
Ridiculous rogueware


  • This topic is locked
2 replies to this topic

#1 boundbytheearth

boundbytheearth

  • Members
  • 1 posts
  • OFFLINE
  • Local time:01:19 AM

Posted 23 March 2010 - 01:18 PM

I have this XP Security Center 2010 virus which mainly operates with AVE.exe apparently; it won't let me access Firefox or IE, but I tricked it into staying on, so here I am. I can't use System Restore, it deletes Malwarebytes' primary EXE, and I don't really know what to do besides post my log here.
edit: editing this with DDS log
also there is a program called Antimalware Doctor and Total PC Defender


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:04:59 PM, on 3/23/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\My Documents\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aimhome.netsc...com/aimhome.adp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: C:\WINDOWS\system32\zaq8epcpea.dll - {A9BA40A1-74F1-52BD-F434-00B15A2C8953} - C:\WINDOWS\system32\zaq8epcpea.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Megaupload Toolbar - {A057A204-BACC-4D26-C39E-35F1D2A32EC8} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [net] "C:\WINDOWS\system32\net.net"
O4 - HKLM\..\Run: [tiyumuloku] Rundll32.exe "yesakuno.dll",s
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Adobe_Reader] c:\program files\internet explorer\wmpscfgs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [tiyumuloku] Rundll32.exe "yesakuno.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [tiyumuloku] Rundll32.exe "yesakuno.dll",s (User 'NETWORK SERVICE')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{38DF372D-AEE4-4BD6-B81C-092CEBB74099}: NameServer = 93.188.165.24,93.188.166.167
O17 - HKLM\System\CCS\Services\Tcpip\..\{998ACC0F-51F6-4104-9228-B86075785A30}: NameServer = 93.188.165.24,93.188.166.167
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.165.24,93.188.166.167
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.165.24,93.188.166.167
O20 - AppInit_DLLs: app_dll.dll
O22 - SharedTaskScheduler: jsg9dgjisdogje94guiofjgd - {A9BA40A1-74F1-52BD-F434-00B15A2C8953} - C:\WINDOWS\system32\zaq8epcpea.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: COMServer - Unknown owner - C:\WINDOWS\system32\msapps\comsrvr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 5061 bytes





DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Administrator at 14:22:22.45 on Tue 03/23/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.385 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\My Documents\HiJackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://aimhome.netscape.com/aimhome.adp
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
mWinlogon: Taskman=c:\documents and settings\administrator\application data\onbbw.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: c:\windows\system32\zaq8epcpea.dll: {a9ba40a1-74f1-52bd-f434-00b15a2c8953} - c:\windows\system32\zaq8epcpea.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: Megaupload Toolbar: {a057a204-bacc-4d26-c39e-35f1d2a32ec8} - c:\progra~1\megaup~2\MEGAUP~1.DLL
uRun: [Driver Updater]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [hsf87efjhdsf87f3jfsdi7fhsujfd] c:\docume~1\admini~1\locals~1\temp\cmd .exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [net] "c:\windows\system32\net.net"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [Adobe_Reader] c:\program files\internet explorer\wmpscfgs.exe
mRun: [tiyumuloku] Rundll32.exe "yesakuno.dll",s
mRun: [Windows Logon Application] c:\windows\system32\logon.exe
mRun: [services] c:\windows\services.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: DisableTaskMgr = 1 (0x1)
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: Download Link Using Mega Manager... - c:\program files\megaupload\mega manager\mm_file.htm
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
TCP: NameServer = 93.188.165.24,93.188.166.167
TCP: {38DF372D-AEE4-4BD6-B81C-092CEBB74099} = 217.23.14.75,4.2.2.1,93.188.165.24,93.188.166.167
TCP: {998ACC0F-51F6-4104-9228-B86075785A30} = 217.23.14.75,4.2.2.1,192.168.1.1
AppInit_DLLs: app_dll.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\zaq8epcpea.dll: {a9ba40a1-74f1-52bd-f434-00b15a2c8953} - c:\windows\system32\zaq8epcpea.dll
SEH: CShellExecuteHookImpl Object: {57b86673-276a-48b2-bae7-c6dbb3020eb8} - c:\program files\grisoft\avg anti-spyware 7.5\shellexecutehook.dll
LSA: Notification Packages = scecli habetosu.dll
IFEO: MpCmdRun.exe - c:\windows\system32\svchost.exe
IFEO: MSASCui.exe - c:\windows\system32\svchost.exe
IFEO: MsMpEng.exe - c:\windows\system32\svchost.exe
IFEO: msseces.exe - c:\windows\system32\svchost.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\q5q99s6g.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\q5q99s6g.default\extensions\{81bf1d23-5f17-408d-ac6b-bd6df7caf670}\components\XpcomOpusConnector.dll
FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPOlp32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 AvgAsCln;AVG Anti-Spyware Clean Driver;c:\windows\system32\drivers\AvgAsCln.sys [2010-1-30 3968]
R3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;c:\windows\system32\drivers\RTL8192su.sys [2010-2-24 588032]
S1 AVG Anti-Spyware Driver;AVG Anti-Spyware Driver;c:\program files\grisoft\avg anti-spyware 7.5\guard.sys [2006-9-28 4096]
S2 AVG Anti-Spyware Guard;AVG Anti-Spyware Guard;c:\program files\grisoft\avg anti-spyware 7.5\guard.exe [2006-9-28 204800]
S2 COMServer;COMServer;c:\windows\system32\msapps\comsrvr.exe [2010-3-23 12288]
S3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\drivers\a5agu.sys [2005-7-25 348352]
S3 ATHFMWDL;D-Link predator Bootloader driver;c:\windows\system32\drivers\Athfmwdl.sys [2005-7-25 43392]
S3 S3GIGP;S3GIGP;c:\windows\system32\drivers\S3gIGPm.sys [2006-6-23 808448]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2009-12-1 34384]

============== File Associations ===============

regfile="regedit.exe" "%1"
.exe=secfile

=============== Created Last 30 ================

2010-03-23 18:20:38 108032 --sh--r- c:\docume~1\admini~1\applic~1\onbbw.exe
2010-03-23 18:15:05 2713 --sh--w- c:\windows\system32\gukevasi.dll
2010-03-23 18:07:02 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-23 17:48:22 27648 ----a-w- c:\documents and settings\administrator\rundll32.exe
2010-03-23 17:45:58 0 d-----w- c:\windows\pss
2010-03-23 16:22:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-23 16:22:44 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-23 16:22:43 0 d-----w- c:\program files\Malwarebytes' Anti-Malwarea
2010-03-23 16:11:25 1593 ----a-w- c:\windows\system32\_VOIDmfeklnmal.dll
2010-03-23 16:11:12 94208 ----a-w- c:\windows\system32\app_dll.dll
2010-03-23 16:10:27 10367 ----a-w- c:\docume~1\alluse~1\applic~1\_VOIDmainqt.dll
2010-03-23 16:10:15 49152 ----a-w- c:\windows\system32\_VOIDnrdernoyxi.dll
2010-03-23 16:10:14 49152 ----a-w- c:\windows\system32\_VOIDmdvseberxo.dll
2010-03-23 16:10:12 29696 ----a-w- c:\windows\system32\_VOIDvakdvwtypx.dll
2010-03-23 16:10:12 192 ----a-w- c:\windows\system32\_VOIDtehqbclacq.dat
2010-03-23 16:10:10 0 d-----w- c:\windows\_VOIDuqfvnmcxju
2010-03-23 16:09:54 0 d-----w- c:\program files\Total PC Defender
2010-03-23 16:09:30 27648 ----a-w- c:\windows\system32\soundman.exe
2010-03-23 16:09:14 0 d-----w- C:\spoolerlogs
2010-03-23 16:09:12 164352 ----a-w- c:\windows\Evaxya.exe
2010-03-23 16:09:09 0 d-sh--w- c:\documents and settings\administrator\.COMMgr
2010-03-23 16:08:56 860672 ----a-w- c:\windows\system32\drivers\tkmcs.sys
2010-03-23 16:08:45 20000 ----a-w- c:\windows\system32\zaq8epcpea.dll
2010-03-23 16:08:42 0 d-----w- c:\windows\system32\msapps
2010-03-23 16:08:28 0 d-----w- c:\docume~1\admini~1\applic~1\94F9CAC861884F6B0D4B5FB622947BB1
2010-03-23 16:08:21 57729 ----a-w- c:\windows\system32\net.net
2010-03-23 03:51:30 0 d-----w- c:\program files\Audacity 1.3 Beta (Unicode)
2010-03-23 03:44:10 0 d-----w- c:\docume~1\admini~1\applic~1\WinFF
2010-03-23 03:44:08 0 d-----w- c:\program files\WinFF
2010-03-23 03:37:37 0 d-----w- c:\docume~1\admini~1\applic~1\Thinstall
2010-03-23 02:35:10 0 d-----w- c:\windows\system32\wbem\Repository
2010-03-23 02:34:59 0 d-----w- c:\program files\MyWebSearch
2010-03-23 02:34:59 0 d-----w- c:\program files\FunWebProducts
2010-03-23 00:43:53 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-03-23 00:42:46 0 d-----w- c:\program files\Skype
2010-03-22 21:06:52 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-03-22 21:06:48 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-22 21:06:48 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-17 08:09:24 0 d-----w- c:\program files\WinDirStat
2010-03-12 12:09:46 0 d-----w- c:\docume~1\admini~1\applic~1\runic games
2010-03-12 12:06:17 0 d-----w- c:\program files\Runic Games
2010-03-12 11:41:23 0 d-----w- c:\program files\Depths Of Peril
2010-03-12 11:41:09 0 d-----w- c:\program files\ReflexiveArcade
2010-03-11 10:26:50 0 d-----w- c:\program files\common files\Blizzard Entertainment
2010-03-10 08:14:00 0 d-----w- c:\program files\FFB - Facebook Friend Bomber
2010-03-10 00:43:24 0 d-----w- c:\program files\Guitar Speed Trainer
2010-03-09 17:19:17 115920 ----a-w- c:\windows\system32\MSINET.OCX
2010-03-09 17:19:17 0 d-----w- c:\program files\Offline Course Player
2010-03-05 08:00:25 0 d-----w- c:\windows\ie8updates
2010-03-05 00:35:48 0 d-----w- c:\program files\AWS
2010-03-05 00:35:44 0 d-----w- c:\program files\Viewpoint
2010-03-05 00:35:44 0 d-----w- c:\program files\AOD
2010-03-05 00:35:44 0 d-----w- c:\docume~1\alluse~1\applic~1\Viewpoint
2010-03-05 00:35:42 344064 ----a-w- c:\windows\system32\msvcr70.dll
2010-03-05 00:33:36 0 d-----w- c:\windows\Downloaded Installations
2010-03-04 21:48:09 0 d-----w- c:\program files\Guitar Pro 5
2010-03-04 21:18:07 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-03-04 21:18:07 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-03-04 21:18:06 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-03-04 21:18:06 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-03-04 21:18:06 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-03-04 21:18:04 11070464 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-03-04 19:33:01 0 d-sh--w- c:\documents and settings\administrator\PrivacIE
2010-03-04 19:30:52 0 d-sh--w- c:\documents and settings\administrator\IETldCache
2010-03-04 19:27:04 0 dc-h--w- c:\windows\ie8
2010-03-04 18:47:59 0 d-----w- c:\program files\Microsoft
2010-03-02 17:31:17 0 d-----w- c:\docume~1\alluse~1\applic~1\Screaming Bee
2010-03-02 14:24:22 0 d-----w- c:\program files\AV Vcs 4.0 DIAMOND
2010-03-01 14:42:42 0 d-----w- c:\docume~1\alluse~1\applic~1\Megaupload
2010-03-01 14:42:42 0 d-----w- c:\docume~1\alluse~1\applic~1\EmailNotifier
2010-03-01 14:42:42 0 d-----w- c:\docume~1\admini~1\applic~1\EmailNotifier
2010-03-01 14:42:41 0 d-----w- c:\program files\MegauploadToolbar
2010-03-01 14:42:41 0 d-----w- c:\docume~1\admini~1\applic~1\MegauploadToolbar
2010-02-25 13:44:19 0 d-----w- c:\program files\common files\Software Update Utility
2010-02-25 13:44:10 464 ---ha-w- C:\IPH.PH
2010-02-25 06:10:33 0 d-----w- c:\windows\system32\LogFiles
2010-02-25 05:44:19 230424 ----a-w- C:\img2-001.raw
2010-02-24 21:22:24 0 d-----w- c:\program files\AIM7
2010-02-24 20:25:12 0 d-----w- c:\docume~1\alluse~1\applic~1\D-Link
2010-02-24 20:23:40 588032 ----a-w- c:\windows\system32\drivers\RTL8192su.sys
2010-02-24 20:23:40 0 d-----w- c:\windows\pcidevice
2010-02-22 23:26:43 0 d-----w- c:\docume~1\admini~1\applic~1\Screaming Bee
2010-02-22 23:25:58 0 d-----w- c:\program files\Screaming Bee

==================== Find3M ====================

2010-03-23 16:24:06 27648 ----a-w- c:\windows\vvx3000.exe
2010-03-23 16:09:32 27648 ----a-w- c:\windows\system32\s3trayp.exe
2010-03-23 16:09:31 27648 ----a-w- c:\windows\system32\vttimer.exe
2010-01-26 18:17:35 87608 ----a-w- c:\docume~1\admini~1\applic~1\inst.exe
2010-01-26 18:17:35 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2010-01-26 18:17:35 47360 ----a-w- c:\docume~1\admini~1\applic~1\pcouffin.sys
2010-01-20 00:56:45 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-01-20 00:46:21 410984 ----a-w- c:\windows\system32\deploytk.dll
1601-01-01 00:03:28 48640 --sha-w- c:\windows\system32\desoyahi.dll
1601-01-01 00:03:28 21504 --sha-w- c:\windows\system32\fozusayo.dll
1601-01-01 00:03:52 65536 --sha-w- c:\windows\system32\habetosu.dll
1601-01-01 00:03:28 193024 --sha-w- c:\windows\system32\mesafari.exe
1601-01-01 00:03:52 65536 --sha-w- c:\windows\system32\witeyaza.dll
1601-01-01 00:03:52 65536 --sha-w- c:\windows\system32\yesakuno.dll
1601-01-01 00:03:28 42496 --sha-w- c:\windows\system32\zumunope.dll

============= FINISH: 14:24:23.21 ===============

Edited by boundbytheearth, 23 March 2010 - 01:27 PM.
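As an added example (not code from this thread, nor from the HijackThis or DDS tools), the following Python triage pass reads lines in the HijackThis format shown above and flags the indicator classes a helper would look at first: a BHO with no display name, Run entries that load a DLL by bare name or point at a non-.exe file, policy lockouts, rewritten DNS servers, AppInit_DLLs, a SharedTaskScheduler hook, and a service with no vendor. The sample lines are copied from the log above; the set of resolvers treated as expected is an assumption.

```python
# Added example, not a BleepingComputer or HijackThis tool: triage HijackThis-style log lines.
import ipaddress
import re

# Constructed sample: a subset of the HijackThis lines from the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: C:\WINDOWS\system32\zaq8epcpea.dll - {A9BA40A1-74F1-52BD-F434-00B15A2C8953} - C:\WINDOWS\system32\zaq8epcpea.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [net] "C:\WINDOWS\system32\net.net"
O4 - HKLM\..\Run: [tiyumuloku] Rundll32.exe "yesakuno.dll",s
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.165.24,93.188.166.167
O20 - AppInit_DLLs: app_dll.dll
O22 - SharedTaskScheduler: jsg9dgjisdogje94guiofjgd - {A9BA40A1-74F1-52BD-F434-00B15A2C8953} - C:\WINDOWS\system32\zaq8epcpea.dll
O23 - Service: COMServer - Unknown owner - C:\WINDOWS\system32\msapps\comsrvr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
"""

# Assumption for this example: the resolvers the machine is expected to use
# (LAN gateway and one public resolver). Any other O17 NameServer is flagged.
EXPECTED_DNS = {"192.168.1.1", "4.2.2.1"}

def _check_o2(body):
    # A BHO whose display name is just its own path was dropped, not installed.
    parts = [p.strip() for p in body.split(":", 1)[-1].split(" - ")]
    if len(parts) >= 3 and parts[0].lower() == parts[-1].lower():
        return "BHO registered without a display name (path used as name)"
    return None

def _check_o4(body):
    m = re.search(r"\[[^\]]*\]\s*(.*)$", body)
    cmd = m.group(1).strip() if m else ""
    # Rundll32 given a bare DLL name resolves it through the DLL search path,
    # which hides where the payload actually lives.
    rd = re.match(r'(?i)rundll32(?:\.exe)?\s+"?([^",\s]+)', cmd)
    if rd and "\\" not in rd.group(1):
        return "Rundll32 loads a DLL by bare name: " + rd.group(1)
    target = cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split(" ")[0]
    if target and not target.lower().endswith(".exe"):
        return "Run target is not an .exe: " + target
    return None

def _check_o17(body):
    m = re.search(r"NameServer\s*=\s*([\d.,]+)", body)
    servers = m.group(1).split(",") if m else []
    bad = [ip for ip in servers
           if ip not in EXPECTED_DNS and not ipaddress.ip_address(ip).is_private]
    return "DNS rewritten to unexpected resolver(s): " + ",".join(bad) if bad else None

def _check_o20(body):
    value = body.split(":", 1)[1].strip() if ":" in body else ""
    return "AppInit_DLLs set: " + value if value else None

CHECKS = {
    "O2": _check_o2,
    "O4": _check_o4,
    "O7": lambda b: "system policy lockout: " + b.split(",")[-1].strip(),
    "O17": _check_o17,
    "O20": _check_o20,
    "O22": lambda b: "SharedTaskScheduler hook loads a DLL at shell start",
    "O23": lambda b: "service with no vendor (Unknown owner)" if " - Unknown owner - " in b else None,
}

def triage(log_text):
    # Returns (section, reason, line) for every log line a check flags.
    hits = []
    for line in log_text.splitlines():
        m = re.match(r"(O\d+) - (.*)$", line)
        if not m:
            continue
        section, body = m.groups()
        reason = CHECKS.get(section, lambda b: None)(body)
        if reason:
            hits.append((section, reason, line))
    return hits
```

Run `triage(SAMPLE_LOG)` to get the flagged entries; the Yahoo BHO, the Java updater Run entry and the Java service pass through unflagged.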



#2 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:12:19 AM

Posted 26 March 2010 - 10:12 PM


Hello boundbytheearth, welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.


Please keep in mind that we have a large backlog of users just like yourself waiting to be helped so try to be as timely as possible in your replies. Since we do this on a part-time voluntary basis we are limited on how many logs we can respond to and keep open due to time restraints. If you have to be away or can't answer for some other reason just let me know. Thank you for your understanding.



After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.



Let's see if we can get an ARK scan.

RKill by Grinler
Link #1
Link #2
Link #3
Link #4
  • Download Link #1.
  • Save it to your Desktop.
  • Double click the RKill desktop icon.
    If you are using Vista please right click and run as Admin!
  • A black screen will briefly flash indicating a successful run.
  • If this does not occur please delete that application and download Link #2.
  • Continue process until the tool runs.
  • If the tool does not run from any of the links tell me about it.




Before you attempt to run the following disable your antivirus and any program like Windows Defender or Tea Timer.




Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.





  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
Save it where you can easily find it, such as your desktop, and post it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries




If GMER does not want to run add the following to those that you unchecked and try it again:

  • Registry
  • Files
Note: Please post the log in the reply window and do not make it an attachment. Do this with all subsequent replies unless I ask otherwise.







Thanks,



thewall






#3 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:12:19 AM

Posted 31 March 2010 - 07:51 PM

Due to the lack of feedback, this topic is closed.

Should you need it reopened, please contact me by PM. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.