mabm.exe missing NEED HELP


This topic is locked
5 replies to this topic

#1 Evoprobe

Posted 26 January 2010 - 01:34 PM

I think I have a trojan and/or a malware infection. Per ComboFix log:
ComboFix 10-01-26.01 - crossfam 01/26/2010 12:13:55.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.468 [GMT -6:00]
Running from: c:\documents and settings\crossfam\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Client Firewall *disabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\Cache
c:\windows\system32\gefuvihu.dll
c:\windows\system32\hariyobi.dll
c:\windows\system32\kipojamo.dll
c:\windows\system32\lelohute.dll
c:\windows\system32\nulojaka.dll
c:\windows\system32\piyojomi.dll
c:\windows\system32\rahuguzi.dll
c:\windows\system32\satevowa.dll
c:\windows\system32\selohuno.dll
c:\windows\system32\sukireze.dll
c:\windows\system32\timimume.dll
c:\windows\system32\wutokivu.dll
c:\windows\system32\wuwijaba.dll.vir
c:\windows\system32\yahosuze.dll
c:\windows\system32\yerofata.dll.vir
c:\windows\system32\zozazudo.dll

----- BITS: Possible infected sites -----

hxxp://82.98.235.34
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FAD


((((((((((((((((((((((((( Files Created from 2009-12-26 to 2010-01-26 )))))))))))))))))))))))))))))))
.

