Can't get rid of virus (?) - possibly Artemis


This topic is locked
9 replies to this topic

#1 torreypnz

  • Members
  • 6 posts

Posted 12 January 2010 - 02:04 PM

I've had a virus (?) on my computer for a while now - I have run McAfee and Malwarebytes and they cannot get rid of it. Now it has disabled Malwarebytes. I also cannot do a system restore - it says "System Restore has been turned off by group policy. To turn on System Restore, contact your domain administrator". I've tried restarting in safe mode but I get a blue screen. I'm also having trouble connecting to the internet. I'll post my logs below and also attach my reports done per the preparation guide. I'm not super computer literate - I really hope someone can help me. Thanks in advance.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Amy at 12:05:17.11 on Tue 01/12/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.388 [GMT -6:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\FastNetSrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RMClient\PMClient.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Amy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.cnn.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2080509
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
mWinlogon: Shell=Explorer.exe rundll32.exe bwsb.gio gltbr
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AdobeUpdater] "c:\program files\common files\adobe\updater5\AdobeUpdater.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [BuildBU] c:\dell\bldbubg.exe
mRun: [JobHisInit] c:\program files\rmclient\JobHisInit.exe
mRun: [MplSetUp] c:\program files\rmclient\MplSetUp.exe
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [hmrnbgqw] c:\windows\system32\config\systemprofile\local settings\application data\bxqmco\dmkisysguard.exe
mRun: [jwsekdne] c:\windows\system32\config\systemprofile\local settings\application data\yujvjx\bedrsysguard.exe
mRun: [selayajam] Rundll32.exe "c:\windows\system32\lukonoke.dll",a
dRun: [gmacjlyh] c:\windows\system32\config\systemprofile\local settings\application data\pxrhjj\eiymsysguard.exe
dRun: [ygua8e7yhuiesfha876yfauy8fe] c:\windows\temp\je9fq3f.exe
dRun: [asg984jgkfmgasi8ug98jgkfgfb] c:\windows\temp\user.exe
dRun: [hmrnbgqw] c:\windows\system32\config\systemprofile\local settings\application data\bxqmco\dmkisysguard.exe
dRun: [jwsekdne] c:\windows\system32\config\systemprofile\local settings\application data\yujvjx\bedrsysguard.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\smartn~1.lnk - c:\program files\rmclient\PMClient.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: c:\windows\system32\helper32.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
TCP: {33F189C5-59EC-4031-B02F-288437CB068D} = 193.104.110.38,4.2.2.1,192.168.0.1
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SSODL: digekadom - {e47046eb-bee7-4178-8c90-56be783d350e} - c:\windows\system32\lukonoke.dll
STS: gahurihor: {e47046eb-bee7-4178-8c90-56be783d350e} - c:\windows\system32\lukonoke.dll
LSA: Notification Packages = scecli zolopepu.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-11-4 214664]
R2 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe -k netsvcs [2004-8-10 14336]
R2 fastnetsrv;fastnetsrv Service;c:\windows\system32\FastNetSrv.exe [2004-8-4 43520]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2010-1-5 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2010-1-5 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2010-1-5 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-1-5 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-1-5 35272]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-1-5 34248]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-1-5 40552]
S0 ukxnezw;ukxnezw; [x]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-5-9 30192]

=============== Created Last 30 ================

2010-01-12 17:56:37 0 d-----w- c:\documents and settings\amy\DoctorWeb
2010-01-12 15:55:19 0 ----a-w- c:\windows\system32\1093.exe
2010-01-12 15:35:08 0 ----a-w- c:\windows\system32\16828.exe
2010-01-12 15:14:37 0 ----a-w- c:\windows\system32\31946.exe
2010-01-12 14:54:35 166 ----a-w- c:\windows\system32\12526.exe
2010-01-12 14:42:08 0 d-----w- c:\program files\ESET
2010-01-12 14:34:31 166 ----a-w- c:\windows\system32\12367.exe
2010-01-12 13:57:43 27911 ----a-w- c:\windows\system32\D0JG0HI43Z.dat
2010-01-12 13:57:43 1860 ----a-w- c:\windows\system32\4PH00J30X.dat
2010-01-12 13:57:40 27911 ----a-w- c:\windows\system32\7O0ZQ7Y9T5.dat
2010-01-12 13:57:40 1860 ----a-w- c:\windows\system32\VX6Z00S0G.dat
2010-01-12 13:54:32 2713 --sh--w- c:\windows\system32\kihagora.dll
2010-01-10 02:36:24 0 ----a-w- c:\windows\system32\3365.exe
2010-01-10 02:16:23 0 ----a-w- c:\windows\system32\27958.exe
2010-01-10 01:56:23 0 ----a-w- c:\windows\system32\14677.exe
2010-01-10 01:36:22 0 ----a-w- c:\windows\system32\27214.exe
2010-01-10 01:16:22 0 ----a-w- c:\windows\system32\20014.exe
2010-01-10 00:56:00 0 ----a-w- c:\windows\system32\5930.exe
2010-01-10 00:36:00 0 ----a-w- c:\windows\system32\11634.exe
2010-01-10 00:15:59 0 ----a-w- c:\windows\system32\5430.exe
2010-01-09 23:55:59 0 ----a-w- c:\windows\system32\29065.exe
2010-01-09 23:35:37 0 ----a-w- c:\windows\system32\27311.exe
2010-01-09 23:15:37 0 ----a-w- c:\windows\system32\178.exe
2010-01-09 22:55:37 0 ----a-w- c:\windows\system32\30055.exe
2010-01-09 22:35:36 0 ----a-w- c:\windows\system32\30526.exe
2010-01-09 22:15:36 0 ----a-w- c:\windows\system32\16853.exe
2010-01-09 21:55:32 0 ----a-w- c:\windows\system32\25015.exe
2010-01-09 21:35:29 0 ----a-w- c:\windows\system32\15932.exe
2010-01-09 21:15:28 0 ----a-w- c:\windows\system32\16126.exe
2010-01-09 20:55:28 0 ----a-w- c:\windows\system32\16837.exe
2010-01-09 20:35:28 0 ----a-w- c:\windows\system32\6082.exe
2010-01-09 20:15:27 0 ----a-w- c:\windows\system32\28122.exe
2010-01-09 19:55:06 0 ----a-w- c:\windows\system32\29665.exe
2010-01-09 19:36:12 29184 ----a-w- c:\windows\system32\bwsb.gio
2010-01-09 19:35:03 0 ----a-w- c:\windows\system32\7217.exe
2010-01-09 19:15:02 0 ----a-w- c:\windows\system32\26514.exe
2010-01-09 18:55:02 0 ----a-w- c:\windows\system32\26172.exe
2010-01-09 18:35:01 0 ----a-w- c:\windows\system32\10597.exe
2010-01-09 18:15:01 0 ----a-w- c:\windows\system32\27392.exe
2010-01-09 17:54:40 0 ----a-w- c:\windows\system32\28544.exe
2010-01-09 17:34:39 0 ----a-w- c:\windows\system32\24191.exe
2010-01-09 05:57:39 45568 --sh--w- c:\windows\system32\domagihi.dll
2010-01-09 05:52:09 0 ----a-w- c:\windows\system32\41.exe
2010-01-09 05:52:05 472 ----a-w- c:\windows\system32\uses32.dat
2010-01-09 05:52:05 100 ----a-w- c:\windows\system32\flags.ini
2010-01-09 05:52:00 0 ----a-w- c:\windows\system32\IS15.exe
2010-01-09 05:51:54 767488 ----a-w- c:\windows\system32\drivers\dybrz.sys
2010-01-09 05:51:52 17408 ----a-w- c:\windows\system32\helper32.dll
2010-01-06 17:01:23 202072 ----a-r- c:\windows\cpnprt2.cid
2010-01-06 17:01:22 202072 ------w- c:\windows\system32\cpnprt2.cid
2010-01-06 17:01:18 0 d-----w- c:\program files\Coupons
2010-01-05 14:45:00 10403 ----a-w- c:\windows\system32\Config.MPF
2010-01-05 14:42:46 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-01-05 14:42:46 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2010-01-05 14:42:46 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-01-05 14:42:39 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-01-05 14:41:54 0 d-----w- c:\program files\common files\McAfee
2010-01-05 14:41:51 0 d-----w- c:\program files\McAfee.com
2010-01-05 14:41:40 0 d-----w- c:\program files\McAfee
2010-01-05 14:38:34 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2010-01-04 17:58:54 0 d-----w- c:\windows\pss
2010-01-04 04:59:47 2957 ----a-w- c:\windows\system32\1655.exe
2010-01-04 04:39:46 2957 ----a-w- c:\windows\system32\18762.exe
2010-01-04 04:19:43 2957 ----a-w- c:\windows\system32\32591.exe
2010-01-04 03:59:41 2957 ----a-w- c:\windows\system32\900.exe
2010-01-04 03:39:38 2957 ----a-w- c:\windows\system32\29168.exe
2010-01-04 03:19:31 2957 ----a-w- c:\windows\system32\16413.exe
2010-01-04 02:59:29 2957 ----a-w- c:\windows\system32\13030.exe
2010-01-04 02:39:29 2957 ----a-w- c:\windows\system32\27506.exe
2010-01-04 02:19:28 2957 ----a-w- c:\windows\system32\24946.exe
2010-01-04 01:59:26 2957 ----a-w- c:\windows\system32\6422.exe
2010-01-04 01:39:26 2957 ----a-w- c:\windows\system32\18588.exe
2010-01-04 01:19:25 2957 ----a-w- c:\windows\system32\24221.exe
2010-01-04 00:59:24 2957 ----a-w- c:\windows\system32\9758.exe
2010-01-04 00:39:23 2957 ----a-w- c:\windows\system32\32209.exe
2010-01-04 00:19:22 2957 ----a-w- c:\windows\system32\8909.exe
2010-01-03 23:59:21 2957 ----a-w- c:\windows\system32\14945.exe
2010-01-03 23:39:21 2957 ----a-w- c:\windows\system32\10383.exe
2010-01-03 23:19:20 2957 ----a-w- c:\windows\system32\27753.exe
2010-01-03 22:59:19 2957 ----a-w- c:\windows\system32\12287.exe
2010-01-03 22:39:18 2957 ----a-w- c:\windows\system32\15457.exe
2010-01-03 22:19:14 2957 ----a-w- c:\windows\system32\11337.exe
2010-01-03 21:59:10 2957 ----a-w- c:\windows\system32\18007.exe
2010-01-03 21:39:06 2957 ----a-w- c:\windows\system32\30191.exe
2010-01-03 21:18:56 2957 ----a-w- c:\windows\system32\31107.exe
2010-01-03 20:58:56 2957 ----a-w- c:\windows\system32\3430.exe
2010-01-03 20:38:52 2957 ----a-w- c:\windows\system32\13966.exe
2010-01-03 20:18:51 2957 ----a-w- c:\windows\system32\21724.exe
2010-01-03 19:58:41 2957 ----a-w- c:\windows\system32\16941.exe
2010-01-03 19:38:39 2957 ----a-w- c:\windows\system32\1150.exe
2010-01-03 19:18:37 2957 ----a-w- c:\windows\system32\27350.exe
2010-01-03 18:58:36 2957 ----a-w- c:\windows\system32\12052.exe
2010-01-03 18:38:32 2957 ----a-w- c:\windows\system32\4031.exe
2010-01-03 18:18:31 2957 ----a-w- c:\windows\system32\15574.exe
2010-01-03 17:58:27 2957 ----a-w- c:\windows\system32\23655.exe
2010-01-03 17:38:26 2957 ----a-w- c:\windows\system32\24767.exe
2010-01-03 17:18:25 2957 ----a-w- c:\windows\system32\22355.exe
2010-01-03 16:58:24 2957 ----a-w- c:\windows\system32\18636.exe
2010-01-03 16:38:23 2957 ----a-w- c:\windows\system32\9161.exe
2010-01-03 16:18:22 2957 ----a-w- c:\windows\system32\13290.exe
2010-01-03 15:58:21 2957 ----a-w- c:\windows\system32\23986.exe
2010-01-03 15:38:20 2957 ----a-w- c:\windows\system32\16512.exe
2010-01-03 15:18:19 2957 ----a-w- c:\windows\system32\5097.exe
2010-01-03 14:58:09 2957 ----a-w- c:\windows\system32\15573.exe
2010-01-03 14:38:08 2957 ----a-w- c:\windows\system32\26777.exe
2010-01-03 14:18:07 2957 ----a-w- c:\windows\system32\5829.exe
2010-01-03 13:58:06 2957 ----a-w- c:\windows\system32\6270.exe
2010-01-03 13:38:02 2957 ----a-w- c:\windows\system32\19072.exe
2010-01-03 13:18:01 2957 ----a-w- c:\windows\system32\26924.exe
2010-01-03 12:58:00 2957 ----a-w- c:\windows\system32\28745.exe
2010-01-03 12:37:59 2957 ----a-w- c:\windows\system32\5021.exe
2010-01-03 12:17:55 2957 ----a-w- c:\windows\system32\22386.exe
2010-01-03 11:57:51 2957 ----a-w- c:\windows\system32\31673.exe
2010-01-03 11:37:48 2957 ----a-w- c:\windows\system32\2306.exe
2010-01-03 11:17:47 2957 ----a-w- c:\windows\system32\13977.exe
2010-01-03 10:57:46 0 ----a-w- c:\windows\system32\9930.exe
2010-01-03 10:37:12 2957 ----a-w- c:\windows\system32\22704.exe
2010-01-03 10:17:11 2957 ----a-w- c:\windows\system32\29658.exe
2010-01-03 09:57:10 2957 ----a-w- c:\windows\system32\4639.exe
2010-01-03 09:37:06 2957 ----a-w- c:\windows\system32\31115.exe
2010-01-03 09:17:05 2957 ----a-w- c:\windows\system32\4833.exe
2010-01-03 08:57:05 2957 ----a-w- c:\windows\system32\16541.exe
2010-01-03 08:37:03 2957 ----a-w- c:\windows\system32\22929.exe
2010-01-03 08:17:03 2957 ----a-w- c:\windows\system32\2082.exe
2010-01-03 07:56:58 2957 ----a-w- c:\windows\system32\16118.exe
2010-01-03 07:36:57 2957 ----a-w- c:\windows\system32\21538.exe
2010-01-03 07:16:56 0 ----a-w- c:\windows\system32\5537.exe
2010-01-03 06:56:26 2957 ----a-w- c:\windows\system32\11323.exe
2010-01-03 06:36:24 2957 ----a-w- c:\windows\system32\24626.exe
2010-01-03 06:16:21 2957 ----a-w- c:\windows\system32\32439.exe
2010-01-03 05:56:17 2957 ----a-w- c:\windows\system32\16944.exe
2010-01-03 05:36:16 2957 ----a-w- c:\windows\system32\26308.exe
2010-01-03 05:16:15 0 ----a-w- c:\windows\system32\13931.exe
2010-01-03 04:55:44 2957 ----a-w- c:\windows\system32\7376.exe
2010-01-03 04:35:41 2957 ----a-w- c:\windows\system32\4966.exe
2010-01-03 04:15:39 2957 ----a-w- c:\windows\system32\11840.exe
2010-01-03 03:55:38 2957 ----a-w- c:\windows\system32\18756.exe
2010-01-03 03:35:37 2957 ----a-w- c:\windows\system32\19954.exe
2010-01-03 03:15:36 2957 ----a-w- c:\windows\system32\24084.exe
2010-01-03 02:55:35 2957 ----a-w- c:\windows\system32\12623.exe
2010-01-03 02:35:35 2957 ----a-w- c:\windows\system32\19629.exe
2010-01-03 02:15:31 2957 ----a-w- c:\windows\system32\3548.exe
2010-01-03 01:55:30 2957 ----a-w- c:\windows\system32\24393.exe
2010-01-03 01:35:20 2957 ----a-w- c:\windows\system32\31101.exe
2010-01-03 01:15:13 2957 ----a-w- c:\windows\system32\15006.exe
2010-01-03 00:55:09 2957 ----a-w- c:\windows\system32\15350.exe
2010-01-03 00:35:08 2957 ----a-w- c:\windows\system32\24370.exe
2010-01-03 00:15:07 2957 ----a-w- c:\windows\system32\6729.exe
2010-01-02 23:55:06 2957 ----a-w- c:\windows\system32\15890.exe
2010-01-02 23:34:56 2957 ----a-w- c:\windows\system32\23805.exe
2010-01-02 23:14:52 2957 ----a-w- c:\windows\system32\27446.exe
2010-01-02 22:54:51 2957 ----a-w- c:\windows\system32\22648.exe
2010-01-02 22:34:50 2957 ----a-w- c:\windows\system32\19264.exe
2010-01-02 22:14:49 2957 ----a-w- c:\windows\system32\8942.exe
2010-01-02 21:54:49 2957 ----a-w- c:\windows\system32\9040.exe
2010-01-02 21:34:45 2957 ----a-w- c:\windows\system32\30106.exe
2010-01-02 21:14:43 2957 ----a-w- c:\windows\system32\288.exe
2010-01-02 20:54:43 2957 ----a-w- c:\windows\system32\1842.exe
2010-01-02 20:34:42 2957 ----a-w- c:\windows\system32\22190.exe
2010-01-02 20:14:41 2957 ----a-w- c:\windows\system32\3035.exe
2010-01-02 19:54:40 2957 ----a-w- c:\windows\system32\12316.exe
2010-01-02 19:34:36 2957 ----a-w- c:\windows\system32\778.exe
2010-01-02 19:14:35 2957 ----a-w- c:\windows\system32\27529.exe
2010-01-02 18:54:35 2957 ----a-w- c:\windows\system32\9741.exe
2010-01-02 18:34:30 2957 ----a-w- c:\windows\system32\8723.exe
2010-01-02 18:14:29 2957 ----a-w- c:\windows\system32\12859.exe
2010-01-02 17:54:29 2957 ----a-w- c:\windows\system32\20037.exe
2010-01-02 17:34:28 2957 ----a-w- c:\windows\system32\32757.exe
2010-01-02 17:14:24 2957 ----a-w- c:\windows\system32\32662.exe
2010-01-02 16:54:23 2957 ----a-w- c:\windows\system32\27644.exe
2010-01-02 16:34:19 2957 ----a-w- c:\windows\system32\25547.exe
2010-01-02 16:14:18 2957 ----a-w- c:\windows\system32\6868.exe
2010-01-02 15:54:17 2957 ----a-w- c:\windows\system32\28253.exe
2010-01-02 15:34:13 2957 ----a-w- c:\windows\system32\7711.exe
2010-01-02 15:14:12 2957 ----a-w- c:\windows\system32\15141.exe
2010-01-02 14:54:11 2957 ----a-w- c:\windows\system32\4664.exe
2010-01-02 14:34:10 2957 ----a-w- c:\windows\system32\17673.exe
2010-01-02 14:14:06 2957 ----a-w- c:\windows\system32\30333.exe
2010-01-02 13:54:06 2957 ----a-w- c:\windows\system32\31322.exe
2010-01-02 13:33:44 2957 ----a-w- c:\windows\system32\23811.exe
2010-01-02 13:13:43 2957 ----a-w- c:\windows\system32\28703.exe
2010-01-02 12:53:43 2957 ----a-w- c:\windows\system32\9894.exe
2010-01-02 12:33:38 2957 ----a-w- c:\windows\system32\17035.exe
2010-01-02 12:13:38 2957 ----a-w- c:\windows\system32\26299.exe
2010-01-02 11:53:37 2957 ----a-w- c:\windows\system32\25667.exe
2010-01-02 11:33:36 2957 ----a-w- c:\windows\system32\19912.exe
2010-01-02 11:13:32 0 ----a-w- c:\windows\system32\1869.exe
2010-01-02 10:53:31 0 ----a-w- c:\windows\system32\11538.exe
2010-01-02 10:33:30 0 ----a-w- c:\windows\system32\14771.exe
2010-01-02 10:13:26 0 ----a-w- c:\windows\system32\21726.exe
2010-01-02 09:53:23 0 ----a-w- c:\windows\system32\5447.exe
2010-01-02 09:33:22 0 ----a-w- c:\windows\system32\19895.exe
2010-01-02 09:13:21 0 ----a-w- c:\windows\system32\19718.exe
2010-01-02 08:53:17 0 ----a-w- c:\windows\system32\18716.exe
2010-01-02 08:33:16 0 ----a-w- c:\windows\system32\17421.exe
2010-01-02 08:13:15 0 ----a-w- c:\windows\system32\12382.exe
2010-01-02 07:53:14 0 ----a-w- c:\windows\system32\292.exe
2010-01-02 07:32:43 0 ----a-w- c:\windows\system32\153.exe
2010-01-02 07:12:33 0 ----a-w- c:\windows\system32\3902.exe
2010-01-02 06:52:33 0 ----a-w- c:\windows\system32\14604.exe
2010-01-02 06:32:32 0 ----a-w- c:\windows\system32\32391.exe
2010-01-02 06:12:31 0 ----a-w- c:\windows\system32\5436.exe
2010-01-02 05:52:27 0 ----a-w- c:\windows\system32\4827.exe
2010-01-02 05:32:26 0 ----a-w- c:\windows\system32\11942.exe
2010-01-02 05:12:24 0 ----a-w- c:\windows\system32\2995.exe
2010-01-02 04:52:24 0 ----a-w- c:\windows\system32\491.exe
2010-01-02 04:32:23 0 ----a-w- c:\windows\system32\9961.exe
2010-01-02 04:12:01 0 ----a-w- c:\windows\system32\16827.exe
2010-01-02 03:52:01 0 ----a-w- c:\windows\system32\23281.exe
2010-01-02 03:32:00 0 ----a-w- c:\windows\system32\28145.exe
2010-01-02 03:11:56 0 ----a-w- c:\windows\system32\5705.exe
2010-01-02 02:51:46 0 ----a-w- c:\windows\system32\24464.exe
2010-01-02 02:31:45 0 ----a-w- c:\windows\system32\26962.exe
2010-01-02 02:11:44 0 ----a-w- c:\windows\system32\29358.exe
2010-01-02 01:51:43 0 ----a-w- c:\windows\system32\11478.exe
2010-01-02 01:31:39 0 ----a-w- c:\windows\system32\15724.exe
2010-01-02 01:11:08 0 ----a-w- c:\windows\system32\19169.exe
2010-01-02 00:51:08 0 ----a-w- c:\windows\system32\26500.exe
2010-01-02 00:31:04 166 ----a-w- c:\windows\system32\6334.exe
2010-01-02 00:11:00 0 ----a-w- c:\windows\system32\18467.exe
2010-01-01 23:50:32 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-01 23:47:15 1 ----a-w- C:\s

==================== Find3M ====================

2010-01-08 00:40:01 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-08 00:40:01 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2010-01-07 22:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 22:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-02 17:25:49 1640400 ----a-w- c:\windows\is-H10JQ.tmp
2009-11-03 02:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-28 14:40:47 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys
1601-01-01 00:03:28 66560 --sha-w- c:\windows\system32\fumuguhu.dll
1601-01-01 00:03:28 61440 --sha-w- c:\windows\system32\ganoyapa.dll
1601-01-01 00:03:28 45568 --sha-w- c:\windows\system32\sajifuhe.dll

============= FINISH: 12:07:03.58 ===============

Just got a "Trojan Detected" notice from McAfee saying:
Detected: BackDoor-CDL.dll (Trojan)
Location: C:\WINDOWS\system32\helper32.dll

Merged posts. ~ OB


Edited by Orange Blossom, 12 January 2010 - 07:46 PM.
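As an added example (not part of this thread, of DDS, or of any BleepingComputer tool), the script below applies the same checks a helper makes by eye on the "Pseudo HJT Report" section of the log above: a Winlogon Shell value that is anything beyond Explorer.exe, a browser proxy pointed at 127.0.0.1, Run entries launched from the Windows temp folder or the system profile, policies that disable Task Manager and the registry editor, and any LSP, extra LSA notification package or SSODL entry. The sample lines are copied from the posted log; the rule names and thresholds are my own assumptions.

```python
"""Triage of DDS 'Pseudo HJT Report' lines.

Added example for this thread; it is not part of DDS, ComboFix or any
BleepingComputer tooling. The rules encode what a helper checks by eye in
the log above. Every hit is a lead for manual review, not a verdict.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the DDS log posted above, plus a
# benign Run entry, a benign policy and a benign BHO for contrast.
SAMPLE_LINES = [
    r"uInternet Settings,ProxyServer = http=127.0.0.1:5555",
    r"mWinlogon: Shell=Explorer.exe rundll32.exe bwsb.gio gltbr",
    r"uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe",
    r"mRun: [hmrnbgqw] c:\windows\system32\config\systemprofile\local settings\application data\bxqmco\dmkisysguard.exe",
    r"dRun: [ygua8e7yhuiesfha876yfauy8fe] c:\windows\temp\je9fq3f.exe",
    r"uPolicies-system: DisableTaskMgr = 1 (0x1)",
    r"dPolicies-system: DisableRegistryTools = 1 (0x1)",
    r"mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)",
    r"LSP: c:\windows\system32\helper32.dll",
    r"LSA: Notification Packages = scecli zolopepu.dll",
    r"SSODL: digekadom - {e47046eb-bee7-4178-8c90-56be783d350e} - c:\windows\system32\lukonoke.dll",
    r"BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll",
]


@dataclass(frozen=True)
class Finding:
    rule: str   # short tag for the heuristic that fired
    line: str   # the offending log line, verbatim


# DDS prefixes: u = current user hive, m = machine (HKLM), d = default user hive.
RUN_RE = re.compile(r"^[umd]Run:\s*\[[^\]]*\]\s*(?P<cmd>.*)$", re.I)
POLICY_RE = re.compile(r"^[umd]Policies-\w+:\s*(?P<name>\w+)\s*=\s*(?P<val>\d+)", re.I)

# Autostart locations that legitimate software essentially never launches from.
SUSPICIOUS_DIRS = ("\\windows\\temp\\", "\\systemprofile\\local settings\\application data\\")
# Policies that lock the user out of recovery tools (the poster's symptom).
LOCKOUT_POLICIES = {"disabletaskmgr", "disableregistrytools", "nofolderoptions"}
# A stock XP install lists only scecli here; anything extra deserves a look.
LEGIT_LSA_PACKAGES = {"scecli"}


def triage_line(line: str) -> list[Finding]:
    """Return the heuristics that fire on one Pseudo HJT line (possibly none)."""
    line = line.strip()
    low = line.lower()
    out: list[Finding] = []
    if low.startswith("mwinlogon:") and "shell=" in low:
        # The Shell value should be exactly Explorer.exe; extra tokens mean
        # something else is started alongside the desktop at every logon.
        if low.split("shell=", 1)[1].strip() != "explorer.exe":
            out.append(Finding("winlogon-shell-hijack", line))
    elif "internet settings,proxyserver" in low:
        # A loopback proxy is occasionally a legitimate local filter, so this
        # is a lead, not proof; combined with the other hits it rarely is.
        if "127.0.0.1" in low or "localhost" in low:
            out.append(Finding("local-proxy-hijack", line))
    elif m := RUN_RE.match(line):
        if any(d in m.group("cmd").lower() for d in SUSPICIOUS_DIRS):
            out.append(Finding("autorun-from-temp-or-systemprofile", line))
    elif m := POLICY_RE.match(line):
        if m.group("name").lower() in LOCKOUT_POLICIES and m.group("val") != "0":
            out.append(Finding("admin-tools-disabled-by-policy", line))
    elif low.startswith("lsp:"):
        # DDS only prints non-default Winsock providers, so any entry is notable.
        out.append(Finding("winsock-lsp-registered", line))
    elif low.startswith("lsa:") and "notification packages" in low:
        packages = low.split("=", 1)[1].split()
        if any(p not in LEGIT_LSA_PACKAGES for p in packages):
            out.append(Finding("unexpected-lsa-notification-package", line))
    elif low.startswith(("ssodl:", "sts:")):
        # ShellServiceObjectDelayLoad / SharedTaskScheduler DLLs load into
        # Explorer at logon; DDS lists only the ones it cannot vouch for.
        out.append(Finding("shell-extension-loaded-at-logon", line))
    return out


def summarize(lines: list[str]) -> dict[str, int]:
    """Count how many lines each heuristic flagged."""
    counts: dict[str, int] = {}
    for line in lines:
        for f in triage_line(line):
            counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        for finding in triage_line(sample):
            print(f"[{finding.rule}] {finding.line}")
    print(summarize(SAMPLE_LINES))
```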




#2 m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 17 January 2010 - 07:55 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 torreypnz
  • Topic Starter

  • Members
  • 6 posts

Posted 18 January 2010 - 08:57 AM

Hi - I'm still here. I haven't done anything to my computer since posting my logs, so hopefully someone can help me.

Thanks so much!
Amy

#4 m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 18 January 2010 - 04:50 PM

The PC has been quite infected and there are at least two trojans that I can identify.


We need to use a powerful tool called ComboFix.

Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks
m0le is a proud member of UNITE

#5 torreypnz
  • Topic Starter

  • Members
  • 6 posts

Posted 19 January 2010 - 10:03 AM

Thank you so much! Okay - I got that done and here is the log from combofix:

ComboFix 10-01-18.03 - Amy 01/19/2010 8:40.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.527 [GMT -6:00]
Running from: c:\documents and settings\Amy\Desktop\ComFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\s
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\EventSystem.log
c:\windows\system32\10383.exe
c:\windows\system32\10597.exe
c:\windows\system32\1093.exe
c:\windows\system32\11323.exe
c:\windows\system32\11337.exe
c:\windows\system32\11478.exe
c:\windows\system32\1150.exe
c:\windows\system32\11538.exe
c:\windows\system32\11634.exe
c:\windows\system32\11840.exe
c:\windows\system32\11942.exe
c:\windows\system32\12052.exe
c:\windows\system32\12287.exe
c:\windows\system32\12316.exe
c:\windows\system32\12367.exe
c:\windows\system32\12382.exe
c:\windows\system32\12526.exe
c:\windows\system32\12623.exe
c:\windows\system32\bwsb.gio
c:\windows\system32\drivers\dybrz.sys
c:\windows\system32\FastNetSrv.exe
c:\windows\system32\FInstall.sys
c:\windows\system32\flags.ini
c:\windows\system32\fumuguhu.dll
c:\windows\system32\Install.txt
c:\windows\system32\IS15.exe
c:\windows\system32\kbdsock.dll
c:\windows\system32\kihagora.dll
c:\windows\system32\lsm32.sys
c:\windows\system32\mshlps.dll
c:\windows\system32\opeia.exe
c:\windows\system32\uses32.dat
c:\windows\Tasks\qnbccrqw.job
c:\windows\TEMP\mta13187.dll
C:\xcrashdump.dat

----- BITS: Possible infected sites -----

hxxp://85.12.18.119
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_FASTNETSRV
-------\Legacy_WINSTS
-------\Service_fastnetsrv
-------\Legacy_dybrz
-------\Service_dybrz


((((((((((((((((((((((((( Files Created from 2009-12-19 to 2010-01-19 )))))))))))))))))))))))))))))))
.

2010-01-12 17:56 . 2010-01-12 17:56 -------- d-----w- c:\documents and settings\Amy\DoctorWeb
2010-01-12 14:42 . 2010-01-12 14:42 -------- d-----w- c:\program files\ESET
2010-01-12 13:57 . 2010-01-12 13:57 27911 ----a-w- c:\windows\system32\D0JG0HI43Z.dat
2010-01-12 13:57 . 2010-01-12 13:57 1860 ----a-w- c:\windows\system32\4PH00J30X.dat
2010-01-12 13:57 . 2010-01-12 13:57 27911 ----a-w- c:\windows\system32\7O0ZQ7Y9T5.dat
2010-01-12 13:57 . 2010-01-12 13:57 1860 ----a-w- c:\windows\system32\VX6Z00S0G.dat
2010-01-09 19:36 . 2010-01-09 19:36 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\yujvjx
2010-01-09 05:57 . 2010-01-09 05:57 45568 --sh--w- c:\windows\system32\domagihi.dll
2010-01-09 05:52 . 2010-01-09 05:52 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\bxqmco
2010-01-07 23:16 . 2010-01-07 23:16 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\pxrhjj
2010-01-06 17:01 . 2010-01-06 17:01 -------- d-----w- c:\program files\Coupons
2010-01-05 14:42 . 2009-11-04 22:54 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-01-05 14:42 . 2009-11-04 22:54 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2010-01-05 14:42 . 2009-11-04 22:54 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-01-05 14:42 . 2009-07-16 18:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-01-05 14:41 . 2010-01-05 14:42 -------- d-----w- c:\program files\Common Files\McAfee
2010-01-05 14:41 . 2010-01-05 14:42 -------- d-----w- c:\program files\McAfee.com
2010-01-05 14:41 . 2010-01-08 00:25 -------- d-----w- c:\program files\McAfee
2010-01-05 14:38 . 2009-11-04 22:53 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2010-01-01 23:57 . 2010-01-01 23:57 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-01-01 23:50 . 2010-01-09 05:52 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-01 23:48 . 2010-01-01 23:48 -------- d-----w- c:\documents and settings\Amy\Local Settings\Application Data\PCHealth
2010-01-01 23:48 . 2010-01-01 23:48 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-01-01 23:47 . 2010-01-04 14:37 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\fyvuxs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-15 16:19 . 2008-05-13 20:28 -------- d-----w- c:\program files\DYMO Label
2010-01-12 18:35 . 2004-08-04 03:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-12 18:35 . 2004-08-04 03:59 96512 ----a-w- c:\windows\system32\drivers\atapi.svs
2010-01-12 14:35 . 2009-12-02 18:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-08 14:15 . 2009-12-04 18:17 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-07 22:07 . 2009-12-02 18:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 22:07 . 2009-12-02 18:12 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 17:43 . 2008-05-09 12:35 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-01-04 16:47 . 2009-11-10 15:58 -------- d-----w- c:\program files\Common Files\Apple
2010-01-04 16:47 . 2009-05-19 18:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-01-04 14:43 . 2009-03-24 17:33 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-04 14:40 . 2009-01-26 18:02 -------- d-----w- c:\program files\Safari
2010-01-04 14:39 . 2009-03-24 17:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-10 09:03 . 2008-05-13 19:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-02 18:29 . 2009-12-02 17:25 -------- d-----w- c:\program files\Spyware Doctor
2009-12-02 18:28 . 2009-12-02 17:25 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-02 18:13 . 2009-12-02 18:13 -------- d-----w- c:\documents and settings\Amy\Application Data\Malwarebytes
2009-12-02 18:12 . 2009-12-02 18:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-02 17:25 . 2009-12-02 17:25 1640400 ----a-w- c:\windows\is-H10JQ.tmp
2009-12-02 17:25 . 2008-05-09 12:35 -------- d-----w- c:\program files\Google
2009-11-04 22:54 . 2009-11-04 22:54 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-11-03 02:42 . 2009-10-02 20:40 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 07:45 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
1601-01-01 00:03 . 1601-01-01 00:03 61440 --sha-w- c:\windows\system32\ganoyapa.dll
1601-01-01 00:03 . 1601-01-01 00:03 45568 --sha-w- c:\windows\system32\sajifuhe.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2009-07-20 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-17 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-17 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-17 138008]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-17 16132608]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-11-18 30192]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"BuildBU"="c:\dell\bldbubg.exe" [2004-02-19 61440]
"JobHisInit"="c:\program files\RMClient\JobHisInit.exe" [2001-04-07 135168]
"MplSetUp"="c:\program files\RMClient\MplSetUp.exe" [2000-11-05 40960]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
SmartNetMonitor for Client.lnk - c:\program files\RMClient\PMClient.exe [2008-5-15 1036288]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-05-09 12:41 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Amy\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 BtwSvc;BtwSvc;c:\windows\system32\svchost.exe -k netsvcs [8/10/2004 11:51 AM 14336]
R2 peersvc;peersvc Service;c:\windows\system32\PeerSvc.exe [8/4/2004 4:00 AM 36352]
S0 ukxnezw;ukxnezw; [x]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [5/9/2008 6:35 AM 30192]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - BTWSVC
*NewlyCreated* - PEERSVC

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
BtwSvc
.
Contents of the 'Scheduled Tasks' folder

2009-12-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-01-05 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-05 18:22]

2010-01-05 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-05 18:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cnn.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: {33F189C5-59EC-4031-B02F-288437CB068D} = 193.104.110.38,4.2.2.1,192.168.0.1
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-selayajam - c:\windows\system32\lukonoke.dll
SharedTaskScheduler-{e47046eb-bee7-4178-8c90-56be783d350e} - c:\windows\system32\lukonoke.dll
SSODL-digekadom-{e47046eb-bee7-4178-8c90-56be783d350e} - c:\windows\system32\lukonoke.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-19 08:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\lsm32.sys 32768 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(492)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(4064)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\wdfmgr.exe
c:\windows\RTHDCPL.EXE
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\opeia.exe
c:\windows\system32\lsm32.sys
.
**************************************************************************
.
Completion time: 2010-01-19 08:58:37 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-19 14:58

Pre-Run: 228,118,147,072 bytes free
Post-Run: 229,767,278,592 bytes free

- - End Of File - - F5818BB852A1E80B5B496D8AA2DAB292




#6 torreypnz
  • Topic Starter
  • Members
  • 6 posts

Posted 19 January 2010 - 10:57 AM

Just tried surfing the internet and got a google redirect.

Amy

#7 m0le
    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 19 January 2010 - 03:05 PM

Yes, there is something there which cannot be fixed.

Your System is infected with Virut!!
Virut is a file infecting virus which is able to modify itself each and every time it runs. In addition, when it infects, sometimes it will destroy the file it tries to latch onto.

For these reasons, you really can't truly fix Virut. You will need to format/reinstall the operating system on this machine.

More information:
http://free.avg.com/66558
QUOTE(AVG Technologies)
There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus.


http://home.mcafee.com/VirusInfo/VirusProf...aspx?key=143034
QUOTE(Network Associates)
W32/Virut.h is a polymorphic, entry point obscuring (EPO) file infector with IRC bot functionality. It can accept commands to download other malware on the compromised machine.
It appends to the end of the last section of executable (PE) files an encrypted copy of its code. The decryptor is polymorphic and can be located either:
Immediately before the encrypted code at the end of the last section
At the end of the code section of the infected host in 'slack-space' (assuming there is any)
At the original entry point of the host (overwriting the original host code)


Miekiemoes, one of our team members here and an MS-MVP, additionally has a blog post about Virut.

Do you have any questions?
m0le is a proud member of UNITE

#8 torreypnz
  • Topic Starter
  • Members
  • 6 posts

Posted 19 January 2010 - 03:47 PM

Aww - I'm so sad about it!

I do have a couple questions though:
Does it steal passwords?
Can I save documents for reloading or could they be infected too?
How did I get this?

I really appreciate all your help ~ Thanks so much!

#9 m0le
    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 19 January 2010 - 05:11 PM

It is a file infector and does not steal passwords.

You can save data but follow the rules carefully to avoid transferring Virut across to the newly reformatted drive.

Caution: If you are considering reformatting and backing up your data, keep in mind, with a Virut infection, there is always a chance of backed up data reinfecting your system.

If the data is that important to you, then you can try to salvage some of it but there is no guarantee so be forewarned that you may have to start over again afterwards if reinfected by attempting to recover your data. Only back up your important documents, personal data files, photos to a CD or DVD drive, not a flash drive or external hard drive as they may become compromised in the process.

The safest practice is not to back up any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script (.php, .asp, and .html) files, because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executable files inside them, as some types of malware can penetrate and infect .exe files within compressed files too.

Other types of malware may even disguise themselves by adding and hiding their extension after the existing extension of a file, so be sure you look closely at the full file name. After reformatting, scan the backed-up data with your anti-virus prior to copying it back to your hard drive.


How you got it is a bit more difficult. The usual suspects are P2P file sharing, hacked websites, and malicious links in places such as Facebook, which seem a bit more popular now. It may have come from many sources.

I'll keep this topic open in case you have further questions.
m0le is a proud member of UNITE
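One way to apply the backup rules in the reply above as a check rather than by eye: an added example (not code from this thread or its participants) that triages a copied folder into keep / skip / review, flagging the extensions the reply lists, the decoy-extension trick ("holiday.jpg.exe"), and zip archives that carry executables inside. The sample files are constructed inline; the extra executable types searched for inside archives (.scr, .dll, .com) are an assumption beyond the page's list.

```python
import os
import tempfile
import zipfile
from pathlib import Path

# Extensions the reply above says to leave out of the backup.
SKIP_EXTS = {".exe", ".scr", ".ini", ".php", ".asp", ".html"}
ARCHIVE_EXTS = {".zip", ".cab", ".rar"}
# Executable types to look for inside archives. The reply names .exe; the
# other three are an assumption about what a file infector also targets.
EMBEDDED_EXEC_EXTS = {".exe", ".scr", ".dll", ".com"}

def classify(path: str) -> tuple[str, str]:
    """Return (verdict, reason): 'keep', 'skip' (do not back up) or 'review'."""
    suffixes = [s.lower() for s in Path(path).suffixes]
    if not suffixes:
        return "keep", "no extension"
    last = suffixes[-1]
    # The real type is the LAST extension; a decoy in front of it
    # ('holiday.jpg.exe') is the disguise the reply warns about.
    if last in SKIP_EXTS:
        if len(suffixes) > 1:
            return "skip", f"executable {last} hidden behind decoy {suffixes[-2]}"
        return "skip", f"executable/script extension {last}"
    if last in ARCHIVE_EXTS:
        return classify_archive(path, last)
    return "keep", f"data file {last}"

def classify_archive(path: str, ext: str) -> tuple[str, str]:
    """Open .zip files and check members; .cab/.rar go to manual review."""
    if ext != ".zip":
        return "review", f"{ext} archive cannot be inspected here"
    try:
        with zipfile.ZipFile(path) as zf:
            bad = [n for n in zf.namelist()
                   if Path(n).suffix.lower() in EMBEDDED_EXEC_EXTS]
    except zipfile.BadZipFile:
        return "review", "corrupt or non-zip data behind a .zip extension"
    if bad:
        return "skip", "archive contains executables: " + ", ".join(bad)
    return "keep", "archive holds data files only"

def triage(paths) -> dict:
    """Group candidates by verdict; each value is a list of (name, reason)."""
    groups = {"keep": [], "skip": [], "review": []}
    for p in paths:
        verdict, reason = classify(p)
        groups[verdict].append((os.path.basename(p), reason))
    return groups

def build_sample_backup(root: str) -> list:
    """Write constructed sample files standing in for a copied 'My Documents'."""
    for n in ["thesis.docx", "holiday.jpg", "holiday.jpg.exe", "setup.exe",
              "autorun.ini", "index.html", "old-drivers.rar"]:
        Path(root, n).write_bytes(b"constructed sample content")
    with zipfile.ZipFile(Path(root, "photos.zip"), "w") as zf:
        zf.writestr("beach.jpg", b"constructed jpeg bytes")
    with zipfile.ZipFile(Path(root, "tools.zip"), "w") as zf:
        zf.writestr("readme.txt", b"constructed text")
        zf.writestr("bin/tool.exe", b"MZ constructed")
    return sorted(str(p) for p in Path(root).iterdir())

def demo() -> dict:
    """Triage the constructed sample set in a scratch directory."""
    with tempfile.TemporaryDirectory() as d:
        return triage(build_sample_backup(d))
```

Calling demo() returns the three groups; in the sample set only the .docx, the real .jpg and the photo-only zip land in "keep", while the .rar is sent for manual review because it cannot be opened with the standard library.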

#10 m0le
    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 24 January 2010 - 07:21 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE
