Malware/Rootkit infection; possible multiple


  • This topic is locked
10 replies to this topic

#1 macbethx24

macbethx24

  • Members
  • 4 posts
  • OFFLINE
  • Local time:02:28 PM

Posted 30 March 2010 - 04:05 PM

Hi, thanks for the help in advance. I have been infected by malware after clicking a link to a malicious page; I believe I have multiple infections. Originally I believed Virtumonde to be the main culprit (and it still may be) as S&D found it, but after booting into safe mode and running MBAM to remove it, there are still problems. I have had to system recover twice because my keyboard has stopped working; reinstalling the hardware for the keyboard does not remedy the problem, and the only solution I could find was to system restore to an earlier date, but other problems remain. I get error boxes upon normal startup that read RUNDLL at the top and then say Error loading: rufijabu.dll; about 3-4 of these boxes appear, with different .dll files in the message box, all obviously malicious. Also Firefox will not run, only IE will. Having just run MBAM again, it comes up with Trojan.vundo, Trojan.dropper, Trojan.agent and Trojan.downloader. I've run MBAM a few times in both safe mode and normal mode to try to remove it, but obviously the problem keeps returning.

Here is the DDS tool log:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Andrew at 17:02:22.04 on Tue 03/30/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1446 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Andrew\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: {85010304-b268-4888-a8c4-23298d794822} - nemawiwe.dll
BHO: {A9BA40A1-74F1-52BD-F434-00B15A2C8953} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [hsf87efjhdsf87f3jfsdi7fhsujfd] c:\docume~1\andrew\locals~1\temp\iexplarer.exe
mRun: [suyemuzul] Rundll32.exe "c:\windows\system32\godidusa.dll",a
mRun: [vitarabito] Rundll32.exe "rufijabu.dll",s
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
SSODL: pehorutes - {8aa11ca7-b237-42ec-a7ee-c8c5f5dc5b17} - c:\windows\system32\godidusa.dll
STS: mujuzedij: {8aa11ca7-b237-42ec-a7ee-c8c5f5dc5b17} - c:\windows\system32\godidusa.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\andrew\applic~1\mozilla\firefox\profiles\zvty4e8u.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2010-3-30 30280]
R2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [2010-3-30 53088]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-3-30 38224]
R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [2010-3-30 24368]
S3 sndcast;sndcast;c:\windows\system32\sndcast.sys [2004-8-4 2304]
S4 CSIScanner;CSIScanner;c:\program files\prevx\prevx.exe [2010-3-30 6349008]

=============== Created Last 30 ================

2010-03-30 20:50:28 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-03-30 20:50:28 411368 ----a-w- c:\windows\system32\REN29.tmp
2010-03-30 20:43:12 0 d-----w- c:\docume~1\andrew\applic~1\Malwarebytes
2010-03-30 20:43:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 20:43:06 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-30 19:56:08 112 ----a-w- c:\docume~1\alluse~1\applic~1\gpEpEqel.dat
2010-03-30 19:45:06 0 d-----w- c:\windows\system32\wbem\Repository
2010-03-30 19:44:57 0 d-----w- C:\ComboFix
2010-03-30 19:44:49 0 d-----w- c:\program files\Prevx
2010-03-30 19:44:49 0 d-----w- c:\docume~1\alluse~1\applic~1\PrevxCSI
2010-03-30 19:20:22 0 d-----w- C:\ComboFix(2)
2010-03-30 19:10:08 0 d-----w- C:\RECYCLER(3)
2010-03-30 19:03:24 0 d-----w- C:\Autoruns
2010-03-30 17:59:29 0 d-----w- c:\docume~1\andrew\applic~1\Malwarebytes(2)
2010-03-30 10:00:17 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-30 10:00:17 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-30 09:40:16 0 d-sh--w- C:\RECYCLER(2)
2010-03-30 09:12:07 171008 ----a-w- c:\windows\system32\srsvc.dll
2010-03-30 09:03:46 98816 ----a-w- c:\windows\sed.exe
2010-03-30 09:03:46 77312 ----a-w- c:\windows\MBR.exe
2010-03-30 09:03:46 261632 ----a-w- c:\windows\PEV.exe
2010-03-30 09:03:46 161792 ----a-w- c:\windows\SWREG.exe
2010-03-30 08:23:21 43032 ---ha-w- c:\windows\system32\TVJvC.com
2010-03-30 08:23:21 43032 ---ha-w- c:\documents and settings\andrew\TVJvC.com
2010-03-30 08:23:21 43032 ---ha-w- c:\docume~1\alluse~1\applic~1\TVJvC.com
2010-03-30 07:40:06 53160 ----a-w- c:\windows\system32\PxSecure.dll
2010-03-30 07:40:06 53088 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-03-30 07:40:06 30280 ----a-w- c:\windows\system32\drivers\pxscan.sys
2010-03-30 07:40:06 24368 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2010-03-30 07:40:01 49 ----a-w- c:\windows\wininit.ini
2010-03-30 06:56:33 0 d-----w- C:\!KillBox
2010-03-30 06:46:23 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-03-30 06:46:23 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-03-30 06:21:45 0 dc----w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-30 06:06:26 0 d-----w- c:\windows\pss
2010-03-30 05:59:50 176640 ----a-w- c:\windows\Ufeqia.exe
2010-03-30 03:51:16 0 d-----w- c:\program files\Combined Community Codec Pack
2010-03-11 01:49:24 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-05 05:28:51 0 d-----w- c:\program files\NVIDIA nTune Performance Application
2010-03-05 05:20:38 9047 ----a-w- c:\windows\system32\nvinfo.pb
2010-03-05 05:20:38 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-03-05 05:20:36 11632640 ----a-w- c:\windows\system32\nvcompiler.dll
2010-03-05 05:17:17 24576 ----a-r- c:\windows\system32\AsIO.dll
2010-03-05 05:17:17 12664 ----a-r- c:\windows\system32\drivers\AsIO.sys
2010-03-05 05:17:16 12096 ----a-w- c:\windows\system32\drivers\AsInsHelp64.sys
2010-03-05 05:17:16 10304 ----a-w- c:\windows\system32\drivers\AsInsHelp32.sys
2010-03-05 05:17:16 0 d-----w- c:\program files\ASUS

==================== Find3M ====================

2010-03-30 19:53:50 43060 ----a-w- c:\windows\system32\rundll32.exe.tmp
2010-03-30 08:23:55 43056 ----a-w- c:\windows\system32\Rundll32 .exe
2010-03-30 08:23:55 43056 ----a-w- c:\windows\fonts\TVJvC.com
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet(2).dll
2010-02-25 06:24:37 1209344 ----a-w- c:\windows\system32\urlmon(2).dll
2010-02-25 06:24:35 25600 ----a-w- c:\windows\system32\jsproxy(2).dll
2010-01-12 04:03:33 6359168 ----a-w- c:\windows\system32\nv4_disp.dll
2010-01-12 04:03:33 4104192 ----a-w- c:\windows\system32\nvcuda.dll
2010-01-12 04:03:33 4077672 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-01-12 04:03:33 2283526 ----a-w- c:\windows\system32\nvdata.bin
2010-01-12 04:03:33 2259560 ----a-w- c:\windows\system32\nvcuvid.dll
2010-01-12 04:03:33 182888 ----a-w- c:\windows\system32\nvcodins.dll
2010-01-12 04:03:33 182888 ----a-w- c:\windows\system32\nvcod.dll
2010-01-12 04:03:33 14458880 ----a-w- c:\windows\system32\nvoglnt.dll
2010-01-12 04:03:33 1081344 ----a-w- c:\windows\system32\nvapi.dll
2010-01-12 03:17:44 278120 ----a-w- c:\windows\system32\nvmccs.dll
2010-01-12 03:17:44 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2010-01-12 03:17:44 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-01-12 03:17:44 13666408 ----a-w- c:\windows\system32\nvcpl.dll
2010-01-12 03:17:44 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-01-12 03:17:40 81920 ----a-w- c:\windows\system32\nvwddi.dll
2006-06-23 18:48:54 32768 ----a-w- c:\windows\inf\UpdateUSB.exe
1601-01-01 00:03:28 48640 --sha-w- c:\windows\system32\bibegipe.dll

============= FINISH: 17:02:31.87 ===============
Here is the GMER log:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-30 16:37:19
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Andrew\LOCALS~1\Temp\pxtdrpob.sys


---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs sujaheja.dll

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Andrew\Recent\Untitled 1.odt.lnk 557 bytes

---- EOF - GMER 1.0.15 ----
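As an added triage example (my own code, not part of the original post and not a BleepingComputer or DDS/GMER tool), the script below applies, over a handful of constructed sample lines copied from the DDS log above, the checks a responder makes by eye when reading such a log: autostart entries that reference a module by bare name instead of a full path, BHO CLSIDs with no file behind them, executables launched from a Temp directory, Run value names that look machine-generated, the same DLL registered in several autostart locations, a file name with a space before its extension that mimics a system binary, a hidden+system DLL, and a zeroed (1601) timestamp. The rule names, the 16-character label threshold and the other heuristics are my assumptions, not anything the log format defines.

```python
"""Triage DDS-style autostart and file-listing lines for the signs a responder looks for."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines copied from the DDS "Pseudo HJT Report", "Created Last 30"
# and "Find3M" sections above, with a few benign entries (Java, NVIDIA) kept for contrast.
SAMPLE_LOG = r"""
BHO: {85010304-b268-4888-a8c4-23298d794822} - nemawiwe.dll
BHO: {A9BA40A1-74F1-52BD-F434-00B15A2C8953} - No File
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [hsf87efjhdsf87f3jfsdi7fhsujfd] c:\docume~1\andrew\locals~1\temp\iexplarer.exe
mRun: [suyemuzul] Rundll32.exe "c:\windows\system32\godidusa.dll",a
mRun: [vitarabito] Rundll32.exe "rufijabu.dll",s
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
SSODL: pehorutes - {8aa11ca7-b237-42ec-a7ee-c8c5f5dc5b17} - c:\windows\system32\godidusa.dll
STS: mujuzedij: {8aa11ca7-b237-42ec-a7ee-c8c5f5dc5b17} - c:\windows\system32\godidusa.dll
2010-03-30 08:23:55 43056 ----a-w- c:\windows\system32\Rundll32 .exe
2010-01-12 03:17:44 154216 ----a-w- c:\windows\system32\nvsvc32.exe
1601-01-01 00:03:28 48640 --sha-w- c:\windows\system32\bibegipe.dll
"""

RUN_KINDS = ("uRun", "mRun", "mRunOnce")
AUTOSTART_RE = re.compile(r"^(?P<kind>BHO|uRun|mRun|mRunOnce|SSODL|STS):\s*(?P<rest>.+)$")
RUN_RE = re.compile(r"^\[(?P<label>[^\]]+)\]\s*(?P<cmd>.*)$")
FILE_RE = re.compile(r"^(?P<year>\d{4})-\d\d-\d\d \d\d:\d\d:\d\d\s+\d+\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$")
# First module reference in a command: either a full drive path or a bare file name.
MODULE_RE = re.compile(r'(?i)(?:[a-z]:\\[^",]*?|[\w.~-]+)\.(?:dll|exe|com)')
HOST_RE = re.compile(r"(?i)^rundll32\.exe\s+")  # rundll32 is the host, not the payload


@dataclass
class Finding:
    line: str
    rule: str
    detail: str


def _leaf(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def _autostart_target(kind, rest):
    """Return (label, module) for one Pseudo-HJT line; module is None for 'No File'."""
    if kind in RUN_KINDS:
        m = RUN_RE.match(rest)
        label, cmd = (m["label"], m["cmd"]) if m else ("", rest)
    else:  # BHO / SSODL / STS lines end with " - <file>"
        label, _, cmd = rest.rpartition(" - ")
    cmd = HOST_RE.sub("", cmd.strip())
    if cmd == "No File":
        return label, None
    m = MODULE_RE.search(cmd)
    return label, (m.group(0) if m else cmd)


def triage(text):
    """Apply heuristic rules to each line; rule names and thresholds are this example's own."""
    findings = []
    seen = Counter()  # module basename -> number of autostart locations that load it
    for line in text.strip().splitlines():
        a, f = AUTOSTART_RE.match(line), FILE_RE.match(line)
        if a:
            label, module = _autostart_target(a["kind"], a["rest"])
            if module is None:
                findings.append(Finding(line, "orphaned-clsid", "autostart entry points at a file that no longer exists"))
                continue
            seen[_leaf(module).lower()] += 1
            if not re.match(r"(?i)^[a-z]:\\", module):
                findings.append(Finding(line, "bare-module", f"{module} has no full path and is resolved through the DLL search order"))
            if "\\temp\\" in module.lower():
                findings.append(Finding(line, "temp-exec", f"{module} is launched from a Temp directory"))
            if a["kind"] in RUN_KINDS and len(label) >= 16 and re.search(r"\d", label) and re.search(r"[A-Za-z]", label):
                findings.append(Finding(line, "random-label", f"Run value name '{label}' looks machine-generated"))
        elif f:
            name = _leaf(f["path"])
            if f["year"] == "1601":
                findings.append(Finding(line, "zero-filetime", "timestamp is the FILETIME epoch (1601), i.e. zeroed or forged"))
            if "s" in f["attrs"] and "h" in f["attrs"]:
                findings.append(Finding(line, "hidden-system", f"{name} carries hidden+system attributes"))
            if re.search(r"\s\.(?:exe|dll|com)$", name, re.I):
                findings.append(Finding(line, "lookalike-name", f"'{name}' has whitespace before its extension, mimicking a system binary"))
    for mod, n in seen.items():
        if n >= 2:
            findings.append(Finding(mod, "multi-autostart", f"{mod} is registered in {n} separate autostart locations"))
    return findings


def rules_for(findings, needle):
    """Sorted rule names of the findings whose line contains `needle`."""
    return sorted(fd.rule for fd in findings if needle in fd.line)


if __name__ == "__main__":
    for fd in triage(SAMPLE_LOG):
        print(f"[{fd.rule}] {fd.detail}")
```

Run as-is it prints one line per finding; on the sample the benign Java and NVIDIA entries produce nothing, while every entry the helper later targets (the bare `rufijabu.dll`, the Temp-dropped `iexplarer.exe`, `godidusa.dll` loaded from three autostart locations, the `Rundll32 .exe` lookalike and the hidden 1601-dated `bibegipe.dll`) is flagged at least once. The heuristics are deliberately simple and will miss pronounceable random names such as `suyemuzul` on their own; that is why the cross-line multi-autostart rule exists.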


#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:01:28 PM

Posted 30 March 2010 - 07:46 PM

Hello Victim,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

I see you have Prevx installed on your machine as your antivirus. Prevx is known to have many false positives and not a very good detection rate. I would uninstall Prevx unless you have paid for it. I will give you a couple of good free antivirus programs; one of these I actually use myself. Please don't run two antivirus programs at the same time, as they will conflict with each other and detect each other.
  • Download and install an antivirus program, and make sure that you keep it updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Two good antivirus programs free for non-commercial home use are Avast! and Antivir
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.


1.
We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half-finished fix, we need to disable TeaTimer. We can re-enable it when we're done if you like.
  1. Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  2. If prompted with a legal dialog, accept the warning.
  3. Click and then on "Advanced Mode"
  4. You may be presented with a warning dialog. If so, press
  5. Click on
  6. Click on
  7. Uncheck this checkbox:
  8. Close/Exit Spybot Search and Destroy

2.
Your log(s) show that you are using so-called peer-to-peer or file-sharing programmes (in your case LimeWire and BitTornado). These programmes allow users to share files between them, as the name suggests. In today's world cyber crime has reached an enormous scale, and any means is used to infect personal computers in order to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, so it is suggested that they be used with great care. Some further readings on this subject, at the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws of many countries around the world, and you are putting yourself at risk of being indicted by organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."


3.
Download and Run RKill
    Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

4.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.

Things to include in your next reply:
Rkill log
Combofix.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:01:28 PM

Posted 01 April 2010 - 06:41 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding.

With Regards,
fireman4it


#4 macbethx24

macbethx24
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:02:28 PM

Posted 01 April 2010 - 11:42 PM

Hi, thanks for the help so far. To answer the last question first: I would say my computer is running fairly smoothly, however IE will randomly close, and overnight the computer will lock me out; it will say that the computer has been locked and I have to put in a password (I do not lock my computer, and none of the passwords that I have ever used work). Overall, however, the computer is fairly usable, but I don't think it's clean yet, although perhaps ComboFix fixed that. I'll be heading to bed now but will post back tomorrow. Here is the rkill log:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Andrew on 04/02/2010 at 0:35:06.


Processes terminated by Rkill or while it was running:


C:\Documents and Settings\Andrew\Desktop\rkill.com


Rkill completed on 04/02/2010 at 0:35:09.


And here is the combofix log:

ComboFix 10-03-29.04 - Andrew 04/02/2010 0:28.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1702 [GMT -4:00]
Running from: c:\documents and settings\Andrew\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2010-03-02 to 2010-04-02 )))))))))))))))))))))))))))))))
.

2010-03-31 08:34 . 2010-04-01 17:38 65026 ----a-w- c:\documents and settings\All Users\Application Data\AdiSFfSQ.exe
2010-03-31 05:04 . 2010-03-31 05:04 4736 ----a-w- c:\windows\system32\o.sys
2010-03-30 20:50 . 2010-03-30 20:50 -------- d-----w- c:\program files\Common Files\Java
2010-03-30 20:50 . 2010-03-30 20:50 -------- d-----w- c:\program files\Java
2010-03-30 20:43 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 20:43 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-30 19:45 . 2010-03-30 19:45 -------- d-----w- c:\windows\system32\wbem\Repository
2010-03-30 19:44 . 2010-03-30 19:44 -------- d-----w- c:\program files\Prevx
2010-03-30 19:44 . 2010-03-30 19:44 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI
2010-03-30 19:22 . 2010-03-30 19:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-03-30 19:20 . 2010-03-30 19:44 -------- d-----w- C:\ComboFix(2)
2010-03-30 19:10 . 2010-03-30 19:44 -------- d-----w- C:\RECYCLER(3)
2010-03-30 19:03 . 2010-03-30 19:44 -------- d-----w- C:\Autoruns
2010-03-30 10:00 . 2010-03-30 20:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-30 10:00 . 2010-03-30 10:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-30 09:40 . 2010-03-30 19:44 -------- d-----w- C:\RECYCLER(2)
2010-03-30 09:12 . 2008-04-14 00:12 171008 ------w- c:\windows\system32\srsvc.dll
2010-03-30 08:23 . 2010-03-30 08:23 43032 ---ha-w- c:\windows\system32\TVJvC.com
2010-03-30 08:23 . 2010-03-30 08:23 43032 ---ha-w- c:\documents and settings\Andrew\TVJvC.com
2010-03-30 08:23 . 2010-03-30 08:23 43032 ---ha-w- c:\documents and settings\All Users\Application Data\TVJvC.com
2010-03-30 08:22 . 2010-03-30 08:22 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-03-30 08:22 . 2010-03-30 08:22 -------- d-sh--w- c:\windows\system32\config\systemprofile\IECompatCache
2010-03-30 07:46 . 2010-03-30 07:46 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-03-30 07:40 . 2010-03-30 07:40 53160 ----a-w- c:\windows\system32\PxSecure.dll
2010-03-30 07:40 . 2010-03-30 07:40 53088 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-03-30 07:40 . 2010-03-30 07:40 30280 ----a-w- c:\windows\system32\drivers\pxscan.sys
2010-03-30 07:40 . 2010-03-30 07:40 24368 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2010-03-30 07:31 . 2010-03-30 07:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\Media Player Classic
2010-03-30 07:16 . 2010-03-30 07:16 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-03-30 07:06 . 2010-03-30 07:06 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-03-30 06:56 . 2010-03-30 18:22 -------- d-----w- C:\!KillBox
2010-03-30 06:46 . 2010-03-30 19:50 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-30 06:46 . 2010-03-30 06:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-30 06:21 . 2010-03-30 06:21 -------- dc----w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-30 05:59 . 2010-03-30 05:59 176640 ----a-w- c:\windows\Ufeqia.exe
2010-03-30 03:51 . 2010-03-30 03:51 -------- d-----w- c:\program files\Combined Community Codec Pack
2010-03-11 01:49 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-05 05:29 . 2010-03-05 05:29 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\NVIDIA Corporation
2010-03-05 05:29 . 2010-03-05 05:29 -------- d-----w- c:\documents and settings\Andrew\Local Settings\Application Data\NVIDIA Corporation
2010-03-05 05:28 . 2010-03-05 05:28 -------- d-----w- c:\program files\NVIDIA nTune Performance Application
2010-03-05 05:20 . 2010-01-12 04:03 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-03-05 05:20 . 2010-01-12 04:03 11632640 ----a-w- c:\windows\system32\nvcompiler.dll
2010-03-05 05:17 . 2006-10-19 08:12 12664 ----a-r- c:\windows\system32\drivers\AsIO.sys
2010-03-05 05:17 . 2006-01-10 21:50 24576 ----a-r- c:\windows\system32\AsIO.dll
2010-03-05 05:17 . 2010-03-05 05:17 -------- d-----w- c:\program files\ASUS
2010-03-05 05:17 . 2006-10-19 08:11 12096 ----a-w- c:\windows\system32\drivers\AsInsHelp64.sys
2010-03-05 05:17 . 2006-10-19 08:11 10304 ----a-w- c:\windows\system32\drivers\AsInsHelp32.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-01 17:38 . 2010-03-30 19:56 112 ----a-w- c:\documents and settings\All Users\Application Data\gpEpEqel.dat
2010-04-01 04:32 . 2010-03-30 09:13 43060 ----a-w- c:\windows\Fonts\TVJvC.com
2010-04-01 04:32 . 2004-08-04 12:00 43060 ----a-w- c:\windows\system32\rundll32.exe.tmp
2010-03-30 20:50 . 2009-10-15 20:12 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-30 06:02 . 2009-11-28 02:30 -------- d-----w- c:\program files\Steam
2010-03-05 05:30 . 2009-10-13 21:11 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-05 05:29 . 2009-10-13 20:42 -------- d-----w- c:\program files\NVIDIA Corporation
2010-03-05 05:17 . 2009-10-13 20:07 -------- d-----w- c:\program files\Common Files\InstallShield
2010-03-01 01:52 . 2009-10-14 00:06 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-02-25 06:24 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet(2).dll
2010-02-25 06:24 . 2004-08-04 12:00 916480 ------w- c:\windows\system32\wininet.dll
2010-02-25 06:24 . 2004-08-04 12:00 1209344 ----a-w- c:\windows\system32\urlmon(2).dll
2010-02-25 06:24 . 2004-08-04 12:00 25600 ----a-w- c:\windows\system32\jsproxy(2).dll
2010-02-20 22:22 . 2010-02-20 22:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2010-02-20 03:53 . 2010-02-20 03:28 -------- d-----w- c:\program files\Shareaza
2010-02-20 03:52 . 2010-02-20 03:52 -------- d-----w- c:\program files\BitTornado
2010-02-20 03:28 . 2010-02-20 03:18 -------- d-----w- c:\program files\Winmx
2010-02-19 01:04 . 2009-10-13 21:38 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-12 04:03 . 2009-10-13 20:26 10276768 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2010-01-12 04:03 . 2009-09-27 20:12 4104192 ----a-w- c:\windows\system32\nvcuda.dll
2010-01-12 04:03 . 2009-09-27 20:12 4077672 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-01-12 04:03 . 2009-09-27 20:12 2283526 ----a-w- c:\windows\system32\nvdata.bin
2010-01-12 04:03 . 2009-09-27 20:12 2259560 ----a-w- c:\windows\system32\nvcuvid.dll
2010-01-12 04:03 . 2009-09-27 20:12 182888 ----a-w- c:\windows\system32\nvcodins.dll
2010-01-12 04:03 . 2009-09-27 20:12 182888 ----a-w- c:\windows\system32\nvcod.dll
2010-01-12 04:03 . 2009-09-27 20:12 14458880 ----a-w- c:\windows\system32\nvoglnt.dll
2010-01-12 04:03 . 2009-09-27 20:12 1081344 ----a-w- c:\windows\system32\nvapi.dll
2010-01-12 04:03 . 2008-04-14 00:12 6359168 ----a-w- c:\windows\system32\nv4_disp.dll
2010-01-12 03:17 . 2010-01-12 03:17 278120 ----a-w- c:\windows\system32\nvmccs.dll
2010-01-12 03:17 . 2010-01-12 03:17 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2010-01-12 03:17 . 2010-01-12 03:17 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-01-12 03:17 . 2010-01-12 03:17 13666408 ----a-w- c:\windows\system32\nvcpl.dll
2010-01-12 03:17 . 2010-01-12 03:17 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-01-12 03:17 . 2010-01-12 03:17 81920 ----a-w- c:\windows\system32\nvwddi.dll
1601-01-01 00:03 . 1601-01-01 00:03 48640 --sha-w- c:\windows\system32\bibegipe.dll
.
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Messenger\msmsgs .exe
c:\program files\NVIDIA Corporation\nTune\nTuneCmd .exe
c:\program files\Spybot - Search & Destroy\TeaTimer .exe
c:\program files\Steam\Steam .exe
c:\program files\Windows Live\Messenger\msnmsgr   .exe


((((((((((((((((((((((((((((( SnapShot@2010-04-02_04.20.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-02 04:25 . 2010-04-02 04:25 16384 c:\windows\Temp\Perflib_Perfdata_52c.dat
+ 2010-04-02 04:25 . 2010-04-02 04:25 16384 c:\windows\Temp\Perflib_Perfdata_484.dat
+ 2004-08-04 12:00 . 2008-04-14 00:12 33280 c:\windows\system32\rundll32.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85010304-b268-4888-a8c4-23298d794822}]
nemawiwe.dll [BU]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr .exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"suyemuzul"="c:\windows\system32\godidusa.dll" [N/A]
"vitarabito"="rufijabu.dll" [N/A]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-12 13666408]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-04-02 43064]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{8aa11ca7-b237-42ec-a7ee-c8c5f5dc5b17}"= "c:\windows\system32\godidusa.dll" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"pehorutes"= {8aa11ca7-b237-42ec-a7ee-c8c5f5dc5b17} - c:\windows\system32\godidusa.dll [BU]

[HKLM\~\startupfolder\C:^Documents and Settings^Andrew^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Andrew\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Andrew^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\documents and settings\Andrew\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-03-30 06:04 43020 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 22:43 69632 ----a-r- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ewrgetuj]
c:\docume~1\Andrew\LOCALS~1\Temp\geurge.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2002-12-10 00:19 188416 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hsf87efjhdsf87f3jfsdi7fhsujfd]
c:\docume~1\Andrew\LOCALS~1\Temp\win16.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2010-03-30 06:04 43020 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
c:\program files\Windows Live\Messenger\msnmsgr.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2010-01-12 03:17 13666408 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
2010-03-30 06:04 43020 ----a-w- c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2010-01-12 03:17 110696 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2010-01-07 04:27 1657448 ----a-w- c:\program files\NVIDIA Corporation\nView\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-12-19 15:12 16062464 ----a-r- c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-05-16 22:04 2879488 ----a-r- c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srv]
c:\windows\system32\srv.net [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-03-30 06:04 43020 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
c:\program files\Java\jre6\bin\jusched.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vitarabito]
rufijabu.dll [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YVIBBBHA8C]
c:\docume~1\Andrew\LOCALS~1\Temp\Umg .exe [N/A]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"d:\\Program Files\\World of Warcraft\\Launcher.exe"=
"d:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"d:\\Program Files\\World of Warcraft\\WoW-3.3.0.11159-to-3.3.2.11403-enUS-downloader.exe"=
"e:\\winmx354b4.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [3/30/2010 3:40 AM 30280]
R2 k;k;c:\windows\system32\o.sys [3/31/2010 1:04 AM 4736]
R2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [3/30/2010 3:40 AM 53088]
R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [3/30/2010 3:40 AM 24368]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [3/30/2010 4:43 PM 38224]
S3 sndcast;sndcast;c:\windows\system32\sndcast.sys [8/4/2004 8:00 AM 2304]
S4 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [3/30/2010 3:40 AM 6349008]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\zvty4e8u.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-02 00:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(13136)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
.
Completion time: 2010-04-02 00:34:32
ComboFix-quarantined-files.txt 2010-04-02 04:34

Pre-Run: 30,788,845,568 bytes free
Post-Run: 30,756,503,552 bytes free

- - End Of File - - 7AC75C56F052FC080A6EED39BABC621C





Thanks again, you guys are the best!

#5 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:01:28 PM

Posted 02 April 2010 - 11:39 PM

Hello,

We still have a little work to do.


1.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

CODE
Killall::

File::
c:\windows\system32\o.sys
c:\windows\system32\godidusa.dll
c:\windows\system32\rufijabu.dll
c:\docume~1\Andrew\LOCALS~1\Temp\geurge.exe
c:\docume~1\Andrew\LOCALS~1\Temp\win16.exe
c:\docume~1\Andrew\LOCALS~1\Temp\Umg .exe
c:\documents and settings\All Users\Application Data\AdiSFfSQ.exe
c:\windows\Ufeqia.exe
c:\windows\system32\nemawiwe.dll

Driver::
k

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"suyemuzul"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vitarabito"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{8aa11ca7-b237-42ec-a7ee-c8c5f5dc5b17}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"pehorutes"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ewrgetuj]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hsf87efjhdsf87f3jfsdi7fhsujfd]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vitarabito]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YVIBBBHA8C]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85010304-b268-4888-a8c4-23298d794822}]
[-HKEY_CLASSES_ROOT\CLSID\{85010304-b268-4888-a8c4-23298d794822}]

Renv::
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Messenger\msmsgs .exe
c:\program files\NVIDIA Corporation\nTune\nTuneCmd .exe
c:\program files\Spybot - Search & Destroy\TeaTimer .exe
c:\program files\Steam\Steam .exe
c:\program files\Windows Live\Messenger\msnmsgr   .exe


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

2.
Please download Malwarebytes Anti-Malware (v1.44) and save it to your desktop. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Things to include in your next reply:
Combofix.txt
MBAM log
A new DDS log
No need for Attach.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-

If I have helped you, consider making a donation to help me continue the fight against Malware!
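The CFScript above was built by hand from the ComboFix log: every entry it deletes, unloads or renames shows one of a few patterns in the "Reg Loading Points" section (a DLL loaded by bare name, an entry tagged [N/A] or [BU] with no file date or size, an executable under a Temp directory, a program name with a space before .exe, several startup executables sharing one timestamp and size, the Windows Firewall switched off, a running driver outside system32\drivers). The following Python script is an added example, not ComboFix's or the forum's own tooling: it parses log lines copied from the post above and flags those patterns. The regular expressions for the log format and the three-file cluster threshold are this example's own assumptions.

```python
# Added example: triage of ComboFix "Reg Loading Points" lines. Not ComboFix's own code.
import re
from collections import defaultdict, namedtuple
from typing import List

# Sample input: lines copied from the ComboFix log posted above (abridged).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85010304-b268-4888-a8c4-23298d794822}]
nemawiwe.dll [BU]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr .exe" [2009-07-26 3883856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"suyemuzul"="c:\windows\system32\godidusa.dll" [N/A]
"vitarabito"="rufijabu.dll" [N/A]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-12 13666408]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-04-02 43064]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-03-30 06:04 43020 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ewrgetuj]
c:\docume~1\Andrew\LOCALS~1\Temp\geurge.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2010-03-30 06:04 43020 ----a-w- c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-03-30 06:04 43020 ----a-w- c:\program files\Steam\Steam.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [3/30/2010 3:40 AM 30280]
R2 k;k;c:\windows\system32\o.sys [3/31/2010 1:04 AM 4736]
"""
# Line shapes seen in the log; these patterns are this example's assumptions about the format.
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
ENTRY_RE = re.compile(r'^(?:"[^"]*"=\s*)?"?(?P<path>[^"\[]+?)"?\s+\[(?P<stamp>[^\]]+)\]$')
STAT_RE = re.compile(r"^(?P<date>\d{4}-\d\d-\d\d \d\d:\d\d)\s+(?P<size>\d+)\s+\S+\s+(?P<path>.+)$")
SVC_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);[^;]*;(?P<path>.+?)\s+\[[^\]]+\]$")
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*0\b')

Finding = namedtuple("Finding", "key item reasons")  # key: registry key or "services"
def path_findings(path: str) -> List[str]:
    """Static checks on one autostart path."""
    low, reasons = path.lower(), []
    if "\\" not in low:
        reasons.append("bare file name, resolved through the search path")
    if "\\temp\\" in low:
        reasons.append("runs from a Temp directory")
    if re.search(r"\s\.(exe|dll|com|scr)$", low):
        reasons.append("space before the extension (the kind of entry Renv:: renames back)")
    return reasons

def triage(log_text: str, cluster_min: int = 3) -> List[Finding]:
    """One pass for per-entry checks, a second pass for timestamp/size clusters."""
    findings: List[Finding] = []
    clusters = defaultdict(set)   # (date, size) -> distinct lower-cased paths with that stat
    stat_entries = []             # (key, path, date, size) for the second pass
    key = ""
    for line in filter(None, map(str.strip, log_text.splitlines())):
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if "firewallpolicy" in key.lower() and FIREWALL_RE.match(line):
            findings.append(Finding(key, line, ["Windows Firewall disabled (EnableFirewall=0)"]))
        m = SVC_RE.match(line)
        if m:
            path, reasons = m.group("path"), path_findings(m.group("path"))
            if m.group("state").startswith("R") and path.lower().endswith(".sys") \
                    and "\\drivers\\" not in path.lower():
                reasons.append("running kernel driver loaded from outside system32\\drivers")
            if reasons:
                findings.append(Finding("services", m.group("name") + " -> " + path, reasons))
            continue
        m = STAT_RE.match(line)
        if m:
            path, date, size = m.group("path"), m.group("date"), m.group("size")
            clusters[(date, size)].add(path.lower())
            stat_entries.append((key, path, date, size))
            reasons = path_findings(path)
            if reasons:
                findings.append(Finding(key, path, reasons))
            continue
        m = ENTRY_RE.match(line)
        if m:
            path, stamp = m.group("path").strip(), m.group("stamp")
            reasons = path_findings(path)
            if stamp in ("N/A", "BU"):
                reasons.append("ComboFix recorded no file date/size [%s]" % stamp)
            if reasons:
                findings.append(Finding(key, path, reasons))
    # Several different startup executables with one timestamp and size point to mass replacement.
    for key, path, date, size in stat_entries:
        peers = clusters[(date, size)]
        if len(peers) >= cluster_min:
            findings.append(Finding(key, path, [
                "%d different startup executables share timestamp %s and size %s" % (len(peers), date, size)]))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%s]\n  %s\n    - %s" % (f.key, f.item, "\n    - ".join(f.reasons)))
```

Run against the sample it reports exactly the items the CFScript targets (godidusa.dll, rufijabu.dll, nemawiwe.dll, geurge.exe, the renamed msnmsgr, the o.sys driver, the firewall setting and the three look-alike startup executables) and stays silent on NvCpl.dll, jusched.exe and pxscan.sys; on a real log the cluster rule is the one worth keeping, because it needs no knowledge of malware names at all.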


#6 macbethx24

macbethx24
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:02:28 PM

Posted 03 April 2010 - 02:17 PM

Ok, I went ahead and did the second round of steps; I had to do the ComboFix step twice--the first time gave me a blue screen after it restarted (while it was trying to generate the log). I tried it again and it worked fine. I attached the combofix log as Combofix.txt. The computer seems to be running better now; no unusual things happening (such as the browsers closing, keyboard problems, etc.). No errors upon startup anymore either. Once again, I can't thank you guys enough for providing this service.

Here is the MBAM log:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3950

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/3/2010 3:03:19 PM
mbam-log-2010-04-03 (15-03-19).txt

Scan type: Quick scan
Objects scanned: 105379
Time elapsed: 2 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Andrew\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\bibegipe.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.


---


And here is the DDS log after all above steps have been completed.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Andrew at 15:13:47.10 on Sat 04/03/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1670 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Andrew\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\andrew\applic~1\mozilla\firefox\profiles\zvty4e8u.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys --> c:\windows\system32\drivers\pxscan.sys [?]
R2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys --> c:\windows\system32\drivers\pxrts.sys [?]
R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys --> c:\windows\system32\drivers\pxkbf.sys [?]
S3 sndcast;sndcast;c:\windows\system32\sndcast.sys [2004-8-4 2304]

=============== Created Last 30 ================

2010-04-03 18:49:22 0 d-----w- C:\ComboFix
2010-04-03 18:14:14 0 d-----w- c:\windows\system32\wbem\Repository
2010-04-03 17:57:32 0 d-----w- C:\ComboFix(3)
2010-03-30 20:50:28 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-03-30 20:43:12 0 d-----w- c:\docume~1\andrew\applic~1\Malwarebytes
2010-03-30 20:43:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 20:43:06 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-30 19:56:08 112 ----a-w- c:\docume~1\alluse~1\applic~1\gpEpEqel.dat
2010-03-30 19:20:22 0 d-----w- C:\ComboFix(2)
2010-03-30 19:10:08 0 d-----w- C:\RECYCLER(3)
2010-03-30 19:03:24 0 d-----w- C:\Autoruns
2010-03-30 17:59:29 0 d-----w- c:\docume~1\andrew\applic~1\Malwarebytes(2)
2010-03-30 10:00:17 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-30 10:00:17 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-30 09:40:16 0 d-----w- C:\RECYCLER(2)
2010-03-30 09:12:07 171008 ------w- c:\windows\system32\srsvc.dll
2010-03-30 09:03:46 98816 ----a-w- c:\windows\sed.exe
2010-03-30 09:03:46 77312 ----a-w- c:\windows\MBR.exe
2010-03-30 09:03:46 261632 ----a-w- c:\windows\PEV.exe
2010-03-30 09:03:46 161792 ----a-w- c:\windows\SWREG.exe
2010-03-30 08:23:21 43032 ---ha-w- c:\windows\system32\TVJvC.com
2010-03-30 08:23:21 43032 ---ha-w- c:\documents and settings\andrew\TVJvC.com
2010-03-30 08:23:21 43032 ---ha-w- c:\docume~1\alluse~1\applic~1\TVJvC.com
2010-03-30 07:40:06 53160 ----a-w- c:\windows\system32\PxSecure.dll-484203
2010-03-30 07:40:01 49 ----a-w- c:\windows\wininit.ini
2010-03-30 06:56:33 0 d-----w- C:\!KillBox
2010-03-30 06:46:23 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-03-30 06:46:23 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-03-30 06:21:45 0 dc----w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-30 06:06:26 0 d-----w- c:\windows\pss
2010-03-30 03:51:16 0 d-----w- c:\program files\Combined Community Codec Pack
2010-03-11 01:49:24 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-05 05:28:51 0 d-----w- c:\program files\NVIDIA nTune Performance Application
2010-03-05 05:20:38 9047 ----a-w- c:\windows\system32\nvinfo.pb
2010-03-05 05:20:38 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-03-05 05:20:36 11632640 ----a-w- c:\windows\system32\nvcompiler.dll
2010-03-05 05:17:17 24576 ----a-r- c:\windows\system32\AsIO.dll
2010-03-05 05:17:17 12664 ----a-r- c:\windows\system32\drivers\AsIO.sys
2010-03-05 05:17:16 12096 ----a-w- c:\windows\system32\drivers\AsInsHelp64.sys
2010-03-05 05:17:16 10304 ----a-w- c:\windows\system32\drivers\AsInsHelp32.sys
2010-03-05 05:17:16 0 d-----w- c:\program files\ASUS

==================== Find3M ====================

2010-04-01 04:32:44 43060 ----a-w- c:\windows\fonts\TVJvC.com
2010-04-01 04:32:33 43060 ----a-w- c:\windows\system32\rundll32.exe.tmp
2010-03-30 20:50:14 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet(2).dll
2010-02-25 06:24:37 916480 ------w- c:\windows\system32\wininet.dll
2010-02-25 06:24:37 1209344 ----a-w- c:\windows\system32\urlmon(2).dll
2010-02-25 06:24:35 25600 ----a-w- c:\windows\system32\jsproxy(2).dll
2010-01-12 04:03:33 6359168 ----a-w- c:\windows\system32\nv4_disp.dll
2010-01-12 04:03:33 4104192 ----a-w- c:\windows\system32\nvcuda.dll
2010-01-12 04:03:33 4077672 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-01-12 04:03:33 2283526 ----a-w- c:\windows\system32\nvdata.bin
2010-01-12 04:03:33 2259560 ----a-w- c:\windows\system32\nvcuvid.dll
2010-01-12 04:03:33 182888 ----a-w- c:\windows\system32\nvcodins.dll
2010-01-12 04:03:33 182888 ----a-w- c:\windows\system32\nvcod.dll
2010-01-12 04:03:33 14458880 ----a-w- c:\windows\system32\nvoglnt.dll
2010-01-12 04:03:33 1081344 ----a-w- c:\windows\system32\nvapi.dll
2010-01-12 03:17:44 278120 ----a-w- c:\windows\system32\nvmccs.dll
2010-01-12 03:17:44 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2010-01-12 03:17:44 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-01-12 03:17:44 13666408 ----a-w- c:\windows\system32\nvcpl.dll
2010-01-12 03:17:44 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-01-12 03:17:40 81920 ----a-w- c:\windows\system32\nvwddi.dll
2006-06-23 18:48:54 32768 ----a-w- c:\windows\inf\UpdateUSB.exe

============= FINISH: 15:13:55.28 ===============

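The Hijack.StartMenuInternet line in the MBAM log above shows how the rogue ave.exe put itself in front of Firefox: the shell command under HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE was rewritten so that starting Firefox ran ave.exe with /START and the real firefox.exe as an argument. The Python below is an added example, not Malwarebytes' or the forum's code: it tokenises a command value and reports a hijack whenever the launcher (the first token) is not the expected browser executable, including the wrapper case where the browser only appears as an argument. The sample values are the Bad and Good strings from the log plus one constructed clean entry; the registry walk in audit_live_registry is only for a live Windows host and assumes the client\shell\verb\command layout with the client subkey named after its executable, which holds for FIREFOX.EXE in the log but should be checked for other browsers.

```python
# Added example (not Malwarebytes' or the forum's code): detect a hijacked
# StartMenuInternet shell command like the one MBAM repaired in the log above.
import ntpath
from typing import Dict, List, Tuple

# Sample values: "bad" and "good" are the strings from the MBAM log above; "clean" is constructed.
SAMPLES = {
    "bad (from log)": r'"C:\Documents and Settings\Andrew\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode',
    "good (from log)": "firefox.exe -safe-mode",
    "clean (constructed)": r'"C:\Program Files\Mozilla Firefox\firefox.exe"',
}


def split_command(command: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping double-quoted spans together."""
    tokens, current, quoted = [], [], False
    for ch in command:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens


def audit_command(command: str, expected_exe: str) -> Tuple[bool, str]:
    """Return (hijacked, explanation). Only the launcher matters: a wrapper that
    receives the real browser as an argument still runs first and is a hijack."""
    tokens = split_command(command)
    if not tokens:
        return True, "empty command"
    want = expected_exe.lower()
    launcher = ntpath.basename(tokens[0]).lower()
    if launcher == want:
        return False, "launches %s directly" % tokens[0]
    wrapped = [t for t in tokens[1:] if ntpath.basename(t).lower() == want]
    if wrapped:
        return True, "%s wraps %s (passed as an argument)" % (launcher, wrapped[0])
    return True, "launcher is %s, not %s" % (launcher, expected_exe)


def audit_all(samples: Dict[str, str] = SAMPLES, expected_exe: str = "firefox.exe"):
    return {name: audit_command(cmd, expected_exe) for name, cmd in samples.items()}


def audit_live_registry():
    """Windows only. Assumed layout: StartMenuInternet/<client>/shell/<verb>/command,
    with <client> equal to the browser executable name (true for FIREFOX.EXE here;
    verify for other browsers before trusting a HIJACKED verdict)."""
    import winreg
    results = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Clients\StartMenuInternet") as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            client = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, client + r"\shell") as shell:
                for j in range(winreg.QueryInfoKey(shell)[0]):
                    verb = winreg.EnumKey(shell, j)
                    with winreg.OpenKey(shell, verb + r"\command") as cmdkey:
                        command = winreg.QueryValue(cmdkey, None)  # default value of the key
                    results[client + "\\" + verb] = audit_command(command, client)
    return results


if __name__ == "__main__":
    for name, (hijacked, why) in audit_all().items():
        print("%-22s %-8s %s" % (name, "HIJACKED" if hijacked else "ok", why))
```

The same check applies to the open verb as well as safemode, and to IEXPLORE.EXE; an entry whose launcher lives under a user profile is not by itself proof of anything, which is why the example keys only on the launcher name.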



#7 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:01:28 PM

Posted 03 April 2010 - 04:28 PM

Hello,

The main infection is gone. However, it has done some damage that may be unrepairable to Windows Live Messenger. We will try one more time to fix it. If we can't fix it you will have to reinstall it.

1.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

CODE
Renv::
c:\program files\Windows Live\Messenger\msnmsgr  .exe


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

2.
Please update Malwarebytes Anti-Malware and run a Full Scan. We like to see all 0's.

3.
I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

You can refer to this short video by: neomage
**Note**
To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Things to include in your next reply:
Combofix.txt
MBAM log
Eset log
How is your machine running now?



#8 macbethx24

macbethx24
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:02:28 PM

Posted 03 April 2010 - 07:57 PM

I'm posting from my laptop now. I tried the above steps--the combofix step went fine, but when I ran MBAM full scan, it hung up while scanning through my E drive (it had found like 40 some infected files--mostly HJT backup dlls I think?). There was no blue screen, the computer simply hung (would not respond to any commands even after I waited a really long time). When I restarted, the keyboard support had again disappeared when entering windows. The keyboard still works in BIOS but will not work in either safe mode or normal mode windows. As I mentioned earlier, this has happened before, but this time when I tried to system restore, system restore failed. It restarts like it's restoring, but at the end the system restore message says that System Restore failed and no files have been changed, I've tried all the restore points I have and none work. I've also tried both a USB and PS2 keyboard and neither works.

The USB mouse ironically still works, and I can still do things on the computer fine--the only symptom is the keyboard problem. When I run the keyboard diagnostic (mskey), in the drivers it says in one line kbdhid.sys Error--and in the drivers it says that the driver is missing or corrupted. I'm assuming that somehow whatever was/is on my computer corrupted this driver and it needs to be replaced? Right now the computer is running SFC with the windows CD in, hopefully that remedies the problem. I don't know if this is something you can help with or not.

#9 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:01:28 PM

Posted 03 April 2010 - 08:09 PM

Hello,

Let's deal with one problem at a time. One thing you can try is to uninstall the driver for the keyboard, then turn off your computer, wait 30 seconds and restart it; it should find the keyboard and reinstall the driver. Let's get your desktop clean first, then we will worry about your laptop. Also, now that you have run ComboFix without assistance, you may have corrupted the system. ComboFix is not meant to be run on all infections and computers. What is your E drive? Can you post the ComboFix log and MBAM log?


Ahh, I see you're posting from the laptop and the desktop is the one with no keyboard.

Edited by fireman4it, 03 April 2010 - 08:14 PM.
Laptop not infected



#10 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:01:28 PM

Posted 05 April 2010 - 08:50 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding

With Regards,
fireman4it



#11 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:01:28 PM

Posted 08 April 2010 - 07:33 PM

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members or myself. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.





