Trojan.Win32.Tdss/Google Redirect


This topic is locked
9 replies to this topic

#1 Scuppy


Posted 19 February 2010 - 03:50 AM

Hello,

I originally had a problem with Generic Host Process Service svchost.exe shutting the computer down while connected to the internet. I ran Malwarebytes and Adaware and they stopped that issue except for the redirecting of google links. Now my Shield Deluxe finds a Trojan called Trojan.Win32.Tdss.avzr found in C:\WINDOWS\SYSTEM32\kogafere.dll and C:\WINDOWS\SYSTEM32\vureviha.dll but it can't get rid of the Trojan even after a restart. None of the other programs even recognize the Trojan including Spybot S&D. I've tried to fix the issue with what little I find through search engines and now I am here asking for help.

Thank you in advance,
I appreciate the help

Scuppy





DDS (Ver_09-12-01.01) - NTFSx86
Run by Russell at 1:29:56.68 on Fri 02/19/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.91 [GMT -6:00]

AV: The Shield Deluxe 2008 *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: The Shield Deluxe 2008 *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Russell.DDPRK171\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.my.yahoo.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearch Bar = hxxp://bfc.myway.com/search/de_srchlft.html
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: {5b521529-fbb4-4b42-9f3b-d2af5603bfcf} - vureviha.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: BitComet Toolbar Helper: {6a373b7e-496e-424f-a9be-486a5e9ab018} - c:\program files\bitcomet toolbar\v2.0.0.1\BitComet_Toolbar.dll
BHO: {8f6b98d1-3959-4f0b-ada4-5aff24c6ba64} - vureviha.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {df84cce5-0629-4f55-8693-08c2931d0508} - fafomati.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: BitComet Toolbar: {2e608f70-c430-4bc5-96f6-608e02eba5b2} - c:\program files\bitcomet toolbar\v2.0.0.1\BitComet_Toolbar.dll
TB: &ESPN: {ae6f2894-af10-4c9c-b16e-1dfc6ff8c0c6} - c:\program files\espn\toolbar\DIGToolBar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: ImageShack Toolbar: {6932d140-abc4-4073-a44c-d4a541665e35} - c:\program files\imageshacktoolbar\ImageShackToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-C39E-35F1D2A32EC8} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [Auto EPSON Stylus Photo R300 Series on GREGANDCHERI] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2F1.EXE /P51 "Auto EPSON Stylus Photo R300 Series on GREGANDCHERI" /M "Stylus Photo R300" /EF "HKCU"
uRun: [A00F1AFFCE7C.exe] c:\docume~1\russel~1.ddp\locals~1\temp\_A00F1AFFCE7C.exe
uRun: [Eraser] c:\program files\eraser\eraser.exe -hide
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [Auto EPSON Stylus Photo R300 Series on GREGANDCHERI] c:\windows\system32\spool\drivers\w32x86\3\e_s4i2f1.exe /p51 "auto epson stylus photo r300 series on gregandcheri" /o23 "\\gregandcheri\EPSONSty" /M "Stylus Photo R300"
mRun: [EPSON Stylus Photo R300 Series] c:\windows\system32\spool\drivers\w32x86\3\e_s4i2f1.exe /p30 "epson stylus photo r300 series" /o23 "\\gregandcheri\Printer2" /M "Stylus Photo R300"
mRun: [\\GREGANDCHERI\EPSON Stylus Photo R300 Series] c:\windows\system32\spool\drivers\w32x86\3\e_s4i2f1.exe /p45 "\\gregandcheri\EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
mRun: [QuickTime Task] "c:\program files\quicktime\bak\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVP] "c:\program files\pcsecurityshield\the shield deluxe 2008\avp.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [AmazonGSDownloaderTray] c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderTray.exe
mRun: [bisihijoba] Rundll32.exe "kogafere.dll",s
StartupFolder: c:\docume~1\russel~1.ddp\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tabuse~1.lnk - c:\windows\system32\wtablet\TabUserW.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: Add to EverNote - c:\program files\evernote\evernote\enbar.dll/2000
IE: Post Image to Blog - c:\program files\imageshacktoolbar\ImageShackToolbar.dll/5003
IE: Tag This Image - c:\program files\imageshacktoolbar\ImageShackToolbar.dll/5002
IE: Transload Image to ImageShack - c:\program files\imageshacktoolbar\ImageShackToolbar.dll/5004
IE: Upload All Images to ImageShack - c:\program files\imageshacktoolbar\ImageShackToolbar.dll/5000
IE: Upload Image to ImageShack - c:\program files\imageshacktoolbar\ImageShackToolbar.dll/5001
IE: {A5ABA0BB-F195-40d8-A5E9-0801153E6597}\Software
IE: {A5ABA0BB-F195-40d8-A5E9-0801153E6597}\Software\Microsoft
IE: {A5ABA0BB-F195-40d8-A5E9-0801153E6597}\Software\Microsoft\Windows
IE: {A5ABA0BB-F195-40d8-A5E9-0801153E6597}\Software\Microsoft\Windows\CurrentVersion
IE: {A5ABA0BB-F195-40d8-A5E9-0801153E6597}\Software\Microsoft\Windows\CurrentVersion\Explorer
IE: {A5ABA0BB-F195-40d8-A5E9-0801153E6597}\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\pcsecurityshield\the shield deluxe 2008\scieplugin.dll
IE: {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - {2151DA8C-C5B6-4B4F-86AB-BDA449BF8747} - c:\program files\evernote\evernote\enbar.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,99/mcinsctl.cab
DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} - hxxp://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1264654062296
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\windows\system32\pihakejo.dll c:\windows\system32\puvibimo.dll,
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: mozefumer - {e3b93043-0b51-43f0-a388-5a57c0578a45} - c:\windows\system32\pihakejo.dll
SSODL: zulirores - {26a8c7c9-5715-45c4-9a67-302f2a596a11} - c:\windows\system32\puvibimo.dll
STS: jugezatag: {e3b93043-0b51-43f0-a388-5a57c0578a45} - c:\windows\system32\pihakejo.dll
STS: kupuhivus: {26a8c7c9-5715-45c4-9a67-302f2a596a11} - c:\windows\system32\puvibimo.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mcenspc.dll
LSA: Notification Packages = scecli vureviha.dll kogafere.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\russel~1.ddp\applic~1\mozilla\firefox\profiles\zv4whe2u.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2371096&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - component: c:\documents and settings\russell.ddprk171\application data\mozilla\firefox\profiles\zv4whe2u.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\russell.ddprk171\application data\mozilla\firefox\profiles\zv4whe2u.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\RadioWMPCore.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2007-3-3 110360]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-1-28 64288]
R1 klif;Klif;c:\windows\system32\drivers\klif.sys [2007-1-27 175888]
R2 AVP;The Shield Deluxe 2008;c:\program files\pcsecurityshield\the shield deluxe 2008\avp.exe [2007-8-23 200768]
S3 Amazon Download Agent;Amazon Download Agent;c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderService.exe [2009-8-27 297472]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-12-2 1181328]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
UnknownUnknown ugoqogkimwvzytw;ugoqogkimwvzytw; [x]

=============== Created Last 30 ================

2010-02-19 07:25:10 0 ----a-w- c:\documents and settings\russell.ddprk171\defogger_reenable
2010-02-19 05:49:46 54156 ---ha-w- c:\windows\QTFont.qfn
2010-02-19 05:49:46 1409 ----a-w- c:\windows\QTFont.for
2010-02-19 04:11:39 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-17 23:43:21 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-02-17 23:43:21 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-02-11 09:13:53 0 d-sh--w- c:\documents and settings\russell.ddprk171\IECompatCache
2010-02-10 02:45:42 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-02-09 20:42:56 0 d-----w- c:\program files\Lavasoft
2010-02-09 19:52:43 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-02-02 19:17:36 0 d-----w- c:\windows\system32\wbem\Repository
2010-02-02 19:14:56 0 d-----w- c:\program files\BitComet Toolbar
2010-02-01 04:20:38 54 ----a-w- c:\windows\system32\rp_stats.dat
2010-02-01 04:20:35 39 ----a-w- c:\windows\system32\rp_rules.dat
2010-02-01 03:42:49 0 dc----w- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}(2)
2010-02-01 03:38:58 0 d-----w- c:\program files\Lavasoft(2)
2010-01-31 03:18:18 0 d-----w- c:\docume~1\russel~1.ddp\applic~1\Uniblue
2010-01-31 03:02:14 0 d-----w- c:\docume~1\alluse~1\applic~1\SecTaskMan
2010-01-31 03:02:06 0 d-----w- c:\program files\Security Task Manager
2010-01-30 01:15:56 42 ----a-w- c:\windows\system32\RegistryEasy.lie
2010-01-30 00:48:50 0 d-----w- c:\program files\Registry Easy
2010-01-29 02:37:33 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-28 21:27:16 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-01-28 21:27:16 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-01-27 17:59:15 0 d-----w- c:\docume~1\russel~1.ddp\applic~1\Malwarebytes
2010-01-27 07:27:54 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2010-02-19 07:27:48 119345440 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-02-19 03:03:51 1599008 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-02-19 03:03:51 1598276 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-02-19 03:03:51 150764 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-02-16 23:12:53 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-02-16 23:12:53 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-11-21 15:51:04 471552 ----a-w- c:\windows\system32\dllcache\aclayers.dll
2008-03-25 19:40:58 6029648 ----a-w- c:\program files\Firefox Setup 2.0.0.12.exe
2005-10-16 15:23:18 1529 -c--a-w- c:\program files\SMax.log
2005-09-15 17:54:11 696320 -c--a-w- c:\program files\StubInstaller.exe
2005-03-22 19:43:14 87 -c--a-w- c:\program files\SystemInfo.ini
2005-03-22 19:24:36 1528 -c--a-w- c:\program files\SMax.log.bak
2005-03-22 19:18:20 6597 -c--a-w- c:\program files\IO96BC~.TMP
2004-08-10 19:14:36 4128 -c--a-w- c:\program files\INFCACHE.1
1601-01-01 00:03:28 91136 --sha-w- c:\windows\system32\fenozivi(2).dll
2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-09-07 09:02:23 848 -csha-w- c:\windows\system32\KGyGaAvL.sys
2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll
1601-01-01 00:03:28 92160 --sha-w- c:\windows\system32\vafowine(2).dll
1601-01-01 00:03:28 51720 --sha-w- c:\windows\system32\zarasane.exe
1601-01-01 00:03:28 39424 --sha-w- c:\windows\system32\zopujihe.dll

============= FINISH: 1:33:42.18 ===============
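The DDS log above shows the load points a TDSS-family dropper has taken over on this machine: BHOs registered with no class name, DLLs referenced by bare filename so they resolve through the search path, a populated AppInit_DLLs value, SSODL and SharedTaskScheduler entries, an LSA Notification Packages list extended beyond scecli, a Run entry that launches a DLL through Rundll32, and a hosts entry that blackholes a security site. The script below is an added triage helper written for this editing pass; it is not part of the thread and not DDS or HijackThis code. The sample lines are copied from the posted log (constructed input for the demo), and the heuristics, in particular the "eight letters, strict consonant/vowel alternation" test for generated names, are the editor's own and will produce false positives on real systems; treat a hit as "look here", not as a verdict.

```python
"""Triage DDS / HijackThis-style report lines for common autostart abuse.

Added example for the thread above; not DDS code. Heuristics are the editor's
own assumptions and need a human to confirm each hit.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Lines lifted from the posted DDS log (constructed sample input).
SAMPLE_LOG = r"""
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: {5b521529-fbb4-4b42-9f3b-d2af5603bfcf} - vureviha.dll
BHO: {df84cce5-0629-4f55-8693-08c2931d0508} - fafomati.dll
mRun: [AVP] "c:\program files\pcsecurityshield\the shield deluxe 2008\avp.exe"
mRun: [bisihijoba] Rundll32.exe "kogafere.dll",s
AppInit_DLLs: c:\windows\system32\pihakejo.dll c:\windows\system32\puvibimo.dll,
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: mozefumer - {e3b93043-0b51-43f0-a388-5a57c0578a45} - c:\windows\system32\pihakejo.dll
STS: jugezatag: {e3b93043-0b51-43f0-a388-5a57c0578a45} - c:\windows\system32\pihakejo.dll
LSA: Notification Packages = scecli vureviha.dll kogafere.dll
Hosts: 127.0.0.1 www.spywareinfo.com
"""

# Heuristic (assumption): dropper-generated names seen in this family are eight
# lowercase letters in strict consonant/vowel alternation (vureviha, kogafere).
CV_NAME = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}$")
# A full drive path (lazy, stops at the first .dll/.exe) or a bare module name.
MODULE = re.compile(r'(?:[a-z]:\\[^"\n]*?|[\w~()$-]+)\.(?:dll|exe)', re.I)
KNOWN_BARE = {"rundll32.exe"}      # system binaries legitimately named without a path
LSA_DEFAULT = {"scecli"}           # XP default for LSA Notification Packages


@dataclass
class Finding:
    reason: str
    line: str


def looks_generated(module: str) -> bool:
    """True when the file stem matches the consonant/vowel pattern."""
    stem = module.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    return bool(CV_NAME.match(stem))


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if ": " not in line:
            continue
        kind, rest = line.split(": ", 1)
        if kind == "LSA":
            # Every package listed here is loaded into lsass.exe and sees password changes.
            _, _, pkgs = rest.partition("=")
            extra = [p for p in pkgs.split() if p.lower() not in LSA_DEFAULT]
            if extra:
                findings.append(Finding(f"non-default LSA notification package(s): {' '.join(extra)}", line))
            continue
        if kind == "Hosts":
            findings.append(Finding("non-default hosts entry", line))
            continue
        if kind == "AppInit_DLLs" and rest.strip(", "):
            findings.append(Finding("AppInit_DLLs is populated (injected into every user32 process)", line))
        if kind == "BHO" and rest.startswith("{"):
            findings.append(Finding("BHO registered with no class name", line))
        for m in MODULE.finditer(rest):
            mod = m.group(0)
            if "\\" not in mod and mod.lower() not in KNOWN_BARE:
                findings.append(Finding(f"module given without a path: {mod}", line))
            if looks_generated(mod):
                findings.append(Finding(f"generated-looking module name: {mod}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:60s} | {f.line}")
```

Run against the sample, the three benign lines (the Acrobat BHO, the AVP Run entry and the WPDShServiceObj SSODL entry) produce nothing, while every line that ComboFix later removed is flagged at least once. The LSA rule is the one to take most seriously: a Notification Package DLL is loaded by lsass.exe and is handed every password change in clear text, which is why the reply below insists on changing passwords from a clean machine.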

#2 fenzodahl512


Posted 19 February 2010 - 11:40 AM

QUOTE
WARNING!
Looking at your system now, one or more of the identified infections is a backdoor Trojan. If this computer is ever used for on-line banking, I suggest you do the following IMMEDIATELY:
  • Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.
Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information. Please refrain from using this computer for online-banking/financial purpose until we give it all clear




Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. Please visit HERE if you don't know how. Please re-enable them after performing all the steps given.

Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:






It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".


After that, double-click and run Combo-Fix. Let it finish its job and post the log here.

If ComboFix asks you to install the Recovery Console, please do so. It will be in your best interest.

Note: DON'T do anything with your computer while ComboFix is running. Let ComboFix finish its job.


Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 Scuppy


Posted 19 February 2010 - 04:42 PM

Thank you for your help, fenzodahl. I had changed all my passwords from another computer earlier in the week after viewing similar problems on the web, and contacted my bank/CC today.



IE: Upload All Images to ImageShack - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5000
IE: Upload Image to ImageShack - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5001
FF - ProfilePath - c:\documents and settings\Russell.DDPRK171\Application Data\Mozilla\Firefox\Profiles\zv4whe2u.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2371096&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - component: c:\documents and settings\Russell.DDPRK171\Application Data\Mozilla\Firefox\Profiles\zv4whe2u.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Russell.DDPRK171\Application Data\Mozilla\Firefox\Profiles\zv4whe2u.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\RadioWMPCore.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

BHO-{5b521529-fbb4-4b42-9f3b-d2af5603bfcf} - vureviha.dll
BHO-{8f6b98d1-3959-4f0b-ada4-5aff24c6ba64} - vureviha.dll
BHO-{df84cce5-0629-4f55-8693-08c2931d0508} - fafomati.dll
WebBrowser-{A057A204-BACC-4D26-C39E-35F1D2A32EC8} - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
SharedTaskScheduler-{e3b93043-0b51-43f0-a388-5a57c0578a45} - c:\windows\system32\pihakejo.dll
SharedTaskScheduler-{26a8c7c9-5715-45c4-9a67-302f2a596a11} - c:\windows\system32\puvibimo.dll
SSODL-mozefumer-{e3b93043-0b51-43f0-a388-5a57c0578a45} - c:\windows\system32\pihakejo.dll
SSODL-zulirores-{26a8c7c9-5715-45c4-9a67-302f2a596a11} - c:\windows\system32\puvibimo.dll
AddRemove-The Shield - c:\program files\The Shield Firewall\uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-19 15:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Auto EPSON Stylus Photo R300 Series on GREGANDCHERI = c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P51 "Auto EPSON Stylus Photo R300 Series on GREGANDCHERI" /M "Stylus Photo R300" /EF "HKCU"??0?????????????p????????????????????b?w????p???????????8???????????h??w????p???????z??wp??????????????|???????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(740)
c:\windows\system32\klogon.dll

- - - - - - - > 'explorer.exe'(1972)
c:\windows\system32\WININET.dll
c:\program files\PCSecurityShield\The Shield Deluxe 2008\scrchpg.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\Tablet.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-02-19 15:33:04 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-19 21:32

Pre-Run: 34,254,655,488 bytes free
Post-Run: 34,711,646,208 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 86D95773AF11066CAA980B3FAB6EDD98

#4 fenzodahl512


Posted 19 February 2010 - 09:10 PM

1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter

2. Now copy/paste the entire content of the codebox below into the Notepad window:

CODE
http://www.bleepingcomputer.com/forums/index.php?showtopic=296879&view=findpost&p=1638110

KillAll::

Driver::
ugoqogkimwvzytw

AWF::
c:\dell\bak\bldbubg.exe
c:\program files\Analog Devices\Core\bak\smax4pnp.exe
c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe
c:\program files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe
c:\program files\Common Files\Sonic\Update Manager\bak\sgtray.exe
c:\program files\CyberLink\PowerDVD\bak\DVDLauncher.exe
c:\program files\Dell\Media Experience\bak\PCMService.exe
c:\program files\Dell Support\bak\DSAgnt.exe
c:\program files\DIGStream\bak\digstream.exe
c:\program files\ESPNRunTime\bak\DIGServices.exe
c:\program files\Intel\Modem Event Monitor\bak\IntelMEM.exe
c:\program files\iTunes\bak\iTunesHelper.exe
c:\program files\Java\jre1.5.0_06\bin\bak\jusched.exe
c:\program files\McAfee\SpamKiller\bak\MSKDetct.exe
c:\program files\Messenger\bak\msmsgs.exe
c:\program files\MUSICMATCH\Musicmatch Jukebox\bak\mmtask.exe
c:\windows\SYSTEM32\bak\hkcmd.exe
c:\windows\SYSTEM32\bak\igfxpers.exe
c:\windows\SYSTEM32\bak\igfxtray.exe
c:\windows\SYSTEM32\bak\NeroCheck.exe
c:\windows\SYSTEM32\dla\bak\tfswctrl.exe


Collect::
c:\windows\SYSTEM32\fenozivi(2).dll
c:\windows\SYSTEM32\vafowine(2).dll
c:\windows\SYSTEM32\zarasane.exe
c:\windows\SYSTEM32\zopujihe.dll
c:\program files\QuickTime\bak\qttask.exe
c:\windows\TEMP\mzapoxydskpgx.sys

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"bisihijoba"=-


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe/KittyFix.exe as depicted in the animation below. This will start ComboFix/KittyFix again.




5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


**Note**

When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • Simply follow the instructions to copy/paste/send the requested file.

Note::
If Combofix fails to upload the file, please find C:\Qoobox\Quarantined Files\Submit(Time and date here).zip and upload it at this site

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#5 Scuppy

Scuppy
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:12:28 AM

Posted 20 February 2010 - 04:12 AM

I don't think the script ran. When I dragged the script into ComboFix, the only thing different that happened was a window telling me a new version of ComboFix was available. I clicked no because I thought it would interfere with the command. I went ahead and uploaded the zip.


I've never submitted a HijackThis log, only a GMER log. I wasn't sure if they gave you the same information you need. I can find and download HijackThis if you need me to next time.




#6 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:02:28 PM

Posted 20 February 2010 - 04:59 AM


Please download the OTM by OldTimer
  • Save it to your Desktop.
  • Please double-click OTM.exe to run it. (Vista users, please right click on OTM.exe and select "Run as an Administrator")
  • Copy the codebox contents and paste it to the "Paste List of Files/Folders to Move" window (under the light Yellow bar)

    CODE
    :processes
    explorer.exe

    :files
    c:\program files\iTunes\bak\iTunesHelper.exe
    c:\program files\Messenger\bak\msmsgs.exe
    c:\qoobox\Quarantine\C\Program Files\QuickTime\bak\qttask.exe.vir

    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]

  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTM\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTM
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and Scan unwanted applications are checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

How's the computer now?



#7 Scuppy

Scuppy
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:12:28 AM

Posted 20 February 2010 - 12:39 PM

The Google redirect is definitely fixed. My Shield Deluxe is showing all threats have been neutralized. On the ESET scan I deleted all quarantined files. Let me know if I need to scan it again or reboot, then scan. The Trojan seems to be gone and not just dormant.

Thanks again for all your help.



All processes killed
========== PROCESSES ==========
Process explorer.exe killed successfully!
========== FILES ==========
c:\program files\iTunes\bak\iTunesHelper.exe moved successfully.
c:\program files\Messenger\bak\msmsgs.exe moved successfully.
c:\qoobox\Quarantine\C\Program Files\QuickTime\bak\qttask.exe.vir moved successfully.
========== COMMANDS ==========
C:\Documents and Settings\Russell.DDPRK171\My Documents\Μicrosoft.NET folder moved successfully.
C:\Documents and Settings\Russell.DDPRK171\My Documents\Τasks\Τasks folder moved successfully.
C:\Documents and Settings\Russell.DDPRK171\My Documents\Τasks folder moved successfully.

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->FireFox cache emptied: 3440234 bytes

User: All Users

User: Cheri
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Cheri.DDPRK171
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Java cache emptied: 12118833 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: Greg
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Greg.DDPRK171
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Java cache emptied: 49674844 bytes
->FireFox cache emptied: 2190531 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 98438 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Owner

User: Russell
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Russell.DDPRK171
->Temp folder emptied: 22278 bytes
->Temporary Internet Files folder emptied: 32969 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 90137494 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 6026769 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 138533439 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 288.00 mb


OTM by OldTimer - Version 3.1.9.0 log created on 02202010_085309

Files moved on Reboot...

Registry entries deleted on Reboot...

next is ESET log





ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=f66643c3d1a40943b393fed71b0e8630
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-02-20 05:20:19
# local_time=2010-02-20 11:20:19 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1280 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=114542
# found=17
# cleaned=17
# scan_time=7257
C:\Documents and Settings\Russell.DDPRK171\My Documents\Downloads\RegistryEasy.exe a variant of Win32/Adware.RegistryEasy application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\kogafere.dll.vir a variant of Win32/Kryptik.CHQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\vureviha.dll.vir a variant of Win32/Kryptik.CHQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\atapi.sys.vir Win32/Olmarik.SJ virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP13\A0000598.dll a variant of Win32/Kryptik.CHQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP13\A0002613.dll a variant of Win32/Kryptik.CHQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP13\A0002614.dll a variant of Win32/Kryptik.CHQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP13\A0002631.dll a variant of Win32/Kryptik.CIP trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP13\A0002632.dll a variant of Win32/Kryptik.CBQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP13\A0002633.dll a variant of Win32/Kryptik.CBQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP13\A0003666.dll a variant of Win32/Kryptik.CHQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP13\A0003667.dll a variant of Win32/Kryptik.CHQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP15\A0012812.dll a variant of Win32/Kryptik.CHQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP15\A0012813.dll a variant of Win32/Kryptik.CHQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP6\A0000150.dll a variant of Win32/Kryptik.CHQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP7\A0000307.dll a variant of Win32/Kryptik.CHQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP7\A0000313.dll a variant of Win32/Kryptik.CIP trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
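Every detection in the ESET log above is marked cleaned or deleted, and most of the hits are copies already sitting in ComboFix's Qoobox quarantine or in System Restore points rather than live files. The following added Python example (not ESET's or BleepingComputer's code; the log format is assumed from the lines above, and the sample reuses four of them) parses a log in that format and sorts detections into quarantine, restore-point and live locations, so a helper can see at a glance whether anything outside existing quarantine was still present.

```python
import re
from collections import Counter, namedtuple

# Constructed sample in the format of the ESET log above: '# key=value' headers,
# then one detection per line ending in '(action) <32 hex digits> C'.
SAMPLE_LOG = r"""
# found=4
# cleaned=4
C:\Documents and Settings\Russell.DDPRK171\My Documents\Downloads\RegistryEasy.exe a variant of Win32/Adware.RegistryEasy application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\kogafere.dll.vir a variant of Win32/Kryptik.CHQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\atapi.sys.vir Win32/Olmarik.SJ virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP13\A0000598.dll a variant of Win32/Kryptik.CHQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
"""

HEADER_RE = re.compile(r"^#\s*(\w+)=(.*)$")
# head = "<path with spaces> <verdict>", then "(action)", a 32-hex field and a flag
DETECTION_RE = re.compile(r"^(?P<head>.+?)\s+\((?P<action>[^()]+)\)\s+[0-9A-Fa-f]{32}\s+\S+$")
Detection = namedtuple("Detection", "path verdict action")

def location(path: str) -> str:
    """Where the hit lived: ComboFix quarantine, a restore point, or a live file."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantine"
    if "\\system volume information\\" in p:
        return "restore_point"
    return "live"

def parse_eset_log(text: str):
    headers, detections = {}, []
    for line in text.splitlines():
        if (m := HEADER_RE.match(line)):
            headers[m.group(1)] = m.group(2).strip()
        elif (m := DETECTION_RE.match(line)):
            # Paths contain spaces but verdicts never contain a backslash: the path ends at the last token holding one
            tokens = m.group("head").split(" ")
            last = max((i for i, t in enumerate(tokens) if "\\" in t), default=0)
            detections.append(Detection(" ".join(tokens[:last + 1]),
                                        " ".join(tokens[last + 1:]), m.group("action")))
    return headers, detections

def summarize(text: str) -> dict:
    headers, dets = parse_eset_log(text)
    found, cleaned = int(headers.get("found", 0)), int(headers.get("cleaned", 0))
    return {
        "found": found, "cleaned": cleaned,
        "consistent": found == cleaned == len(dets),  # header counts agree with the detail lines
        "by_location": dict(Counter(location(d.path) for d in dets)),
        "live": [d.path for d in dets if location(d.path) == "live"],  # hits outside any quarantine
    }
```

A non-empty "live" list is the part worth a second look: in the posted log only the RegistryEasy download fell in that bucket, while the TDSS-related files were already quarantined copies.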



#8 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:02:28 PM

Posted 20 February 2010 - 08:43 PM

Looks good to me.. Let's do some cleanup...


Please download OTC and save it to Desktop.
  • Make sure you have internet connection..
  • Double-click OTC
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes



Please read these excellent articles written by my friends:
Preventing Malware and Safe Computing by Rorschach112
What makes your machine slow? by Artellos


Also, please read these excellent articles by miekiemoes :
Help! My computer is slow!
How to prevent Malware


Read this great info about safe internet surfing..

http://www.pcpitstop.com/spycheck/safesurfing.asp
http://bluefive.pair.com/practice_safe_surfing.htm




Please reply to this thread once more and tell us about the computer behaviour before we can close this thread



Have a safe and happy computing day!


Regards
fenzodahl512



#9 Scuppy

Scuppy
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:12:28 AM

Posted 21 February 2010 - 01:12 AM

Yes, everything seems to be running just peachy now. I truly appreciate all your help fenzodahl. You made this process so easy. I was worried about asking for help online, dreading some complex back and forth trial and error communication. And thank you for all the articles as well, especially the msconfig command and OpenDNS. I'll be bookmarking those links for future reference.

Is there any way to donate to Bleeping Computer? I definitely want to support a great site such as this. (If not, I'll be sure to donate to the cause in your sig.)

Once again thank you and keep up the great work.



#10 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:02:28 PM

Posted 21 February 2010 - 06:14 AM

You are very welcome, I'm glad that we could help.

I will now close this topic. If you need this topic to be reopened, please PM me or a Moderator regarding the matter..

If you have any new malware related questions or issues in the future please start a new topic.

Cheers and Happy Computing!

fenzodahl512






