Multiple virus threats: Personal Guard 2009 and winsc.exe

Hi all. I'm new to bleepingcomputer.com and I need your help. First things first, I would like to ask those who are members of the HijackThis Team or Moderators only post help related solutions to my problem. The reason for this is that I am attaching a HiJackThis log along with other bleepingcomputer required documents.

So, here's a description of some of the symptoms of my infected computer. Personal Guard 2009 was mysteriously installed on my computer without my knowledge and it is impossible to remove it with traditional software removing techniques, such as the Add/Remove Programs feature. When I browse the internet with Firefox, Internet Explorer windows pop up but they don't show a web page. They are just blank. Of course, the traditional pop up windows that appear in Firefox come standard with all viruses. I have downloaded Malwarebytes and it is blocking it from running. There is a trick that I know by renaming the program to windows trusted name that will trick the virus into letting the renamed program run. That didn't work because even though I am a computer administrator, a message appeared stating that I do not have sufficient user privileges to run "winlogon" (which is what I renamed the program Malwarebytes to). Also, I am unable to start in Safe Mode and I am unable to run msconfig.

Attached is a Word document containing a list of viruses the CA Antivirus has detected and a HiJackThis Log too.

------------------------------------------------------------------------------------------------------------------------------------------


DDS (Ver_09-10-26.01) - NTFSx86
Run by ANTONIO at 21:21:20.14 on Sat 11/07/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.447.206 [GMT -5:00]

