Virus/Spyware/Trojan


Virus/Spyware/Trojan

Post by lewisloco on Wed Sep 23, 2009 4:31 pm

Hello,

I need help with what I believe is the WIN32 Trojan-GEN RTK. I was unable to do Windows Update because I was unable to turn on Automatic Updates as Microsoft requires. Not sure if this has something to do with the virus I have. Below is the HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:24:26 AM, on 9/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\PROGRA~1\Veritas\NETBAC~1\bin\bpinetd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\PROGRA~1\Veritas\NETBAC~1\bin\BPJAVA-msvc.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\CMD.exe
C:\Program Files\VERITAS\VxPBX\bin\pbx_exchange.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DNA\btdna.exe
C:\Documents and Settings\Administrator\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.65.122 antiwareprotect.com
O1 - Hosts: 91.212.65.122 [You must be registered and logged in to see this link.]
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files\Java\jre6\bin\ssv.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl8] "C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe"
O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe"
O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKLM\..\Run: [Mqaxejef] rundll32.exe "C:\WINDOWS\agexehotepopeg.dll",Startup
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [Uninstall Adobe Download Manager] "C:\WINDOWS\system32\rundll32.exe" "C:\Program Files\NOS\bin\getPlus_Helper.dll",Uninstall /Get1noarp
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US [You must be registered and logged in to see this link.]
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [SansaDispatch] C:\Documents and Settings\Administrator\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~3.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.23; GTB6; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://supervert.com/shockwave/colortest/view"
O4 - HKUS\S-1-5-19\..\Run: [vavukesezu] Rundll32.exe "C:\WINDOWS\system32\jeganido.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [vavukesezu] Rundll32.exe "C:\WINDOWS\system32\jeganido.dll",s (User 'NETWORK SERVICE')
O4 - Startup: SDK Tray Menu.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.32.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.32.0\gears.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [java_sun] Java (Sun)
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KX-HCM10 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - [You must be registered and logged in to see this link.]
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\..\{FBE16D58-28B1-4467-BB8D-093948F496BF}: NameServer = 151.164.1.7,151.164.1.8
O20 - AppInit_DLLs: c:\windows\system32\mikajiji.dll c:\windows\system32\duyojaye.dll c:\windows\system32\leveboju.dll setewobu.dll c:\windows\system32\monekuho.dll
O21 - SSODL: begejutuv - {b1c1682d-9af5-43a9-b1e2-885e84ab4111} - (no file)
O21 - SSODL: jolofemil - {559a9886-131e-4246-9869-00efaa409794} - (no file)
O22 - SharedTaskScheduler: mujuzedij - {b1c1682d-9af5-43a9-b1e2-885e84ab4111} - (no file)
O22 - SharedTaskScheduler: jugezatag - {559a9886-131e-4246-9869-00efaa409794} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: Google Update Service (gupdate1c99e81748ddcd6) (gupdate1c99e81748ddcd6) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NetBackup Client Service (NetBackup INET Daemon) - Symantec Corporation - C:\PROGRA~1\Veritas\NETBAC~1\bin\bpinetd.exe
O23 - Service: NetBackup SAN Client Fibre Transport Service - Symantec Corporation - C:\PROGRA~1\Veritas\NETBAC~1\bin\nbftclnt.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdauxservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdcoreservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: StumbleUponUpdateService - stumbleupon.com - C:\Program Files\StumbleUpon\StumbleUponUpdateService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Symantec Private Branch Exchange (VRTSpbx) - Unknown owner - CMD /D /S /Q /C""C:\Program Files\VERITAS\VxPBX\bin\pbxservice.cmd" "C:\Program Files\VERITAS\VxPBX\bin\pbx_exchange.exe"" (file missing)

--
End of file - 13176 bytes

lewisloco
Novice
Posts : 7
Joined : 2009-09-23
OS : WindowsXP
Points : 26319
Likes : 0

Re: Virus/Spyware/Trojan

Post by Belahzur on Wed Sep 23, 2009 7:00 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O1 - Hosts: ::1 localhost
    O1 - Hosts: 91.212.65.122 antiwareprotect.com
    O1 - Hosts: 91.212.65.122 [You must be registered and logged in to see this link.]
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O4 - HKUS\S-1-5-19\..\Run: [vavukesezu] Rundll32.exe "C:\WINDOWS\system32\jeganido.dll",s (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [vavukesezu] Rundll32.exe "C:\WINDOWS\system32\jeganido.dll",s (User 'NETWORK SERVICE')
    O20 - AppInit_DLLs: c:\windows\system32\mikajiji.dll c:\windows\system32\duyojaye.dll c:\windows\system32\leveboju.dll setewobu.dll c:\windows\system32\monekuho.dll
    O21 - SSODL: begejutuv - {b1c1682d-9af5-43a9-b1e2-885e84ab4111} - (no file)
    O21 - SSODL: jolofemil - {559a9886-131e-4246-9869-00efaa409794} - (no file)
    O22 - SharedTaskScheduler: mujuzedij - {b1c1682d-9af5-43a9-b1e2-885e84ab4111} - (no file)
    O22 - SharedTaskScheduler: jugezatag - {559a9886-131e-4246-9869-00efaa409794} - (no file)


  • Press "Fix Checked"
  • Close HijackThis.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245069
Likes : 1

Re: Virus/Spyware/Trojan

Post by lewisloco on Wed Sep 23, 2009 7:52 pm

Thanks for the quick reply. Removed the entries that you listed from HijackThis. Here is the log from Malwarebytes.

Malwarebytes' Anti-Malware 1.32
Database version: 1617
Windows 5.1.2600 Service Pack 3

9/23/2009 2:50:04 PM
mbam-log-2009-09-23 (14-50-04).txt

Scan type: Quick Scan
Objects scanned: 72366
Time elapsed: 20 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Administrator\Cookies\mobuzequp.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tuvibibu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

lewisloco
Novice
Posts : 7
Joined : 2009-09-23
OS : WindowsXP
Points : 26319
Likes : 0

Re: Virus/Spyware/Trojan

Post by Belahzur on Wed Sep 23, 2009 11:15 pm

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245069
Likes : 1

Re: Virus/Spyware/Trojan

Post by lewisloco on Thu Sep 24, 2009 3:40 am

Sorry, forgot to update. Here is the scan log.

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

9/23/2009 3:13:03 PM
mbam-log-2009-09-23 (15-13-03).txt

Scan type: Quick Scan
Objects scanned: 110753
Time elapsed: 11 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 4
Folders Infected: 1
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\memman.vxd (Rogue.sysCleaner) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: kaprdr.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\AntivirusPro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\kaprdr.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\ddbpu.exe (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\memman.vxd (Rogue.sysCleaner) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nereteva.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sufasamo.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vufosesa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

lewisloco
Novice
Posts : 7
Joined : 2009-09-23
OS : WindowsXP
Points : 26319
Likes : 0
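As an added example (not part of this thread or of either tool), the following Python triage applies the kind of reasoning behind the HijackThis lines Belahzur selected earlier and checks for the svchost ImagePath tampering the second MBAM log reports, which is what kept Automatic Updates from starting. The heuristics (loopback-only hosts entries, service-account Run keys, 8-letter random DLL names, populated AppInit_DLLs) are assumptions tuned to this thread, and the sample log is constructed from lines quoted above.

```python
import re

# Constructed sample input: a subset of the HijackThis lines posted earlier in
# this thread. Not a live scan.
SAMPLE_HJT_LOG = r"""
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.65.122 antiwareprotect.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKUS\S-1-5-19\..\Run: [vavukesezu] Rundll32.exe "C:\WINDOWS\system32\jeganido.dll",s (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: c:\windows\system32\mikajiji.dll c:\windows\system32\duyojaye.dll
O21 - SSODL: begejutuv - {b1c1682d-9af5-43a9-b1e2-885e84ab4111} - (no file)
O22 - SharedTaskScheduler: mujuzedij - {b1c1682d-9af5-43a9-b1e2-885e84ab4111} - (no file)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

LOOPBACK = {"127.0.0.1", "::1"}
# LOCAL SERVICE / NETWORK SERVICE never log on interactively, so a per-user
# Run entry in their hives is an unusual persistence location.
SERVICE_ACCOUNT_HIVES = ("HKUS\\S-1-5-19\\", "HKUS\\S-1-5-20\\")
# Heuristic (assumption): the droppers in this thread used 8-letter lowercase
# DLL names (jeganido, mikajiji, tuvibibu, raripizu, ...).
RANDOM_DLL = re.compile(r"[\\ \"]([a-z]{8})\.dll\b")


def triage_line(line: str):
    """Return a reason string if a HijackThis line looks suspicious, else None."""
    m = re.match(r"(O\d+) - (.*)", line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    if section == "O1":
        # "Hosts: <ip> <name>": any non-loopback mapping redirects that name.
        # (The ::1 localhost line is benign; helpers often clear it anyway.)
        parts = body.split()
        if len(parts) >= 3 and parts[1] not in LOOPBACK:
            return f"hosts file redirects {parts[2]} to {parts[1]}"
    if section in ("O2", "O21", "O22") and body.endswith("(no file)"):
        # Orphaned BHO / ShellServiceObjectDelayLoad / SharedTaskScheduler
        # entries: the loader is still registered but the DLL is gone.
        return f"{section} autostart points at a missing file"
    if section == "O4":
        if body.startswith(SERVICE_ACCOUNT_HIVES):
            return "Run entry under a service account hive"
        if "rundll32" in body.lower() and RANDOM_DLL.search(body):
            return "rundll32 loads a random-named DLL"
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        # AppInit_DLLs is normally empty on XP; anything listed is loaded
        # into every process that links user32.dll.
        if body.split(":", 1)[1].strip():
            return "AppInit_DLLs is populated"
    return None


def triage_log(text: str):
    """Return [(line, reason)] for every suspicious line in a HijackThis log."""
    findings = []
    for line in text.splitlines():
        reason = triage_line(line)
        if reason:
            findings.append((line.strip(), reason))
    return findings


# The second MBAM log shows why Automatic Updates could not be enabled: the BITS
# and wuauserv ImagePath values had %SystemRoot% replaced by %fystemRoot%, so
# the service host path no longer resolves and both services fail to start.
SVCHOST_IMAGEPATH = re.compile(
    r"^%systemroot%\\system32\\svchost\.exe -k \w+$", re.IGNORECASE
)


def svchost_imagepath_ok(value: str) -> bool:
    """True if a svchost-hosted service's ImagePath uses the real %SystemRoot%."""
    return SVCHOST_IMAGEPATH.match(value.strip()) is not None


if __name__ == "__main__":
    for line, reason in triage_log(SAMPLE_HJT_LOG):
        print(f"[{reason}] {line}")
    # Values quoted from the MBAM log above (Bad / Good)
    for v in (r"%fystemRoot%\system32\svchost.exe -k netsvcs",
              r"%SystemRoot%\System32\svchost.exe -k netsvcs"):
        print("ImagePath ok" if svchost_imagepath_ok(v) else "ImagePath TAMPERED", v)
```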

Re: Virus/Spyware/Trojan

Post by Belahzur on Thu Sep 24, 2009 6:50 pm


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the reports to your Desktop.
  • Copy and paste DDS.txt back here; I don't need to see attach.txt just yet.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245069
Likes : 1

Re: Virus/Spyware/Trojan

Post by lewisloco on Fri Sep 25, 2009 2:27 pm

Hello,

Here is DDS.txt:

DDS (Ver_09-09-24.01) - NTFSx86
Run by Administrator at 9:20:46.07 on Fri 09/25/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2301 [GMT -5:00]

AV: avast! antivirus 4.8.1335 [VPS 090924-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\PROGRA~1\Veritas\NETBAC~1\bin\bpinetd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\PROGRA~1\Veritas\NETBAC~1\bin\BPJAVA-msvc.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\VERITAS\VxPBX\bin\pbx_exchange.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DNA\btdna.exe
C:\Documents and Settings\Administrator\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Sun\SDK\jdk\bin\javaw.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Veritas\java\jre\bin\java.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uSearch Page = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
mDefault_Page_URL = [You must be registered and logged in to see this link.]
mDefault_Search_URL = [You must be registered and logged in to see this link.]
mSearch Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
mSearchAssistant = [You must be registered and logged in to see this link.]
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
TB: StumbleUpon Toolbar: {5093eb4c-3e93-40ab-9266-b607ba87bdc8} - c:\program files\stumbleupon\StumbleUponIEBar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US [You must be registered and logged in to see this link.]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [SansaDispatch] c:\documents and settings\administrator\application data\sandisk\sansa updater\SansaDispatch.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~3.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.23; GTB6; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://supervert.com/shockwave/colortest/view"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RemoteControl8] "c:\program files\cyberlink\powerdvd8\PDVD8Serv.exe"
mRun: [PDVD8LanguageShortcut] "c:\program files\cyberlink\powerdvd8\language\Language.exe"
mRun: [BDRegion] c:\program files\cyberlink\shared files\brs.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [Mqaxejef] rundll32.exe "c:\windows\agexehotepopeg.dll",Startup
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [movigojeb] Rundll32.exe "c:\windows\system32\raripizu.dll",a
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\sdktra~1.lnk - c:\sun\sdk\jdk\bin\javaw.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpaiod~1.lnk - c:\program files\hewlett-packard\aio\hp officejet g series\bin\hpoavn07.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dll
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.32.0\gears.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - [You must be registered and logged in to see this link.]
DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} - [You must be registered and logged in to see this link.]
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - [You must be registered and logged in to see this link.]
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - [You must be registered and logged in to see this link.]
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - [You must be registered and logged in to see this link.]
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - [You must be registered and logged in to see this link.]
DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - [You must be registered and logged in to see this link.]
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - [You must be registered and logged in to see this link.]
DPF: {8ad9c840-044e-11d1-b3e9-00805f499d93} - [You must be registered and logged in to see this link.]
DPF: {cafeefac-0016-0000-0015-abcdeffedcba} - [You must be registered and logged in to see this link.]
DPF: {cafeefac-ffff-ffff-ffff-abcdeffedcba} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - [You must be registered and logged in to see this link.]
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - [You must be registered and logged in to see this link.]
TCP: {FBE16D58-28B1-4467-BB8D-093948F496BF} = 77.74.48.113
AppInit_DLLs: c:\windows\system32\raripizu.dll,ronogiga.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: basudirer - {e087872b-7a93-48ca-93bf-5b6c8a2b3e06} - c:\windows\system32\raripizu.dll
STS: tokatiluy: {e087872b-7a93-48ca-93bf-5b6c8a2b3e06} - c:\windows\system32\raripizu.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
LSA: Authentication Packages = msv1_0 c:\windows\system32\cbXRLBur
LSA: Notification Packages = scecli vevozere.dll

============= SERVICES / DRIVERS ===============

R0 pctcore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-9-21 206256]
R0 VSP;Veritas Snapshot Provider;c:\windows\system32\drivers\VSP.SYS [2006-5-4 51896]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-7-7 114768]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\cyberlink\powerdvd8\000.fcl [2008-8-8 41456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-7-7 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-1-25 138680]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2008-10-28 156968]
R2 sdauxservice;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-9-21 348752]
R2 sdcoreservice;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-9-21 1097096]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-1-25 24652]
R2 VRTSpbx;Symantec Private Branch Exchange;CMD /D /S /Q /C""c:\program files\veritas\vxpbx\bin\pbxservice.cmd" "c:\program files\veritas\vxpbx\bin\pbx_exchange.exe"" --> CMD [?]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-1-25 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-1-25 352920]
S2 gupdate1c99e81748ddcd6;Google Update Service (gupdate1c99e81748ddcd6);c:\program files\google\update\GoogleUpdate.exe [2009-3-6 133104]
S2 NetBackup SAN Client Fibre Transport Service;NetBackup SAN Client Fibre Transport Service;c:\progra~1\veritas\netbac~1\bin\nbftclnt.exe [2008-8-25 765952]
S3 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files\stumbleupon\StumbleUponUpdateService.exe [2009-6-3 120168]
S3 WN111v2;NETGEAR WN111v2 USB2.0 Wireless Card Service;c:\windows\system32\drivers\WN111v2.sys [2008-9-29 453120]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-09-25 01:14 --d----- c:\docume~1\alluse~1\applic~1\16290314
2009-09-25 01:13 53,162 a--sh--- c:\windows\system32\winupdate.exe
2009-09-23 11:04 23,108 a------- c:\windows\system32\productregistry
2009-09-23 11:02 --d----- C:\Sun
2009-09-22 15:47 --d----- c:\docume~1\alluse~1\applic~1\McAfee Security Scan
2009-09-22 11:00 4,224 a------- c:\windows\system32\drivers\OLD26.tmp
2009-09-22 08:30 --d----- c:\windows\pss
2009-09-22 08:25 4,224 ac------ c:\windows\system32\dllcache\beep.sys
2009-09-22 08:25 4,224 a------- c:\windows\system32\drivers\beep.sys
2009-09-21 14:00 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-09-21 14:00 206,256 a------- c:\windows\system32\drivers\PCTCore.sys
2009-09-21 14:00 86,888 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-09-21 14:00 7,396 a------- c:\windows\system32\drivers\pctcore.cat
2009-09-21 13:59 --d----- c:\program files\common files\PC Tools
2009-09-21 13:59 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-09-21 13:59 --d----- c:\program files\Spyware Doctor
2009-09-21 13:59 --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-09-21 13:59 --d----- c:\docume~1\admini~1\applic~1\PC Tools
2009-09-21 13:59 --d----- c:\program files\Trend Micro
2009-09-21 11:09 19,425 a------- c:\docume~1\admini~1\applic~1\ykaxejiky.com
2009-09-21 11:09 17,936 a------- c:\program files\common files\akywatorud.dll
2009-09-21 11:09 17,011 a------- c:\docume~1\alluse~1\applic~1\alovivype.dat
2009-09-21 11:09 16,750 a------- c:\windows\ubaw.dl
2009-09-21 11:09 16,531 a------- c:\windows\fuwutada.bin
2009-09-21 11:09 15,530 a------- c:\windows\system32\kigovoweb._sy
2009-09-21 11:09 15,521 a------- c:\docume~1\admini~1\applic~1\yroli.reg
2009-09-21 11:09 14,273 a------- c:\windows\yhoquq.ban
2009-09-21 11:09 11,985 a------- c:\docume~1\admini~1\applic~1\renivemeh.bat
2009-09-21 11:09 10,135 a------- c:\windows\alisasof.com
2009-09-21 11:09 19,658 a------- c:\windows\usery._sy
2009-09-21 11:09 14,055 a------- c:\windows\ovebitehux.inf
2009-09-21 11:09 12,576 a------- c:\windows\hyjesenyb.lib
2009-09-21 11:09 10,837 a------- c:\windows\mugyjeg.dat
2009-09-21 11:03 120 a------- c:\windows\Sjigimen.dat
2009-09-21 11:03 0 a------- c:\windows\Ibizexam.bin
2009-09-09 22:36 153,088 -c------ c:\windows\system32\dllcache\triedit.dll

==================== Find3M ====================

2009-09-25 01:14 53,248 a--sh--- c:\windows\system32\juretasu.dll
2009-09-25 01:14 1,082,404 a--sh--- c:\windows\system32\gimujewa.exe
2009-09-25 01:14 1,081,892 a--sh--- c:\windows\system32\tihifipa.exe
2009-09-25 01:13 90,624 a--sh--- c:\windows\system32\raripizu.dll
2009-09-25 01:13 53,162 a--sh--- c:\windows\system32\bizituwu.exe
2009-09-25 01:13 39,424 a--sh--- c:\windows\system32\nahatona.dll
2009-09-23 13:13 53,248 a--sh--- c:\windows\system32\yohujoku.dll
2009-09-21 11:09 16,967 a------- c:\program files\common files\kabupoce.inf
2009-09-21 11:09 12,848 a------- c:\program files\common files\anud.ban
2009-09-21 11:09 12,365 a------- c:\program files\common files\alaqitavel.inf
2009-09-10 14:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-17 14:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-06-29 11:12 827,392 a------- c:\windows\system32\wininet.dll
2009-06-29 11:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 11:12 17,408 -------- c:\windows\system32\corpol.dll
2008-07-08 15:36 87,608 a------- c:\docume~1\admini~1\applic~1\inst.exe
2008-07-08 15:36 47,360 a------- c:\docume~1\admini~1\applic~1\pcouffin.sys
2009-06-25 01:14 53,248 a--sh--- c:\windows\system32\fibunihu.dll
2006-05-03 04:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2007-02-21 05:47 31,232 ---shr-- c:\windows\system32\msfDX.dll
2009-06-25 01:14 53,248 a--sh--- c:\windows\system32\ronogiga.dll
2007-12-17 07:43 27,648 ---sh--- c:\windows\system32\Smab0.dll
2009-06-25 01:14 53,248 a--sh--- c:\windows\system32\vevozere.dll
2008-08-05 08:06 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008080520080806\index.dat

============= FINISH: 9:24:21.50 ===============

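The load-point lines in the log above (AppInit_DLLs, the two SSODL/STS shell hooks, the extra LSA Authentication and Notification Packages) and the hidden+system files in system32 with eight-lowercase-letter names are the pattern a helper looks for before writing a fix. The script below is an added example for this thread, not a tool any of the posters used: it parses an excerpt copied verbatim from the log above, flags each load point that is not stock, and cross-references the flagged files against the Find3M file lines so you can see which hidden binaries are actually wired into a persistence mechanism. The regular expressions, the "stock XP" LSA defaults and the random-name heuristic are this example's own assumptions; the file-line regex matches the DSS layout shown above, not the ComboFix layout further down the thread.

```python
"""Triage the DSS/HijackThis-style log pasted above.

Added example for this thread, not a tool any poster used. SAMPLE_LOG is an
excerpt copied from the log above; the regexes, the LSA defaults and the
eight-lowercase-letter naming heuristic are this example's own assumptions.
"""
import re

# Excerpt of the posted log (load points plus Find3M file lines), verbatim.
SAMPLE_LOG = r"""
AppInit_DLLs: c:\windows\system32\raripizu.dll,ronogiga.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: basudirer - {e087872b-7a93-48ca-93bf-5b6c8a2b3e06} - c:\windows\system32\raripizu.dll
STS: tokatiluy: {e087872b-7a93-48ca-93bf-5b6c8a2b3e06} - c:\windows\system32\raripizu.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\cbXRLBur
LSA: Notification Packages = scecli vevozere.dll
2009-09-25 01:14 53,248 a--sh--- c:\windows\system32\juretasu.dll
2009-09-25 01:13 90,624 a--sh--- c:\windows\system32\raripizu.dll
2009-06-25 01:14 53,248 a--sh--- c:\windows\system32\ronogiga.dll
2009-06-25 01:14 53,248 a--sh--- c:\windows\system32\vevozere.dll
2006-05-03 04:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2009-07-17 14:01 58,880 a------- c:\windows\system32\atl.dll
"""

# Stock values on a clean XP SP3 install (assumption; anything beyond these deserves a look).
LSA_DEFAULTS = {
    "Authentication Packages": {"msv1_0"},
    "Notification Packages": {"scecli"},
}

LOAD_POINT_RE = re.compile(r"^(AppInit_DLLs|SSODL|STS|LSA):\s*(.*)$")
# "<date> <time> <size> <attrs> <path>" as DSS prints it; directory lines carry no size and are skipped.
FILE_LINE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+([\d,]+)\s+([a-z-]{8})\s+(.+)$")
# Heuristic for the pronounceable random names in this log (raripizu, ronogiga, ...).
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.(dll|exe)$")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip()


def lsa_extras(body):
    """Split 'Notification Packages = scecli vevozere.dll' into (name, non-default tokens)."""
    name, _, values = body.partition("=")
    name = name.strip()
    return name, [v for v in values.split() if v not in LSA_DEFAULTS.get(name, set())]


def triage(log_text):
    referenced = set()      # lower-cased basenames named by some load point
    appinit, lsa, shell_hooks, hidden_system = [], {}, [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LOAD_POINT_RE.match(line)
        if m:
            kind, body = m.groups()
            if kind == "AppInit_DLLs":
                # Every DLL listed here is injected into every GUI process; the list is normally empty.
                appinit.extend(p.strip() for p in body.split(",") if p.strip())
                referenced.update(basename(p).lower() for p in appinit)
            elif kind == "LSA":
                name, extras = lsa_extras(body)
                if extras:
                    lsa[name] = extras
                    referenced.update(basename(e).lower() for e in extras)
            else:
                # SSODL/STS: "<label> - {clsid} - <path>"; the DLL is loaded into explorer.exe at logon.
                path = body.rsplit(" - ", 1)[-1]
                referenced.add(basename(path).lower())
                if RANDOM_NAME_RE.match(basename(path)):
                    shell_hooks.append((kind, path))
            continue
        m = FILE_LINE_RE.match(line)
        if m:
            _size, attrs, path = m.groups()
            # system + hidden attributes on a system32 file: this family hides its own binaries that way.
            if "s" in attrs and "h" in attrs and "\\system32\\" in path.lower():
                hidden_system.append(path)
    random_hidden = {basename(p).lower() for p in hidden_system if RANDOM_NAME_RE.match(basename(p))}
    return {
        "appinit_dlls": appinit,
        "lsa_extras": lsa,
        "shell_hooks": shell_hooks,
        "hidden_system_files": hidden_system,
        # Hidden random-named files that a load point actually references: confirmed persistence.
        "confirmed_persistence": sorted(random_hidden & referenced),
        # Same naming pattern but no load point seen: likely companions, check them too.
        "random_unreferenced": sorted(random_hidden - referenced),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the excerpt above this reports raripizu.dll, ronogiga.dll and vevozere.dll as confirmed persistence (AppInit_DLLs, SSODL/STS and the LSA Notification Packages list respectively), juretasu.dll as a hidden random-named file with no visible load point, and the non-default Authentication Packages entry c:\windows\system32\cbXRLBur. Anything in the LSA lists beyond msv1_0 and scecli is loaded by lsass.exe at boot, which is why those two lines matter more than the dozens of DPF entries above them.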

Re: Virus/Spyware/Trojan

Post by Belahzur on Fri Sep 25, 2009 6:33 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:





    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double-click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Virus/Spyware/Trojan

Post by lewisloco on Mon Sep 28, 2009 1:28 pm

Hello, hope you had a good weekend. Here is the output from Combofix.

Thanks.

ComboFix 09-09-24.01 - Administrator 09/25/2009 14:07.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2751 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
AV: avast! antivirus 4.8.1335 [VPS 090924-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\inst.exe
c:\documents and settings\Administrator\Application Data\renivemeh.bat
c:\documents and settings\Administrator\Application Data\ykaxejiky.com
c:\documents and settings\Administrator\Application Data\yroli.reg
c:\documents and settings\Administrator\Cookies\aceti.db
c:\documents and settings\Administrator\Cookies\ecosijoqyg.ban
c:\documents and settings\Administrator\Cookies\irori.bat
c:\documents and settings\Administrator\Cookies\iseted.ban
c:\documents and settings\Administrator\Cookies\xusumej.pif
c:\documents and settings\Administrator\Local Settings\Application Data\jevo.pif
c:\documents and settings\Administrator\Local Settings\Application Data\vewax.sys
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\jisymeje.dat
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\kubevazuxi.inf
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\oxenuzasew.db
c:\documents and settings\All Users\Application Data\16985934
c:\documents and settings\All Users\Application Data\16985934\16985934
c:\documents and settings\All Users\Application Data\16985934\16985934.exe
c:\documents and settings\All Users\Application Data\16985934\pc16985934ins
c:\documents and settings\All Users\Application Data\etujylahit.ban
c:\program files\Common Files\akywatorud.dll
c:\program files\Common Files\alaqitavel.inf
c:\program files\Common Files\anud.ban
c:\program files\Common Files\kabupoce.inf
c:\windows\fuwutada.bin
c:\windows\Installer\2fdf001a.msi
c:\windows\ovebitehux.inf
c:\windows\system32\drivers\Sonyhcp.dll
c:\windows\system32\fibunihu.dll
c:\windows\system32\juretasu.dll
c:\windows\system32\raziwanu.exe
c:\windows\system32\ronogiga.dll
c:\windows\system32\skinboxer43.dll
c:\windows\system32\tohagugu.dll
c:\windows\system32\vevozere.dll
c:\windows\system32\vfijdbmj.ini
c:\windows\system32\yohujoku.dll
c:\windows\system32\yolopusu.dll
c:\windows\ubaw.dl
c:\windows\yhoquq.ban

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-28 )))))))))))))))))))))))))))))))
.

2009-09-25 19:11 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-09-25 19:11 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-09-24 20:42 . 2009-09-24 20:42 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Yahoo!
2009-09-23 16:12 . 2009-09-23 16:12 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-09-23 16:11 . 2009-09-23 19:57 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-09-23 16:02 . 2009-09-23 16:02 -------- d-----w- C:\Sun
2009-09-22 20:47 . 2009-09-22 20:47 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2009-09-22 13:25 . 2006-02-28 12:00 4224 -c--a-w- c:\windows\system32\dllcache\beep.sys
2009-09-22 13:25 . 2006-02-28 12:00 4224 ----a-w- c:\windows\system32\drivers\beep.sys
2009-09-21 19:00 . 2008-12-11 13:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-09-21 19:00 . 2009-08-24 19:05 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-09-21 19:00 . 2009-08-19 16:01 86888 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-09-21 18:59 . 2009-09-21 19:01 -------- d-----w- c:\program files\Common Files\PC Tools
2009-09-21 18:59 . 2008-12-10 16:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-09-21 18:59 . 2009-09-23 16:00 -------- d-----w- c:\program files\Spyware Doctor
2009-09-21 18:59 . 2009-09-21 18:59 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-09-21 18:59 . 2009-09-21 18:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\PC Tools
2009-09-21 18:59 . 2009-09-21 18:59 -------- d-----w- c:\program files\Trend Micro
2009-09-21 16:09 . 2009-09-21 16:09 10135 ----a-w- c:\windows\alisasof.com
2009-09-21 16:09 . 2009-09-21 16:09 10837 ----a-w- c:\windows\mugyjeg.dat
2009-09-21 16:03 . 2009-09-28 13:18 0 ----a-w- c:\windows\Ibizexam.bin
2009-09-21 16:03 . 2009-09-25 18:47 120 ----a-w- c:\windows\Sjigimen.dat
2009-09-21 16:03 . 2009-09-21 16:03 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\{D040A788-0C25-4BD5-B70B-27E79B076C4B}
2009-09-10 03:36 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-08 18:56 . 2009-09-08 18:56 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-28 13:18 . 2008-07-07 13:46 -------- d-----w- c:\program files\DNA
2009-09-28 13:18 . 2008-07-07 13:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\DNA
2009-09-28 13:17 . 2008-03-13 15:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-09-25 19:03 . 2008-03-17 14:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\StumbleUpon
2009-09-25 19:02 . 2008-04-23 20:45 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-23 19:56 . 2009-01-05 15:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-23 16:18 . 2008-01-25 17:11 329424 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-23 16:10 . 2008-01-25 17:16 -------- d-----w- c:\program files\Common Files\Adobe
2009-09-22 19:16 . 2008-11-21 21:56 -------- d-----w- c:\program files\Common Files\Intuit
2009-09-22 16:36 . 2008-03-17 18:38 -------- d-----w- c:\program files\Java
2009-09-22 16:31 . 2008-02-12 15:01 -------- d-----w- c:\program files\Creative
2009-09-21 19:27 . 2008-01-31 15:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\BitTorrent
2009-09-21 16:09 . 2009-09-21 16:09 17011 ----a-w- c:\documents and settings\All Users\Application Data\alovivype.dat
2009-09-21 15:57 . 2009-01-22 05:55 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-10 19:54 . 2009-01-05 15:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-01-05 15:05 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-08 18:56 . 2008-03-13 15:12 -------- d-----w- c:\program files\Google
2009-08-14 11:58 . 2009-09-21 19:00 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-08-05 09:01 . 2006-02-28 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 05:21 . 2008-10-15 04:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-05 05:20 . 2008-10-15 04:34 -------- d-----w- c:\program files\MSBuild
2009-07-25 10:23 . 2008-12-15 14:25 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2006-02-28 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2006-02-28 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2006-05-03 09:06 . 2008-06-06 15:51 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2008-06-06 15:51 31232 --sh--r- c:\windows\system32\msfDX.dll
2007-12-17 12:43 . 2008-06-06 15:51 27648 --sh--w- c:\windows\system32\Smab0.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-13 68856]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-19 342848]
"SansaDispatch"="c:\documents and settings\Administrator\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2009-03-25 79872]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2009-06-30 2836376]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-11-04 7204864]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-11-04 86016]
"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-21 83240]
"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 50472]
"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2008-08-08 91432]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-10-28 181544]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-07-23 122368]
"Mqaxejef"="c:\windows\agexehotepopeg.dll" [2008-04-14 163840]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-11-04 1519616]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
SDK Tray Menu.lnk - c:\sun\SDK\jdk\bin\javaw.exe [2009-9-23 139264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
HPAiODevice(hp officejet g series) - 1.lnk - c:\program files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe [2002-11-20 151552]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\startupfolder\c:^documents and settings^administrator^start menu^programs^startup^magicdisc.lnk]
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\c:^documents and settings^administrator^start menu^programs^startup^picture motion browser media check tool.lnk]
backup=c:\windows\pss\Picture Motion Browser Media Check Tool.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\12155784
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\19220154
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\antivirus pro 2010
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\creative webcam tray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\movigojeb

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\VERITAS\\NetBackup\\bin\\admincmd\\nbproxyreq.exe"=
"c:\\Program Files\\VERITAS\\NetBackup\\bin\\admincmd\\nbpemreq.exe"=
"c:\\Program Files\\VERITAS\\NetBackup\\bin\\NBConsole.EXE"=
"c:\\Program Files\\VERITAS\\Volmgr\\bin\\vmupdate.exe"=
"c:\\Program Files\\VERITAS\\NetBackup\\bin\\admincmd\\bpmedialist.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Documents and Settings\\Administrator\\Application Data\\Macromedia\\Flash Player\\[You must be registered and logged in to see this link.]
"c:\\WINDOWS\\system32\\[You must be registered and logged in to see this link.]
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\temp\\janinblr\\iTunnel\\iTunnel.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Administrator\\Desktop\\Itunnel\\iTunnel\\iTunnel.exe"=

R0 pctcore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [9/21/2009 2:00 PM 206256]
R0 VSP;Veritas Snapshot Provider;c:\windows\system32\drivers\VSP.SYS [5/4/2006 4:16 PM 51896]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [7/7/2008 11:46 AM 114768]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\CyberLink\PowerDVD8\000.fcl [8/8/2008 10:15 AM 41456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/7/2008 11:46 AM 20560]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [10/28/2008 5:42 PM 156968]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/25/2008 12:21 PM 24652]
R2 VRTSpbx;Symantec Private Branch Exchange;CMD /D /S /Q /C""c:\program files\VERITAS\VxPBX\bin\pbxservice.cmd" "c:\program files\VERITAS\VxPBX\bin\pbx_exchange.exe"" --> CMD [?]
S2 gupdate1c99e81748ddcd6;Google Update Service (gupdate1c99e81748ddcd6);c:\program files\Google\Update\GoogleUpdate.exe [3/6/2009 12:31 PM 133104]
S2 NetBackup SAN Client Fibre Transport Service;NetBackup SAN Client Fibre Transport Service;c:\progra~1\Veritas\NETBAC~1\bin\nbftclnt.exe [8/25/2008 10:51 AM 765952]
S3 sdauxservice;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [9/21/2009 1:59 PM 348752]
S3 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files\StumbleUpon\StumbleUponUpdateService.exe [6/3/2009 3:52 PM 120168]
S3 WN111v2;NETGEAR WN111v2 USB2.0 Wireless Card Service;c:\windows\system32\drivers\WN111v2.sys [9/29/2008 7:24 PM 453120]
.
Contents of the 'Scheduled Tasks' folder

2009-09-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2009-09-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-03-13 16:53]

2009-09-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-06 17:31]

2009-09-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-06 17:31]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
TCP: {FBE16D58-28B1-4467-BB8D-093948F496BF} = 77.74.48.113
DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} - [You must be registered and logged in to see this link.]
.
- - - - ORPHANS REMOVED - - - -

BHO-{a2e0ed9e-47ea-4bd7-8997-7ee138e0fc9a} - fibunihu.dll
HKLM-Run-movigojeb - c:\windows\system32\tohagugu.dll
HKLM-Run-vavukesezu - vevozere.dll
SharedTaskScheduler-{c586f4d2-3d71-436d-9319-654f9bb45c3a} - c:\windows\system32\tohagugu.dll
SSODL-duyiwujim-{c586f4d2-3d71-436d-9319-654f9bb45c3a} - c:\windows\system32\tohagugu.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-09-28 08:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\VRTSpbx]
"ImagePath"="CMD /D /S /Q /C\"\"c:\program files\VERITAS\VxPBX\bin\pbxservice.cmd\" \"c:\program files\VERITAS\VxPBX\bin\pbx_exchange.exe\"\""

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:82,d9,ea,10,6c,5f,53,26,e8,b2,11,62,db,b3,cf,d7,db,d5,e6,90,9e,
b2,d0,aa,8b,f9,1b,10,e4,7d,aa,a1,c7,75,27,db,0a,06,32,67,b9,0b,d3,1b,d0,d2,\

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ؕ||A~*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:82,d9,ea,10,6c,5f,53,26,e8,b2,11,62,db,b3,cf,d7,db,d5,e6,90,9e,
b2,d0,aa,8b,f9,1b,10,e4,7d,aa,a1,c7,75,27,db,0a,06,32,67,b9,0b,d3,1b,d0,d2,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4080)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Google\Quick Search Box\bin\1.2.1150.158\qsb.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\progra~1\VERITAS\NETBAC~1\bin\bpinetd.exe
c:\windows\system32\nvsvc32.exe
c:\progra~1\VERITAS\NETBAC~1\bin\bpjava-msvc.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
c:\windows\system32\hpoipm07.exe
c:\program files\Hewlett-Packard\AiO\Shared\Bin\hposts07.exe
c:\program files\Hewlett-Packard\AiO\Shared\Bin\hpofxm07.exe
.
**************************************************************************
.
Completion time: 2009-09-28 8:26 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-28 13:26

Pre-Run: 129,943,887,872 bytes free
Post-Run: 130,935,705,600 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
312 --- E O F --- 2009-09-10 08:02


Re: Virus/Spyware/Trojan

Post by Origin on Mon Sep 28, 2009 2:25 pm

I see that you are running BitTorrent.
P2P (peer-to-peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.

If BitTorrent is not removed, then I won't help you.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

  • BitTorrent



  1. Close any open browsers.
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    File::
    c:\windows\alisasof.com
    c:\windows\mugyjeg.dat
    c:\windows\Ibizexam.bin
    c:\windows\Sjigimen.dat
    c:\documents and settings\All Users\Application Data\alovivype.dat

    Folder::
    c:\program files\DNA
    c:\documents and settings\Administrator\Application Data\DNA
    c:\documents and settings\Administrator\Application Data\BitTorrent

    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BitTorrent DNA"=-
    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoSetActiveDesktop"=-
    "NoActiveDesktopChanges"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\DNA\\btdna.exe"=-
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=-

    Driver::
    Viewpoint Manager Service

  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.




Re: Virus/Spyware/Trojan

Post by lewisloco on Mon Sep 28, 2009 7:10 pm

Hello,

I removed BitTorrent and reran ComboFix. Here is the log.

ComboFix 09-09-27.05 - Administrator 09/28/2009 13:53.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2695 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090927-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point

FILE ::
"c:\documents and settings\All Users\Application Data\alovivype.dat"
"c:\windows\alisasof.com"
"c:\windows\Ibizexam.bin"
"c:\windows\mugyjeg.dat"
"c:\windows\Sjigimen.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\DNA
c:\documents and settings\Administrator\Application Data\DNA\dht.dat
c:\documents and settings\Administrator\Application Data\DNA\dht.dat.old
c:\documents and settings\Administrator\Application Data\DNA\dna.lng
c:\documents and settings\Administrator\Application Data\DNA\resume.dat
c:\documents and settings\Administrator\Application Data\DNA\resume.dat.old
c:\documents and settings\Administrator\Application Data\DNA\rss.dat
c:\documents and settings\Administrator\Application Data\DNA\rss.dat.old
c:\documents and settings\Administrator\Application Data\DNA\settings.dat
c:\documents and settings\Administrator\Application Data\DNA\settings.dat.old
c:\documents and settings\All Users\Application Data\alovivype.dat
c:\program files\DNA
c:\program files\DNA\btdna.exe
c:\program files\DNA\DNAcpl.cpl
c:\program files\DNA\plugins\npbtdna.dll
c:\windows\alisasof.com
c:\windows\Ibizexam.bin
c:\windows\mugyjeg.dat
c:\windows\Sjigimen.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_VIEWPOINT_MANAGER_SERVICE
-------\Service_Viewpoint Manager Service


((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-28 )))))))))))))))))))))))))))))))
.

2009-09-25 19:11 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-09-25 19:11 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-09-24 20:42 . 2009-09-24 20:42 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Yahoo!
2009-09-23 16:12 . 2009-09-23 16:12 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-09-23 16:11 . 2009-09-23 19:57 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-09-23 16:02 . 2009-09-23 16:02 -------- d-----w- C:\Sun
2009-09-22 20:47 . 2009-09-22 20:47 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2009-09-22 13:25 . 2006-02-28 12:00 4224 -c--a-w- c:\windows\system32\dllcache\beep.sys
2009-09-22 13:25 . 2006-02-28 12:00 4224 ------w- c:\windows\system32\drivers\beep.sys
2009-09-21 19:00 . 2008-12-11 13:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-09-21 19:00 . 2009-08-24 19:05 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-09-21 19:00 . 2009-08-19 16:01 86888 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-09-21 18:59 . 2009-09-21 19:01 -------- d-----w- c:\program files\Common Files\PC Tools
2009-09-21 18:59 . 2008-12-10 16:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-09-21 18:59 . 2009-09-23 16:00 -------- d-----w- c:\program files\Spyware Doctor
2009-09-21 18:59 . 2009-09-21 18:59 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-09-21 18:59 . 2009-09-21 18:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\PC Tools
2009-09-21 18:59 . 2009-09-21 18:59 -------- d-----w- c:\program files\Trend Micro
2009-09-21 16:03 . 2009-09-21 16:03 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\{D040A788-0C25-4BD5-B70B-27E79B076C4B}
2009-09-10 03:36 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-08 18:56 . 2009-09-08 18:56 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-28 18:50 . 2008-03-17 14:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\StumbleUpon
2009-09-28 18:46 . 2008-01-31 15:23 -------- d-----w- c:\program files\BitTorrent
2009-09-28 13:22 . 2008-04-23 20:45 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-28 13:17 . 2008-03-13 15:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-09-23 19:56 . 2009-01-05 15:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-23 16:18 . 2008-01-25 17:11 329424 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-23 16:10 . 2008-01-25 17:16 -------- d-----w- c:\program files\Common Files\Adobe
2009-09-22 19:16 . 2008-11-21 21:56 -------- d-----w- c:\program files\Common Files\Intuit
2009-09-22 16:36 . 2008-03-17 18:38 -------- d-----w- c:\program files\Java
2009-09-22 16:31 . 2008-02-12 15:01 -------- d-----w- c:\program files\Creative
2009-09-21 15:57 . 2009-01-22 05:55 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-10 19:54 . 2009-01-05 15:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-01-05 15:05 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-08 18:56 . 2008-03-13 15:12 -------- d-----w- c:\program files\Google
2009-08-14 11:58 . 2009-09-21 19:00 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-08-05 09:01 . 2006-02-28 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 05:21 . 2008-10-15 04:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-05 05:20 . 2008-10-15 04:34 -------- d-----w- c:\program files\MSBuild
2009-07-25 10:23 . 2008-12-15 14:25 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2006-02-28 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2006-02-28 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2006-05-03 09:06 . 2008-06-06 15:51 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2008-06-06 15:51 31232 --sh--r- c:\windows\system32\msfDX.dll
2007-12-17 12:43 . 2008-06-06 15:51 27648 --sh--w- c:\windows\system32\Smab0.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-28 16:25 . 2009-09-28 16:25 16384 c:\windows\Temp\Perflib_Perfdata_da4.dat
+ 2009-09-28 18:59 . 2009-09-28 18:59 16384 c:\windows\Temp\Perflib_Perfdata_768.dat
+ 2009-09-28 18:59 . 2009-09-28 18:59 16384 c:\windows\Temp\Perflib_Perfdata_61c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-13 68856]
"SansaDispatch"="c:\documents and settings\Administrator\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2009-03-25 79872]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2009-06-30 2836376]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-11-04 7204864]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-11-04 86016]
"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-21 83240]
"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 50472]
"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2008-08-08 91432]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-10-28 181544]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-07-23 122368]
"Mqaxejef"="c:\windows\agexehotepopeg.dll" [2008-04-14 163840]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-11-04 1519616]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
SDK Tray Menu.lnk - c:\sun\SDK\jdk\bin\javaw.exe [2009-9-23 139264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
HPAiODevice(hp officejet g series) - 1.lnk - c:\program files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe [2002-11-20 151552]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\startupfolder\c:^documents and settings^administrator^start menu^programs^startup^magicdisc.lnk]
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\c:^documents and settings^administrator^start menu^programs^startup^picture motion browser media check tool.lnk]
backup=c:\windows\pss\Picture Motion Browser Media Check Tool.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\VERITAS\\NetBackup\\bin\\admincmd\\nbproxyreq.exe"=
"c:\\Program Files\\VERITAS\\NetBackup\\bin\\admincmd\\nbpemreq.exe"=
"c:\\Program Files\\VERITAS\\NetBackup\\bin\\NBConsole.EXE"=
"c:\\Program Files\\VERITAS\\Volmgr\\bin\\vmupdate.exe"=
"c:\\Program Files\\VERITAS\\NetBackup\\bin\\admincmd\\bpmedialist.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Documents and Settings\\Administrator\\Application Data\\Macromedia\\Flash Player\\[You must be registered and logged in to see this link.]
"c:\\WINDOWS\\system32\\[You must be registered and logged in to see this link.]
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\temp\\janinblr\\iTunnel\\iTunnel.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Administrator\\Desktop\\Itunnel\\iTunnel\\iTunnel.exe"=

R0 pctcore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [9/21/2009 2:00 PM 206256]
R0 VSP;Veritas Snapshot Provider;c:\windows\system32\drivers\VSP.SYS [5/4/2006 4:16 PM 51896]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [7/7/2008 11:46 AM 114768]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\CyberLink\PowerDVD8\000.fcl [8/8/2008 10:15 AM 41456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/7/2008 11:46 AM 20560]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [10/28/2008 5:42 PM 156968]
R2 VRTSpbx;Symantec Private Branch Exchange;CMD /D /S /Q /C""c:\program files\VERITAS\VxPBX\bin\pbxservice.cmd" "c:\program files\VERITAS\VxPBX\bin\pbx_exchange.exe"" --> CMD [?]
S2 gupdate1c99e81748ddcd6;Google Update Service (gupdate1c99e81748ddcd6);c:\program files\Google\Update\GoogleUpdate.exe [3/6/2009 12:31 PM 133104]
S2 NetBackup SAN Client Fibre Transport Service;NetBackup SAN Client Fibre Transport Service;c:\progra~1\Veritas\NETBAC~1\bin\nbftclnt.exe [8/25/2008 10:51 AM 765952]
S3 sdauxservice;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [9/21/2009 1:59 PM 348752]
S3 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files\StumbleUpon\StumbleUponUpdateService.exe [6/3/2009 3:52 PM 120168]
S3 WN111v2;NETGEAR WN111v2 USB2.0 reƖ Card Service;c:\windows\system32\drivers\WN111v2.sys [9/29/2008 7:24 PM 453120]
.
Contents of the 'Scheduled Tasks' folder

2009-09-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2009-09-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-03-13 16:53]

2009-09-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-06 17:31]

2009-09-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-06 17:31]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
TCP: {FBE16D58-28B1-4467-BB8D-093948F496BF} = 77.74.48.113
DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} - [You must be registered and logged in to see this link.]
.
- - - - ORPHANS REMOVED - - - -

AddRemove-BitTorrent DNA - c:\program files\DNA\btdna.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-09-28 14:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\VRTSpbx]
"ImagePath"="CMD /D /S /Q /C\"\"c:\program files\VERITAS\VxPBX\bin\pbxservice.cmd\" \"c:\program files\VERITAS\VxPBX\bin\pbx_exchange.exe\"\""

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:82,d9,ea,10,6c,5f,53,26,e8,b2,11,62,db,b3,cf,d7,db,d5,e6,90,9e,
b2,d0,aa,8b,f9,1b,10,e4,7d,aa,a1,c7,75,27,db,0a,06,32,67,b9,0b,d3,1b,d0,d2,\

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ؕ||A~*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:82,d9,ea,10,6c,5f,53,26,e8,b2,11,62,db,b3,cf,d7,db,d5,e6,90,9e,
b2,d0,aa,8b,f9,1b,10,e4,7d,aa,a1,c7,75,27,db,0a,06,32,67,b9,0b,d3,1b,d0,d2,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1496)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Google\Quick Search Box\bin\1.2.1150.158\qsb.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\progra~1\VERITAS\NETBAC~1\bin\bpinetd.exe
c:\windows\system32\nvsvc32.exe
c:\progra~1\VERITAS\NETBAC~1\bin\bpjava-msvc.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
c:\windows\system32\hpoipm07.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\Hewlett-Packard\AiO\Shared\Bin\hposts07.exe
c:\program files\Hewlett-Packard\AiO\Shared\Bin\hpofxm07.exe
.
**************************************************************************
.
Completion time: 2009-09-28 14:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-28 19:06
ComboFix2.txt 2009-09-28 13:26

Pre-Run: 130,890,780,672 bytes free
Post-Run: 130,865,094,656 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
278 --- E O F --- 2009-09-10 08:02
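The CFScript Origin posted and the ComboFix log that came back are two halves of one check: the script says what should go, the "Other Deletions" and "Drivers/Services" blocks of the log say what went. The following Python is an added example, not code from this thread or from ComboFix itself. It parses the script's four section types (File::, Folder::, Registry::, Driver::, with the "name"=- syntax for a registry value to delete) and reports any requested file, folder or driver that the log never confirms as removed. Both inputs are constructed, abbreviated copies of the script and log above.

```python
"""Parse a ComboFix CFScript and cross-check it against the ComboFix log.

Added example, not code from the thread or from ComboFix. The section
headers and the "name"=- delete syntax are as used in the script posted
above; CFSCRIPT and LOG are constructed, abbreviated copies of that script
and of the log that followed it.
"""
import re

# Constructed from Origin's CFScript (abbreviated).
CFSCRIPT = r"""
File::
c:\windows\alisasof.com
c:\windows\mugyjeg.dat
c:\documents and settings\All Users\Application Data\alovivype.dat

Folder::
c:\program files\DNA

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\DNA\\btdna.exe"=-

Driver::
Viewpoint Manager Service
"""

# Constructed from the ComboFix log posted in reply (abbreviated).
LOG = r"""
FILE ::
"c:\windows\alisasof.com"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\alovivype.dat
c:\program files\DNA
c:\program files\DNA\btdna.exe
c:\windows\alisasof.com
c:\windows\mugyjeg.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_VIEWPOINT_MANAGER_SERVICE
-------\Service_Viewpoint Manager Service
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_DEL_RE = re.compile(r'^"(.+)"=-$')


def parse_cfscript(text):
    """Return {section: entries}; Registry entries are (key, value_name) pairs."""
    sections = {}
    current = None
    reg_key = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            reg_key = None
            continue
        if current is None:
            raise ValueError(f"line {lineno}: entry before any section header")
        if current != "Registry":
            sections[current].append(line)
            continue
        m = REG_KEY_RE.match(line)
        if m:
            reg_key = m.group(1)  # a [key] line scopes the "name"=- lines after it
            continue
        m = REG_DEL_RE.match(line)
        if m is None or reg_key is None:
            raise ValueError(f"line {lineno}: unrecognised registry line {line!r}")
        sections[current].append((reg_key, m.group(1)))
    return sections


def deleted_paths(log_text):
    """Paths ComboFix lists under its 'Other Deletions' banner, lower-cased."""
    paths = set()
    inside = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if "Other Deletions" in line:
            inside = True
        elif inside and line.startswith("(((("):
            break  # next banner ends the deletions block
        elif inside and line.lower().startswith("c:\\"):
            paths.add(line.lower())
    return paths


def unconfirmed(script, log_text):
    """File/Folder entries the script requested that the log never reports deleted."""
    seen = deleted_paths(log_text)
    wanted = script.get("File", []) + script.get("Folder", [])
    return [p for p in wanted if p.lower() not in seen]


def unconfirmed_drivers(script, log_text):
    """Driver:: entries with no matching Service_<name> removal line in the log."""
    return [d for d in script.get("Driver", []) if f"\\Service_{d}" not in log_text]


if __name__ == "__main__":
    script = parse_cfscript(CFSCRIPT)
    for section, entries in script.items():
        print(f"{section}: {len(entries)} entries")
    print("not confirmed deleted:", unconfirmed(script, LOG) + unconfirmed_drivers(script, LOG))
```

Run against the constructed inputs every requested path and the Viewpoint driver are confirmed; drop one line from the log and `unconfirmed` names exactly the entry that is still unaccounted for, which is the case a helper actually wants to catch before telling someone the machine is clean.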


Re: Virus/Spyware/Trojan

Post by Belahzur on Tue Sep 29, 2009 12:02 am

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?





Re: Virus/Spyware/Trojan

Post by lewisloco on Tue Sep 29, 2009 1:15 pm

It's running great, thank you so much for your time and help.

One thing I noticed in my System Configuration Utility > Startup tab was this:

(I have unchecked the box for this item)

16985934 C:\Documents and Settings\All Users\Application Data\16985934\16985934.exe

When this whole thing started I had to kill this process as soon as I logged in or my box would automatically start up the antivirus2009 program and become unresponsive. What do you suggest?
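The entry lewisloco found in msconfig is the kind of thing a reader of the "Reg Loading Points" block in the log above should be pulling out by hand: an autorun whose binary lives under a profile data directory and whose name is a bare number. The Python below is an added example, not code from this thread or from ComboFix. It parses Run-key lines in the log's `"name"="image" [date size]` format and applies a few location heuristics. The input is constructed: a handful of lines copied from the log, plus the msconfig entry from the last post written in the same format. The rules are generic and are an assumption of this example, not a verdict on any entry.

```python
"""Triage autorun entries from a ComboFix 'Reg Loading Points' listing.

Added example, not code from the thread or from ComboFix. RUN_ENTRIES is
constructed: a few Run-key lines in the format of the log above plus the
msconfig Startup entry from the last post written the same way. The
heuristics are generic location rules assumed for this example.
"""
import re
from typing import NamedTuple

RUN_LINE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<image>[^"]+)"')

RUN_ENTRIES = r'''
"SansaDispatch"="c:\documents and settings\Administrator\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2009-03-25 79872]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"Mqaxejef"="c:\windows\agexehotepopeg.dll" [2008-04-14 163840]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"16985934"="c:\documents and settings\All Users\Application Data\16985934\16985934.exe"
'''

# Directories an ordinary user can write to; persistence here needs no admin rights.
WRITABLE_MARKERS = ("\\application data\\", "\\temp\\")

REASON_WRITABLE = "runs from a user-writable profile data or temp directory"
REASON_WINROOT_DLL = "DLL sits directly in the Windows root, not in system32"
REASON_DIGITS = "autorun name is just digits"


class Finding(NamedTuple):
    name: str
    image: str
    reasons: tuple


def suspicion_reasons(name, image):
    """Return the heuristic reasons (possibly none) to look harder at one entry."""
    low = image.lower()
    folder, _, filename = low.rpartition("\\")
    reasons = []
    if any(marker in low for marker in WRITABLE_MARKERS):
        reasons.append(REASON_WRITABLE)
    if folder == "c:\\windows" and filename.endswith(".dll"):
        reasons.append(REASON_WINROOT_DLL)
    if name.isdigit():
        reasons.append(REASON_DIGITS)
    return reasons


def triage(entries_text):
    """Parse "name"="image" lines and return the entries that tripped a heuristic."""
    findings = []
    for raw in entries_text.splitlines():
        m = RUN_LINE_RE.match(raw.strip())
        if not m:
            continue  # blank line or not a "name"="image" pair
        reasons = suspicion_reasons(m.group("name"), m.group("image"))
        if reasons:
            findings.append(Finding(m.group("name"), m.group("image"), tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in triage(RUN_ENTRIES):
        print(f"{f.name}: {f.image}")
        for r in f.reasons:
            print("   -", r)
```

Three of the six constructed entries come out: the numeric one from All Users\Application Data on two counts, the `Mqaxejef` DLL because it loads from the Windows root rather than system32, and SansaDispatch because it also lives under Application Data. That last hit is the point of the exercise: a per-user updater legitimately sits there too, so the list is a worklist for checking publisher, file details and the folder contents, not a verdict.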