2010-01-26 18:03 . 2009-12-12 00:05 3613560 ----a-w- c:\documents and settings\crossfam\Application Data\Simply Super Software\Trojan Remover\vru254.exe
2010-01-26 17:45 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-26 17:45 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-26 17:45 . 2010-01-26 17:46 -------- d-----w- c:\program files\winner
2010-01-26 06:51 . 2010-01-26 06:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-26 06:41 . 2009-12-12 00:05 3613560 ----a-w- c:\documents and settings\crossfam\Application Data\Simply Super Software\Trojan Remover\ksi1.exe
2010-01-26 06:33 . 2006-06-19 18:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-01-26 06:33 . 2006-05-25 20:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-01-26 06:33 . 2005-08-26 06:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-01-26 06:33 . 2003-02-03 01:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-01-26 06:33 . 2002-03-06 06:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-01-26 06:32 . 2010-01-26 06:33 -------- d-----w- c:\program files\Trojan Remover
2010-01-26 06:32 . 2010-01-26 06:32 -------- d-----w- c:\documents and settings\crossfam\Application Data\Simply Super Software
2010-01-26 06:32 . 2010-01-26 06:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2010-01-24 16:23 . 2010-01-24 16:23 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{649BC22C-C7CE-4135-877C-D2AB174B063F}
2010-01-24 16:23 . 2010-01-20 19:00 3190545 -c--a-w- c:\documents and settings\All Users\Application Data\{649BC22C-C7CE-4135-877C-D2AB174B063F}\PSTInstall.exe
2010-01-24 16:23 . 2010-01-24 16:23 -------- d-----w- C:\dbs
2010-01-24 13:05 . 2010-01-24 13:05 95232 --sh--w- c:\windows\system32\fovidogo.dll
2010-01-22 21:15 . 2010-01-24 15:56 -------- d-----w- c:\program files\PokerStars
2010-01-21 19:55 . 2010-01-21 20:06 -------- d-----w- c:\program files\Risk II
2010-01-21 19:55 . 2010-01-21 19:55 -------- d-----w- c:\program files\ReflexiveArcade
2010-01-21 19:22 . 2010-01-21 22:28 -------- d-----w- c:\program files\GameSpy Arcade
2010-01-12 19:29 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-07 19:50 . 2010-01-09 04:01 -------- d-----w- c:\program files\EA GAMES
2010-01-05 15:07 . 2010-01-05 15:07 -------- d-----w- c:\documents and settings\crossfam\Local Settings\Application Data\My Games
2010-01-04 18:03 . 2007-10-22 09:37 17928 ----a-w- c:\windows\system32\X3DAudio1_2.dll
2010-01-04 18:03 . 2007-06-21 02:46 266088 ----a-w- c:\windows\system32\xactengine2_8.dll
2010-01-04 18:03 . 2007-05-16 22:45 443752 ----a-w- c:\windows\system32\d3dx10_34.dll
2010-01-04 18:03 . 2007-05-16 22:45 1124720 ----a-w- c:\windows\system32\D3DCompiler_34.dll
2010-01-04 18:03 . 2007-05-16 22:45 3497832 ----a-w- c:\windows\system32\d3dx9_34.dll
2010-01-04 17:42 . 2007-04-05 00:53 81768 ----a-w- c:\windows\system32\xinput1_3.dll
2010-01-04 17:42 . 2007-04-05 00:55 261480 ----a-w- c:\windows\system32\xactengine2_7.dll
2010-01-04 17:42 . 2007-03-15 22:57 443752 ----a-w- c:\windows\system32\d3dx10_33.dll
2010-01-04 17:42 . 2007-03-12 22:42 1123696 ----a-w- c:\windows\system32\D3DCompiler_33.dll
2010-01-04 17:41 . 2007-03-12 22:42 3495784 ----a-w- c:\windows\system32\d3dx9_33.dll
2010-01-04 17:41 . 2007-01-24 21:27 255848 ----a-w- c:\windows\system32\xactengine2_6.dll
2010-01-04 17:41 . 2006-12-08 18:02 251672 ----a-w- c:\windows\system32\xactengine2_5.dll
2010-01-04 17:41 . 2006-11-29 19:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2010-01-04 17:41 . 2007-03-05 18:42 15128 ----a-w- c:\windows\system32\x3daudio1_1.dll
2010-01-04 17:41 . 2006-09-28 22:05 237848 ----a-w- c:\windows\system32\xactengine2_4.dll
2010-01-04 17:41 . 2006-07-28 15:30 236824 ----a-w- c:\windows\system32\xactengine2_3.dll
2010-01-04 17:41 . 2006-07-28 15:30 62744 ----a-w- c:\windows\system32\xinput1_2.dll
2010-01-04 16:58 . 2005-05-26 21:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2010-01-04 03:25 . 2010-01-04 03:25 -------- d-----w- c:\program files\VALVe
2010-01-03 09:09 . 2010-01-03 09:09 -------- d-----w- c:\windows\system32\XPSViewer
2010-01-03 09:09 . 2010-01-03 09:09 -------- d-----w- c:\program files\MSBuild
2010-01-03 09:08 . 2010-01-03 09:08 -------- d-----w- c:\program files\Reference Assemblies
2010-01-03 09:08 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-01-03 09:08 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-01-03 09:08 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-01-03 09:08 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-01-03 09:08 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-01-03 09:08 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-01-03 09:08 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-01-03 09:08 . 2010-01-03 09:08 -------- d-----w- C:\b6b763c13916dbdefb2093f330562f
2010-01-03 09:08 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-01-03 09:08 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2010-01-03 04:11 . 2010-01-03 05:22 -------- d-----w- c:\documents and settings\crossfam\Local Settings\Application Data\Ahead
2010-01-03 04:05 . 2010-01-07 19:47 -------- d-----w- c:\documents and settings\crossfam\Application Data\Ahead
2010-01-03 04:05 . 2010-01-03 04:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Ahead
2010-01-03 04:02 . 2010-01-03 04:04 -------- d-----w- c:\program files\Common Files\Ahead