AV: CA Anti-Virus *On-access scanning enabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Documents and Settings\ANTONIO\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\ANTONIO\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = cdn;*.local
uInternet Settings,ProxyServer = actsvr.comcastonline.com:8100
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [SansaDispatch] c:\documents and settings\antonio\application data\sandisk\sansa updater\SansaDispatch.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [ddoctorv2] "c:\program files\comcast\desktop doctor\bin\sprtcmd.exe" /P ddoctorv2
mRun: [<NO NAME>]
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [cctray] "c:\program files\ca\ca internet security suite\cctray\cctray.exe"
mRun: [CAVRID] "c:\program files\ca\ca internet security suite\ca anti-virus\CAVRID.exe"
mRun: [rukokuzek] Rundll32.exe "c:\windows\system32\buyenayo.dll",a
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\windows\system32\VetRedir.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
AppInit_DLLs: c:\windows\system32\divosewo.dll c:\windows\system32\tevupiru.dll jusiwona.dll c:\windows\system32\yoletepu.dll c:\windows\system32\rijavuza.dll c:\windows\system32\buyenayo.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SysNet - {6915A590-F99F-42B3-820A-0C054A98B566} - c:\documents and settings\all users\microsoft adata\sysnet.dll
SSODL: surajukay - {46c31e69-ff17-48f9-85cd-042c1212c043} - c:\windows\system32\zulagovi.dll
SSODL: wipewopug - {530b2027-ffe4-4f00-ab25-f6dd0a827043} - c:\windows\system32\zulagovi.dll
SSODL: pewometog - {9b53e818-a438-4710-8e7c-139f6f174f4c} - c:\windows\system32\rijavuza.dll
SSODL: jalahomar - {4a05dd98-cbef-4353-84fc-450ba6f00546} - c:\windows\system32\zulagovi.dll
SSODL: juduvoraw - {f21b4160-1609-4ab9-bd42-f8c057563a1d} - c:\windows\system32\rijavuza.dll
SSODL: yububupom - {af23bfd0-2778-474b-8316-871e7b3124eb} - c:\windows\system32\rijavuza.dll
SSODL: wayisokad - {186e5ae6-6ea8-4b65-959b-8db534d06e55} - c:\windows\system32\rijavuza.dll
SSODL: vesujusoj - {ce06e379-a4e1-4112-984f-83b079033e5a} - c:\windows\system32\yemavema.dll
SSODL: jedehobor - {33cd6972-ffb4-4833-aa34-2bdf5645e414} - c:\windows\system32\zifubogu.dll
SSODL: pafafipaw - {be7c03cc-208e-4e68-994c-4fd6cb9997ab} - c:\windows\system32\buyenayo.dll
STS: kupuhivus: {46c31e69-ff17-48f9-85cd-042c1212c043} - c:\windows\system32\zulagovi.dll
STS: gahurihor: {530b2027-ffe4-4f00-ab25-f6dd0a827043} - c:\windows\system32\zulagovi.dll
STS: mujuzedij: {9b53e818-a438-4710-8e7c-139f6f174f4c} - c:\windows\system32\rijavuza.dll
STS: tokatiluy: {4a05dd98-cbef-4353-84fc-450ba6f00546} - c:\windows\system32\zulagovi.dll
STS: kupuhivus: {f21b4160-1609-4ab9-bd42-f8c057563a1d} - c:\windows\system32\rijavuza.dll
STS: kupuhivus: {af23bfd0-2778-474b-8316-871e7b3124eb} - c:\windows\system32\rijavuza.dll
STS: tokatiluy: {186e5ae6-6ea8-4b65-959b-8db534d06e55} - c:\windows\system32\rijavuza.dll
STS: mujuzedij: {ce06e379-a4e1-4112-984f-83b079033e5a} - c:\windows\system32\yemavema.dll
STS: mujuzedij: {33cd6972-ffb4-4833-aa34-2bdf5645e414} - c:\windows\system32\zifubogu.dll
STS: tokatiluy: {be7c03cc-208e-4e68-994c-4fd6cb9997ab} - c:\windows\system32\buyenayo.dll
LSA: Authentication Packages = msv1_0 nwprovau
LSA: Notification Packages = scecli zebekeli.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\antonio\applic~1\mozilla\firefox\profiles\y8ttptvj.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-11-07 23:33:27 0 d-----w- c:\docume~1\antonio\applic~1\SanDisk
2009-11-07 23:10:40 0 d-----w- c:\documents and settings\antonio\Tracing
2009-11-07 22:49:26 0 d-----w- c:\program files\Microsoft
2009-11-07 22:47:10 0 d-----w- c:\program files\Windows Live SkyDrive
2009-11-07 22:36:49 0 d-----w- c:\program files\common files\Windows Live
2009-11-05 01:56:28 0 d-----w- c:\program files\Trend Micro
2009-10-31 04:44:50 51197 ----a-w- c:\windows\spoov.exe
2009-10-31 04:44:50 47872 ----a-w- c:\windows\certsystem.exe
2009-10-31 04:44:50 38352 ----a-w- c:\windows\regred.exe
2009-10-31 04:44:50 33149 ----a-w- c:\windows\usexplorer.exe
2009-10-31 04:44:50 28320 ----a-w- c:\windows\securits.com
2009-10-31 04:44:50 18941 ----a-w- c:\windows\microsoftdef.dll
2009-10-31 04:44:49 0 d-----w- c:\program files\Personal Guard 2009
2009-10-31 04:44:42 0 d-----w- c:\documents and settings\all users\Microsoft AData

