
Unknown Infection: Browser Redirects, Unable to run anti-malware applications


This topic is locked
22 replies to this topic

#1 avriethoff

  • Members
  • 11 posts

Posted 30 January 2010 - 05:53 PM

When running in Standard Boot mode, the computer is abnormally slow to respond, Google search results will be redirected about 30% of the time, and popup advertisements will regularly appear. Additionally, I get an error that Malwarebytes' Anti-Malware cannot be found when I double-click the icon, and apparently the same has now happened to Lavasoft's Ad-Aware. Although Spybot Search and Destroy will try to load, the status bar freezes near the end and will not boot. Last night my computer's desktop background changed to a black image with writing on it saying that my system was infected and that I should run anti-malware software to correct the issue. I wish I had a verbatim statement to type here, but I cannot view my system in Regular Boot mode anymore. The system now will load to a black screen with a cursor in Regular Boot mode, so I must now boot to Safe Mode. Although I notice that the web browser is more responsive, I still get the popup notifications, and the spyware/malware removal programs will not load. The popup ads seem to be tailored to my browsing habits, with the current ad being from Nexplore (http://www.nexplore.com/search.html#pid=aon-pop1&query=download+com&source=113120). I would have attached a log from any of the suggested online virus scanners, but they seemed to hang at around 24,000 files and would not continue to finish the scan. I hope I have been as clear as possible, but am ready and willing to help anyone who is willing to help me! Thank you very much for your time.

DDS (Ver_09-12-01.01) - NTFSx86 NETWORK
Run by Administrator at 14:29:59.42 on Sat 01/30/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.178 [GMT -8:00]

FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.33.0\gears.dll
BHO: {ffa622b6-8967-438a-8744-bbc4776acd68} - vemejofa.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [TopDesk] c:\program files\topdesk trial\topdesk.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_05\bin\jusched.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Getca] c:\program files\belkin usb wireless monitor\InfoMyCa.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [smss32.exe] c:\windows\system32\smss32.exe
mRun: [dasiyokey] Rundll32.exe "c:\windows\system32\fedeyipu.dll",a
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\pin.lnk - c:\hp\bin\CLOAKER.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\deskto~1.lnk - c:\program files\research in motion\blackberry\DesktopMgr.exe
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_05\bin\npjpi150_05.dll
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.33.0\gears.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: buy-internet-security10.com
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1170748166000
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1252409230984
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {99FE5072-78AA-4FEE-89BA-69A5FA55343F} - hxxp://download.microsoft.com/download/B/3/A/B3A2EA73-793D-4ABE-992D-C81140384044/igdtoolx.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: gawifisu.dll c:\windows\system32\tevalili.dll c:\windows\system32\yumevuni.dll c:\windows\system32\fedeyipu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: dadofogos - {8d9f3706-ca69-478d-8704-5b920255fa9a} - c:\windows\system32\fedeyipu.dll
STS: tokatiluy: {8d9f3706-ca69-478d-8704-5b920255fa9a} - c:\windows\system32\fedeyipu.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli gawifisu.dll geyubuzu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\c69ffnn2.default\
FF - component: c:\program files\google\google gears\firefox\lib\ff35\gears.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJPI150_05.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npImgCtl.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-1-26 28552]
S2 Belkin 54Mbps Wireless USB;Belkin 54Mbps Wireless USB Network Service;c:\program files\belkin usb wireless monitor\WLService.exe [2007-2-5 49152]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-9-29 133104]
S2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-2-18 1174152]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-4-29 24652]
S2 WUSB300NSvc;WUSB300NSvc;c:\program files\linksys\wusb300n\WLService.exe [2007-2-10 53307]

=============== Created Last 30 ================

2010-01-30 17:35:27 0 d-sh--w- c:\windows\system32\lowsec
2010-01-30 07:48:55 0 ----a-w- c:\windows\system32\41.exe
2010-01-30 07:48:37 0 ----a-w- c:\windows\system32\IS15.exe
2010-01-30 07:48:10 0 ----a-w- c:\windows\system32\helper32.dll
2010-01-30 07:47:13 2931 ----a-w- c:\windows\system32\warning.html
2010-01-30 07:47:05 39424 ----a-w- c:\windows\system32\winlogon32.exe
2010-01-26 23:23:25 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-01-26 23:22:47 0 d-----w- c:\program files\Panda Security
2010-01-26 21:30:50 0 d-----w- c:\program files\ESET
2010-01-26 06:12:39 98816 ----a-w- c:\windows\sed.exe
2010-01-26 06:12:39 77312 ----a-w- c:\windows\MBR.exe
2010-01-26 06:12:39 261632 ----a-w- c:\windows\PEV.exe
2010-01-26 06:12:39 161792 ----a-w- c:\windows\SWREG.exe
2010-01-26 06:02:35 3836757 ----a-r- C:\ComboFix.exe
2010-01-26 05:55:37 70 ---ha-w- C:\aaw7boot.cmd
2010-01-24 06:42:37 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-24 06:41:33 0 d-----w- c:\program files\Lavasoft
2010-01-24 06:21:11 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-01-24 06:21:11 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-01-23 06:28:32 0 d-----w- c:\program files\Trend Micro
2010-01-22 05:26:29 0 d-----w- c:\docume~1\alluse~1\applic~1\Research In Motion
2010-01-22 05:24:37 0 d-----w- c:\program files\common files\Research In Motion
2010-01-22 05:24:35 0 d-----w- c:\program files\Research In Motion
2010-01-22 05:08:10 92 ----a-w- c:\windows\CMISETUP.INI
2010-01-22 05:08:09 26 ----a-w- c:\windows\CMCDPLAY.INI
2010-01-22 05:08:01 28672 ----a-w- c:\windows\CMIRmDriver.dll
2010-01-22 05:08:01 266240 ----a-w- c:\windows\CMIUninstall.exe
2010-01-22 05:08:01 225280 ----a-w- c:\windows\CmiRmRedundDir.exe
2010-01-22 05:08:01 0 d-----w- c:\program files\C-Media 3D Audio
2010-01-22 04:49:09 0 d-----w- c:\program files\Microsoft
2010-01-22 04:48:35 0 d-----w- c:\program files\Windows Live SkyDrive
2010-01-22 04:45:44 0 d-----w- c:\program files\common files\Windows Live
2010-01-22 03:35:11 0 d-----w- c:\docume~1\alluse~1\applic~1\UAB
2010-01-22 03:35:05 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Drivers HeadQuarters
2010-01-22 03:24:31 0 d-----w- c:\program files\PC Drivers HeadQuarters
2010-01-20 19:00:37 0 d-----w- C:\dell
2010-01-12 21:24:36 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

==================== Find3M ====================

2010-01-08 00:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-08 00:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 15:33:06 70656 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-31 15:33:06 13824 ----a-w- c:\windows\system32\dllcache\ieudinit.exe
2009-12-18 13:05:43 634648 ----a-w- c:\windows\system32\dllcache\iexplore.exe
2009-12-18 13:04:09 161792 ----a-w- c:\windows\system32\dllcache\ieakui.dll
2009-12-07 18:26:49 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
1601-01-01 00:03:28 51712 --sha-w- c:\windows\system32\bujivisi.dll
1601-01-01 00:03:28 38912 --sha-w- c:\windows\system32\dataheme.dll
1601-01-01 00:03:28 37888 --sha-w- c:\windows\system32\disolada.dll
1601-01-01 00:03:28 92160 --sha-w- c:\windows\system32\fedeyipu.dll
1601-01-01 00:03:28 38400 --sha-w- c:\windows\system32\javinete.dll
1601-01-01 00:03:28 61440 --sha-w- c:\windows\system32\kidelihe.dll
1601-01-01 00:03:28 38400 --sha-w- c:\windows\system32\minotaze.dll
1601-01-01 00:03:28 38400 --sha-w- c:\windows\system32\pubunate.dll
1601-01-01 00:03:28 37888 --sha-w- c:\windows\system32\romezeju.dll
1601-01-01 00:03:28 38912 --sha-w- c:\windows\system32\siyipino.dll
1601-01-01 00:03:28 38400 --sha-w- c:\windows\system32\sugazeri.dll
1601-01-01 00:03:52 51712 --sha-w- c:\windows\system32\vemejofa.dll
1601-01-01 00:03:28 38912 --sha-w- c:\windows\system32\zosusewa.dll
2009-09-08 13:18:03 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009090820090909\index.dat

============= FINISH: 14:30:33.51 ===============

Attached Files
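A defender's triage of the DDS log above, written as an added example (it is not part of the thread and not code from the DDS tool). It scans the pseudo-HJT and file-listing lines for the persistence indicators visible in this log: an extra executable in the Userinit chain, AppInit_DLLs entries, non-default LSA notification packages, a Trusted Zone entry, eight-letter consonant-vowel DLL names, system-process lookalike names, and hidden+system files stamped 1601-01-01. The rule names and the consonant-vowel heuristic are mine; the sample is a subset of the posted log.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a subset of the DDS log lines posted in this thread.
SAMPLE_LOG = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {ffa622b6-8967-438a-8744-bbc4776acd68} - vemejofa.dll
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [smss32.exe] c:\windows\system32\smss32.exe
mRun: [dasiyokey] Rundll32.exe "c:\windows\system32\fedeyipu.dll",a
Trusted Zone: buy-internet-security10.com
AppInit_DLLs: gawifisu.dll c:\windows\system32\tevalili.dll c:\windows\system32\yumevuni.dll c:\windows\system32\fedeyipu.dll
LSA: Notification Packages = scecli gawifisu.dll geyubuzu.dll
2010-01-08 00:07:14 38224 ----a-w- c:\windows\system32\drivers\mbam.sys
1601-01-01 00:03:28 92160 --sha-w- c:\windows\system32\fedeyipu.dll
"""

# Heuristic (mine): eight letters of strict consonant-vowel alternation, the shape of
# the generated names in this log (fedeyipu, vemejofa, gawifisu ...). Vendor names rarely fit.
RANDOM_NAME = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}$")
# Names that mimic a core Windows process with a suffix, e.g. smss32.exe, winlogon32.exe.
LOOKALIKE = re.compile(r"^(?:smss|csrss|winlogon|lsass|svchost|services)\w+$")
# Any module name with a dll/exe/sys extension appearing anywhere on the line.
MODULE = re.compile(r"([\w$~-]+)\.(dll|exe|sys)\b", re.IGNORECASE)
# DDS "Created Last 30" / "Find3M" rows: date time size attrs path
FILE_ROW = re.compile(r"^(\d{4}-\d{2}-\d{2}) \S+ \d+ (\S{8}) (.+)$")


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def triage(log: str) -> list[Finding]:
    """Return one Finding per (rule, artifact) pair, in log order, without duplicates."""
    findings: list[Finding] = []
    seen: set[tuple[str, str]] = set()

    def add(rule: str, detail: str) -> None:
        key = (rule, detail.lower())
        if key not in seen:
            seen.add(key)
            findings.append(Finding(rule, detail))

    for line in log.strip().splitlines():
        if line.startswith("mWinlogon: Userinit="):
            # Everything in the comma-separated Userinit chain runs at every logon;
            # only userinit.exe belongs there.
            for part in line.split("=", 1)[1].split(","):
                part = part.strip()
                if part and not part.lower().endswith("\\userinit.exe"):
                    add("userinit-extra", part)
        elif line.startswith("AppInit_DLLs:"):
            # Normally empty; each listed DLL is loaded into every process that uses user32.
            for dll in line.split(":", 1)[1].split():
                add("appinit-dll", dll)
        elif line.startswith("LSA: Notification Packages"):
            # scecli is the only default package; extra DLLs see password changes.
            for pkg in line.split("=", 1)[1].split():
                if pkg.lower() != "scecli":
                    add("lsa-package", pkg)
        elif line.startswith("Trusted Zone:"):
            add("trusted-zone", line.split(":", 1)[1].strip())

        row = FILE_ROW.match(line)
        if row and row.group(1) == "1601-01-01" and "h" in row.group(2) and "s" in row.group(2):
            # 1601-01-01 is the FILETIME epoch: the timestamp was cleared or forged.
            # Hidden+system attributes on such a file add to the suspicion.
            add("zeroed-timestamp-hidden", row.group(3))

        for name, ext in MODULE.findall(line):
            base = name.lower()
            if RANDOM_NAME.match(base):
                add("random-name", f"{base}.{ext.lower()}")
            if LOOKALIKE.match(base):
                add("system-lookalike", f"{base}.{ext.lower()}")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:24} {f.detail}")
```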





#2 syler

  • Malware Response Team
  • 8,150 posts
  • Location:Warrington, UK

Posted 07 February 2010 - 11:03 AM

Hello,

My name is Syler and I will be helping you to solve your malware issues. If you have since resolved your issues I would appreciate it if you
would let me know so I can close this topic; if you still need help, please let me know what issues you are still having in your next reply.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and
we are trying our best to keep up.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)


  1. Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  2. Disconnect from the Internet and close all running programs, as this process may crash your computer.
  3. Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  4. Double click on Gmer to run it.
  5. Allow the gmer.sys driver to load if asked.
  6. You may see a rootkit warning window. If you do, click No.
  7. Untick the following boxes on the right side of the Gmer screen.
    Sections
    IAT/EAT
    Files
    Show All
  8. Click on and wait for the scan to finish.
  9. If you see a rootkit warning window, click OK.
  10. Push and save the logfile to your desktop.
  11. Copy and Paste the contents of that file in your next post.



Then please post back here with the following:
  • log.txt
  • info.txt
  • Gmer log

Thanks



#3 avriethoff

  • Topic Starter
  • Members
  • 11 posts

Posted 08 February 2010 - 05:48 PM

Thank you for your reply. My name is Anthony, by the way. I am still having to run in Safe Mode to maintain any semblance of a normal computing experience. I am constantly getting errors about certain processes not being able to load because they are infected, and a click on the fix button prompts me to scan with some unknown malware scanner and to buy it to remove the infections.

Attached Files



#4 syler

  • Malware Response Team
  • 8,150 posts
  • Location:Warrington, UK

Posted 08 February 2010 - 06:29 PM

Hi Anthony,


Please download Kenco.exe and save it to your desktop.
  • Double-click on Kenco.exe to run it (if you get a security warning, click run).
  • You will see a black command window and shortly a logfile will be opened. Note - Kenco.log will be saved on your desktop.
  • In order to complete the cleaning process, Kenco.exe may need to reboot your computer.
Please copy/paste the contents of kenco.log in your next reply.



Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Then please post back here with the following logs:
  • kenco.log
  • Combofix.txt

Thanks



#5 avriethoff

  • Topic Starter
  • Members
  • 11 posts

Posted 08 February 2010 - 07:09 PM

Syler,

Let me know in your next post if you require some, all, or none of these scans to be performed in Regular (Not Safe) Mode.

I was able to boot to the desktop in Regular Mode, however when I tried clicking the start button it appeared that explorer.exe crashed.

One strange note: I notice that the ComboFix log says that it had been created on January 25, Not February 8th as it should be.

Attached Files



#6 syler

  • Malware Response Team
  • 8,150 posts
  • Location:Warrington, UK

Posted 09 February 2010 - 10:11 AM

QUOTE
One strange note: I notice that the ComboFix log says that it had been created on January 25


That's because you had already run it on that date and you have posted the log from that run. Run it again in normal mode, if
you have problems running it let me know.



#7 avriethoff

  • Topic Starter
  • Members
  • 11 posts

Posted 09 February 2010 - 04:59 PM

I only re-ran ComboFix (none of the others; you didn't specify if that was necessary or not). I have attached the log for you. Thank you for dealing with my and my family's computer ineptness. I know a thing or two about malware, but this is a little above me. Thanks again.

-Anthony

Attached Files



#8 syler

  • Malware Response Team
  • 8,150 posts
  • Location:Warrington, UK

Posted 09 February 2010 - 05:47 PM

Please follow the instructions here to disable any CD emulation software, then run Gmer again in normal mode.


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
collect::
c:\program files\skynet.dat
c:\windows\system32\pool.bin
c:\windows\system32\bujivisi.dll
c:\windows\system32\fedeyipu.dll
c:\windows\system32\fitozeba.dll
c:\windows\system32\gukejibu.dll
c:\windows\system32\kidelihe.dll
c:\windows\system32\kowogepu.dll
c:\windows\system32\sisazibo.dll
c:\windows\system32\vijibidi.dll
C:\WINDOWS\tasks\odthrmbz.job
Folder::
c:\program files\schtml
C:\Your PC Protector
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ffa622b6-8967-438a-8744-bbc4776acd68}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dasiyokey"=-
"jasunalaho"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\explorer.exe"=-


Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



I don't see an Anti Virus Program running on your machine
  • Download and install an antivirus program, and make sure that you keep it updated
New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
Two good antivirus programs free for non-commercial home use are Avast! and Antivir
Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.


Then please post back here with the following logs:
  • Gmer log
  • Combofix.txt

Thanks



#9 avriethoff

  • Topic Starter
  • Members
  • 11 posts

Posted 12 February 2010 - 08:06 PM

Syler,

When I ran ComboFix with the CFScript.txt file you had me use, ComboFix prompted me to install a new version that was available. ComboFix shut down, and then restarted to apply the update, but I am not sure that it used CFScript.txt in the log file I am posting today.

I have installed and am updating Avira AntiVir as we speak, I will let you know in a followup post if anything is found. I had no AV running before because whatever malware that was on my computer was preventing me from running Avira.

Attached Files



#10 syler

  • Malware Response Team
  • 8,150 posts
  • Location:Warrington, UK

Posted 12 February 2010 - 08:28 PM

Hi Anthony,

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • A blank window shall open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy the content of the following codebox into the main textfield :
    CODE
    :filefind
    atapi.sys
  • Please confirm everything is copied and pasted as I have provided above.
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt



#11 avriethoff

  • Topic Starter
  • Members
  • 11 posts

Posted 12 February 2010 - 11:28 PM

Syler,

I have provided the SystemLook log, as well as the Avira scan log if that is of any use to you. I cannot fathom how 100+ malicious pieces of code were found on this system. Time to keep my sister off of those darned myspace layout websites, ringtone websites, etc.

Thanks again,

Anthony

Attached Files



#12 syler

  • Malware Response Team
  • 8,150 posts
  • Location:Warrington, UK

Posted 13 February 2010 - 11:36 AM

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
FCopy
C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


  • Go to Start, open control panel.
  • Double click Internet Options, select the Security tab
  • Click on Trusted Sites and select Sites.
  • Now select the following sites one at a time and click Remove then Close.
    buy-internet-security10.com
    is-soft-download.com
    is-software-download25.com
    buy-internet-security10.com
  • Then click Apply and Ok.



#13 avriethoff

  • Topic Starter
  • Members
  • 11 posts

Posted 13 February 2010 - 06:02 PM

Syler,

Not sure if these two are relevant to each other, but here are two logs that look like they pertain to this recent ComboFix scan.

Thanks,

Anthony

Attached Files



#14 syler

  • Malware Response Team
  • 8,150 posts
  • Location:Warrington, UK

Posted 13 February 2010 - 06:22 PM

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • A blank window shall open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy the content of the following codebox into the main textfield :
    CODE
    :filefind
    iastor.*
  • Please confirm everything is copied and pasted as I have provided above.
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt



#15 avriethoff

  • Topic Starter
  • Members
  • 11 posts

Posted 16 February 2010 - 03:03 PM

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 21:48 on 15/02/2010 by Compaq_Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "iastor.*"
C:\hp\drivers\Intel_5_1_0_1022_PV\iastor.cat --a--- 8178 bytes [17:02 01/07/2005] [17:02 01/07/2005] EF34B8C6EAFC9822337D74C35FF5F00B
C:\hp\drivers\Intel_5_1_0_1022_PV\iastor.inf --a--- 3796 bytes [13:26 17/06/2005] [13:26 17/06/2005] CCFDFB6AB928C7187D00C2A90B5903F9
C:\hp\drivers\Intel_5_1_0_1022_PV\iastor.PNF --a--- 9284 bytes [07:03 05/12/2005] [03:41 06/02/2007] 24E822D90D48F6C2AF284A152879488F
C:\hp\drivers\Intel_5_1_0_1022_PV\iastor.sys --a--- 872064 bytes [13:33 17/06/2005] [13:33 17/06/2005] 9A65E42664D1534B68512CAAD0EFE963
C:\WINDOWS\system32\drivers\iaStor.sys --a--- 872064 bytes [13:33 17/06/2005] [13:33 17/06/2005] 9A65E42664D1534B68512CAAD0EFE963

-=End Of File=-
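The check implied by the SystemLook output above, done programmatically, as an added example (not SystemLook's or the helper's own code): parse each filefind result line and compare the MD5 and size of the copy installed under system32\drivers with every other copy found (here the vendor copy under C:\hp\drivers); equal hashes mean the installed iaStor.sys is unmodified, which is the same reasoning behind restoring atapi.sys from ServicePackFiles in post #12. The installed-driver directory is an assumption, and the example.sys lines with placeholder hashes are constructed to exercise the mismatch branch.

```python
import re
from collections import defaultdict

# Assumed location of the live driver copy.
INSTALLED_DIR = r"c:\windows\system32\drivers"

# Two lines copied from the SystemLook log above, plus two constructed lines
# (placeholder hashes) for a driver whose installed copy does not match its backup.
SAMPLE = r"""
Searching for "iastor.*"
C:\hp\drivers\Intel_5_1_0_1022_PV\iastor.sys --a--- 872064 bytes [13:33 17/06/2005] [13:33 17/06/2005] 9A65E42664D1534B68512CAAD0EFE963
C:\WINDOWS\system32\drivers\iaStor.sys --a--- 872064 bytes [13:33 17/06/2005] [13:33 17/06/2005] 9A65E42664D1534B68512CAAD0EFE963
C:\constructed\backup\example.sys --a--- 96512 bytes [00:00 01/01/2000] [00:00 01/01/2000] 00000000000000000000000000000000
C:\WINDOWS\system32\drivers\example.sys --a--- 96512 bytes [00:00 01/01/2000] [00:00 01/01/2000] FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
"""

# SystemLook filefind row: <path> <attrs> <size> bytes [created] [modified] <MD5>
LINE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_filefind(text):
    """Return a list of dicts (path, attrs, size, created, modified, md5) for result rows."""
    entries = []
    for line in text.strip().splitlines():
        m = LINE.match(line)
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].upper()
            entries.append(entry)
    return entries


def compare_installed(entries, installed_dir=INSTALLED_DIR):
    """For each file name, compare the copy under installed_dir with all other copies.

    Verdicts: "match" (hash and size agree with every reference copy), "mismatch",
    "no-reference" (only the installed copy was found), "not-installed".
    """
    by_name = defaultdict(lambda: {"live": [], "refs": []})
    prefix = installed_dir.lower().rstrip("\\") + "\\"
    for e in entries:
        name = e["path"].rsplit("\\", 1)[-1].lower()
        bucket = "live" if e["path"].lower().startswith(prefix) else "refs"
        by_name[name][bucket].append(e)

    verdicts = {}
    for name, copies in by_name.items():
        live, refs = copies["live"], copies["refs"]
        if not live:
            verdicts[name] = "not-installed"
        elif not refs:
            verdicts[name] = "no-reference"
        elif all(r["md5"] == live[0]["md5"] and r["size"] == live[0]["size"] for r in refs):
            verdicts[name] = "match"
        else:
            verdicts[name] = "mismatch"
    return verdicts


if __name__ == "__main__":
    for name, verdict in compare_installed(parse_filefind(SAMPLE)).items():
        print(f"{name:12} {verdict}")
```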



