo-Fix
2009-11-08 17:59 <DIR> --d----- c:\program files\iPod
2009-11-08 17:58 <DIR> --d----- c:\program files\iTunes
2009-11-08 17:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-18 21:35 <DIR> --d----- c:\program files\CCleaner
2009-10-12 16:46 <DIR> --dsh--- c:\documents and settings\nick\PrivacIE
2009-10-12 16:40 <DIR> --dsh--- c:\documents and settings\nick\IETldCache
2009-10-12 16:33 78,336 a------- c:\windows\system32\ieencode.dll
2009-10-12 16:33 78,336 ac------ c:\windows\system32\dllcache\ieencode.dll

==================== Find3M ====================

2009-11-09 16:31 4,896 a------- c:\windows\system32\PerfStringBackup.TMP
2009-10-12 14:35 12,496 a------- c:\windows\MSPuzzle.dat
2009-10-10 15:38 411,368 a------- c:\windows\system32\deploytk.dll
2009-10-10 15:20 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-10-10 15:20 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-10-10 15:20 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-09-13 19:18 37 a------- c:\documents and settings\nick\jagex_runescape_preferences.dat
2009-09-13 19:14 45 a------- c:\documents and settings\nick\jagex_runescape_preferences2.dat
2009-09-11 09:33 133,632 a------- c:\windows\system32\msv1_0.dll
2009-09-09 15:05 103,535 a------- c:\windows\hpoins04.dat
2009-09-04 15:45 58,880 a------- c:\windows\system32\msasn1.dll
2009-08-29 02:36 832,512 a------- c:\windows\system32\wininet.dll
2009-08-29 02:36 17,408 a------- c:\windows\system32\corpol.dll
2009-08-26 03:16 247,326 a------- c:\windows\system32\strmdll.dll
2009-08-03 08:17 38,400 a--sh--- c:\windows\system32\dopifadi.dll
2009-08-05 08:18 38,400 a--sh--- c:\windows\system32\henowosa.dll
2009-08-06 08:19 38,400 a--sh--- c:\windows\system32\hewovohe.dll
2009-08-06 20:19 37,888 a--sh--- c:\windows\system32\jiwayode.dll
2005-09-12 05:12 848 ac-sh--- c:\windows\system32\KGyGaAvL.sys
2009-08-02 20:17 38,400 a--sh--- c:\windows\system32\lubidufi.dll
2009-08-04 20:18 38,912 a--sh--- c:\windows\system32\nejisemi.dll
2009-08-07 20:19 37,888 a--sh--- c:\windows\system32\podosewa.dll
2009-08-07 08:19 38,400 a--sh--- c:\windows\system32\vumoyanu.dll
2009-08-05 20:18 37,888 a--sh--- c:\windows\system32\yisabake.dll
2009-08-03 20:17 38,912 a--sh--- c:\windows\system32\zalifire.dll

============= FINISH: 21:37:57.26 ===============


#6 jpshortstuff (WhatTheTech Teacher, Members, 660 posts, UK)

Posted 10 November 2009 - 04:02 AM

Hi,

Looks like the infection still heavily remains. I'd like to try ComboFix again, but a little differently.

First, please delete your copy of ComboFix, and re-download it (it has been updated). Please rename it on download again, this time rename it to:
explorer.exe

Make sure it is on your Desktop.

Next, please copy and paste the following text to a new Notepad file, and save it to your Desktop, entitled CFScript.txt.

KillAll::
StepDel::


Once saved, please close all windows, and then drag CFScript.txt onto explorer.exe. This shall start ComboFix in a special way, which should be more effective than before.

Let me know how it goes.
Trained at the What The Tech Classroom where you too could learn to help others.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here.

#7 Pinkerton492 (Topic Starter, Members, 6 posts)

Posted 10 November 2009 - 06:25 PM

I'm a bit hesitant. The three links for ComboFix you posted earlier, Link 1 has 404'd, Link 2 was in Spanish(?), and Link 3 says the last time ComboFix was updated was in June 2009.

I'll wait till the links clear up; if they don't, could you repost them?

#8 jpshortstuff (WhatTheTech Teacher, Members, 660 posts, UK)

Posted 11 November 2009 - 02:09 AM

Try again now. ComboFix was taken offline temporarily, a new version has now been uploaded.

#9 Pinkerton492 (Topic Starter, Members, 6 posts)

Posted 11 November 2009 - 05:39 PM

ComboFix did whatever it does to help. :( And a lot faster this time also.

I've attached the log.


#10 jpshortstuff (WhatTheTech Teacher, Members, 660 posts, UK)

Posted 12 November 2009 - 03:33 AM

Hi,

That looks better, let's clean up further. First, open Control Panel and click Add/Remove Programs. Remove these old versions of Java:
Java 2 Runtime Environment, SE v1.4.2_03
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Java™ SE Runtime Environment 6 Update 1

You should also update to the latest version. There should be a Java Control Panel entry in your Control Panel with which you can do this.


We need to run another CFScript. Please do the same as before, but use this script:

Driver::
AOLSVCHst
yxoeop7yeo
EraserUtilDrv10621
WMPNSVC
XDva167
XDva177
XDva186
XDva189
XDva195


Post the ComboFix log when it's done.

Next, let's run a general AntiVirus scan to get a second opinion on your machine's health.

Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.

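The helper in this thread reads the DDS log by eye: a Run entry that loads a system32 DLL through rundll32, Winlogon Notify / SSODL / STS entries that point at "No File" or at another random-looking DLL, services whose image file DDS could not find on disk (the trailing "[?]"), and the cluster of hidden+system DLLs in the Find3M section. The Python below is an added example written for this page; it is not the original poster's or jpshortstuff's code and not part of DDS or ComboFix. It encodes those readings as heuristics over DDS-style lines. One assumption is drawn from this log rather than from any documentation: that the eight-letter consonant/vowel file names (poyegubi.dll, bepogahi.dll, dopifadi.dll, ...) are a naming pattern worth flagging. The sample lines are copied from the log posted above with clean entries mixed in as negatives. The "image file missing" findings are the raw material for a ComboFix Driver:: section like the one in post #10; run over the full log above, the script also lists MmedFilter, which that Driver:: list leaves out.

```python
"""Heuristic triage of a DDS-style log (Windows XP era).

Added example for this thread; not code from DDS, ComboFix or the posters.
The RANDOM_NAME pattern is an assumption taken from this one log, not a
signature: treat every hit as "review", never as "delete".
"""
import re

# Eight lowercase letters alternating consonant/vowel, e.g. "poyegubi".
RANDOM_NAME = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}$")

RUN_LINE = re.compile(r"^[um]Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
HOOK_LINE = re.compile(r"^(?P<kind>Notify|SSODL|STS): (?P<rest>.*)$")
SVC_LINE = re.compile(r"^[RS][0-4] (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*)$")
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} (?P<size>[\d,]+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)
RUNDLL_TARGET = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.I)


def basename(path):
    """Last path component without extension, lower-cased ('..\\Foo.DLL' -> 'foo')."""
    leaf = path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1]
    return leaf.rsplit(".", 1)[0].lower()


def looks_random(path):
    """True when the file name fits the consonant/vowel pattern above."""
    return RANDOM_NAME.match(basename(path)) is not None


def triage(log_text):
    """Return (category, item, reason) findings for one DDS log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RUN_LINE.match(line)
        if m:  # Run key: flag rundll32 loading a random-looking DLL
            dll = RUNDLL_TARGET.search(m.group("cmd"))
            if dll and looks_random(dll.group(1)):
                findings.append(("run", m.group("name"), "rundll32 loads " + dll.group(1)))
            continue
        m = HOOK_LINE.match(line)
        if m:  # Winlogon Notify / ShellServiceObjectDelayLoad / SharedTaskScheduler
            kind, rest = m.group("kind"), m.group("rest")
            label = rest.split(" - ")[0]
            target = rest.rsplit(" - ", 1)[-1]
            if target == "No File":
                findings.append((kind, label, "orphaned entry (No File)"))
            elif looks_random(target):
                findings.append((kind, label, "loads " + target))
            elif kind == "Notify" and "\\" in target and "\\system32\\" not in target.lower():
                findings.append((kind, label, "Notify DLL outside system32: " + target))
            continue
        m = SVC_LINE.match(line)
        if m:  # DDS appends "[?]" when the service image is not on disk
            if m.group("path").rstrip().endswith("[?]"):
                findings.append(("service", m.group("name"), "image file missing"))
            continue
        m = FILE_LINE.match(line)
        if m and "s" in m.group("attrs") and "h" in m.group("attrs"):
            path = m.group("path")  # hidden+system DLLs are rare for legitimate software
            if path.lower().endswith(".dll"):
                reason = "hidden+system DLL"
                if looks_random(path):
                    reason += ", random-looking name"
                findings.append(("file", path, reason))
    return findings


def missing_image_services(log_text):
    """Names DDS could not find on disk: candidates for a ComboFix Driver:: section."""
    return [item for cat, item, _ in triage(log_text) if cat == "service"]


# Constructed sample: lines copied from the DDS log above, clean ones included.
SAMPLE_LOG = r"""
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [podalatog] Rundll32.exe "c:\windows\system32\poyegubi.dll",a
Notify: igfxcui - igfxdev.dll
Notify: bvolg - c:\windows\apppatch\bvolg.dll
SSODL: bolanuvur - {5b99e56b-006d-48f4-8d47-37695ded013a} - No File
SSODL: yuzozaley - {57e42849-daf3-4a9a-bc76-1c44fdf6d53b} - c:\windows\system32\bepogahi.dll
STS: kupuhivus: {24aeaf4a-c40a-470f-adb1-cce2b09e7c49} - c:\windows\system32\poyegubi.dll
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-3 297752]
S2 AOLSVCHst;AOL Service Host;"c:\windows\debug\aolhost.exe" --> c:\windows\debug\aolhost.exe [?]
S2 yxoeop7yeo;Print Spooler Service;c:\windows\system32\yyvjyozh.exe /service --> c:\windows\system32\yyvjyozh.exe [?]
S3 XDva167;XDva167;\??\c:\windows\system32\xdva167.sys --> c:\windows\system32\XDva167.sys [?]
2009-10-10 15:20 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-03 08:17 38,400 a--sh--- c:\windows\system32\dopifadi.dll
2009-08-05 08:18 38,400 a--sh--- c:\windows\system32\henowosa.dll
"""

if __name__ == "__main__":
    for category, item, reason in triage(SAMPLE_LOG):
        print("%-8s %-45s %s" % (category, item, reason))
```

To use it on a real log, replace SAMPLE_LOG with the file contents (or read the file) and review each line of output against the rest of the log before putting anything in a CFScript. The name pattern catches the DLLs on this machine but nothing guarantees the next variant uses it; the "No File" and "[?]" checks are the more durable signals, since they come from DDS confirming that a registry reference has no file behind it.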