==================== Find3M ====================

2009-11-01 14:44:52 739696 ----a-w- c:\windows\system32\drivers\vetefile.sys
2009-11-01 14:44:52 26352 ----a-w- c:\windows\system32\drivers\vet-filt.sys
2009-11-01 14:44:52 21488 ----a-w- c:\windows\system32\drivers\vetfddnt.sys
2009-11-01 14:44:52 21104 ----a-w- c:\windows\system32\drivers\vet-rec.sys
2009-11-01 14:44:52 161008 ----a-w- c:\windows\system32\drivers\vetmonnt.sys
2009-11-01 14:44:52 133520 ----a-w- c:\windows\system32\drivers\veteboot.sys
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-05 00:48:27 37 ----a-w- c:\documents and settings\antonio\jagex_runescape_preferences.dat
2009-09-05 00:47:26 45 ----a-w- c:\documents and settings\antonio\jagex_runescape_preferences2.dat
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-07 15:53:12 90112 --sha-w- c:\windows\system32\buyenayo.dll
2009-08-01 14:38:35 38400 --sha-w- c:\windows\system32\gafilumu.dll
2009-08-03 13:20:13 38912 --sha-w- c:\windows\system32\hupabubi.dll
2009-08-05 13:30:08 38912 --sha-w- c:\windows\system32\jepafuzi.dll
2009-08-07 01:30:31 37888 --sha-w- c:\windows\system32\jepewosi.dll
2009-07-31 16:50:19 52224 --sha-w- c:\windows\system32\jusiwona.dll
2009-07-31 16:50:19 52224 --sha-w- c:\windows\system32\kohigewi.dll
2009-08-06 01:29:59 37888 --sha-w- c:\windows\system32\lobebafu.dll
2009-08-02 02:37:25 60928 --sha-w- c:\windows\system32\mabarili.dll
2009-08-04 20:22:43 38400 --sha-w- c:\windows\system32\muguvora.dll
2009-07-31 16:49:35 90624 --sha-w- c:\windows\system32\mulanaha.dll
2009-08-06 13:30:42 37888 --sha-w- c:\windows\system32\nasijuye.dll
2009-07-31 04:49:22 178688 --sha-w- c:\windows\system32\noyahopi.dll
2009-08-02 20:27:51 37888 --sha-w- c:\windows\system32\pafiloha.dll
2009-08-07 15:53:13 37888 --sha-w- c:\windows\system32\pasagami.dll
2009-07-31 16:49:35 52224 --sha-w- c:\windows\system32\raramuge.dll
2009-08-02 02:37:25 37888 --sha-w- c:\windows\system32\tobuhifo.dll
2009-07-31 04:49:22 96768 --sha-w- c:\windows\system32\vuzejofu.dll
2009-08-04 02:07:07 37888 --sha-w- c:\windows\system32\yosimanu.dll
2009-07-31 16:50:19 52224 --sha-w- c:\windows\system32\zebekeli.dll
2009-08-07 01:30:31 89600 --sha-w- c:\windows\system32\zifubogu.dll
2009-08-04 02:07:07 89600 --sha-w- c:\windows\system32\zulagovi.dll
2009-06-18 21:14:28 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009061820090619\index.dat

============= FINISH: 21:26:11.95 ===============

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

• Download DDS by sUBs from one of the following links. Save it to your desktop.
  • DDS.scr
  • DDS.pif
• Double click on the DDS icon, allow it to run.
• A small box will open, with an explanation about the tool. No input is needed, the scan is running.
• Notepad will open with the results.
• Follow the instructions that pop up for posting the results.
• Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

Hi Blade Zephon,

Thanks for the response, but I am trying to resolve a friends computer that I will not always have access to. When a solution arises to the pending problem, that' when I will have access. For the moment, I would request that you treat all of the files attached as the new ones that you have requested for review.

Thanks again.

Hello GuruNeedsHelp and Welcome to BleepingComputer.

I'm DocSatan and I will be helping you with your "Malware" related computer problems. Please give me some time to research your logs and I will get back to you ASAP.

In the meantime:

1. Please TRACK this Topic

• At the top-right of this thread, click on the button.
• In the list that drops down, click on
• Place a tick-mark next to Immediate E-Mail Notification
• Then click on
• You will now receive an e-mail as soon as a Reply is made to this Topic.

2. Do Not Make Any Changes to the "Infected" Computer.

• Once you have posted a NEW DDS Log, Do Not make any changes to the computer. I will be researching the DDS Log that you post and any changes made to the system might interfere with the FIX that I prepare for you. Examples of "Changes":
• Deleting Files/Folders
• Installing/Uninstalling Programs
• Running Anti-Virus, Anti-Malware, Anti-Spyware, etc., Programs

3. Please do not seek Help with this issue at another Computer Help Forum

• While we are working together I must insist that you do not seek help with this matter at any other Help Forum.
• Having multiple (more than one) Forums provide help for the same computer issue will result in confusion with preparing a Fix.
• It is also not fair to the Volunteer who is helping you, as her/his time will be wasted trying to fix a computer that someone else is also trying to fix.
• So, if you have posted at another Computer Help Forum for this same issue I would ask that you choose which Forum that you wish to stay with and inform the other Forum(s) that you no longer require their assistance.

4. Throughout the course of us working together, I will be posting step-by-step procedures for you to follow on your computer.