2010-01-03 04:02 . 2010-01-03 04:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2010-01-03 04:02 . 2010-01-03 04:02 -------- d-----w- c:\program files\Nero
2010-01-02 04:51 . 2010-01-02 04:51 -------- d-----w- C:\Downloads
2010-01-02 02:53 . 2010-01-02 02:59 -------- d-----w- C:\WebUpdater
2010-01-02 01:26 . 2010-01-02 01:26 -------- d-----w- c:\program files\directx
2010-01-02 00:46 . 2010-01-02 00:53 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-01-02 00:45 . 2010-01-02 00:45 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2010-01-01 23:20 . 2010-01-01 23:20 -------- d-----w- c:\program files\Garmin GPS Plugin
2010-01-01 23:20 . 2010-01-01 23:20 -------- d-----w- c:\program files\Garmin
2010-01-01 21:37 . 2010-01-02 03:01 -------- d-----w- c:\documents and settings\crossfam\Application Data\GARMIN
2010-01-01 21:36 . 2010-01-01 21:36 -------- d-----w- c:\program files\DIFX
2010-01-01 21:36 . 2010-01-02 02:59 -------- dc----w- c:\windows\system32\DRVSTORE
2009-12-30 23:41 . 2009-12-31 01:04 -------- d-----w- C:\DVD
2009-12-30 23:05 . 2009-12-30 23:05 -------- d-----w- c:\program files\DVD Shrink
2009-12-29 22:49 . 2010-01-11 02:45 -------- d-----w- c:\documents and settings\crossfam\Application Data\DVD Flick
2009-12-29 22:47 . 2003-01-26 19:41 40960 ----a-w- c:\windows\system32\ssubtmr6.dll
2009-12-29 22:45 . 2009-12-29 22:47 -------- d-----w- c:\program files\DVD Flick
2009-12-29 22:08 . 2009-12-29 22:08 -------- d-----w- c:\documents and settings\crossfam\Local Settings\Application Data\WMTools Downloaded Files
2009-12-29 16:38 . 2009-12-29 16:38 -------- d-----w- c:\documents and settings\crossfam\Application Data\AVS4YOU
2009-12-29 16:38 . 2009-12-29 16:38 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-12-29 16:36 . 2009-12-29 20:41 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-12-29 16:36 . 2009-12-29 20:41 -------- d-----w- c:\program files\AVS4YOU
2009-12-29 16:36 . 2008-08-13 16:22 1700352 ----a-w- c:\windows\system32\GdiPlus.dll
2009-12-29 16:36 . 2008-08-13 16:22 24576 ----a-w- c:\windows\system32\msxml3a.dll
2009-12-29 16:02 . 2010-01-11 02:46 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-12-29 04:10 . 2009-12-29 04:10 -------- d-----w- c:\documents and settings\crossfam\Application Data\DivX
2009-12-28 20:05 . 2009-12-28 20:05 -------- d-----w- c:\documents and settings\crossfam\Application Data\Sonic
2009-12-28 20:05 . 2009-12-28 20:05 -------- d-----w- c:\documents and settings\crossfam\Application Data\Leadertech
2009-12-28 15:57 . 2009-12-28 15:57 -------- d-----w- c:\windows\system32\custom matrices
2009-12-28 15:57 . 2009-12-28 15:58 -------- d-----w- c:\windows\system32\C2MP
2009-12-28 15:57 . 2009-12-28 15:57 -------- d-----w- c:\windows\system32\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-26 18:22 . 2009-08-18 02:13 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2010-01-26 18:22 . 2009-08-18 02:15 -------- d-----w- c:\documents and settings\LocalService\Application Data\VMware
2010-01-26 18:19 . 2009-08-16 19:26 40 ----a-w- c:\windows\system32\profile.dat
2010-01-26 18:03 . 2009-11-26 21:58 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-26 07:50 . 2009-08-18 02:17 -------- d-----w- c:\documents and settings\crossfam\Application Data\VMware
2010-01-26 07:39 . 2007-01-08 15:13 -------- d-----w- c:\program files\Modem Diagnostic Tool
2010-01-26 06:09 . 2009-08-16 19:25 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-01-26 04:28 . 2009-08-16 19:59 -------- d-----w- c:\program files\Nitto 1320 Legends
2010-01-26 04:27 . 2009-12-14 23:06 -------- d-----w- c:\program files\SpeedFan
2010-01-24 06:15 . 2009-12-23 16:12 -------- d-----w- c:\documents and settings\crossfam\Application Data\uTorrent
2010-01-21 19:44 . 2007-01-08 15:13 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-05 16:39 . 2007-01-08 15:13 -------- d-----w- c:\program files\Common Files\Sonic Shared
2010-01-04 18:18 . 2007-01-08 15:29 72496 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-02 21:27 . 2009-11-27 21:01 -------- d-----w- c:\program files\NVIDIA Corporation
2010-01-02 00:46 . 2009-10-06 18:31 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2010-01-02 00:46 . 2009-10-06 18:26 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-12-28 06:32 . 2009-12-28 06:31 4447744 --sha-w- c:\program files\ehthumbs.db
2009-12-28 06:32 . 2009-12-12 02:30 -------- d-----w- c:\program files\Virtools
2009-12-28 06:32 . 2009-12-23 16:12 -------- d-----w- c:\program files\uTorrent
2009-12-22 05:21 . 2005-08-16 10:18 667136 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:20 . 2005-08-16 10:18 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-19 04:00 . 2009-09-01 03:25 -------- d-----w- c:\documents and settings\crossfam\Application Data\Corel
2009-12-19 03:57 . 2009-09-01 03:25 88 --sh--r- c:\windows\system32\128EF31701.sys
2009-12-14 23:04 . 2009-12-14 23:00 -------- d-----w- c:\program files\Motherboard Monitor 5
2009-12-12 06:29 . 2007-01-08 15:17 -------- d-----w- c:\program files\QuickTime
2009-12-12 05:59 . 2005-08-17 02:58 -------- d-----w- c:\program files\RGB
2009-12-11 03:04 . 2009-12-11 03:04 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2009-12-11 03:00 . 2009-12-11 03:00 -------- d-----w- c:\program files\SystemRequirementsLab
2009-12-11 03:00 . 2009-12-11 03:00 -------- d-----w- c:\documents and settings\crossfam\Application Data\SystemRequirementsLab
