
Moved from another forum to this one - powerful rootkit.


  • This topic is locked
5 replies to this topic

#1 glynnmania

glynnmania

  • Members
  • 82 posts
  • Gender:Male
  • Location:Scottsdale, AZ

Posted 08 December 2009 - 12:20 PM

Hi everyone,

I was asked to move this problem from another forum to here. Here's the link to that forum:

http://www.bleepingcomputer.com/forums/ind...p;#entry1529707

Here is my RootRepeal log:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/07 20:12
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: H8SRTipjwmioevx.sys
Image Path: C:\WINDOWS\system32\drivers\H8SRTipjwmioevx.sys
Address: 0xEBB65000 Size: 114688 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: PROCEXP113.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xF8BD7000 Size: 7872 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB3A43000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\wincert.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\config
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\H8SRTbaqpuxbqho.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\h8srtcfg.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\H8SRTepfjriqqmw.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\H8SRTmlixjxhmha.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\H8SRTovvnhfwaiy.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\curslib.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRT3936.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRT4627.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRT46a4.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRT69c7.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRT72b5.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRT74a9.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRT8fba.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRT9658.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRT9827.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRTa0f5.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRTb7fb.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRTc6e0.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRTe579.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRTe83c.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\h8srtmainqt.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Owner\Templates\curslib.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Owner\Templates\wincert.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\H8SRTipjwmioevx.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Temp\h8srtmainqt.dll
Status: Invisible to the Windows API!

Path: c:\documents and settings\owner\local settings\temp\~df2da2.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\owner\local settings\temp\~df9eea.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\35FAC6E4\background_gradient[1]
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\35FAC6E4\ErrorPageTemplate[1]
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\35FAC6E4\httpErrorPagesScripts[1]
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\35FAC6E4\bullet[1]
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\35FAC6E4\errorPageStrings[1]
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\35FAC6E4\info_48[1]
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\76DULFW6\errorPageStrings[1]
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\76DULFW6\httpErrorPagesScripts[1]
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\JAH4F6BE\info_48[1]
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\JAH4F6BE\bullet[1]
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\JAH4F6BE\background_gradient[1]
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\JAH4F6BE\down[1]
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KH4ZAOSU\down[1]
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KH4ZAOSU\http_404[1]
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KH4ZAOSU\ErrorPageTemplate[1]
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KH4ZAOSU\http_404[2]
Status: Visible to the Windows API, but not on disk.

Path: C:\Program Files\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\uhdz3yny.default\extensions\ThunderBrowse@thunderbrowse.com\chrome\style\win
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: H8SRTepfjriqqmw.dll]
Process: svchost.exe (PID: 1156) Address: 0x00e00000 Size: 65536

Object: Hidden Module [Name: H8SRTmlixjxhmha.dll]
Process: explorer.exe (PID: 3276) Address: 0x00f00000 Size: 106496

Hidden Services
-------------------
Service Name: H8SRTd.sys
Image Path: C:\WINDOWS\system32\drivers\H8SRTipjwmioevx.sys

==EOF==

Help would be great!

Thanks in advance.

When I try to upload the DDS file, here is what I get from the forum:

Error Upload failed. You are not permitted to upload this type of file

Here is the DDS log:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Owner at 10:22:09.62 on Tue 12/08/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.217 [GMT -7:00]

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {11638345-E4FC-4BEE-BB73-EC754659C5F6}
FW: Avira Firewall *disabled* {11638345-E4FC-4BEE-BB73-EC754659C5F6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Process Explorer\procexp.exe
C:\Program Files\Avira\AntiVir Desktop\avfwsvc.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\NMSSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: c:\windows\system32\ixv36hu4.dll: {b45a4b16-23f2-41ad-f4e4-00aac39c0004} - c:\windows\system32\ixv36hu4.dll
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [jirihiwol] Rundll32.exe "c:\windows\system32\devopaha.dll",a
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [calc] rundll32.exe c:\docume~1\locals~1\ntuser.dll,_IWMPEvents@0
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\firefox.lnk - c:\program files\mozilla firefox 3.6 beta 1\firefox.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\proces~1.lnk - c:\program files\process explorer\procexp.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\thunde~1.lnk - c:\program files\mozilla thunderbird 3 beta 2\thunderbird.exe
uPolicies-explorer: DisallowRun = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
LSP: c:\program files\avira\antivir desktop\avsda.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1242315739752
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1242315951830
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
TCP: {F26F3CE2-6F3D-43B5-98A5-68048C7AA494} = 193.104.110.38,4.2.2.1,192.168.0.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: fimohinu.dll c:\windows\system32\devopaha.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: setofofuj - {c90017c8-34f6-41ae-9433-3a5d3ad34d61} - No File
SSODL: dulagajaf - {f4eb4869-a8d7-4532-a687-c0cbd85671cb} - No File
SSODL: zuduresev - {2978cbee-f5c1-4a35-991d-a802c9fd145a} - No File
SSODL: potusatad - {4e3d525b-ca17-4336-8120-e7ffb54d012a} - c:\windows\system32\devopaha.dll
STS: c:\windows\system32\ixv36hu4.dll: {b45a4b16-23f2-41ad-f4e4-00aac39c0004} - c:\windows\system32\ixv36hu4.dll
STS: {c90017c8-34f6-41ae-9433-3a5d3ad34d61} - No File
STS: {f4eb4869-a8d7-4532-a687-c0cbd85671cb} - No File
STS: {2978cbee-f5c1-4a35-991d-a802c9fd145a} - No File
STS: jugezatag: {4e3d525b-ca17-4336-8120-e7ffb54d012a} - c:\windows\system32\devopaha.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli jorofudo.dll
IFEO: taskmgr.exe - "c:\program files\process explorer\PROCEXP.EXE"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\be57t3nb.default
FF - prefs.js: browser.startup.homepage - www.en.wikipedia.org
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox 3.6 beta 1\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
FF - user.js: network.http.max-persistent-connections-per-server - 4
c:\program files\mozilla firefox 3.6 beta 1\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox 3.6 beta 1\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox 3.6 beta 1\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox 3.6 beta 1\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox 3.6 beta 1\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox 3.6 beta 1\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox 3.6 beta 1\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox 3.6 beta 1\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox 3.6 beta 1\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox 3.6 beta 1\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox 3.6 beta 1\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox 3.6 beta 1\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox 3.6 beta 1\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox 3.6 beta 1\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox 3.6 beta 1\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox 3.6 beta 1\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox 3.6 beta 1\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox 3.6 beta 1\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox 3.6 beta 1\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox 3.6 beta 1\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox 3.6 beta 1\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox 3.6 beta 1\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox 3.6 beta 1\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox 3.6 beta 1\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox 3.6 beta 1\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox 3.6 beta 1\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox 3.6 beta 1\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox 3.6 beta 1\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox 3.6 beta 1\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox 3.6 beta 1\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox 3.6 beta 1\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox 3.6 beta 1\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 avfwot;avfwot;c:\windows\system32\drivers\avfwot.sys [2009-12-3 97608]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-12-3 11608]
R2 AntiVirFirewallService;Avira Firewall;c:\program files\avira\antivir desktop\avfwsvc.exe [2009-12-3 388865]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-14 55656]
R2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2009-12-4 312592]
R2 sm;SECUREMAKER driver;c:\windows\system32\drivers\sm.sys [2007-7-5 30208]
R3 avfwim;AvFw Packet Filter Miniport;c:\windows\system32\drivers\avfwim.sys [2009-12-3 69632]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2009-5-13 272128]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\avira\antivir desktop\avmailc.exe [2009-12-3 194817]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-12-3 108289]
S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-12-3 185089]
S2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\avira\antivir desktop\avwebgrd.exe [2009-12-3 434945]
S2 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\anti trojan elite\atepmon.sys --> c:\program files\anti trojan elite\ATEPMon.sys [?]
S2 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 Ias;Windows Network Provider;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]

=============== Created Last 30 ================

2009-12-08 15:08:51 2713 --sh--w- c:\windows\system32\gehufidu.exe
2009-12-08 02:24:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-08 02:24:30 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-08 02:24:30 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-08 02:17:30 0 d--h--w- c:\windows\PIF
2009-12-07 19:12:26 93184 ----a-w- c:\windows\system32\devopaha.dll
2009-12-07 19:11:43 39424 ----a-w- c:\windows\system32\zovujiwu.dll
2009-12-07 06:39:05 0 d-----w- c:\docume~1\owner\applic~1\DeviceDoctorSoftware
2009-12-07 06:39:00 0 d-----w- c:\program files\Device Doctor
2009-12-07 04:21:26 0 d-----w- C:\desktop
2009-12-06 20:39:45 120 ----a-w- c:\windows\system32\srcr.dat
2009-12-06 19:43:58 7680 ----a-w- c:\windows\47249046.exe
2009-12-06 19:43:58 4 ----a-w- c:\windows\47249046.dat
2009-12-06 13:03:47 2713 --sh--w- c:\windows\system32\sazukojo.exe
2009-12-05 19:01:48 93184 --sh--w- c:\windows\system32\hikagazu.dll
2009-12-05 07:01:32 93184 --sh--w- c:\windows\system32\zuzisoge.dll
2009-12-04 23:59:23 117 ----a-w- c:\windows\system32\scg
2009-12-04 19:01:01 53760 ----a-w- c:\windows\system32\nemudodi.dll
2009-12-04 16:24:01 0 d-----w- c:\program files\IObit
2009-12-04 09:22:29 173 ----a-w- c:\windows\system32\uses32.dat
2009-12-04 09:22:29 100 ----a-w- c:\windows\system32\flags.ini
2009-12-04 08:08:42 0 d-----w- c:\program files\CheckPoint
2009-12-04 08:08:23 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2009-12-04 08:08:23 0 d-----w- c:\windows\system32\ZoneLabs
2009-12-04 08:08:21 422437 ----a-w- c:\windows\system32\vsconfig.xml
2009-12-04 08:08:20 0 d-----w- c:\program files\Zone Labs
2009-12-04 04:40:21 0 ----a-w- c:\windows\system32\ixv36hu4.dll
2009-12-03 21:46:43 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-03 19:00:58 2713 --sh--w- c:\windows\system32\fasapako.dll
2009-12-03 17:55:49 57 ----a-w- C:\xcrashdump.dat
2009-12-03 17:55:08 71168 ----a-w- c:\windows\system32\bwinamnc32.dll
2009-12-03 17:55:04 71168 ----a-w- c:\windows\system32\winamnc.dll
2009-12-03 17:52:39 97608 ----a-w- c:\windows\system32\drivers\avfwot.sys
2009-12-03 17:52:39 69632 ----a-w- c:\windows\system32\drivers\avfwim.sys
2009-12-03 06:32:41 0 d-----w- c:\docume~1\alluse~1\applic~1\IObit
2009-12-03 01:01:34 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2009-12-03 01:00:50 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-02 04:55:37 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-12-01 06:02:26 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-12-01 06:00:42 0 d-----w- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2009-12-01 02:49:39 0 d-----w- c:\docume~1\alluse~1\applic~1\Simply Super Software
2009-11-30 09:02:52 0 d-----w- c:\docume~1\alluse~1\applic~1\USBSRService
2009-11-30 09:00:30 0 d-----w- c:\docume~1\owner\applic~1\USBSafelyRemove
2009-11-30 08:41:56 0 d-----w- c:\docume~1\owner\applic~1\CheckPoint
2009-11-30 08:40:59 96 ----a-w- c:\windows\system32\pdfl.dat
2009-11-30 08:40:59 80 ----a-w- c:\windows\system32\ibfl.dat
2009-11-30 08:40:59 144 ----a-w- c:\windows\system32\lkfl.dat
2009-11-29 21:00:06 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2009-11-29 21:00:05 0 d-----w- c:\program files\Avira
2009-11-29 20:33:30 34304 ----a-w- c:\windows\system32\yyllhe.exe
2009-11-11 09:29:01 57801 ----a-w- c:\windows\system32\igfx.hlp
2009-11-11 09:17:40 163840 ----a-w- c:\windows\system32\igfxres.dll
2009-11-11 04:51:11 2328832 ----a-w- c:\windows\system32\TUKernel.exe
2009-11-11 02:56:32 0 d-----w- c:\docume~1\owner\applic~1\TuneUp Software
2009-11-11 02:55:51 0 d-----w- c:\docume~1\alluse~1\applic~1\TuneUp Software
2009-11-11 02:55:42 0 d-sh--w- c:\docume~1\alluse~1\applic~1\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
2009-11-11 02:52:01 97792 ----a-w- c:\windows\system32\LGUICOM.DLL
2009-11-11 02:52:01 3568 ----a-w- c:\windows\system32\LMOUSE16.DLL
2009-11-11 02:52:01 16896 ----a-w- c:\windows\system32\LMOUSE32.DLL
2009-11-11 02:52:01 104960 ----a-w- c:\windows\system32\COMNCTR.DLL
2009-11-11 02:52:01 0 d-----w- c:\program files\common files\Logitech
2009-11-11 02:51:59 70801 ----a-w- c:\windows\system32\drivers\LMouFlt2.Sys
2009-11-11 02:51:59 51729 ------w- c:\windows\system32\drivers\L8042PR2.SYS
2009-11-11 02:51:59 37887 ------w- c:\windows\system32\drivers\LHIDUSB.SYS
2009-11-11 02:51:59 25505 ----a-w- c:\windows\system32\drivers\LHidFlt2.Sys
2009-11-11 02:51:59 23375 ------w- c:\windows\system32\LCOINST.DLL
2009-11-11 02:51:59 19968 ------w- c:\windows\LOGI_MWX.EXE
2009-11-11 02:51:59 152064 ------w- c:\windows\system32\lmoufrc.dll
2009-11-11 02:51:59 14095 ------w- c:\windows\system32\drivers\LCCFLTR.SYS
2009-11-11 02:51:21 53248 ----a-w- c:\windows\system32\CSVer.dll
2009-11-11 02:48:47 0 d-----w- C:\Intel
2009-11-11 02:47:50 44875 ----a-w- c:\windows\system32\IPrtCnst.dll
2009-11-11 02:47:50 13891 ----a-w- c:\windows\system32\drivers\IdeBusDr.sys
2009-11-11 02:47:50 101431 ----a-w- c:\windows\system32\drivers\IdeChnDr.sys

==================== Find3M ====================

2009-12-04 08:08:36 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-12-03 09:41:04 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-16 00:40:07 79704 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-30 00:29:08 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-10-11 11:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-08 21:57:02 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2009-10-08 21:57:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 21:56:56 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-07 19:15:35 4096 --sha-w- c:\windows\system32\bofofevu.dll
2009-09-05 19:01:33 39424 --sha-w- c:\windows\system32\bulawasi.dll
2009-03-21 14:06:58 0 --sha-w- c:\windows\system32\calc.dll
2009-09-04 19:08:11 53760 --sha-w- c:\windows\system32\fimohinu.dll
2009-09-04 07:01:16 12288 --sha-w- c:\windows\system32\giletisa.dll
2009-09-07 01:35:33 93184 --sha-w- c:\windows\system32\hamohive.dll
2009-09-03 19:00:52 45568 --sha-w- c:\windows\system32\hulawira.dll
2009-09-04 19:08:10 53760 --sha-w- c:\windows\system32\jorofudo.dll
2009-09-07 01:22:32 3 --sha-w- c:\windows\system32\kivebeki.dll
2009-09-05 07:01:22 25600 --sha-w- c:\windows\system32\lazahuji.dll
2009-09-04 19:03:39 39424 --sha-w- c:\windows\system32\milokira.dll
2009-09-07 01:22:31 3 --sha-w- c:\windows\system32\poyinada.dll
2009-09-04 19:03:40 45568 --sha-w- c:\windows\system32\rewuguti.dll
2009-09-07 01:22:31 3 --sha-w- c:\windows\system32\sateveme.dll
2009-09-07 01:35:33 39424 --sha-w- c:\windows\system32\warihagi.dll
2009-09-07 19:15:33 61440 --sha-w- c:\windows\system32\wehemeru.dll
2009-09-05 19:01:33 45568 --sha-w- c:\windows\system32\yagehusi.dll
2009-09-05 07:01:22 45568 --sha-w- c:\windows\system32\yejedotu.dll
2009-09-07 19:15:33 45568 --sha-w- c:\windows\system32\yosineku.dll
2009-09-07 01:35:35 45568 --sha-w- c:\windows\system32\zabinose.dll
2009-09-05 19:01:34 16384 --sha-w- c:\windows\system32\ziyewila.dll

============= FINISH: 10:25:35.92 ===============

Edited by boopme, 08 December 2009 - 03:39 PM.



#2 glynnmania

glynnmania
  • Topic Starter

  • Members
  • 82 posts
  • Gender:Male
  • Location:Scottsdale, AZ

Posted 11 December 2009 - 07:04 PM

Will someone please respond and help? My system is becoming progressively less stable; Firefox is failing often.

Help is appreciated.

#3 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 20 December 2009 - 06:23 PM

Hi,

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay of response.

If you still require assistance, we would like to see the current condition of your system, so please post a new set of DDS logs as well as a RootRepeal log and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or RootRepeal log, please refer to this page, steps #6 and #7, for further instructions on downloading and running DDS and RootRepeal. If you have any problems, just let me know in your next reply or simply post a HijackThis log.


For your next reply I would like to see:
- The DDS logs (DDS.txt and Attach logs)
- RootRepeal logs
- Description of any remaining problems you may still have.


Thanks again and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead, please post it in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to [image].

#4 glynnmania

glynnmania
  • Topic Starter

  • Members
  • 82 posts
  • Gender:Male
  • Location:Scottsdale, AZ

Posted 20 December 2009 - 06:25 PM

I just backed up and reformatted. I no longer need help.

#5 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 20 December 2009 - 06:36 PM

Ok. Thanks for letting us know.

Below are some prevention tips. I will then close this topic off shortly.
--
Preventing Infections in the Future

Please also have a look at the following links, giving some advice and tips to protect yourself against malware and reduce the potential for re-infection:
  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
Disable Autorun on Flash-Drive/Removable Drives

When is AUTORUN.INF really an AUTORUN.INF?

USB worms work by creating a file called AUTORUN.INF on the root of USB drives. These INF files then use Autorun or Autoplay (not the same thing!) to execute themselves either when the stick is inserted, or more commonly, when the user double-clicks on the USB drive icon from My Computer (Windows Explorer)...


Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read "USB-Based Malware Attacks" and "Please disable Autorun asap!".

If using Windows Vista, please refer to:
"Disable AutoPlay in Windows Vista"
"Preventing AutoPlay with Local Group Policy Editor or AutoPlay options panel"

Note: When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful.

Visit the Windows Update Site Regularly

I recommend you regularly visit the Windows Update Site!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish to turn on automatic updates, here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
Update Non-Microsoft Programs

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

With Regards,
Extremeboy

Edited by extremeboy, 20 December 2009 - 06:36 PM.

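The Autorun advice above comes down to two things a defender can check: does a removable drive's AUTORUN.INF contain a directive that launches a program (open=, shellexecute=, or a shell\...\command verb) rather than just an icon or label, and does the machine's NoDriveTypeAutoRun policy actually suppress Autorun for removable drives. The Python below is an added example, not code from this thread or from BleepingComputer; the sample AUTORUN.INF is constructed for illustration, the function names are mine, and the only real Windows identifier it relies on is the NoDriveTypeAutoRun bitmask (0x91 is the XP default, 0xFF disables every drive class). The parser is deliberately tolerant in the way the quoted "When is AUTORUN.INF really an AUTORUN.INF?" piece describes: case-insensitive keys, padding lines ignored.

```python
"""Assess an AUTORUN.INF against the NoDriveTypeAutoRun policy.
Added example for the Autorun discussion; not part of the original thread."""
import re

# NoDriveTypeAutoRun bit values, one per GetDriveType() class.  A set bit
# DISABLES Autorun for that class.  Values are the documented Windows ones.
NO_DRIVE_TYPE_AUTORUN_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x04: "DRIVE_REMOVABLE",
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE",
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "unknown drive types",
}
XP_DEFAULT_MASK = 0x91     # Windows XP default: unknown, network, unknown types
DISABLE_ALL_MASK = 0xFF    # the setting the post recommends: all classes off
REMOVABLE_BIT = 0x04

# [autorun] keys that start a program instead of just decorating the drive.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)

# Constructed sample of a worm-style AUTORUN.INF (hypothetical, not from a
# real infection): mixed-case key, padding line, and a shell verb command.
SAMPLE_INF = r"""[AutoRun]
; constructed sample for the example
this line has no equals sign and must be ignored
OPEN = start.exe
icon=disk.ico
shell\open\command=start.exe
label=Backup Stick
"""

# A benign file that only sets an icon and a label (also constructed).
ICON_ONLY_INF = "[autorun]\nicon=disk.ico\nlabel=Backup\n"


def parse_autorun_inf(text):
    """Tolerant INI parse: section names and keys are lower-cased, lines
    that are not [section] or key=value are skipped (Windows ignores them
    too, which is why padding does not defeat this check), and a duplicate
    key keeps its last value."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_directives(text):
    """Return [(key, value)] for every [autorun] entry that would run code."""
    autorun = parse_autorun_inf(text).get("autorun", {})
    return [(k, v) for k, v in autorun.items()
            if k in LAUNCH_KEYS or SHELL_COMMAND_RE.match(k)]


def autorun_disabled_for(mask, drive_bit):
    """True when the policy bit for this drive class is set (Autorun off)."""
    return bool(mask & drive_bit)


def disabled_drive_classes(mask):
    """Human-readable list of the drive classes a mask switches Autorun off for."""
    return [name for bit, name in NO_DRIVE_TYPE_AUTORUN_BITS.items() if mask & bit]


def assess_removable_drive(inf_text, mask):
    """Would inserting a removable drive carrying inf_text start code under
    the given NoDriveTypeAutoRun policy?  Returns a one-line verdict."""
    launches = launch_directives(inf_text)
    if not launches:
        return "no launch directives; inf only sets icon/label"
    if autorun_disabled_for(mask, REMOVABLE_BIT):
        return "launch directives present but Autorun is disabled for removable drives"
    return "RISK: Autorun enabled for removable drives and inf launches: " + \
        ", ".join(f"{k}={v}" for k, v in launches)


if __name__ == "__main__":
    for mask in (XP_DEFAULT_MASK, DISABLE_ALL_MASK):
        print(f"mask 0x{mask:02X} disables: {disabled_drive_classes(mask)}")
        print("   sample inf:", assess_removable_drive(SAMPLE_INF, mask))
        print("   icon-only :", assess_removable_drive(ICON_ONLY_INF, mask))
```

Two caveats the post itself raises apply here. The mask only models the insertion-time Autorun path; as the note above says, double-clicking a drive that carries an autorun.inf can still trigger it, so the verdict is "policy does not block it", not "the file is harmless". And the parser flags code-launching directives, not specific malware, so an entry such as open=setup.exe on a vendor CD is reported as a launch directive too; the decision of whether that is expected belongs to the person reading the output.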

#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 20 December 2009 - 06:38 PM

Hello.

Since the problem appears to be resolved, this topic is now Closed.
If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter

Everyone else please start a new topic.

With Regards,
Extremeboy