• If at any time you do not fully understand what I have said, or you are not exactly sure what you are supposed to do, then please stop there and Post back to this topic and ask your questions. That way I will be able to more clearly explain the step/procedure and we won't have to worry about any steps being done incorrectly.

Doc.

Edited by DocSatan, 22 November 2009 - 06:21 PM.

Hi GuruNeedsHelp,

This Computer is infected with a Backdoor/Trojan.

Important Note: Backdoor/IRCBot Trojans are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms. Remote attackers use Backdoor Trojans as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge. When infected by one of them you should disconnect the computer from the Internet until your system is cleaned. If your computer was used for online banking or has credit card information on it, ALL passwords should be changed immediately, including those used for email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breech.

• More info can be found here:
• How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
• What Should I Do If I've Become A Victim Of Identity Theft?
• Identity Theft Victims Guide - What to do

Though the Trojan has been identified and can be killed, because of it's Backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS.

• If you choose to Re-Format and Re-Install, see these links for instructions:
• When should I re-format? How should I reinstall?
• Help: I Got Hacked. Now What Do I Do?
• Where to draw the line? When to recommend a format and reinstall?

We can attempt to clean this machine but we CANNOT guarantee that it will be 100% secure afterwards. If you decide not to Reformat and to try and Clean this Computer, please follow the instructions below:

1. Please Download ComboFix
Here is a Tutorial on using ComboFix: A guide and tutorial on using ComboFix

• Save it to your Desktop
• Do NOT run ComboFix yet
• Here is an alternative link to download ComboFix, if the above one is not working for you:Link 1

2. Disable Your AntiVirus and AntiSpyware Programs

• You should be able to Right-Click on the program's icon in the System Tray and get an option to shut-down/disable each program.
• These programs may interfere with our fix. We will re-enable them when we are done.

3. Double click on ComboFix.exe that you just saved to your Desktop

• Follow the prompts.
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. The Recovery Console will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• It is strongly recommended to have the Recovery Console installed on your machine before doing any malware removal.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

NOTE: If the Microsoft Windows Recovery Console is already installed, you will not receive a prompt from ComboFix regarding the Recovery Console.

• Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  
  

  

• Click on Yes, to continue scanning for malware.
  
• When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

4. Re-enable Your AntiVirus and AntiSpyware Programs That You Disabled in Step 2.

5. What I need in Your Next Reply:

• ComboFix.txt

Doc.


Doc.

Hello DocSatan,
First off, I would like to thank you for all of the help you have given me so far. I would like to know how you classified the type of virus that is on my friend's computer just based on the information that I gave you. Although I have come to this forum seeking computer repair help based on HiJackThis logs, my main purpose was to find out which items from the HiJackThis log you would leave alone based on their functionality with the computer, which ones you would consider safe to delete based on the fact that I can always re-download them and that they could possibly be infected, and which ones to delete based on their viral identification. I am fairly new to reading and interpreting HiJackThis logs and I would like to compare my actions with yours.
Also, I feel incredibly uneasy about the fact that I would have to DISABLE my friend's anti-virus protection just to be able to scan the computer. His anti-virus (CA Anti-virus) constantly shows messages of items that have been quarantined and found to be harmful. I feel that if CA was disabled, then the viruses would have full access to the computer and would cause even more harm.
I have made friends with a high end computer technician that has helped me with my computer when I was in need. Unfortunately I am unable to get in touch with him. All he asked for was a HiJackThis log to interpret. He gave me a set of instructions to follow for removing any and all viruses. These were his guidelines that he has passed on to me so that I would be able to help myself and others when the time was needed. I will attach his guidelines for you to view. Any commenting and additional tips would be appreciated. I would like to follow his guideline, but in the process it requires the interpretation of a HiJackThis log. I wold like your recommended plan of action for each item in the log. Please feel free to edit the log and re-post it with your recommendations.

P.S. Ignore the text in red (It just represents the exchange of information during the process of fixing my own computer). The Black text are my own notes on things to remember and how to perform certain actions. And, of course, the final process of removing all remaining viruses is to scan the computer with an anti-virus/anti-malware/anti-spyware program(s).

