
Malware Infection

  • This topic is locked
2 replies to this topic

#1 halopk


  • Members
  • 3 posts
  • Local time:02:48 AM

Posted 30 November 2009 - 02:30 PM

Hello everyone, I'll go ahead and explain what's happened so far.

About 6 days ago I was browsing for some D2 serials and came to a site that froze my browser and reset my computer.
I didn't think anything of it at first, and no, I don't remember the site name, sorry =/

Anyways, that's how it happened, I believe. Here is the problem.
I do now know I'm infected; 6 days earlier Malwarebytes' Anti-Malware 1.41 wouldn't find anything.
Now last night, here is the log:

Malwarebytes' Anti-Malware 1.41
Database version: 3260
Windows 5.1.2600 Service Pack 2

11/30/2009 12:17:34 AM
mbam-log-2009-11-30 (00-17-34).txt

Scan type: Quick Scan
Objects scanned: 120601
Time elapsed: 6 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\gahehuje.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\udcgii.dll (Malware.Packer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sterling\Local Settings\Temp\udcgii.dll (Malware.Packer) -> Quarantined and deleted successfully.

My thought is it's just new stuff, but I'm really disliking the slow side effects + blue screens.
If anyone could please help, I'm asking on my knees.

Oh, and I tried doing a full scan and it blue screens me about halfway, just a heads up. I haven't tried since I deleted those 3 things. I've done nothing since that :D

EDIT: Forgot to add things from the past.

I did get infected with Security Tool and think I had gotten it fully removed, but just in case not, that was on my computer.
Some negative things are still happening on my computer, like not being able to boot into safe mode. I couldn't use System Restore till I removed the admin lock via registry edit.
It didn't help anyway; all my older saves were deleted. Um, what else... Oh yeah, I had Kaspersky Internet Security 2009 on my computer. It went fubar after as well. On startup it wasn't allowed to start; I got access violation errors. I had to completely remove KIS from my computer to boot with more than 95% CPU. If I think of anything else I'll add it here!

Sorry, I forgot some logs.

I have RootRepeal running now but I got the other stuff.
EDIT: RootRepeal finished and came up with some stuff I'm not happy about =/ I hear rootkits are a pain.
Anyhow, I added the attachments below.

DDS (Ver_09-11-29.01) - NTFSx86
Run by Sterling at 11:57:57.26 on Mon 11/30/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.573 [GMT -8:00]

FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:WINDOWSsystem32svchost -k DcomLaunch
C:WINDOWSSystem32svchost.exe -k netsvcs
C:Program FilesBonjourmDNSResponder.exe
C:Program FilesCreativeSBAudigy2ZSSurround MixerCTSysVol.exe
C:Program FilesInternet Exploreriexplore.exe
C:Program FilesInternet Exploreriexplore.exe
C:Program FilesInternet Exploreriexplore.exe
C:Documents and SettingsSterlingDesktopdds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://hebnetfinder.com
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
mSearchAssistant = hxxp://www.google.com
uURLSearchHooks: N/A: {0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2} - c:program filesasksbarsrchastt1.binA2SRCHAS.DLL
mWinlogon: UIHost=c:documents and settingsall usersapplication datatuneup softwaretuneup utilitieswinstylertu_logonui.exe
BHO: Ask Search Assistant BHO: {0579b4b1-0293-4d73-b02d-5ebb0ba0f0a2} - c:program filesasksbarsrchastt1.binA2SRCHAS.DLL
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:program fileswindows live toolbarmsntb.dll
BHO: 1 (0x1) - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: Ask Toolbar: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:program filesasksbarbar1.binASKSBAR.DLL
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:program fileswindows live toolbarmsntb.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [rundll32] c:windowssystem32rundll32.exe c:docume~1sterling
uRun: [ctfmon.exe] c:windowssystem32ctfmon.exe
mRun: [CTSysVol] c:program filescreativesbaudigy2zssurround mixerCTSysVol.exe /r
mRun: [SBDrvDet] c:program filescreativesb drive detSBDrvDet.exe /r
mRun: [NvCplDaemon] RUNDLL32.EXE c:windowssystem32NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:windowssystem32NvMcTray.dll,NvTaskbarInit
mRun: [KernelFaultCheck] %systemroot%system32dumprep 0 -k
mRun: [Malwarebytes Anti-Malware (reboot)] "c:program filesmalwarebytes' anti-malwareK0Z0Q1rLP.exe" /runcleanupscript
mPolicies-system: EnableLUA = 0 (0x0)
IE: &Windows Live Search - c:program fileswindows live toolbarmsntb.dll/search.htm
IE: Add to Banner Ad Blocker - c:program fileskaspersky labkaspersky internet security 2009ie_banner_deny.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Download all with Free Download Manager - file://c:program filesfree download managerdlall.htm
IE: Download selected with Free Download Manager - file://c:program filesfree download managerdlselected.htm
IE: Download video with Free Download Manager - file://c:program filesfree download managerdlfvideo.htm
IE: Download with Free Download Manager - file://c:program filesfree download managerdllink.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:program filesmessengermsmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:program filesjavajre1.6.0_07binssv.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:program fileswindows livewriterWriterBrowserExtension.dll
DPF: {038E2507-7A48-41E2-94AD-7F23D199AF4E} - hxxp://www.worldwinner.com/games/v54/zengems/zengems.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} - hxxp://www.worldwinner.com/games/v47/shared/FunGamesLoader.cab
DPF: {1D082E71-DF20-4AAF-863B-596428C49874} - hxxp://www.worldwinner.com/games/v50/tpir/tpir.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-
DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} - hxxp://www.worldwinner.com/games/v63/bjattack/bja.cab
DPF: {64CD313F-F079-4D93-959F-4D28B5519449} - hxxp://www.worldwinner.com/games/v56/jeopardy/jeopardy.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} - hxxp://www.worldwinner.com/games/v57/wof/wof.cab
DPF: {BA35B9B8-DE9E-47C9-AFA7-3C77E3DDFD39} - hxxp://www.worldwinner.com/games/v46/monopoly/monopoly.cab
DPF: {C5326A4D-E9AA-40AD-A09A-E74304D86B47} - hxxp://www.worldwinner.com/games/v52/dinerdash/dinerdash.cab
DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} - hxxp://www.worldwinner.com/games/v49/familyfeud/familyfeud.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} - hxxp://www.worldwinner.com/games/v53/h2hpool/h2hpool.cab
AppInit_DLLs: vivodiha.dll c:windowssystem32wazuhope.dll
SSODL: lenakotah - {49375b42-1783-46be-b627-8ddc1dd1f66f} - No File
STS: {49375b42-1783-46be-b627-8ddc1dd1f66f} - No File
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
LSA: Notification Packages = scecli sagimame.dll

