
Infected with Several Trojans (TR/Dldr, TR/Agent, TR/Spy)


This topic is locked. 10 replies to this topic.

#1 mhjkpj

Posted 23 February 2010 - 01:40 AM

The virus redirects my browser. I have gotten rid of a few threats, but it keeps mutating and spreading. It keeps loading *.dll's and sometimes a few *.exe's into the root directory, such as:

ES15.exe; yatodimi.exe; wotupogo.dll; wokozupi.dll; yubiwojo.dll; buyenayo.dll; mazihihe.dll; senifetu.dll; vipadefu.dll; yisiwusu.dll; 6to4v32.dll; jovivumo.dll; rigagine.dll; vipuliji.dll;

A few new registry keys are also stubbornly hanging in there, such as:

HKLM\..\Run: [keputovet] Rundll32.exe "c:\windows\system32\wotupogo.dll",a
AppInit_DLLs: c:\windows\system32\wotupogo.dll,vipadefu.dll
Winlogon Notify: ACNotify - ACNotify.dll (file missing)
SSODL: delupeyuh - {a7a7f809-795f-4fe2-8bb9-cc5c0e372b6e} - c:\windows\system32\wotupogo.dll
SharedTaskScheduler: mujuzedij - {a7a7f809-795f-4fe2-8bb9-cc5c0e372b6e} - c:\windows\system32\wotupogo.dll

My meddling may have lost a few system files, including my "Restore" capability. Thanks for any assistance you can provide.

------------------------
Here is my DDS.txt
------------------------

DDS (Ver_09-12-01.01) - NTFSx86
Run by Administrator at 22:04:05.42 on Mon 02/22/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.430 [GMT -7:00]

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
C:\WINDOWS\system32\lxeacoms.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\ProcessExplorer\procexp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 8\SnagItIEAddin.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {CAFEEFAC-0014-0001-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {C46C49EA-914A-4E69-A6E2-E2776F158A87} = 83.149.115.157,4.2.2.1,68.105.28.11 68.105.29.11 68.105.28.12
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: psfus - c:\program files\thinkvantage fingerprint software\psqlpwd.dll
Notify: tpfnf2 - c:\program files\lenovo\hotkey\notifyf2.dll
Notify: tphotkey - c:\program files\lenovo\hotkey\tphklock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Notification Packages = scecli nelvcn.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\kt0hd9js.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {5BC6129F-7358-4EC2-8B95-74716836CD87} - c:\windows\system32\config\systemprofile\local settings\application data\{5bc6129f-7358-4ec2-8b95-74716836cd87}\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 iastor78;iastor78;c:\windows\system32\drivers\iastor78.sys [2009-3-26 308248]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-2-19 28552]
R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [2008-7-29 17968]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-2-20 11608]
R1 bckd;bckd;c:\windows\system32\drivers\bckd.sys [2009-12-11 74088]
R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [2008-10-13 91136]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-2-20 56816]
R2 bckwfs;Blue Coat K9 Web Protection;c:\program files\blue coat k9 web protection\k9filter.exe [2009-12-11 1078632]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-4-15 55152]
R2 lxea_device;lxea_device;c:\windows\system32\lxeacoms.exe -service --> c:\windows\system32\lxeacoms.exe -service [?]
R2 NAVAPEL;NAVAPEL;c:\program files\symantec_client_security\symantec antivirus\Navapel.sys [2002-6-19 29184]
R2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\program files\symantec_client_security\symantec antivirus\Rtvscan.exe [2002-7-30 573440]
R2 smihlp2;SMI Helper Driver (smihlp2);c:\program files\common files\thinkvantage fingerprint software\drivers\smihlp.sys [2008-11-21 12560]
R3 NAVAP;NAVAP;c:\program files\symantec_client_security\symantec antivirus\Navap.sys [2002-6-19 218112]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100219.002\NAVENG.sys [2010-2-19 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100219.002\NAVEX15.sys [2010-2-19 1324720]
R3 swmx01;Sierra Wireless USB MUX Driver (#01);c:\windows\system32\drivers\swmx01.sys [2005-11-18 58624]
S2 lxeaCATSCustConnectService;lxeaCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxeaserv.exe [2010-1-1 98984]
S3 pcidisk;pcidisk;\??\c:\windows\system32\pcidisk.sys --> c:\windows\system32\pcidisk.sys [?]
S3 PIXMCV;JVC Communication PIX-MCV Driver;c:\windows\system32\drivers\pixmcvc.sys [2009-11-29 32000]
S3 PIXMCVA;JVC PIX-MCV Audio Capture;c:\windows\system32\drivers\pixmcva.sys [2009-11-29 27961]
S3 PIXMCVV;JVC PIX-MCV Video Capture;c:\windows\system32\drivers\pixmcvv.sys [2009-11-29 20953]
S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [2008-10-13 23180]
S3 SWNC5E01;Sierra Wireless MUX NDIS Driver (#01);c:\windows\system32\drivers\SWNC5E01.sys [2005-8-5 73600]
S4 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-2-20 108289]
S4 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-2-20 185089]
S4 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
S4 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\nero\nero8\incd\NBHRegInCDSrv.exe [2007-12-13 50984]

=============== Created Last 30 ================

2010-02-23 05:01:25 0 ----a-w- c:\documents and settings\administrator\defogger_reenable
2010-02-22 05:40:13 0 d-sha-r- C:\cmdcons
2010-02-22 02:10:40 2384 ----a-w- c:\windows\oqaqoziyi.dll
2010-02-22 01:37:04 77312 ----a-w- c:\windows\MBR.exe
2010-02-22 01:37:04 261632 ----a-w- c:\windows\PEV.exe
2010-02-22 01:37:04 161792 ----a-w- c:\windows\SWREG.exe
2010-02-22 01:37:03 98816 ----a-w- c:\windows\sed.exe
2010-02-22 01:32:31 2384 ----a-w- c:\windows\oquyimaxeqayofi.dll
2010-02-20 21:59:07 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-02-20 21:59:02 0 d-----w- c:\program files\Avira
2010-02-20 21:59:02 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-02-20 04:09:31 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-02-20 04:09:24 0 d-----w- c:\program files\Panda Security
2010-02-20 02:49:47 0 d-----w- c:\program files\Trend Micro
2010-02-20 02:49:20 0 d-----w- C:\!KillBox
2010-02-19 02:43:19 0 ----a-w- c:\windows\Lfufiruburuy.bin
2010-02-19 02:43:18 120 ----a-w- c:\windows\Jbomuray.dat
2010-02-15 00:19:04 0 d-----w- c:\program files\Blue Coat K9 Web Protection
2010-02-14 01:06:02 119 ----a-w- c:\windows\NNS.INI
2010-02-14 01:05:59 446464 ----a-w- c:\windows\system32\HHActiveX.dll
2010-02-01 03:14:50 0 d-----w- c:\docume~1\admini~1\applic~1\Stellarium
2010-02-01 03:14:19 0 d-----w- c:\program files\Stellarium

==================== Find3M ====================

2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14:05 916480 ------w- c:\windows\system32\wininet.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26:15 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43:51 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-11-27 17:11:44 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11:44 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07:35 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07:34 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07:34 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07:34 11264 ----a-w- c:\windows\system32\msrle32.dll
2008-10-16 15:44:50 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat

============= FINISH: 22:05:24.93 ===============


#2 jpshortstuff (WhatTheTech Teacher)

Posted 23 February 2010 - 04:31 AM

Hi,

Please delete your existing copy of ComboFix.

Please download ComboFix to your desktop from one of these locations. You must rename it before saving it. Save it to your desktop.
Link 1
Link 2
Link 3





IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on Combo-Fix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please advise.
5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Trained at the What The Tech Classroom where you too could learn to help others.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here

#3 mhjkpj (Topic Starter)

Posted 23 February 2010 - 09:28 PM

Thank you for your quick response. You attached C:\ComboFix.txt. There were no problems during the running of this program. Thank you.

#4 mhjkpj (Topic Starter)

Posted 23 February 2010 - 09:30 PM

Thank you for your quick response. You attached C:\ComboFix.txt. There were no problems during the running of this program. Thank you.


#5 jpshortstuff (WhatTheTech Teacher)

Posted 24 February 2010 - 05:32 AM

Hi,

You appear to have Limewire installed - this is a great way to get yourself infected. I strongly recommend you consider removing it, and at the very least please do not use it until we have finished cleaning.


1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

CODE
Collect::
c:\windows\oqaqoziyi.dll
c:\windows\oquyimaxeqayofi.dll

File::
c:\windows\Lfufiruburuy.bin
c:\windows\Jbomuray.dat

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00

Firefox::
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\kt0hd9js.default\
FF - HiddenExtension: XULRunner: {5BC6129F-7358-4EC2-8B95-74716836CD87} - c:\windows\system32\config\systemprofile\Local Settings\Application Data\{5BC6129F-7358-4EC2-8B95-74716836CD87}\


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. After reboot, (in case it asks to reboot), please post ComboFix.txt in your next reply.


Download TDSSKiller and save it to your Desktop.
  • Extract the file and run it (TDSSKiller.exe).
  • Once completed it will create a log in your C:\ drive called TDSSKiller_* (* denotes version & date)
  • Please post the content of that log in your next reply.
Let me know how things are running after this.

#6 mhjkpj (Topic Starter)

Posted 24 February 2010 - 10:45 PM

I uninstalled Limewire as suggested. I ran Combofix and TDSSKiller as instructed. Both log files are attached. Unfortunately I am still experiencing the same problems as before.

1. In my Process Explorer window, I see rundll32.exe starting up every few seconds under lsass.exe. There are about 50 of them running right now.

2. I get a 404 error anytime I try to sign into Google to access my gmail account. I get the message "The requested URL /accounts/Login was not found on this server. Apache/2.2.3 (Red Hat) Server at www.google.com Port 443", but I am able to access it through my other computer.

3. I still see four or so of those *.dll files in my root directory (buyenayo.dll, mazihihe.dll, rigagine.dll, wotupogo.dll). When I try to view the contents of this directory through Windows Explorer, it freezes.

Let me know what else I am able to do. Thanks for your patience.


#7 jpshortstuff (WhatTheTech Teacher)

Posted 25 February 2010 - 03:41 AM

TDSSKiller identified the main culprit, did you reboot after running it?

Please run GMER again and post the log, so we can check if the removal was successful. Please also run DDS, and just post DDS.txt.

#8 mhjkpj (Topic Starter)

Posted 25 February 2010 - 11:18 PM

Yes I did reboot just before the previous post. Attached are the ark2.txt and DDS2.text as requested. I ran them in that order.

Something I just noticed.......

Prior to running any of the requested scans or utilities, I deactivated all blockers, virus scanners, Windows Services, and anything else that might interfere with the cleaning procedures. I also prevented them from automatically loading during start up in case the utility rebooted the computer.

I just realized that the rundll32.exe did not continually reload itself like I mentioned in my previous post, suggesting that something I deactivated was causing the loader to run wild. This is a list of what I deactivated prior to all past scans:

Services:
avguard.exe, sched.exe, DefWatch.exe, Rtvscan.exe, k9filter.exe

Thanks for your patience. I await further instruction.


#9 jpshortstuff (WhatTheTech Teacher)

Posted 26 February 2010 - 04:01 AM

Hi,

We need to run another CFScript, please do the same as before with this one:
CODE
Collect::
c:\windows\nelvcn.dll

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00

RegLockDel::
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{08A98702-1FEF-80FC-DBDE-A2BC49567791}]



Eset online scanner

You can use either Internet Explorer or Mozilla FireFox for this scan.
  • Please go here then click on:
    QUOTE
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on:
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on:
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on:
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Let me know how things are running now.
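As an added illustration (not code from this thread, from ComboFix or from DDS), the following Python script parses DDS-style entries like those quoted in the first post, flags the persistence mechanisms that fall outside an assumed clean baseline, and decodes the hex(7) value the CFScript above writes to LSA Notification Packages to show that it restores the stock "scecli" entry. The baseline sets and the eight-letter file-name heuristic are assumptions drawn only from this thread's own logs.

```python
"""Triage the persistence entries quoted in this thread's DDS report.

Flags the mechanisms seen in the first post (Run key launching Rundll32 with
an unknown DLL, AppInit_DLLs, SSODL / SharedTaskScheduler CLSIDs, an extra
LSA Notification Package) and decodes the hex(7) REG_MULTI_SZ value that the
CFScript writes back, to confirm it restores the "scecli" default.
"""
from __future__ import annotations

import re

# Constructed sample: the entries quoted in post #1 plus the benign
# WPDShServiceObj line from the DDS log, so the baseline check has a true negative.
SAMPLE_LOG = r"""HKLM\..\Run: [keputovet] Rundll32.exe "c:\windows\system32\wotupogo.dll",a
AppInit_DLLs: c:\windows\system32\wotupogo.dll,vipadefu.dll
SSODL: delupeyuh - {a7a7f809-795f-4fe2-8bb9-cc5c0e372b6e} - c:\windows\system32\wotupogo.dll
SharedTaskScheduler: mujuzedij - {a7a7f809-795f-4fe2-8bb9-cc5c0e372b6e} - c:\windows\system32\wotupogo.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli nelvcn.dll
"""

# Assumed baselines: "scecli" is the stock XP notification package; the SSODL
# CLSID is the WPD shell object present in the thread's own DDS log.
LSA_BASELINE = {"scecli"}
SSODL_BASELINE = {"{aaa288ba-9a4c-45b0-95d7-94d524869db5}"}

# Heuristic specific to this infection: eight lowercase letters + .dll
RANDOM_DLL = re.compile(r"^[a-z]{8}\.dll$")
GUID_AND_PATH = re.compile(r"(\{[0-9a-f-]{36}\})\s*-\s*(.+)$", re.I)
DLL_PATH = re.compile(r'([a-z]:\\[^",]+?\.dll)', re.I)


def is_random_dll(path: str) -> bool:
    """True when the file name looks like the generated names in this thread."""
    name = path.rsplit("\\", 1)[-1].lower()
    return bool(RANDOM_DLL.match(name))


def decode_hex7(value: str) -> list[str]:
    """Decode a .reg-style hex(7) REG_MULTI_SZ into its list of strings.

    Regedit exports are UTF-16LE; ComboFix scripts, like the one in this
    thread, use single-byte ANSI. Both are NUL separated, double-NUL terminated.
    """
    raw = bytes(int(b, 16) for b in value.split(","))
    if len(raw) % 2 == 0 and all(raw[i] == 0 for i in range(1, len(raw), 2)):
        text = raw.decode("utf-16-le")
    else:
        text = raw.decode("latin-1")
    return [s for s in text.split("\x00") if s]


def lsa_packages_removed_by_fix(observed: str, fix_hex7: str) -> set[str]:
    """Packages present in the observed LSA value that the hex(7) fix drops."""
    return set(observed.split()) - set(decode_hex7(fix_hex7))


def triage(log: str) -> list[tuple[str, str]]:
    """Return (mechanism, artifact) pairs for entries outside the baselines."""
    findings: list[tuple[str, str]] = []
    for line in log.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, rest = line.partition(": ")
        if key.endswith("Run") and "rundll32" in rest.lower():
            # Rundll32 loading a randomly named DLL from system32
            m = DLL_PATH.search(rest)
            if m and is_random_dll(m.group(1)):
                findings.append(("Run+Rundll32", m.group(1)))
        elif key == "AppInit_DLLs":
            # Any AppInit_DLLs entry is loaded into every process that links user32
            for dll in rest.split(","):
                findings.append(("AppInit_DLLs", dll.strip()))
        elif key in ("SSODL", "SharedTaskScheduler"):
            m = GUID_AND_PATH.search(rest)
            if m and m.group(1).lower() not in SSODL_BASELINE:
                findings.append((key, m.group(2).strip()))
        elif key == "LSA" and rest.startswith("Notification Packages"):
            for pkg in rest.split("=", 1)[1].split():
                if pkg.lower() not in LSA_BASELINE:
                    findings.append(("LSA Notification Packages", pkg))
    return findings


if __name__ == "__main__":
    for mechanism, artifact in triage(SAMPLE_LOG):
        print(f"{mechanism:28} {artifact}")
    fix = "73,63,65,63,6c,69,00,00"  # value from the thread's CFScript
    print("CFScript restores LSA Notification Packages to", decode_hex7(fix))
    print("which drops", lsa_packages_removed_by_fix("scecli nelvcn.dll", fix))
```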

#10 mhjkpj (Topic Starter)

Posted 01 March 2010 - 09:01 PM

It worked. It's all clean. I deleted all quarantined files, ran defogger.exe again, turned back on my Windows services, and ran several different virus scanners. All come up clean. Even my "Restore" is back on. I have posted the ESET log file, and attached the final ComboFix log for your review.

If you see anything that looks suspicious, let me know. Thanks very much for your help.


ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=7a57ed533fd1404394d124d5c40be0c0
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-02-27 04:08:19
# local_time=2010-02-26 09:08:19 (-0700, US Mountain Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1797 16775146 100 94 0 39779998 20882 0
# compatibility_mode=3586 16764926 40 17 43227574 346314543 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=78394
# found=18
# cleaned=0
# scan_time=3018
C:\Documents and Settings\Administrator\My Documents\Downloads\SmitfraudFix.exe multiple threats 00000000000000000000000000000000 I
C:\Program Files\Trend Micro\HijackThis\backups\backup-20100221-223526-284.dll a variant of Win32/Kryptik.CIQ trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\!KillBox\vipadefu.dll.vir a variant of Win32/Kryptik.CIQ trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\senifetu.dll.vir a variant of Win32/Kryptik.CIQ trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\vipadefu.dll.vir a variant of Win32/Kryptik.CIQ trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\wokozupi.dll.vir a variant of Win32/Kryptik.CIQ trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\yisiwusu.dll.vir a variant of Win32/Kryptik.CRP trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{D77A8695-69BC-453A-B0D5-D24F4836EC87}\RP1\A0001059.dll a variant of Win32/Kryptik.CIQ trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{D77A8695-69BC-453A-B0D5-D24F4836EC87}\RP2\A0003467.dll a variant of Win32/Kryptik.CIQ trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{D77A8695-69BC-453A-B0D5-D24F4836EC87}\RP2\A0003470.dll a variant of Win32/Kryptik.CIQ trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{D77A8695-69BC-453A-B0D5-D24F4836EC87}\RP2\A0003472.dll a variant of Win32/Kryptik.CIQ trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{D77A8695-69BC-453A-B0D5-D24F4836EC87}\RP2\A0003473.dll a variant of Win32/Kryptik.CIQ trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{D77A8695-69BC-453A-B0D5-D24F4836EC87}\RP2\A0003475.dll a variant of Win32/Kryptik.CIQ trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{D77A8695-69BC-453A-B0D5-D24F4836EC87}\RP2\A0003476.dll a variant of Win32/Kryptik.CIQ trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{D77A8695-69BC-453A-B0D5-D24F4836EC87}\RP2\A0003478.dll a variant of Win32/Kryptik.CRP trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{D77A8695-69BC-453A-B0D5-D24F4836EC87}\RP5\A0004814.dll a variant of Win32/Kryptik.CIQ trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{D77A8695-69BC-453A-B0D5-D24F4836EC87}\RP5\A0004815.dll a variant of Win32/Kryptik.CIQ trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{D77A8695-69BC-453A-B0D5-D24F4836EC87}\RP5\A0004817.dll a variant of Win32/Kryptik.CIQ trojan 00000000000000000000000000000000 I


#11 jpshortstuff (WhatTheTech Teacher)

Posted 02 March 2010 - 03:16 AM

Hi,

Log looks good

Click Start >> Run, and then type ComboFix /Uninstall and hit enter.
You can now delete any other tools I had you download and use, unless you wish to keep them.


Now that your system appears to be clean, there's just a few steps I'd like you to take to prevent any future infections.
  • Keeping your Windows up-to-date is crucial to your computer's security. Please go to the Windows Update Site (using Internet Explorer) and download and install all critical updates on a regular basis.

  • Make sure you update your Anti-Virus software regularly, new viruses are being developed all the time.

  • Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program.
Also, please read this great article by Tony Klein: So How Did I Get Infected In First Place

Glad we could be of assistance.

Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.

Stay Clean!

jpshortstuff