Hello GuruNeedsHelp,

First off, I would like to thank you for all of the help you have given me so far.

• Your Welcome.

I would like to know how you classified the type of virus that is on my friend's computer just based on the information that I gave you.

• Well, the Backdoor Infection was identified by the following in the DDS Log:
  • ============== Pseudo HJT Report ===============
    mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
• And from the RootRepeal Log:
  • Hidden/Locked Files
    -------------------
    Path: C:\WINDOWS\system32\sdra64.exe
    Status: Invisible to the Windows API!
    
    Path: C:\WINDOWS\system32\lowsec
    Status: Invisible to the Windows API!
• You can read about this infection here: PWS:Win32/Zbot.PM

Although I have come to this forum seeking computer repair help based on HiJackThis logs, my main purpose was to find out which items from the HiJackThis log you would leave alone based on their functionality with the computer, which ones you would consider safe to delete based on the fact that I can always re-download them and that they could possibly be infected, and which ones to delete based on their viral identification. I am fairly new to reading and interpreting HiJackThis logs and I would like to compare my actions with yours.

• I understand your curiosity and desire to learn more about the Malware Research/Fighting community. I am not able to get in to the details here, as this forum is meant to Identify Computer Malware Issues and then attempt to fix them.
• If you are interested in Training, we have a Malware Removal Training Program here at B.C.
• You can use this Site for researching HiJackThis Entries if you like: SystemLookUp

Also, I feel incredibly uneasy about the fact that I would have to DISABLE my friend's anti-virus protection just to be able to scan the computer. His anti-virus (CA Anti-virus) constantly shows messages of items that have been quarantined and found to be harmful. I feel that if CA was disabled, then the viruses would have full access to the computer and would cause even more harm.

• The disabling of the AntiVirus (AV) Program is only temporary. We need to disable the AV so that it will not interfere with the Running of ComboFix. (As stated in Steps 2 and 4 of my previous instructions).

I have made friends with a high end computer technician that has helped me with my computer when I was in need. Unfortunately I am unable to get in touch with him. All he asked for was a HiJackThis log to interpret. He gave me a set of instructions to follow for removing any and all viruses. These were his guidelines that he has passed on to me so that I would be able to help myself and others when the time was needed. I will attach his guidelines for you to view. Any commenting and additional tips would be appreciated. I would like to follow his guideline, but in the process it requires the interpretation of a HiJackThis log. I wold like your recommended plan of action for each item in the log. Please feel free to edit the log and re-post it with your recommendations.

• This is just not feasible.
• My function here, as a Volunteer Helper, is to analyze Logs and Symptoms and then try to fix the Persons Malware Related Computer Issues.
• I cannot try to compete with another Helper in Fixing this computer, it's just not an efficient or productive scenario.
• If you would like to have your IT Friend help you fix this computer, then please let me know so that I can close this Topic.

Every Malware problem is different and the fixes we are giving are specific to each user. Trying to fix things without the proper knowledge can result in inappropriate Malware removal and/or damage caused to the Operating System (OS).

So, just to Re-Cap:

• This Computer is infected with a Backdoor Trojan. Please read the warnings and advice associated with this type of infection HERE.
• If you decide to try and clean this computer, then please follow my instructions HERE.
• If you decided to Reformat or to have someone else help you with this computer, please reply back to this Topic and let me know.

Doc.

Due to the lack of feedback, this topic is now closed.
If you need this topic reopened, please PM a staff member and we will reopen it for you (include the address of this thread in your request). This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.

Reopened as per user's request.

Hello GuruNeedsHelp,

Are you seeking assistance with the same computer as from your initial post? If so, I must remind you of the Hazards of the Backdoor Infection that was present in the initial DDS Log:

This Computer is infected with a Backdoor/Trojan.

Important Note: Backdoor/IRCBot Trojans are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms. Remote attackers use Backdoor Trojans as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge. When infected by one of them you should disconnect the computer from the Internet until your system is cleaned. If your computer was used for online banking or has credit card information on it, ALL passwords should be changed immediately, including those used for email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breech.