2009-12-11 03:00 . 2009-12-11 03:00 290816 ----a-w- c:\documents and settings\crossfam\Application Data\SystemRequirementsLab\SRLProxy_nvd_4.dll
2009-12-11 03:00 . 2009-12-11 03:00 290816 ----a-w- c:\documents and settings\crossfam\Application Data\SystemRequirementsLab\SRLProxy_nvd_3.dll
2009-12-11 03:00 . 2009-12-11 03:00 290816 ----a-w- c:\documents and settings\crossfam\Application Data\SystemRequirementsLab\SRLProxy_nvd_2.dll
2009-12-11 03:00 . 2009-12-11 03:00 290816 ----a-w- c:\documents and settings\crossfam\Application Data\SystemRequirementsLab\SRLProxy_nvd_1.dll
2009-12-10 23:36 . 2007-01-08 15:22 -------- d-----w- c:\program files\Yahoo!
2009-12-10 23:36 . 2009-10-09 16:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-12-10 23:33 . 2009-11-14 22:25 -------- d-----w- c:\program files\PokerStars.NET
2009-12-10 23:26 . 2009-12-10 23:26 -------- d-----w- c:\documents and settings\crossfam\Application Data\Template
2009-12-10 23:26 . 2009-12-10 23:26 0 ----a-w- c:\documents and settings\crossfam\Application Data\wklnhst.dat
2009-12-10 19:04 . 2009-10-19 21:16 1244 ----a-w- c:\windows\checkip.dat
2009-12-07 22:00 . 2009-10-09 16:08 -------- d-----w- c:\documents and settings\crossfam\Application Data\Yahoo!
2009-12-02 17:02 . 2009-12-02 17:02 1632887 ----a-w- c:\windows\system32\ffmpegmt.dll
2009-12-02 16:56 . 2009-12-02 16:56 4840081 ----a-w- c:\windows\system32\libavcodec.dll
2009-11-30 19:25 . 2007-01-08 15:13 -------- d-----w- c:\program files\Dell
2009-11-29 05:12 . 2009-08-16 19:05 -------- d--h--w- c:\documents and settings\crossfam\Application Data\Gtek
2009-11-29 05:12 . 2007-01-08 15:25 -------- d--h--w- c:\documents and settings\Administrator\Application Data\GTek
2009-11-27 21:00 . 2009-11-27 21:00 -------- d-----w- c:\program files\NVIDIA nTune Performance Application
2009-11-27 20:21 . 2009-11-27 20:21 -------- d-----w- c:\program files\CPUID
2009-11-26 23:09 . 2005-08-16 10:41 88263 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-11-21 15:51 . 2005-08-16 10:18 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-19 22:29 . 2009-11-19 22:29 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-04 18:45 . 2009-11-04 18:45 611638 ----a-w- c:\windows\system32\libmplayer.dll
2009-11-04 18:43 . 2009-11-04 18:43 324096 ----a-w- c:\windows\system32\TomsMoComp_ff.dll
2009-11-03 20:11 . 2009-11-03 20:11 113152 ----a-w- c:\windows\system32\ff_unrar.dll
2009-11-03 20:11 . 2009-11-03 20:11 146944 ----a-w- c:\windows\system32\ff_tremor.dll
2009-11-03 20:10 . 2009-11-03 20:10 183296 ----a-w- c:\windows\system32\ff_samplerate.dll
2009-11-03 20:09 . 2009-11-03 20:09 178688 ----a-w- c:\windows\system32\ff_libmad.dll
2009-11-03 20:08 . 2009-11-03 20:08 484864 ----a-w- c:\windows\system32\ff_libfaad2.dll
2009-11-03 20:08 . 2009-11-03 20:08 257024 ----a-w- c:\windows\system32\ff_libdts.dll
2009-11-03 20:07 . 2009-11-03 20:07 142848 ----a-w- c:\windows\system32\ff_liba52.dll
2009-11-03 19:36 . 2009-11-03 19:36 145408 ----a-w- c:\windows\system32\libmpeg2_ff.dll
2009-11-03 19:34 . 2009-11-03 19:34 100864 ----a-w- c:\windows\system32\ff_wmv9.dll
2009-11-03 19:34 . 2009-11-03 19:34 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-11-03 18:07 . 2009-11-03 18:07 895308 ----a-w- c:\windows\system32\xvidcore.dll
2009-11-03 18:05 . 2009-11-03 18:05 957047 ----a-w- c:\windows\system32\ff_x264.dll
1998-04-27 06:00 . 1998-04-27 06:00 570128 ----a-w- c:\program files\Common Files\DAO350.DLL
1601-01-01 00:03 . 1601-01-01 00:03 95232 --sha-w- c:\windows\system32\dagewoyo.dll
1601-01-01 00:03 . 1601-01-01 00:03 92160 --sha-w- c:\windows\system32\huyowoza.dll
1601-01-01 00:03 . 1601-01-01 00:03 55296 --sha-w- c:\windows\system32\jenorogu.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:03 61440 --sha-w- c:\windows\system32\jepuzuwe.dll
1601-01-01 00:03 . 1601-01-01 00:03 55296 --sha-w- c:\windows\system32\lerodeze.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:03 55296 --sha-w- c:\windows\system32\megafale.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:03 61952 --sha-w- c:\windows\system32\rahurite.dll
1601-01-01 00:03 . 1601-01-01 00:03 61440 --sha-w- c:\windows\system32\sewabune.dll
1601-01-01 00:03 . 1601-01-01 00:03 92160 --sha-w- c:\windows\system32\wubarihe.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-28 152872]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-08-15 282624]
"ClockGen"="c:\documents and settings\crossfam\My Documents\Downloads\ClockGen_1.0.5.3\ClockGen.exe" [2007-02-23 816841]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-07-27 221184]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-11-19 1657448]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~2\VPTray.exe" [2006-03-17 124656]
"VMware hqtray"="c:\program files\VMware\VMware Player\hqtray.exe" [2008-05-16 55856]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2007-01-08 26112]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"Corel Photo Downloader"="c:\program files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe" [2006-08-14 462336]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2009-10-18 1070984]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-1-8 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-10-30 11:57 369200 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-08-23 18:12 7630848 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\crossfam\\My Documents\\Downloads\\utorrent.exe"=

