Total Security 2009


Total Security 2009

Post by UCLAKoolman on 20th September 2009, 10:44 pm

I have been infected with this malware, and it seems like this site has people experienced with this issue. Following the experience of the user in this thread: [You must be registered and logged in to see this link.], after Malwarebytes failed to remove Total Security 2009, I downloaded and ran ComboFix. Here is the log from that run, and if you have further suggestions, such as a CFScript file, please let me know!

ComboFix 09-09-18.02 - Owner 09/20/2009 15:09.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.610 [GMT -7:00]
Running from: c:\documents and settings\Owner\desktop\ComboFix.exe
AV: avast! antivirus 4.8.1351 [VPS 090918-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Local Settings\Temporary Internet Files\ulanyso.dat
c:\program files\Common Files\hymo.reg
c:\program files\Download Plugin
c:\program files\download plugin\DlPlugin-Moz\buddy.dat
c:\program files\download plugin\DlPlugin-Moz\vendor.txt
c:\recycler\NPROTECT
c:\windows\Installer\56b83ac.msi
c:\windows\Installer\WMEncoder.msi
c:\windows\mesuh.exe
c:\windows\system32\18467.exe
c:\windows\system32\41.exe
c:\windows\system32\42KJE738.ocx
c:\windows\system32\dawonoga.dll
c:\windows\system32\dewukobe.dll
c:\windows\system32\fugedepi.exe
c:\windows\system32\gehotimi.dll
c:\windows\system32\hodaluho.exe
c:\windows\system32\Ijl11.dll
c:\windows\system32\nimiwoga.dll
c:\windows\system32\petonuho.dll
c:\windows\system32\polelure.dll
c:\windows\system32\pupepume.dll
c:\windows\system32\toraheke.dll
c:\windows\system32\uninstall.exe
c:\windows\system32\zohewigu.dll
c:\windows\zodaru.dll

.
((((((((((((((((((((((((( Files Created from 2009-08-20 to 2009-09-20 )))))))))))))))))))))))))))))))
.

2009-09-20 08:22 . 2009-09-20 21:14 -------- d-----w- c:\documents and settings\All Users\Application Data\10867344
2009-09-19 20:11 . 2009-09-19 20:11 -------- d-----w- c:\program files\Trend Micro
2009-09-19 03:27 . 2009-09-19 03:27 -------- d-----w- c:\documents and settings\Owner\Application Data\GlarySoft
2009-09-19 03:03 . 2009-09-19 03:03 -------- d-----w- c:\program files\AskBarDis
2009-09-19 03:03 . 2009-09-19 03:03 -------- d-----w- c:\program files\Glary Utilities
2009-09-19 01:56 . 2009-09-19 01:56 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-09-19 01:55 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-19 01:55 . 2009-09-19 01:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-19 01:55 . 2009-09-19 01:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-19 01:55 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-19 01:33 . 2009-09-19 01:33 -------- d-----w- c:\documents and settings\Owner\Application Data\GetRightToGo
2009-09-08 18:34 . 2009-06-21 22:04 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-20 22:19 . 2006-04-24 22:37 24 ----a-w- c:\windows\system32\DVCStateBkp-{00000002-00000000-00000001-00001102-00000002-80651102}.dat
2009-09-20 22:19 . 2006-04-24 22:37 24 ----a-w- c:\windows\system32\DVCState-{00000002-00000000-00000001-00001102-00000002-80651102}.dat
2009-09-20 22:08 . 2009-06-20 22:08 89088 --sha-w- c:\windows\system32\javinete.dll
2009-09-20 21:57 . 2009-06-10 01:54 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-19 20:22 . 2009-06-19 20:22 50688 --sha-w- c:\windows\system32\ruketuno.dll
2009-09-19 10:32 . 2007-08-21 22:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-09-19 02:52 . 2008-04-20 19:00 -------- d-----w- c:\program files\Avast Antivirus
2009-08-23 02:13 . 2006-11-25 21:13 115688 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-08-21 10:06 . 2009-08-21 10:06 -------- d-----w- c:\program files\MSBuild
2009-08-21 10:06 . 2009-08-21 10:06 -------- d-----w- c:\program files\Reference Assemblies
2009-08-21 10:00 . 2009-08-21 10:00 -------- d-----w- c:\program files\MSXML 6.0
2009-08-17 16:10 . 2008-04-20 19:01 1279456 ----a-w- c:\windows\system32\aswBoot.exe
2009-08-17 16:06 . 2008-04-20 19:01 93392 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-08-17 16:06 . 2008-04-20 19:01 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-08-17 16:05 . 2008-04-20 19:01 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-08-17 16:05 . 2008-04-20 19:01 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-08-17 16:04 . 2008-04-20 19:01 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-08-17 16:04 . 2008-04-20 19:01 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-08-17 16:03 . 2008-04-20 19:01 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-08-17 16:02 . 2008-04-20 19:01 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-08-14 13:58 . 2009-09-19 19:28 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-08-05 09:11 . 2004-08-14 20:35 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-31 07:01 . 2009-07-31 07:01 -------- d-----w- c:\documents and settings\All Users\Application Data\MediaMall
2009-07-17 18:55 . 1980-01-01 00:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 17:08 . 2004-05-29 07:04 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-29 16:12 . 2004-02-07 01:05 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 1980-01-01 00:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-25 08:44 . 1980-01-01 00:00 724480 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:44 . 1980-01-01 00:00 59392 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:44 . 1980-01-01 00:00 56320 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:44 . 1980-01-01 00:00 298496 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:44 . 1980-01-01 00:00 168448 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:44 . 1980-01-01 00:00 133632 ----a-w- c:\windows\system32\msv1_0.dll
2007-02-25 07:20 . 2007-02-11 03:36 11532 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-06-19 20:22 . 2009-06-19 20:22 50688 --sha-w- c:\windows\system32\putevama.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d6623e65-149d-4d2b-ba5e-2a7b392b1961}]
2009-06-19 20:22 50688 --sha-w- c:\windows\system32\putevama.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\AVASTA~1\ashDisp.exe" [2009-08-17 81000]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"gapafeguz"="c:\windows\system32\javinete.dll" [2009-09-20 89088]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{12b81e1d-ec7e-4900-8a5f-d9f216392eef}"= "c:\windows\system32\javinete.dll" [2009-09-20 89088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"rafavagam"= {12b81e1d-ec7e-4900-8a5f-d9f216392eef} - c:\windows\system32\javinete.dll [2009-09-20 89088]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
backup=c:\windows\pss\ATI CATALYST System Tray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=c:\windows\pss\Kodak software updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
backup=c:\windows\pss\MyWebSearch Email Plugin.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Verizon Online Support Center.lnk]
backup=c:\windows\pss\Verizon Online Support Center.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^HOTLLAMA Update Check.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\HOTLLAMA Update Check.lnk
backup=c:\windows\pss\HOTLLAMA Update Check.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Office Startup.lnk]
backup=c:\windows\pss\Office Startup.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2SWZKN82R5K47C
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoLoader20tJ1JIlaYPJ
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DGL
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dsi
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FilmLoop
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\junk log debug manager
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\laoogwtvxb
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Memoabout
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopUpStopperFreeEdition
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopUpStopperProfessional
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunDLL
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WBL6
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XP Antispyware 2009

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"WmiApSrv"=3 (0x3)
"WebClient"=2 (0x2)
"AOL ACS"=2 (0x2)
"GEARSecurity"=2 (0x2)
"SBService"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"WANMiniportService"=2 (0x2)
"NProtectService"=2 (0x2)
"navapsvc"=2 (0x2)
"SavRoam"=3 (0x3)
"gearsec"=2 (0x2)
"RichVideo"=2 (0x2)
"IDriverT"=3 (0x3)
"UleadBurningHelper"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"Symantec AntiVirus"=2 (0x2)
"SPBBCSvc"=3 (0x3)
"SNDSrvc"=3 (0x3)
"Pml Driver HPZ12"=2 (0x2)
"iPod Service"=3 (0x3)
"DefWatch"=2 (0x2)
"CTDevice_Srv"=2 (0x2)
"Creative Service for CDROM Access"=2 (0x2)
"ccSetMgr"=2 (0x2)
"Bonjour Service"=2 (0x2)
"ATI Smart"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"RetroWDSvc"=2 (0x2)
"RetroLauncher"=2 (0x2)
"KodakCCS"=2 (0x2)
"SandraAgentSrv"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"19517034"=c:\documents and settings\All Users\Application Data\19517034\19517034.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\TiVo\\Desktop\\TiVoServer.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Steam\\steamapps\\uclax33\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP2a\\RpcAgentSrv.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP2a\\WNt500x86\\RpcSandraSrv.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Avast Antivirus\\ashMaiSv.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Avast Antivirus\\ashWebSv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2190:TCP"= 2190:TCP:One
"2190:UDP"= 2190:UDP:Two
"8080:TCP"= 8080:TCP:Three
"8081:TCP"= 8081:TCP:4
"8082:TCP"= 8082:TCP:5
"8083:TCP"= 8083:TCP:6
"8084:TCP"= 8084:TCP:7
"8089:TCP"= 8089:TCP:8
"8088:TCP"= 8088:TCP:9
"8086:TCP"= 8086:TCP:0
"8085:TCP"= 8085:TCP:1
"8087:TCP"= 8087:TCP:blah

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/20/2008 12:01 PM 114768]
R1 LtcyCfgDrv;PCI Latency Tool Driver;c:\windows\system32\drivers\LtcyCfgDrv.sys [10/15/2005 10:49 PM 2816]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/20/2008 12:01 PM 20560]
R2 EBIOS32;EBIOS32 - NT Driver;c:\windows\system32\drivers\EBIOS32.SYS [4/20/2008 12:42 AM 13922]
S3 APL531;OVT Scanner;c:\windows\system32\drivers\ov550i.sys [7/31/2006 7:44 PM 580992]
S3 EraserUtilDrv10502;EraserUtilDrv10502;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10502.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10502.sys [?]
S3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;c:\windows\system32\drivers\xusb20.sys [10/13/2006 3:48 PM 50048]
S4 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite XII.SP2a\RpcAgentSrv.exe [4/19/2008 8:35 PM 98488]
S4 TivoBeacon2;TiVo Beacon;c:\program files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe [8/4/2005 7:11 AM 848896]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/19/2009 7:16 PM 24652]
.
Contents of the 'Scheduled Tasks' folder

2009-09-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-09-20 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2009-09-19 23:09]

2009-09-20 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-07-10 00:32]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.zmi\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - prefs.js: network.proxy.type - 2
FF - plugin: c:\program files\GameTap\bin\Release\npgametaptool.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJPI150_04.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint_03000F10.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-10867344 - c:\documents and settings\All Users\Application Data\10867344\10867344.exe
HKLM-Run-danirubewe - dewukobe.dll
Notify-NavLogon - (no file)
AddRemove-Doom II for Windows 95 - h:\jon's stuff\Downloads 2\Games\uninstl.exe
AddRemove-ffdshow - c:\windows\system32\uninstall.exe
AddRemove-PowerISO - h:\jon's stuff\Downloads 2\Programs\PowerISO v4.0(NEW-with serial keys)\PowerISO\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-09-20 15:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\XP *]
"DisplayName"="?\13?\13"
"DeviceDesc"="?\13?\13"
"ProviderName"=""
"MFG"="???\\"
"ReinstallString"="c:\\WINDOWS\\System32\\ReinstallBackups\\?\13\\DriverFiles\\.INF"
"DeviceInstanceIds"=multi:"09236.inf\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(608)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1800)
c:\windows\system32\WININET.dll
c:\windows\system32\javinete.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avast Antivirus\aswUpdSv.exe
c:\program files\Avast Antivirus\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Avast Antivirus\ashMaiSv.exe
c:\program files\Avast Antivirus\ashWebSv.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-09-20 15:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-20 22:32

Pre-Run: 18,285,535,232 bytes free
Post-Run: 18,430,558,208 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

356 --- E O F --- 2009-09-11 10:00


Re: Total Security 2009

Post by Belahzur on 20th September 2009, 11:49 pm

Hello.


  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    File::
    c:\windows\system32\javinete.dll
    c:\windows\system32\ruketuno.dll
    c:\windows\system32\putevama.dll

    Folder::
    c:\documents and settings\All Users\Application Data\10867344
    c:\program files\AskBarDis

    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d6623e65-149d-4d2b-ba5e-2a7b392b1961}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "gapafeguz"="c:\windows\system32\javinete.dll" [2009-09-20 89088]
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
    "{12b81e1d-ec7e-4900-8a5f-d9f216392eef}"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "rafavagam"=-
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
    "19517034"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=-
    "UpdatesDisableNotify"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "2190:TCP"=-
    "2190:UDP"=-
    "8080:TCP"=-
    "8081:TCP"=-
    "8082:TCP"=-
    "8083:TCP"=-
    "8084:TCP"=-
    "8089:TCP"=-
    "8088:TCP"=-
    "8086:TCP"=-
    "8085:TCP"=-
    "8087:TCP"=-

    Firefox::
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.zmi\
    FF - prefs.js: browser.search.selectedEngine - Ask
    FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.
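As an added example (not the thread's code and not ComboFix's own), the triage behind the CFScript above, run over a constructed excerpt of the posted log: it flags hidden+system files with random eight-letter names in system32, load points that reference them, Security Center override values set to 1, and every firewall port exception, then drafts the File:: and Registry:: sections. The eight-lowercase-letter naming rule and the blank-line block parsing are assumptions about this particular log, not ComboFix's documented format.

```python
"""Triage a ComboFix log and draft CFScript sections (added example, not ComboFix code)."""
import re

# Constructed excerpt: lines copied from the log posted above, keeping the
# blank-line block structure ComboFix prints between registry keys.
LOG = r"""
2009-09-20 22:08 . 2009-06-20 22:08 89088 --sha-w- c:\windows\system32\javinete.dll
2009-09-19 20:22 . 2009-06-19 20:22 50688 --sha-w- c:\windows\system32\ruketuno.dll
2007-02-25 07:20 . 2007-02-11 03:36 11532 --sha-w- c:\windows\system32\KGyGaAvL.sys

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d6623e65-149d-4d2b-ba5e-2a7b392b1961}]
2009-06-19 20:22 50688 --sha-w- c:\windows\system32\putevama.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\AVASTA~1\ashDisp.exe" [2009-08-17 81000]
"gapafeguz"="c:\windows\system32\javinete.dll" [2009-09-20 89088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"rafavagam"= {12b81e1d-ec7e-4900-8a5f-d9f216392eef} - c:\windows\system32\javinete.dll [2009-09-20 89088]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8080:TCP"= 8080:TCP:Three
"8087:TCP"= 8087:TCP:blah
"""

FILE_RE = re.compile(r"(\d+) ([-a-z]{8}) (c:\\.+)$")  # size, attribute flags, path
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
# Assumption from this log: the droppings are eight lowercase letters in system32.
RANDOM_NAME = re.compile(r"\\[a-z]{8}\.(?:dll|exe)$")


def triage(log_text):
    """Return CFScript candidates: files and keys to delete, values to clear."""
    found = {"files": [], "delete_keys": [], "values": {}}
    key = None
    for line in log_text.splitlines():
        if not line.strip():
            key = None  # a blank line ends the current registry block
            continue
        if m := FILE_RE.search(line):
            attrs, path = m.group(2), m.group(3)
            # hidden ('h') + system ('s') attributes on a random-named binary
            if "s" in attrs and "h" in attrs and RANDOM_NAME.search(path):
                found["files"].append(path)
                if key and "Browser Helper Objects" in key:
                    found["delete_keys"].append(key)  # BHO registered for it
            continue
        if m := KEY_RE.match(line):
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not (m and key):
            continue
        name, data = m.group(1), m.group(2)
        target = re.sub(r"\s*\[[^\]]*\]$", "", data).strip('"')  # drop [date size]
        lower = key.lower()
        if (RANDOM_NAME.search(target)  # a load point pointing at a dropping
                or (lower.endswith("security center") and data.endswith("00000001"))
                or "globallyopenports" in lower):  # every exception: owner confirms
            found["values"].setdefault(key, []).append(name)
    return found


def render_cfscript(found):
    """Emit File:: and Registry:: in .reg syntax: [-key] and "name"=- delete."""
    out = ["File::", *found["files"], "", "Registry::"]
    out += [f"[-{k}]" for k in found["delete_keys"]]
    for key, names in found["values"].items():
        out.append(f"[{key}]")
        out += [f'"{n}"=-' for n in names]
    return "\n".join(out)
```

The Folder:: and Firefox:: sections the reply also used are outside these heuristics; `print(render_cfscript(triage(LOG)))` shows the draft, which a helper still reviews line by line before posting it.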