• More info can be found here:
• How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
• What Should I Do If I've Become A Victim Of Identity Theft?
• Identity Theft Victims Guide - What to do

Though the Trojan has been identified and can be killed, because of it's Backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS.

• If you choose to Re-Format and Re-Install, see these links for instructions:
• When should I re-format? How should I reinstall?
• Help: I Got Hacked. Now What Do I Do?
• Where to draw the line? When to recommend a format and reinstall?

We can attempt to clean this machine but we CANNOT guarantee that it will be 100% secure afterward.

If you have decided to try and clean this computer, please follow the instructions below:

1. Please post a new DDS Log

• Click HERE and follow Step 6.
• Post the Contents of DDS.txt in a reply to this topic.
• Attach attach.txt to this topic, follow Step 8 of the above link for instructions on attaching files.

Here's the newest HiJackThis Log and a DDS Log. There are files in C\windows\temp that I am unable to delete as well.

Edited by htv8, 12 December 2009 - 09:27 AM.
Removed Word attachment because of the icons inside. ~ htv8

Hello GuruNeedsHelp,

Before we continue I just want to be sure that you have Informed the Owner of this Laptop that it IS infected with a Backdoor Trojan and that it's security has been compromised. Also that the Owner was informed of the possibility of Identity Theft due to this Infection.

Please let me know if the Owner has been informed.

1. Please Download ComboFix
Here is a Tutorial on using ComboFix: A guide and tutorial on using ComboFix

• Save it to your Desktop
• Do NOT run ComboFix yet
• Here is an alternative link to download ComboFix, if the above one is not working for you:Link 1

2. Disable Your AntiVirus and AntiSpyware Programs

• You should be able to Right-Click on the program's icon in the System Tray and get an option to shut-down/disable each program.
• These programs may interfere with our fix. We will re-enable them when we are done.

3. Double click on ComboFix.exe that you just saved to your Desktop

• Follow the prompts.
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. The Recovery Console will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• It is strongly recommended to have the Recovery Console installed on your machine before doing any malware removal.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

NOTE: If the Microsoft Windows Recovery Console is already installed, you will not receive a prompt from ComboFix regarding the Recovery Console.

• Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  
  

  

• Click on Yes, to continue scanning for malware.
  
• When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

4. Re-enable Your AntiVirus and AntiSpyware Programs That You Disabled in Step 2.

5. What I need in Your Next Reply:

• ComboFix.txt

Doc.

I cannot get Combofix.exe to run. I have disabled the antivirus software on the computer temporarily. When I double click the icon to run the program, the windows security window pops up asking me if I want to run this software, ao I click "run", but nothing happens. I have even tried restarting the computer. Any suggestions?

Here is the Combofix log, but I was unable to disable the antivirus on the computer. I did everything in my power to shut everything down without uninstalling it. What's the next step?

Hello GuruNeedsHelp,

FYI: Do NOT run ComboFix until I say that it is OK to do so. The developer is resolving an issue and has pulled Combofix for now.

Please download OTL and save it to your desktop

• Double click on the icon on your desktop.
• Copy and Paste the following code into the textbox. Do not include the word "Code"
  

  :Files
  c:\windows\system32\fahapera.dll
  c:\windows\system32\fiyobubi.dll
  c:\windows\system32\gajukilu.dll
  c:\windows\system32\hiduhozo.dll
  c:\windows\system32\lagoguze.dll
  c:\windows\system32\nabukeyu.dll
  c:\windows\system32\nomifeyi.dll.tmp
  c:\windows\system32\sesotoja.dll
  c:\windows\system32\sirifiwi.dll
  c:\windows\system32\sivotumo.dll.tmp
  c:\windows\system32\vamibedi.dll
  c:\windows\system32\wegahuwe.dll
  c:\windows\system32\wejuwava.dll.tmp
  c:\windows\system32\yulejoka.dll
  
  :Reg
  [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{83e08f49-985c-4a01-b5af-054b7f717e2a}]
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "rukokuzek"=-
  [hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
  "{f9e99de0-2f19-4263-885c-2772580acb9c}"=-
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
  "denudayeb"=-
  [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
  "DisableMonitoring"=dword:00000000

• Push
• A report will open. Copy and Paste that report in your next reply.