
Cannot run MBAM, Rkill or Combo Fix - all .exe not responding


This topic is locked
83 replies to this topic

#1 JCONTELL

Posted 15 November 2009 - 09:26 PM

Original issue: internet address bar redirects to xxxxxxxxx. Tried recommended malware removal @ http://www.bleepingcomputer.com/virus-remo...s-antivirus-pro - Cannot run MBAM - .exe error, desktop icon endless search flashlight - after reading further posts tried "rkill" receiving "logon.exe Another program is currently using this file". Ran COMBO FIX - "date error: 2009-11-15". HELP - keep getting porn.com pop ups - which would be entertaining if this was not the family computer!

Edited to remove dangerous link!

Edited by thcbytes, 15 November 2009 - 09:47 PM.



#2 thcbytes (Malware Response Team)

Posted 15 November 2009 - 09:43 PM

Hi and welcome to the HijackThis Logs and Virus/Trojan/Spyware/Malware Removal forum,

I am thcbytes and I am here to help you!

I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please perform all steps in the order received and do not proceed if you need clarification.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!

==========

You have tried to run Combofix unsupervised.....this is ill advised!!

:( This is a complex and powerful tool that should not be used except under the supervision and direction of a malware expert. It can and will render your computer unbootable permanently!! Also realize that in most circumstances a single run of Combofix is ineffective. Specialized scripts will be written specifically directing this program to clean-up based on your logs!! :(

==========

Download and run Win32kDiag:

Next......


Download and run a batch file (peek.bat):
  • Download peek.bat from the download link below and save it to your Desktop.
  • Double-click peek.bat to run it. A black Command Prompt window will appear shortly: the program is running. If you are using Vista please right click and run as Admin!
  • Once it is finished, copy and paste the entire contents of the Log.txt file it creates as a reply to this post.
==========

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under "Extra Registry" please check "Use Safelist" and also check "LOP Check" and "Purity Check" as pictured.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
==========

Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.

==========

With your next post please provide:

* What is your OS? XP, Vista or W7?
* Win32kDiag.txt
* Log.txt
* OTL.txt
* Extra.txt

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 JCONTELL (Topic Starter)

Posted 16 November 2009 - 12:15 PM

I'm able to save WIN32KDIAG, PEEK.BAT AND OTL to my desktop however, when I double click on the icon I receive a SECURITY WARNING: APPLICATION CANNOT BE EXECUTED. THE FILE WIN32KDIAG.EXE IS INFECTED. DO YOU WANT TO ACTIVATE YOUR ANTIVIRUS SOFTWARE NOW? The same warning repeats for CMD.EXE and OTL.EXE. Any suggestions?

#4 JCONTELL (Topic Starter)

Posted 16 November 2009 - 12:28 PM

Operating system is XP.

#5 thcbytes (Malware Response Team)

Posted 16 November 2009 - 02:56 PM

It is a fake warning.

Try this.......

Right click and delete everything I had you download!

RKill by Grinler

Link #1
Link #2
Link #3
Link #4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Download Link #1.
  • Save it to your Desktop.
  • Double click the RKill desktop icon.
    If you are using Vista please right click and run as Admin!
  • A black screen will briefly flash indicating a successful run.
  • If this does not occur please delete that application and download Link #2.
  • Continue process until the tool runs.
  • If the tool does not run from any of the links tell me about it.
==========

Download and run Win32kDiag:

Next......


Download and run a batch file (peek.bat):
  • Download peek.bat from the download link below and save it to your Desktop.
  • Double-click peek.bat to run it. A black Command Prompt window will appear shortly: the program is running. If you are using Vista please right click and run as Admin!
  • Once it is finished, copy and paste the entire contents of the Log.txt file it creates as a reply to this post.
==========

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under "Extra Registry" please check "Use Safelist" and also check "LOP Check" and "Purity Check" as pictured.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
==========

With your next post please provide:

* Win32kDiag.txt
* Log.txt
* OTL.txt
* Extra.txt

Kind regards,
~t

#6 JCONTELL (Topic Starter)

Posted 16 November 2009 - 06:21 PM

Sending this message from my laptop. The infected computer keeps redirecting to other sites when I try to reply. I think the RKill ran successfully. I'm attaching the information you requested in 3 parts....is there any hope? Thanks so very, very much for your help!

Attached Files



#7 JCONTELL (Topic Starter)

Posted 16 November 2009 - 06:27 PM

Cannot fit the rest - I have 2 additional attachments - Both less than 512k.

#8 thcbytes (Malware Response Team)

Posted 16 November 2009 - 11:50 PM

Do this please.........

Re-run RKill.

==========

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

==========

Download and Run ComboFix (by sUBs)

You must rename it before saving it.


Please download ComboFix from one of these locations:

Link 1
Link 2

Save thcbytes.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click on thcbytes.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


==========

With your next post please provide:

* Please try to copy and paste all your logs directly into your reply
* Exehelper log
* Combofix.txt

Kind regards,
~t

#9 JCONTELL (Topic Starter)

Posted 17 November 2009 - 12:51 PM

exeHelper by Raktor
Build 20091021
Run at 11:49:40 on 11/17/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Deleting file C:\WINDOWS\system32\sdra64.exe
Error deleting C:\WINDOWS\system32\sdra64.exe
Deleting file C:\WINDOWS\system32\41.exe
Deleting file C:\WINDOWS\system32\critical_warning.html
Deleting file C:\WINDOWS\system32\logon.exe
Error deleting C:\WINDOWS\system32\logon.exe
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

#10 JCONTELL (Topic Starter)

Posted 17 November 2009 - 12:58 PM

WHEN RUNNING COMBO FIX REC'D "DATE ERROR: 2009-11-17 CHECK YOUR SETTINGS"

#11 thcbytes (Malware Response Team)

Posted 17 November 2009 - 03:54 PM

Please do this.....

Right click the time in the lower right corner of your computer screen. Choose Adjust Date and Time. Please report the Date, Time and Time Zone there please.

==========

Re-run RKill

==========

Re-Run Exehelper

==========

Right click and delete your current copy of Combofix.

Try again.......

Download and Run ComboFix (by sUBs)

You must rename it before saving it.


Please download ComboFix from one of these locations:

Link 1
Link 2

Save thcbytes.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click on thcbytes.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


==========

With your next post please provide:

* Exehelper log
* Combofix.txt

Kind regards,
~t

#12 JCONTELL (Topic Starter)

Posted 17 November 2009 - 05:18 PM

ComboFix 09-11-18.04 - Owner 11/17/2009 15:35.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.460 [GMT -6:00]
Running from: c:\documents and settings\Owner.JENNIFER\Desktop\thcbytes.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\ccu.exe
c:\documents and settings\All Users\Application Data\Macromedia\SwUpdate\swUPdate.dll
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Owner.JENNIFER\Local Settings\Application Data\hmjiqe
c:\documents and settings\Owner.JENNIFER\Local Settings\Application Data\hmjiqe\onalsysguard.exe
c:\program files\AdvancedVirusRemover
c:\recycler\S-1-5-21-4113106700-3010314447-797038581-500
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\kb913800.exe
c:\windows\system32\18467.exe
c:\windows\system32\6334.exe
c:\windows\system32\babetafu.dll
c:\windows\system32\basimosi.dll
c:\windows\system32\bezogebu.dll
c:\windows\system32\debirawa.dll
c:\windows\system32\dekikode.dll
c:\windows\system32\diwajame.dll
c:\windows\system32\dodowato.dll
c:\windows\system32\dugagubo.dll
c:\windows\system32\fimujavo.dll
c:\windows\system32\firorako.dll
c:\windows\system32\folosizo.dll
c:\windows\system32\funamazi.dll
c:\windows\system32\fupuvuyu.dll.tmp
c:\windows\system32\fusegofe.dll.tmp
c:\windows\system32\guhuyama.dll.tmp
c:\windows\system32\guvuzefo.dll
c:\windows\system32\hakososu.dll
c:\windows\system32\heniloza.dll.tmp
c:\windows\system32\iehelper.dll
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
c:\windows\system32\joyikeza.dll
c:\windows\system32\jugigujo.dll.tmp
c:\windows\system32\jujeyamo.dll.tmp
c:\windows\system32\kiyopole.dll
c:\windows\system32\kumudoze.dll.tmp
c:\windows\system32\livugafo.dll
c:\windows\system32\logon.exe
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\mewivadi.dll
c:\windows\system32\mobahibe.dll
c:\windows\system32\mokejudu.dll
c:\windows\system32\mopolora.dll.tmp
c:\windows\system32\mujinoli.dll
c:\windows\system32\nameveli.dll
c:\windows\system32\notabuga.dll
c:\windows\system32\paguzumo.dll
c:\windows\system32\peloluna.dll
c:\windows\system32\pinayeze.dll
c:\windows\system32\piwiruje.dll
c:\windows\system32\rademoko.dll
c:\windows\system32\refomoyo.dll
c:\windows\system32\renawevu.dll.tmp
c:\windows\system32\rujumogi.dll
c:\windows\system32\sayijera.dll.tmp
c:\windows\system32\sdra64.exe
c:\windows\system32\selohuno.dll
c:\windows\system32\sepobehe.dll
c:\windows\system32\siwehade.dll
c:\windows\system32\sofewazi.dll
c:\windows\system32\sudenupu.dll
c:\windows\system32\sulerobu.dll.tmp
c:\windows\system32\surejopa.dll
c:\windows\system32\totimita.dll
c:\windows\system32\vedihome.dll
c:\windows\system32\vehemonu.dll
c:\windows\system32\vuyogevo.dll
c:\windows\system32\wafopadu.dll
c:\windows\system32\wiyisili.dll
c:\windows\system32\wobeweke.dll
c:\windows\system32\wurigepo.dll
c:\windows\system32\yebinovu.dll
c:\windows\system32\yigutizo.dll
c:\windows\system32\zebekeli.dll
c:\windows\system32\zijuguja.dll
c:\windows\system32\zilegove.dll.tmp
c:\windows\system32\zizatuje.dll
c:\windows\system32\zotubiyi.dll
c:\windows\system32\zozefebe.dll
c:\windows\Tasks\ktgdzrtx.job
D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://77.74.48.111
.

#13 JCONTELL (Topic Starter)

Posted 17 November 2009 - 05:21 PM

((((((((((((((((((((((((( Files Created from 2009-10-17 to 2009-11-17 )))))))))))))))))))))))))))))))
.

2009-11-17 21:44 . 2009-11-17 21:45 -------- d-----w- c:\windows\LastGood
2009-11-15 23:15 . 2009-11-15 23:15 -------- d-----w- C:\SDFix
2009-10-28 14:33 . 2009-10-28 14:33 -------- d-----w- c:\documents and settings\Owner.JENNIFER\Application Data\AVG8
2009-10-25 22:59 . 2009-10-25 22:59 24576 ----a-w- c:\documents and settings\All Users\Application Data\iPass\vmmonitor.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-16 01:09 . 2009-09-17 11:41 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-16 01:07 . 2009-09-07 01:03 -------- d-----w- c:\program files\Full Tilt Poker
2009-11-16 01:06 . 2006-05-22 05:31 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-25 22:59 . 2007-10-23 18:57 -------- d-----w- c:\documents and settings\All Users\Application Data\iPass
2009-10-15 17:18 . 2009-10-10 02:27 -------- d-sh--w- c:\documents and settings\All Users\Application Data\0cca759
2009-10-13 21:09 . 2009-01-05 00:19 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-13 17:53 . 2009-06-28 20:28 589824 ----a-w- c:\documents and settings\Owner.JENNIFER\Application Data\My Sam's Club Digital Photo Center\1C64-EC47-1438-983D_6279\DVDRProX.dll
2009-09-27 23:23 . 2007-09-27 22:22 -------- d-----w- c:\program files\PokerStars.NET
2009-09-25 05:37 . 2005-01-09 23:48 667136 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:37 . 2005-01-09 23:48 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-21 20:00 . 2009-09-21 20:00 -------- d-----w- c:\program files\Coupons
2009-09-17 13:12 . 2005-01-10 01:26 56480 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-11 14:18 . 2005-01-09 23:48 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2005-01-09 23:48 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:00 . 2005-01-09 23:49 247326 ----a-w- c:\windows\system32\strmdll.dll
2007-10-23 18:57 . 2007-10-23 18:57 25711936 ----a-w- c:\program files\ipass & NortelVPNClient & TunnelGuard.EXE
2007-10-23 18:47 . 2007-10-23 18:47 14915347 ----a-w- c:\program files\McAfeeHome7.EXE
2009-08-14 03:24 . 2009-08-14 03:24 89600 --sha-w- c:\windows\system32\gajapuda.dll
2009-08-13 15:24 . 2009-08-13 15:24 51200 --sha-w- c:\windows\system32\himurovu.dll
2009-08-14 03:24 . 2009-08-14 03:24 51200 --sha-w- c:\windows\system32\megidizu.dll
2009-08-14 15:25 . 2009-08-14 15:25 89088 --sha-w- c:\windows\system32\powilisu.dll
2009-08-15 14:55 . 2009-08-15 14:55 89600 --sha-w- c:\windows\system32\sezerabo.dll
2009-08-14 03:25 . 2009-08-14 03:25 51200 --sha-w- c:\windows\system32\sogidona.dll
2009-08-16 15:11 . 2009-08-16 15:11 91136 --sha-w- c:\windows\system32\tadebava.dll
2009-08-14 15:25 . 2009-08-14 15:25 61440 --sha-w- c:\windows\system32\tiwihasi.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5448e61a-7de6-4d1e-9422-042f91ac1359}]
2009-08-14 03:25 51200 --sha-w- c:\windows\system32\sogidona.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-25 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-08-30 29744]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-18 7204864]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-09-18 86016]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"CamMonitor"="c:\program files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe" [2002-10-07 90112]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-12-11 286720]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2003-09-29 81990]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2003-09-10 135251]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]
"PrintScreen"="c:\program files\Countrywide\Bprint.exe" [2007-02-06 138240]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"D-Link D-Link Wireless N DWA-130"="c:\program files\D-Link\D-Link Wireless N DWA-130\AirNCFG.exe" [2008-03-20 1675264]
"kesetotev"="c:\windows\system32\tadebava.dll" [2009-08-16 91136]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-09-18 1519616]
"CHotkey"="zHotkey.exe" - c:\windows\zHotkey.exe [2004-12-09 550912]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-08 61952]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2005-09-14 14820864]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

c:\documents and settings\Owner.JENNIFER\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2008-1-13 344064]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Auto Detect.lnk - c:\program files\iConcepts Music Express\MEAutoDetect.exe [2007-12-16 270336]
BigFix.lnk - c:\program files\BigFix\bigfix.exe [2006-5-21 2168360]
Digital Lifeline.lnk - c:\program files\Digital Lifeline\bin\mpbtn.exe [2006-8-11 172032]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-4 176128]
KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423]
TunnelGuard Tray Monitor.lnk - c:\windows\Installer\{5650A422-0789-473F-B2C7-6C3D10CC9FFB}\Icon079d381e2.exe [2007-10-23 8192]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{03704304-42d8-4057-8a7d-60fd214396d8}"= "c:\windows\system32\tadebava.dll" [2009-08-16 91136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"yipovemah"= {03704304-42d8-4057-8a7d-60fd214396d8} - c:\windows\system32\tadebava.dll [2009-08-16 91136]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Nortel Networks\\TunnelGuard\\platforms\\win32\\TGIconApp.EXE"=
"c:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=

R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [10/23/2007 12:59 PM 24521]
R3 mgau;mgau;c:\windows\system32\drivers\mgaum.sys [10/22/2008 1:01 PM 320384]
R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [6/10/2009 10:40 AM 560896]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [5/21/2006 11:38 PM 29744]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [10/23/2007 12:59 PM 155216]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 20:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://home.suddenlink.net/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
Trusted Zone: cwinsider.com\www
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {0AA2D4B3-27C3-42CB-B671-8B6CF97AE4FE} - hxxps://www.cwinsider.com/cwi/frntd/advantedge/TSAEButn.cab
DPF: {2797548A-1E33-4717-A979-586A8539415F} - hxxps://ioriginateb.countrywide.com/NXF/Accelerator/Accelerator.cab
DPF: {413D6754-BFD4-47FE-9346-319559290BFA} - hxxps://www.webpcfos.com/webpcfos/websabre/HTEweb_new.cab
DPF: {7114683A-020D-4D16-80FD-6ACE384B66DF} - hxxps://ive.cwinsider.com:11002/fpspr70.cab
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-rscpyrya - c:\documents and settings\Owner.JENNIFER\Local Settings\Application Data\hmjiqe\onalsysguard.exe
HKLM-Run-MotiveMonitor - c:\program files\Motive\AsstCommon\motmon.exe
HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
HKLM-Run-rscpyrya - c:\documents and settings\Owner.JENNIFER\Local Settings\Application Data\hmjiqe\onalsysguard.exe
HKLM-Run-hofesavega - zozefebe.dll
SharedTaskScheduler-{f5d2935a-b21f-4f50-8ad3-4551f1259745} - c:\windows\system32\sufakuyi.dll
SharedTaskScheduler-{005c13ed-4303-49af-87fd-52eb340aad8a} - c:\windows\system32\dabujehi.dll
SharedTaskScheduler-{742a2333-eed6-46f2-a4b0-a99c9efa0c0d} - c:\windows\system32\dabujehi.dll
SharedTaskScheduler-{09b1bc7b-808c-49f9-aa93-51ba45adcf5b} - c:\windows\system32\dabujehi.dll
SSODL-zifetuziz-{f5d2935a-b21f-4f50-8ad3-4551f1259745} - c:\windows\system32\sufakuyi.dll
SSODL-beleyupok-{005c13ed-4303-49af-87fd-52eb340aad8a} - c:\windows\system32\dabujehi.dll
SSODL-fulijoduw-{742a2333-eed6-46f2-a4b0-a99c9efa0c0d} - c:\windows\system32\dabujehi.dll
SSODL-rijuzuyod-{09b1bc7b-808c-49f9-aa93-51ba45adcf5b} - c:\windows\system32\dabujehi.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-17 15:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\wuauclt.exe.wusetup.177343.bak 51224 bytes executable
c:\windows\system32\wuaueng.dll.wusetup.180750.bak 1809944 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(5996)
c:\docume~1\OWNER~1.JEN\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\tadebava.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\Network Associates\VirusScan\mcshield.exe
c:\program files\Network Associates\VirusScan\vstskmgr.exe
c:\progra~1\NETWOR~1\COMMON~1\naPrdMgr.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Nortel Networks\TunnelGuard\CueAgent_srv.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\program files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
c:\windows\eHome\ehmsas.exe
c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
c:\program files\Nortel Networks\TunnelGuard\platforms\win32\TGIconApp.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-11-17 15:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-17 21:54

Pre-Run: 167,207,788,544 bytes free
Post-Run: 168,151,982,080 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 08E50833DD392101A26BF11B87B4AEEC

#14 JCONTELL

JCONTELL
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  • Local time:11:23 AM

Posted 17 November 2009 - 05:23 PM

xeHelper by Raktor
Build 20091021
Run at 11:49:40 on 11/17/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Deleting file C:\WINDOWS\system32\sdra64.exe
Error deleting C:\WINDOWS\system32\sdra64.exe
Deleting file C:\WINDOWS\system32\41.exe
Deleting file C:\WINDOWS\system32\critical_warning.html
Deleting file C:\WINDOWS\system32\logon.exe
Error deleting C:\WINDOWS\system32\logon.exe
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

exeHelper by Raktor
Build 20091021
Run at 15:07:07 on 11/17/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Deleting file C:\WINDOWS\system32\sdra64.exe
Error deleting C:\WINDOWS\system32\sdra64.exe
Deleting file C:\WINDOWS\system32\logon.exe
Error deleting C:\WINDOWS\system32\logon.exe
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

#15 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:23 PM

Posted 17 November 2009 - 10:12 PM

Well done. :(

Your computer was seriously infected!!!! What antivirus software do you use? Please remember to only do as I ask until I give you the all clear.

You should know.......

One or more of the identified infections is a Backdoor trojan/Rootkit.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If after careful consideration you have decided to move forward with cleanup then please proceed as I have outlined below.

==========

:( Warning: This script was specifically written and designed for this user only. Unsupervised use of this tool could render your computer unbootable permanently!! :)

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\gajapuda.dll
c:\windows\system32\himurovu.dll
c:\windows\system32\megidizu.dll
c:\windows\system32\powilisu.dll
c:\windows\system32\sezerabo.dll
c:\windows\system32\sogidona.dll
c:\windows\system32\tadebava.dll
c:\windows\system32\tiwihasi.dll

Folder::
c:\program files\Coupons

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5448e61a-7de6-4d1e-9422-042f91ac1359}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kesetotev"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{03704304-42d8-4057-8a7d-60fd214396d8}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"yipovemah"=-


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

==========

Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please copy/paste the contents of that document in your next reply.

==========

Please go to start => Run => Copy and paste the bold line in the run-box and click OK:

"C:\Qoobox\Add-Remove Programs.txt"

A text file opens up, copy and paste the content to your reply.

==========

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
==========

With your next post please provide:

* Answer question
* Combofix.txt
* Add/Remove log
* Security Check log
* ESET log

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/
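The ComboFix log earlier in this thread is read by hand: the helper looks at the orphaned Run-key, SharedTaskScheduler and SSODL entries and at the DLLs loaded into explorer.exe, and picks out the ones that do not belong. The script below is an added example (not a BleepingComputer, ComboFix or exeHelper tool) that automates that first triage pass over log lines in the same shape as the ones posted above. The sample input is constructed from this thread's log; the red-flag rules (a Run entry under a user's Local Settings\Application Data folder, a DLL named without a path, the SharedTaskScheduler/SSODL shell load points, and the eight-lowercase-letter file names in system32 seen here) are heuristics I am assuming for the example, not rules from the tools themselves.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the ComboFix log posted in this thread:
# orphaned autostart entries plus the DLLs loaded under explorer.exe.
SAMPLE_LOG = r"""
- - - - ORPHANS REMOVED - - - -

HKCU-Run-rscpyrya - c:\documents and settings\Owner.JENNIFER\Local Settings\Application Data\hmjiqe\onalsysguard.exe
HKLM-Run-MotiveMonitor - c:\program files\Motive\AsstCommon\motmon.exe
HKLM-Run-hofesavega - zozefebe.dll
SharedTaskScheduler-{f5d2935a-b21f-4f50-8ad3-4551f1259745} - c:\windows\system32\sufakuyi.dll
SSODL-zifetuziz-{f5d2935a-b21f-4f50-8ad3-4551f1259745} - c:\windows\system32\sufakuyi.dll

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(5996)
c:\docume~1\OWNER~1.JEN\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\tadebava.dll
"""

# "<load point>-<value name> - <target>" lines from the ORPHANS section.
ENTRY_RE = re.compile(
    r"^(?P<kind>HK(?:LM|CU)-Run|SharedTaskScheduler|SSODL)-(?P<name>.+?) - (?P<target>.+)$"
)
# "- - - - - - - > 'process.exe'(pid)" headers from the loaded-DLL section.
PROCESS_RE = re.compile(r"^- - - - - - - > '(?P<proc>[^']+)'\((?P<pid>\d+)\)$")
# Profile/temp folders a normal user can write to (lower-cased substrings).
USER_WRITABLE = ("\\local settings\\application data\\", "\\temp\\", "\\application data\\")


@dataclass
class Finding:
    kind: str            # load point, or "LoadedDLL" for an injected module
    name: str            # value name / GUID, or the host process for a DLL
    target: str          # the file the entry points at
    reasons: list = field(default_factory=list)


def assess_target(kind, target):
    """Return the list of red flags that apply to one entry (heuristics, assumed)."""
    reasons = []
    low = target.lower()
    if "\\" not in low and low.endswith(".dll"):
        reasons.append("DLL referenced by bare name (resolved via search path)")
    if any(marker in low for marker in USER_WRITABLE):
        reasons.append("runs from a user-writable profile/temp location")
    if kind in ("SharedTaskScheduler", "SSODL"):
        reasons.append("shell load point rarely used by legitimate software")
    stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if "\\system32\\" in low and re.fullmatch(r"[a-z]{8}", stem):
        reasons.append("random-looking 8-letter file name in system32 (heuristic)")
    return reasons


def triage(log_text):
    """Parse ComboFix-style lines and return only the entries that raise a flag."""
    findings = []
    current_proc = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROCESS_RE.match(line)
        if m:
            current_proc = m.group("proc")      # following .dll lines belong to it
            continue
        m = ENTRY_RE.match(line)
        if m:
            current_proc = None
            kind, name, target = m.group("kind", "name", "target")
        elif current_proc and line.lower().endswith(".dll"):
            kind, name, target = "LoadedDLL", current_proc, line
        else:
            continue                            # section banners and other noise
        reasons = assess_target(kind, target)
        if reasons:
            findings.append(Finding(kind, name, target, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.name} -> {f.target}")
        for r in f.reasons:
            print(f"    - {r}")
```

Running it on the sample flags six entries and leaves the MotiveMonitor Run value alone; the output is a shortlist to research, not a verdict, which is why each flag carries its reason.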



