Hijack.WindowsUpdates will not delete... help!


This topic is locked
21 replies to this topic

#1 amber8949

amber8949

  • Members
  • 36 posts
  • OFFLINE
  • Gender:Female
  • Location:Kentucky
  • Local time:01:21 PM

Posted 05 February 2010 - 09:20 PM

I posted in another part of this forum and they advised me to post here. Topic referenced is here: http://www.bleepingcomputer.com/forums/t/290691/hijackwindowsupdates/ ~ OB Here's my story...

I assume my virus scanners (AVG, Ad-aware) were disabled while I was away by my brother who shares this computer with me. When I arrived back home my computer had literally been eaten alive by about a dozen trojans. I finally got a virus scanner to delete them except for this one stubborn virus/malware that Malwarebytes detects. It tells me my Windows Updates have been disabled and there's no way I can re-enable them. Also, I get the occasional pop-up in both Firefox and IE8. Here is one of my most recent logs from Malwarebytes:

Malwarebytes' Anti-Malware 1.44
Database version: 3686
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

2/3/2010 10:32:32 PM
mbam-log-2010-02-03 (22-32-32).txt

Scan type: Quick Scan
Objects scanned: 153952
Time elapsed: 16 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I followed the instructions in downloading the DDS...

Here are the logs it gave me.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Owner at 21:05:06.73 on Fri 02/05/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.447.116 [GMT -5:00]

AV: COMODO Antivirus *On-access scanning enabled* (Outdated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\CSHelper.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mDefault_Page_URL = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mWindow Title = EGhost_Reg_Fail
uInternet Connection Wizard,ShellNext = iexplore
mSearchAssistant =
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {55f90cdf-02cc-42af-bea0-d40db6cc2cbe} - No File
BHO: {5c255c8a-e604-49b4-9d64-90988571cecb} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: ST: {9394ede7-c8b5-483e-8773-474bf36af6e4} - c:\program files\msn apps\st\01.03.0000.1005\en-xu\stmain.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
TB: MSN: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\01.02.3000.1001\en-us\msntb.dll
TB: {7EFBC57C-CD57-481F-B794-648FCE9C9116} - No File
TB: {71870C4C-7F22-4BA9-A8A6-25A535CD6122} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [YSearchProtection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [Wisdom-soft AutoScreenRecorder 3.1 Pro] 0
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NVMixerTray] "c:\program files\nvidia corporation\nvmixer\NVMixerTray.exe"
mRun: [SunKistEM] c:\program files\digital media reader\shwiconem.exe
mRun: []
mRun: [Lexmark X1100 Series] "c:\program files\lexmark x1100 series\lxbkbmgr.exe"
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
uPolicies-explorer: NoDevMgrUpdate = 0 (0x0)
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: NoThemesTab = 0 (0x0)
uPolicies-system: NoDispAppearancePage = 0 (0x0)
uPolicies-system: NoColorChoice = 0 (0x0)
uPolicies-system: NoSizeChoice = 0 (0x0)
uPolicies-system: NoVisualStyleChoice = 0 (0x0)
mPolicies-explorer: NoWindowsUpdate = 0 (0x0)
mPolicies-explorer: NoThemesTab = 0 (0x0)
mPolicies-system: NoDispAppearancePage = 0 (0x0)
mPolicies-system: NoColorChoice = 0 (0x0)
mPolicies-system: NoSizeChoice = 0 (0x0)
mPolicies-system: NoVisualStyleChoice = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219c3416-8cb2-491a-a3c7-d9fcddc9d600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: aol.com\free
Trusted Zone: ebay.com\half
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5ed80217-570b-4da9-bf44-be107c0ec166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1263865713515
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1263865999125
DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - hxxp://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
DPF: {8ad9c840-044e-11d1-b3e9-00805f499d93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {cafeefac-0016-0000-0014-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {cafeefac-ffff-ffff-ffff-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} - hxxp://imikimi.com/download/imikimi_plugin_0.5.0.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: tudovusop - {fba24f6b-8036-48ad-bed5-d66eeb8c3335} - No File
SSODL: lejugemut - {d7fabee6-8f56-4500-aebb-52ba0ab002d7} - No File
SSODL: kasikapap - {80c6dfa5-081c-4c36-ba8b-ab391e65d4db} -
STS: {fba24f6b-8036-48ad-bed5-d66eeb8c3335} - No File
STS: {d7fabee6-8f56-4500-aebb-52ba0ab002d7} - No File
STS: {80c6dfa5-081c-4c36-ba8b-ab391e65d4db}: tokatiluy
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, msansspc.dll, digeste.dll
mASetup: {a509b1ff-37ff-4bff-8cff-4f3a747040ff} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 69.50.166.11 google.com
Hosts: 69.50.166.11 google.co.uk
Hosts: 69.50.166.11 www.google.ca
Hosts: 69.50.166.11 google.ca

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\dmtkbx2y.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxps://universe.chacha.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc&p=
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\mozilla firefox\components\FFConnectorLauncher.dll
FF - component: c:\program files\mozilla firefox\components\FFSource.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npArtistScope42.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npArtistScopeDRM11.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-1-7 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-1-7 28424]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-1-7 360584]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-12-28 134344]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-12-28 25160]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-1-7 285392]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2009-12-28 723632]
R2 cshelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2009-2-14 266240]
S0 nielprt;Nielsen Patch Service;c:\windows\system32\drivers\nielprt.sys --> c:\windows\system32\drivers\nielprt.sys [?]
S1 d44a1d46;d44a1d46;c:\windows\system32\drivers\d44a1d46.sys --> c:\windows\system32\drivers\d44a1d46.sys [?]
S3 lgatbus;LG USB Composite Device driver (WDM);c:\windows\system32\drivers\lgatbus.sys [2007-9-11 43024]
S3 lgatmdm;LG CDMA USB Modem Drivers;c:\windows\system32\drivers\lgatmdm.sys [2007-9-11 77104]
S3 lgatserd;LG CDMA USB Modem Diagnostic Serial Port Drivers (WDM);c:\windows\system32\drivers\lgatserd.sys [2007-9-11 60816]
S3 nielgfx;Nielsen USB GFX;c:\windows\system32\drivers\nielgfx.sys --> c:\windows\system32\drivers\nielgfx.sys [?]
S3 XIRLINK;IBM PC Camera;c:\windows\system32\drivers\C-itNT.sys [2005-3-16 805808]

=============== Created Last 30 ================

2100-02-23 19:35:34 768 -c--a-w- c:\program files\x73_lut.dat
2100-02-08 21:03:54 53248 -c--a-w- c:\program files\ACMonitor_X73.exe
2010-02-06 01:33:31 0 ----a-w- c:\documents and settings\owner\defogger_reenable
2010-02-06 00:59:09 0 d-----w- c:\program files\Cobian Backup 8
2010-01-31 03:47:31 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-01-29 01:10:45 43008 -c--a-w- c:\windows\system32\dllcache\ksxbar.ax
2010-01-29 01:10:45 43008 ----a-w- c:\windows\system32\ksxbar.ax
2010-01-28 16:49:30 0 d-----w- c:\program files\Xenocode
2010-01-28 16:49:29 0 d-----w- c:\windows\XSxS
2010-01-28 16:31:52 0 d-----w- c:\program files\Deskshare
2010-01-26 19:20:28 0 d-----w- c:\program files\ESET
2010-01-17 02:24:21 0 dc----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-01-17 02:24:21 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-01-17 02:04:25 36 ---h--r- c:\windows\sued.dat
2010-01-16 05:43:51 0 ----a-w- c:\windows\system32\32757.exe
2010-01-16 05:23:50 0 ----a-w- c:\windows\system32\32662.exe
2010-01-16 05:03:49 0 ----a-w- c:\windows\system32\27644.exe
2010-01-16 04:43:47 0 ----a-w- c:\windows\system32\25547.exe
2010-01-16 04:23:45 0 ----a-w- c:\windows\system32\6868.exe
2010-01-16 04:03:44 0 ----a-w- c:\windows\system32\28253.exe
2010-01-16 03:43:34 0 ----a-w- c:\windows\system32\7711.exe
2010-01-16 03:23:32 0 ----a-w- c:\windows\system32\15141.exe
2010-01-16 03:03:31 0 ----a-w- c:\windows\system32\4664.exe
2010-01-16 02:43:29 0 ----a-w- c:\windows\system32\17673.exe
2010-01-16 02:23:26 0 ----a-w- c:\windows\system32\30333.exe
2010-01-16 02:03:20 0 ----a-w- c:\windows\system32\31322.exe
2010-01-16 01:43:18 0 ----a-w- c:\windows\system32\23811.exe
2010-01-16 01:23:17 0 ----a-w- c:\windows\system32\28703.exe
2010-01-16 01:03:15 0 ----a-w- c:\windows\system32\9894.exe
2010-01-16 00:43:14 0 ----a-w- c:\windows\system32\17035.exe
2010-01-16 00:23:12 0 ----a-w- c:\windows\system32\26299.exe
2010-01-16 00:03:10 0 ----a-w- c:\windows\system32\25667.exe
2010-01-15 23:43:08 0 ----a-w- c:\windows\system32\19912.exe
2010-01-15 23:23:07 0 ----a-w- c:\windows\system32\1869.exe
2010-01-15 23:03:05 0 ----a-w- c:\windows\system32\11538.exe
2010-01-15 22:43:03 0 ----a-w- c:\windows\system32\14771.exe
2010-01-15 22:23:02 0 ----a-w- c:\windows\system32\21726.exe
2010-01-15 22:03:00 0 ----a-w- c:\windows\system32\5447.exe
2010-01-15 21:42:58 0 ----a-w- c:\windows\system32\19895.exe
2010-01-15 21:22:57 0 ----a-w- c:\windows\system32\19718.exe
2010-01-15 21:02:56 0 ----a-w- c:\windows\system32\18716.exe
2010-01-15 11:36:09 0 ----a-w- c:\windows\system32\17421.exe
2010-01-15 11:16:08 0 ----a-w- c:\windows\system32\12382.exe
2010-01-15 10:56:08 0 ----a-w- c:\windows\system32\292.exe
2010-01-15 10:36:08 0 ----a-w- c:\windows\system32\153.exe
2010-01-15 10:16:08 0 ----a-w- c:\windows\system32\3902.exe
2010-01-15 09:56:07 0 ----a-w- c:\windows\system32\14604.exe
2010-01-15 09:36:06 0 ----a-w- c:\windows\system32\32391.exe
2010-01-15 09:16:06 0 ----a-w- c:\windows\system32\5436.exe
2010-01-15 08:56:06 0 ----a-w- c:\windows\system32\4827.exe
2010-01-15 08:36:05 0 ----a-w- c:\windows\system32\11942.exe
2010-01-15 08:16:04 0 ----a-w- c:\windows\system32\2995.exe
2010-01-15 07:56:04 0 ----a-w- c:\windows\system32\491.exe
2010-01-15 07:36:04 0 ----a-w- c:\windows\system32\9961.exe
2010-01-15 07:16:03 0 ----a-w- c:\windows\system32\16827.exe
2010-01-15 06:56:03 0 ----a-w- c:\windows\system32\23281.exe
2010-01-15 06:36:03 0 ----a-w- c:\windows\system32\28145.exe
2010-01-15 06:16:03 0 ----a-w- c:\windows\system32\5705.exe
2010-01-15 05:56:02 0 ----a-w- c:\windows\system32\24464.exe
2010-01-15 05:36:02 0 ----a-w- c:\windows\system32\26962.exe
2010-01-15 05:16:02 0 ----a-w- c:\windows\system32\29358.exe
2010-01-15 04:56:01 0 ----a-w- c:\windows\system32\11478.exe
2010-01-15 02:31:48 0 ----a-w- c:\windows\system32\15724.exe
2010-01-15 00:33:12 0 ----a-w- c:\windows\system32\19169.exe
2010-01-15 00:13:12 0 ----a-w- c:\windows\system32\26500.exe
2010-01-14 23:53:11 0 ----a-w- c:\windows\system32\6334.exe
2010-01-14 23:33:11 0 ----a-w- c:\windows\system32\18467.exe
2010-01-11 16:36:12 0 d-----w- c:\program files\Orbitdownloader
2010-01-08 04:08:05 0 dc-h--w- C:\$AVG
2010-01-08 04:07:33 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-08 04:07:32 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-01-08 04:07:24 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-01-08 04:07:11 0 d-----w- c:\windows\system32\drivers\Avg
2010-01-08 04:06:45 0 dc----w- c:\docume~1\alluse~1\applic~1\avg9
2010-01-08 00:08:36 664 ----a-w- c:\windows\system32\d3d9caps.dat

==================== Find3M ====================

2010-02-06 01:56:25 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
2010-02-03 00:58:50 171552 ----a-w- c:\windows\system32\guard32.dll
2010-02-03 00:58:37 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2010-02-03 00:58:35 134344 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2010-01-26 19:16:34 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-07 21:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 03:52:17 30784 ----a-w- c:\windows\system32\drivers\tdnlutaw.sys
2008-05-06 16:15:27 774144 -c--a-w- c:\program files\RngInterstitial.dll
2001-07-26 21:58:46 47 -c--a-w- c:\program files\ACMonitor_X73.ini
2001-07-05 17:46:44 8116 -c--a-w- c:\program files\OSLO3071b2.USB
2001-05-08 21:36:42 114688 -c--a-w- c:\program files\lxarscan.dll
2001-04-23 19:22:14 1437 -c--a-w- c:\program files\gtx73.ini
1601-01-01 00:03:52 0 --sha-w- c:\windows\lanimaye.dll
1601-01-01 00:03:52 0 --sha-w- c:\windows\momiwuyo.dll
1601-01-01 00:03:52 0 --sha-w- c:\windows\vebuzahu.dll

============= FINISH: 21:09:07.15 ===============

It gave another log but asks for me to wait until this board needs it.


I hope you all can help me. I'm tempted to take it to someone that's probably going to charge me an arm and a leg to fix it unless this works. *fingers crossed*

Edited by Orange Blossom, 05 February 2010 - 10:41 PM.
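Added example, not part of amber8949's post or of the tools she ran: a small Python triage script for three indicators that are visible in the MBAM and DDS logs above. It checks a service ImagePath for an environment variable that does not exist (the %fystemRoot% substitution MBAM reported on the BITS service), classifies the DDS "Hosts:" lines as redirects or blocks, and picks out the zero-byte, numerically named executables under system32 from the "Created Last 30" section. The sample lines are copied from the logs above; the environment mapping WINDOWS_ENV is a constructed stand-in so the script runs off the affected machine.

```python
"""Added triage helpers for three indicators in the logs above: a service
ImagePath whose environment variable was misspelt, HOSTS-file entries that
redirect or block well-known sites, and bursts of zero-byte numeric-named
executables under system32. Example code, not part of the original post."""
import re
import ipaddress

# Windows default ImagePath for svchost-hosted services such as BITS and wuauserv.
EXPECTED_SVCHOST = r"%SystemRoot%\System32\svchost.exe -k netsvcs"

# Constructed stand-in for the affected machine's environment so the example runs
# anywhere; a live audit on the Windows host would pass os.environ instead.
WINDOWS_ENV = {"SystemRoot": r"C:\WINDOWS", "SystemDrive": "C:"}

ENV_VAR_RE = re.compile(r"%([^%]+)%")
HOSTS_LINE_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
CREATED_LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\d+)\s+(?P<attrs>\S+)\s+(?P<path>.+)$"
)
NUMERIC_EXE_RE = re.compile(r"\\system32\\\d+\.exe$", re.IGNORECASE)

# Sample input copied from the MBAM and DDS logs in the post above.
BAD_IMAGE_PATH = r"%fystemRoot%\system32\svchost.exe -k netsvcs"
GOOD_IMAGE_PATH = r"%SystemRoot%\System32\svchost.exe -k netsvcs"
SAMPLE_DDS_LINES = [
    r"Hosts: 127.0.0.1 www.spywareinfo.com",
    r"Hosts: 69.50.166.11 google.com",
    r"Hosts: 69.50.166.11 www.google.ca",
    r"2010-01-16 05:43:51 0 ----a-w- c:\windows\system32\32757.exe",
    r"2010-01-16 05:23:50 0 ----a-w- c:\windows\system32\32662.exe",
    r"2010-01-16 05:03:49 0 ----a-w- c:\windows\system32\27644.exe",
    r"2010-01-08 04:07:33 12464 ----a-w- c:\windows\system32\avgrsstx.dll",
]


def check_image_path(image_path, environ=WINDOWS_ENV):
    """Return the problems found with a svchost-style ImagePath ([] if it is sane).

    The Service Control Manager expands %VAR% before starting the service. A variable
    that does not exist leaves an unresolvable path: the service never starts, so
    Windows Update stops working, while the value still looks like the default.
    """
    problems = []
    known = {name.lower() for name in environ}
    for var in ENV_VAR_RE.findall(image_path):
        if var.lower() not in known:
            problems.append(f"undefined variable %{var}%")
    if image_path.lower() != EXPECTED_SVCHOST.lower():
        problems.append("does not match the expected default")
    return problems


def triage_hosts(dds_lines):
    """Classify DDS 'Hosts:' lines as {hostname: (verdict, ip)}.

    A public site mapped to a non-loopback address is a redirect (traffic goes to
    whoever controls that address); a security vendor's site mapped to loopback is
    blocked, which keeps the victim from downloading help or updates.
    """
    findings = {}
    for line in dds_lines:
        m = HOSTS_LINE_RE.match(line.strip())
        if not m:
            continue
        ip, host = m.group("ip"), m.group("host").lower()
        if host == "localhost":
            continue  # the one entry a default HOSTS file legitimately carries
        try:
            verdict = "blocked" if ipaddress.ip_address(ip).is_loopback else "redirect"
        except ValueError:
            verdict = "malformed"
        findings[host] = (verdict, ip)
    return findings


def flag_dropper_artifacts(dds_lines):
    """Return paths from DDS 'Created Last 30' lines that look like dropper residue:
    zero-byte executables with purely numeric names directly under system32."""
    flagged = []
    for line in dds_lines:
        m = CREATED_LINE_RE.match(line.strip())
        if not m:
            continue
        if int(m.group("size")) == 0 and NUMERIC_EXE_RE.search(m.group("path")):
            flagged.append(m.group("path"))
    return flagged


if __name__ == "__main__":
    for label, value in (("BITS (bad)", BAD_IMAGE_PATH), ("BITS (good)", GOOD_IMAGE_PATH)):
        print(label, check_image_path(value) or "OK")
    for host, (verdict, ip) in triage_hosts(SAMPLE_DDS_LINES).items():
        print(f"HOSTS {verdict}: {host} -> {ip}")
    for path in flag_dropper_artifacts(SAMPLE_DDS_LINES):
        print("dropper artifact:", path)
```

The ImagePath check is the part worth keeping after a cleanup: run it again on the live BITS and wuauserv values once a fix tool has been applied, and the service should only pass when the variable it references actually exists on the host.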



#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,308 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:09:21 PM

Posted 13 February 2010 - 03:41 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results. Post both logs (no need to zip attach.txt).
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
Please be patient and I'd be grateful if you would note the following
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log (don't forget attach.txt)
  • GMER log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 amber8949

amber8949
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  • Gender:Female
  • Location:Kentucky
  • Local time:01:21 PM

Posted 15 February 2010 - 07:08 PM

For some reason it will not let me post my log and description of my problem....

Attached Files


Edited by amber8949, 15 February 2010 - 07:11 PM.


#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,308 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:09:21 PM

Posted 16 February 2010 - 05:27 AM

Please try it in different posts (i.e. one post with description, one post with dds.txt and one post with GMER log). Let me know if that works.

regards, Elise




#5 amber8949

amber8949
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  • Gender:Female
  • Location:Kentucky
  • Local time:01:21 PM

Posted 16 February 2010 - 09:55 AM

Since the end of December my computer has been giving me major problems. I deleted quite a few trojans using Ad-Aware and Microsoft OneCare Center. I still have one that is hanging around.

It will not delete even after a reboot. I get occasional popups in IE 8 and Firefox that aren't really annoying; they just freak me out because I do a lot of online shopping and my banking. (I've held off since the virus started.) It will not update my Windows Updates; I still have the little red armor thing in my taskbar.

When I run GMER it freezes up my computer when it gets to windows\system32\drivers\atapi.sys. I tried it in safe mode with no luck; it still freezes. I run it without the internet on and no programs running. I've tried it numerous times and it still freezes at that exact point.

My DDS log will not post in the forum... it gives me an error page. When I try to upload it it acts like it's not responding. Just another obstacle!

Edited by amber8949, 16 February 2010 - 10:04 AM.


#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,308 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:09:21 PM

Posted 16 February 2010 - 11:05 AM

Okay, at this point I have enough information for additional steps.

COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

regards, Elise




#7 amber8949

amber8949
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  • Gender:Female
  • Location:Kentucky
  • Local time:01:21 PM

Posted 16 February 2010 - 12:06 PM

I get an error when I try to run this program. I've posted a picture. Could this be the virus stopping it?


Edited by amber8949, 16 February 2010 - 12:07 PM.


#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,308 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:09:21 PM

Posted 16 February 2010 - 12:08 PM

That's quite possible...

Please right click on combofix.exe and select "rename". Change the name of the file to winlogon.exe and try to run it now.


Please download and run WUS_Fix.exe: http://users.telenet.be/marcvn/tools/WUS_Fix.exe
This should restore the default registry settings related with BITS and Automatic updates.

Edited by elise025, 16 February 2010 - 12:11 PM.

regards, Elise




#9 amber8949 (Topic Starter)

Posted 16 February 2010 - 01:53 PM

It's still giving me the same error...

How will I know if the WUS_Fix.exe has restored my updates?

I feel like this is a losing battle.

#10 Elise

Posted 16 February 2010 - 03:03 PM

No worries here. We'll get at it all. Wus_fix restores the %fystemroot% problem that MBAM detected.

Download and run Win32kDiag:
  1. Download Win32kDiag from any of the following locations and save it to your Desktop.
  2. Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
  3. When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
  4. Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.

regards, Elise


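Elise's WUS_Fix (posts #8 and #10) puts the default BITS and Automatic Updates registry settings back; the Hijack.WindowsUpdates detection MBAM reported is a service ImagePath whose %SystemRoot% was changed to %fystemroot%, so the path no longer expands and the service cannot start. The script below is an added example, not WUS_Fix and not a BleepingComputer tool: it parses a regedit-style export of the Services key, decodes the REG_EXPAND_SZ hex that regedit writes for ImagePath, flags values that differ from the defaults, and emits a .reg file that restores them. The XP default ImagePath strings (both services in the netsvcs svchost group) and the sample export are assumptions constructed for the demo.

```python
"""Check Windows service ImagePath values for the Hijack.WindowsUpdates tampering.

Added example, not WUS_Fix or any BleepingComputer tool. It reads a regedit-style
export, decodes REG_EXPAND_SZ values, flags ImagePath entries that differ from the
assumed XP defaults (e.g. %fystemroot% for %SystemRoot%) and writes a .reg file
that restores them. The sample export at the bottom is constructed for the demo.
"""
import re

SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"

# Assumed Windows XP defaults: both services run inside the netsvcs svchost group.
EXPECTED_IMAGEPATH = {
    "wuauserv": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
    "BITS": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
}

KEY_RE = re.compile(r"^\[" + re.escape(SERVICES_KEY) + r"\\([^\\\]]+)\]$", re.I)
VALUE_RE = re.compile(r'^"ImagePath"=(?:hex\(2\):([0-9A-Fa-f,]+)|"(.*)")$', re.I)


def to_reg_expand_hex(s: str) -> str:
    """Encode as regedit exports REG_EXPAND_SZ: NUL-terminated UTF-16LE, comma-separated hex."""
    return ",".join(f"{b:02x}" for b in (s + "\0").encode("utf-16-le"))


def from_reg_expand_hex(h: str) -> str:
    data = bytes(int(x, 16) for x in h.split(",") if x)
    return data.decode("utf-16-le").rstrip("\0")


def wrap_like_regedit(hexstr: str, width: int = 75) -> str:
    """Break a long hex value at commas with a trailing backslash, as regedit does."""
    out, line = [], ""
    for part in hexstr.split(","):
        if line and len(line) + len(part) + 1 > width:
            out.append(line + ",\\")
            line = "  " + part
        else:
            line = part if not line else line + "," + part
    out.append(line)
    return "\n".join(out)


def parse_service_imagepaths(reg_text: str) -> dict:
    """Map service name -> ImagePath for every direct child of the Services key in the export."""
    text = re.sub(r",\\\r?\n[ \t]*", ",", reg_text)  # rejoin regedit's wrapped hex lines
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):  # a new key ends the previous one; subkeys such as \Parameters are skipped
            m = KEY_RE.match(line)
            current = m.group(1) if m else None
            continue
        m = VALUE_RE.match(line) if current else None
        if m and m.group(1) is not None:
            result[current] = from_reg_expand_hex(m.group(1))
        elif m:
            result[current] = m.group(2).replace("\\\\", "\\")  # .reg escapes a backslash as \\
    return result


def check_imagepaths(paths: dict) -> list:
    """Return (service, found, expected) for each monitored service whose ImagePath is missing or altered."""
    findings = []
    for svc, expected in EXPECTED_IMAGEPATH.items():
        found = paths.get(svc)
        if found is None or found.lower() != expected.lower():
            findings.append((svc, found, expected))
    return findings


def restore_reg_text(findings: list) -> str:
    """Build a .reg file, importable with regedit, that writes the default ImagePath back."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for svc, _found, expected in findings:
        lines += [f"[{SERVICES_KEY}\\{svc}]",
                  '"ImagePath"=hex(2):' + wrap_like_regedit(to_reg_expand_hex(expected)), ""]
    return "\n".join(lines)


# Constructed sample export: wuauserv tampered the way the thread describes, BITS untouched.
SAMPLE_EXPORT = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    f"[{SERVICES_KEY}\\wuauserv]",
    '"ImagePath"=hex(2):' + wrap_like_regedit(to_reg_expand_hex(r"%fystemroot%\system32\svchost.exe -k netsvcs")),
    "",
    f"[{SERVICES_KEY}\\wuauserv\\Parameters]",
    '"ServiceDll"=hex(2):' + to_reg_expand_hex(r"%SystemRoot%\system32\wuauserv.dll"),
    "",
    f"[{SERVICES_KEY}\\BITS]",
    '"ImagePath"="%SystemRoot%\\\\system32\\\\svchost.exe -k netsvcs"',  # plain-string form
])

if __name__ == "__main__":
    findings = check_imagepaths(parse_service_imagepaths(SAMPLE_EXPORT))
    for svc, found, expected in findings:
        print(f"{svc}: ImagePath is {found!r}, expected {expected!r}")
    print(restore_reg_text(findings))
```

On a live XP machine the input would come from `reg export HKLM\SYSTEM\CurrentControlSet\Services\wuauserv wuauserv.reg` (and the same for BITS); the script never writes to the registry itself, so the generated .reg has to be imported with regedit and the services restarted afterwards. A value that still differs after import points at something re-applying the change, which is why Elise moves on to a full system scan rather than stopping at the registry fix.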


#11 amber8949 (Topic Starter)

Posted 16 February 2010 - 03:12 PM

Running from: C:\Documents and Settings\Owner\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Cannot access: C:\WINDOWS\system32\drivers\sfi.dat



#12 Elise

Posted 16 February 2010 - 03:39 PM

Please try to right-click on the Combofix download link and select "save target as..."

Save the file as winlogon.exe to your desktop.

After that, try to run the renamed Combofix now.


If this still does not work, we can try this a bit different. However that means you need to download a 270 MB file and burn this to a CD. Let me know if you are able to do this.

regards, Elise




#13 amber8949 (Topic Starter)

Posted 17 February 2010 - 08:04 PM

It's still giving me that same error... I'm sorry it's being a hassle. What's the next step?

#14 Elise

Posted 18 February 2010 - 06:13 AM

Hello, let's do this the fail-safe way.

OK, this file is big. Print these instructions out so that you know what you are doing.

Two programs to download

First

ISOBurner: this will allow you to burn the OTLPE ISO to a CD and make it bootable. Just install the program; from there on it is fairly automatic. Instructions

Second
  • Download OTLPE.iso and burn it to a CD using ISOBurner. NOTE: This file is 292 MB in size so it may take some time to download.
  • When downloaded double click and this will then open ISOBurner to burn the file to CD
  • Reboot your system using the boot CD you just created.

    Note : If you do not know how to set your computer to boot from CD follow the steps here
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings
    • Change Drivers to Non-Microsoft
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system
  • Please post the contents of the OTL.txt file in your reply.

regards, Elise




#15 amber8949 (Topic Starter)

Posted 22 February 2010 - 09:12 AM

Sorry for the delay... I left my printed instructions at work over the weekend and was scared to attempt this without them. I will try to do this tonight and get you some results. BTW, that one thing you had me download to restore my Automatic Updates worked!!! Yay!!! Thanks!