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/6/2009 12:26 PM 691696]
R2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [11/27/2009 2:21 PM 12672]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [12/11/2009 8:05 PM 102448]
S3 cg;cg;\??\c:\documents and settings\crossfam\My Documents\Downloads\CG-NVNF4\cg.sys --> c:\documents and settings\crossfam\My Documents\Downloads\CG-NVNF4\cg.sys [?]
S3 SavRoam;SAVRoam;c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [3/17/2006 5:34 AM 115952]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3070108
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
DPF: {A084A130-28AE-4B32-B51A-1C8CE164BC88} - hxxp://www.convergysworkathome.com/AppHardT.CAB
FF - ProfilePath - c:\documents and settings\crossfam\Application Data\Mozilla\Firefox\Profiles\95c015m1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll
FF - plugin: c:\windows\system32\C2MP\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
FF - user.js: browser.sessionstore.resume_from_crash - false
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-HookURL - (no file)
URLSearchHooks-Rank - (no file)
BHO-{2a7ceb3f-7f66-423a-b52c-a3805a13229a} - surojupu.dll
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-wotukasabe - selohuno.dll
HKLM-Run-rijimozok - c:\windows\system32\wuwijaba.dll
SharedTaskScheduler-{9610d92c-84df-4927-93ff-77b8781c64ee} - (no file)
SharedTaskScheduler-{cc559d7b-3169-451a-9cd3-82b591c05dfd} - c:\windows\system32\wuwijaba.dll
SSODL-birefalis-{ccf046d1-b831-4f3c-aa35-d9ddb3396ac9} - (no file)
SSODL-movonupag-{cc559d7b-3169-451a-9cd3-82b591c05dfd} - c:\windows\system32\wuwijaba.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-26 12:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spnr.sys >>UNKNOWN [0x861F6938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74cbf28
\Driver\ACPI -> ACPI.sys @ 0xf7253cb8
\Driver\atapi -> atapi.sys @ 0xf71e8b40
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> NDIS.sys @ 0xf70f1bb0
PacketIndicateHandler -> NDIS.sys @ 0xf70fea21
SendHandler -> NDIS.sys @ 0xf70dc87b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2732)
c:\program files\NVIDIA Corporation\nView\nview.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
c:\windows\system32\nvwddi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\ccProxy.exe
c:\program files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\stsystra.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\rundll32.exe
c:\windows\System32\snmp.exe
c:\program files\Symantec Client Security\Symantec AntiVirus\DoScan.exe
c:\program files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
c:\program files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
c:\program files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
c:\windows\system32\vmnat.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\VMware\VMware Player\vmware-authd.exe
c:\windows\system32\vmnetdhcp.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\windows\system32\dllhost.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\windows\eHome\ehmsas.exe
c:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
.
**************************************************************************
.
Completion time: 2010-01-26 12:26:23 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-26 18:26