================= FIREFOX ===================

FF - ProfilePath - c:docume~1sterlingapplic~1mozillafirefoxprofilespcwdg0oo.default
FF - component: c:program filesfree download managerfirefoxextensioncomponentsvmsfdmff.dll
FF - plugin: c:documents and settingssterlinglocal settingsapplication datagoogleupdate1.2.183.13npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:windowsmicrosoft.netframeworkv3.5windows presentation foundationdotnetassistantextension

FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
c:program filesmozilla firefoxgreprefssecurity-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;c:windowssystem32driversSI3112r.sys [2002-3-10 89610]
R1 SASDIFSV;SASDIFSV;c:program filessuperantispywaresasdifsv.sys [2008-5-28 8944]
R1 SASKUTIL;SASKUTIL;c:program filessuperantispywareSASKUTIL.SYS [2008-5-28 55024]
R2 PfDetNT;PfDetNT;c:windowssystem32driverspfmodnt.sys [2008-8-16 15840]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:windowssystem32driversklim5.sys [2008-4-30 24592]
S2 Ias;Network Security;c:windowssystem32svchost.exe -k netsvcs [2004-8-4 14336]
S3 autorun;autorun;??c:huadio.tmp --> c:huadio.tmp [?]
S3 DAEDriver54;DAEDriver54;c:windowssoftwaredistributiondatastorelogsdak32.sys [2008-10-30 29696]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:program filesdragon agebin_shipdaupdatersvc.service.exe --> c:program filesdragon agebin_shipDAUpdaterSvc.Service.exe [?]
S3 dump_wmimmc;dump_wmimmc;??c:program filessoftnyxgunboundwcgameguarddump_wmimmc.sys --> c:program filessoftnyxgunboundwcgameguarddump_wmimmc.sys [?]
S3 FAELZZZ;FAELZZZ;??c:documents and settingssterlingdesktopgggggggggg.sys --> c:documents and settingssterlingdesktopgggggggggg.sys [?]
S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;??c:documents and settingssterlingdesktopengine rev. 1316 + cts gc-usamoney1299.sys --> c:documents and settingssterlingdesktopengine rev. 1316 + cts gc-usaMoney1299.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:windowssystem32gamemon.des -service --> c:windowssystem32GameMon.des -service [?]
S3 Revolution1;Revolution1;??c:documents and settingssterlingdesktopgunbounddk haxshak3.sys --> c:documents and settingssterlingdesktopgunbounddk haxSHAK3.sys [?]
S3 SASENUM;SASENUM;c:program filessuperantispywareSASENUM.SYS [2008-5-28 7408]
S3 StarBurst1;StarBurst1;??c:starburstenginezstarburst enginestarburst32.sys --> c:starburstenginezstarburst engineStarBurst32.sys [?]

=============== Created Last 30 ================

2009-11-23 08:56:50 26176 ---ha-w- c:windowssystem32hamachi.sys
2009-11-19 00:03:16 61440 ----a-w- c:windows00.gis2
2009-11-18 08:23:54 0 d-----w- C:ijji
2009-11-18 08:00:22 515416 ----a-w- c:windowssystem32XAudio2_5.dll
2009-11-18 08:00:21 238936 ----a-w- c:windowssystem32xactengine3_5.dll
2009-11-18 08:00:20 1974616 ----a-w- c:windowssystem32D3DCompiler_42.dll
2009-11-18 08:00:18 5501792 ----a-w- c:windowssystem32d3dcsx_42.dll
2009-11-18 08:00:18 235344 ----a-w- c:windowssystem32d3dx11_42.dll
2009-11-18 08:00:17 453456 ----a-w- c:windowssystem32d3dx10_42.dll
2009-11-18 08:00:16 1892184 ----a-w- c:windowssystem32D3DX9_42.dll
2009-11-18 07:49:10 64000 ----a-w- c:windowssystem32uc_sfighters_launching.dll
2009-11-18 07:49:10 61440 ----a-w- c:windowssystem32uc_atlantica_launching.dll
2009-11-18 07:49:10 58800 ----a-w- c:windowssystem32ijjiProcessRestarter.exe
2009-11-18 07:49:10 53248 ----a-w- c:windowssystem32uc_luminary_launching.dll
2009-11-18 07:49:10 0 d-----w- c:program filesijji
2009-11-18 07:48:00 87472 ----a-w- c:windowssystem32ijjiChannelingPlugin.dll
2009-11-17 08:58:15 0 d-----w- c:program filesDragon Agezz
2009-11-17 08:58:13 0 d-----w- c:program filescommon filesBioWare
2009-11-16 21:22:06 0 d-----w- c:docume~1alluse~1applic~1BioWare
2009-11-16 21:14:11 0 d-----w- c:windowssystem32AGEIA
2009-11-16 11:33:11 0 d-----w- c:program filescommon filesWindows Live
2009-11-15 19:55:17 4932286 ------w- c:windows{00000001-00000000-00000008-00001102-00000004-20021102}.BAK
2009-11-15 01:03:15 0 d-----w- c:program filesMicrosoft Web Designer Tools
2009-11-14 18:30:29 0 d-----w- c:program filesBuild-A-Lot 4
2009-11-11 20:39:05 61440 ----a-w- c:windows00.gis1
2009-11-03 21:09:32 0 d-----w- c:program filesRockstar Games
2009-11-02 00:55:18 65536 ----a-w- c:windows00.gis9

==================== Find3M ====================

2009-11-23 10:51:37 216212 ----a-w- c:windowsDIIUnin.dat
2009-11-23 10:50:58 21840 ----atw- c:windowssystem32SIntfNT.dll
2009-11-23 10:50:58 17212 ----atw- c:windowssystem32SIntf32.dll
2009-11-23 10:50:58 12067 ----atw- c:windowssystem32SIntf16.dll
2009-11-23 10:48:05 94208 ----a-w- c:windowsDIIUnin.exe
2009-11-23 10:48:05 2829 ----a-w- c:windowsDIIUnin.pif
2009-11-16 22:58:06 95259 ----a-w- c:windowssystem32driversklick.dat
2009-11-16 22:58:06 108059 ----a-w- c:windowssystem32driversklin.dat
2009-10-31 10:07:51 249856 ------w- c:windowsSetup1.exe
2009-10-31 10:07:49 73216 ----a-w- c:windowsST6UNST.EXE
2009-09-11 14:33:52 133632 ----a-w- c:windowssystem32msv1_0.dll
2009-09-05 01:44:40 69464 ----a-w- c:windowssystem32XAPOFX1_3.dll
2009-09-04 20:45:26 58880 ----a-w- c:windowssystem32msasn1.dll
2002-03-22 09:54:27 17440 ----a-w- c:program filescommon filesywole.dat
2002-03-22 09:54:27 10563 ----a-w- c:program filescommon filesvyluzykyva.exe
2002-07-12 07:16:33 924 --sha-w- c:windowssystem32npWELkkj.ini2

============= FINISH: 11:58:25.35 ===============

Merged posts. ~ OB

Edited by Orange Blossom, 30 November 2009 - 04:53 PM.


#2 SifuMike


    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:48 AM

Posted 04 December 2009 - 02:24 PM

Hello halopk,

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Close any and all open programs, as this process may crash your computer.
  • Double click Posted Image or Posted Image on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
    Posted Image
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.


* Malwarebytes was updated today, so download, install the latest version of Malwarebytes and update it.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & Paste the entire MBAM report (even if it does not find anything) in your next reply along with a fresh DDS log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Edited by SifuMike, 04 December 2009 - 02:31 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 SifuMike


    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:48 AM

Posted 17 December 2009 - 03:10 PM

Due to inactivity, this thread will now be closed.