Pre-Run: 40,000,106,496 bytes free
Post-Run: 39,918,190,592 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 015271ED2D07398836C5E562DA70EE5E
Please help me, and thank you.

Edit: Moved topic from XP to the more appropriate forum. ~ Animal


#2 Evoprobe

Posted 26 January 2010 - 01:51 PM

After running ComboFix I was able to get Malwarebytes back; here is the Malwarebytes log:
Malwarebytes' Anti-Malware 1.44
Database version: 3641
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

1/26/2010 12:42:00 PM
mbam-log-2010-01-26 (12-42-00).txt

Scan type: Quick Scan
Objects scanned: 120413
Time elapsed: 5 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\dagewoyo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fovidogo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\huyowoza.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jepuzuwe.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rahurite.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sewabune.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wubarihe.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\crossfam\My Documents\downloads\explorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.


#3 Evoprobe

Posted 26 January 2010 - 02:01 PM

Sorry, I did not mean to post in the wrong place; thank you for the move.
I ran Malwarebytes again and here is the new log. I think something is wrong.

Malwarebytes' Anti-Malware 1.44
Database version: 3641
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

1/26/2010 12:55:09 PM
mbam-log-2010-01-26 (12-55-09).txt

Scan type: Quick Scan
Objects scanned: 120605
Time elapsed: 7 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#4 Evoprobe

Posted 26 January 2010 - 03:08 PM

Please help me

===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level, attempted removal could have disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us wants someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not post multiple times here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take several days, up to two weeks perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

Thank you for understanding.

Orange Blossom ~ forum moderator

Edited by Orange Blossom, 26 January 2010 - 07:41 PM.


#5 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:07:29 PM

Posted 31 January 2010 - 06:46 AM

Hello and welcome to Bleeping Computer!

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Elle
Can you hear it? It's all around!

Do you remember?
If so, then
can you forgive?



If I haven't replied in 48 hours, please feel free to send me a PM.




#6 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:29 AM

Posted 07 February 2010 - 10:01 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/



