CrashRoX

  1. Thank you! Everything seems to be running great now!
  2. Thank you! The random named version was able to clear out around 200 malware items. Below are the logs...

     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 1:01:29 AM, on 3/1/2010
     Platform: Windows XP SP3 (WinNT 5.01.2600)
     MSIE: Internet Explorer v8.00 (8.00.6001.18702)
     Boot mode: Normal

     Malwarebytes' Anti-Malware 1.44
     Database version: 3808
     Windows 5.1.2600 Service Pack 3
     Internet Explorer 8.0.6001.18702
     3/1/2010 12:54:22 AM
     mbam-log-2010-03-01 (00-54-22).txt
     Scan type: Quick Scan
     Objects scanned: 151147
     Time elapsed: 18 minute(s), 17 second(s)
     Memory Processes Infected: 6
     Memory Modules Infected: 9
     Registry Keys Infected: 14
     Registry Values Infected: 15
     Registry Data Items Infected: 9
     Folders Infected: 0
     Files Infected: 154
  3. I appear to have some pretty bad rootkit malware. I've tried logging into safe mode as the admin but I seem to be locked out of any worthwhile features. HJT runs but won't remove anything. Registry access was disabled for a while. I was able to gain access again, but HJT still doesn't do anything. I ran GMER twice. The first time it rebooted at the end before I could save the log. The second time I periodically saved it, but in the end the program crashed. I think I got most if not all of it posted below. Attached are the attach.txt and ark.txt files. Thanks in advance!

DDS (Ver_09-12-01.01) - NTFSx86
Run by Adam at 17:28:58.37 on Mon 02/22/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3046 [GMT -5:00]

AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\BitKinex\bitkinexsvc.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Jungle Disk Desktop\JungleDiskMonitor.exe
C:\Program Files\Jungle Disk Desktop\JungleDiskMonitor.exe
C:\Documents and Settings\Adam\Application Data\Dropbox\bin\Dropbox.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Documents and Settings\Adam\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter C:\Documents and Settings\Adam\Local Settings\Application Data\Google\Chrome\Application\chrome.exe C:\Documents and Settings\Adam\Local Settings\Application Data\Google\Chrome\Application\chrome.exe C:\Documents and Settings\Adam\Desktop\dds.scr ============== Pseudo HJT Report =============== uStart Page = about:blank BHO: c:\windows\system32\mqrfko.dll: {a3ba40a2-74f0-42bd-f434-00b15a2c8953} - c:\windows\system32\mqrfko.dll EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll EB: Companion.JS: {c30b6fcb-f8b0-4dd4-9207-aa4952bb3f52} - c:\program files\core services\companion.js\CompanionJS.dll uRun: [Remote System Protection] rundll32.exe c:\windows\system32\mqrfko.dll, HUI_proc mRun: [ultraMon] "c:\program files\ultramon\UltraMon.exe" /auto mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe" mRun: [wemitegat] Rundll32.exe "c:\windows\system32\yihaguta.dll",a mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime mRun: [behipolone] Rundll32.exe "gagepira.dll",s StartupFolder: c:\docume~1\adam\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\adam\application data\dropbox\bin\Dropbox.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\jungle~1.lnk - c:\program files\jungle disk desktop\JungleDiskMonitor.exe uPolicies-explorer: NoFolderOptions = 1 (0x1) IE: &Download with BitKinex - c:\program files\bitkinex\ieext_cp.htm IE: &Register in BitKinex - c:\program files\bitkinex\ieext_reg.htm IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000 IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common 
files\sourcetec\swf catcher\InternetExplorer.htm IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {0402343A-B530-482b-AA27-A61CEC3E4D2E} - {C30B6FCB-F8B0-4DD4-9207-AA4952BB3F52} - c:\program files\core services\companion.js\CompanionJS.dll DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1200111902500 DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab TCP: {268E7731-4DA2-45B3-B435-8908DF5B9CDE} = 83.149.115.157,4.2.2.1 TCP: {34DC55FA-0233-4261-9551-787402E18839} = 83.149.115.157,4.2.2.1,8.8.8.8 8.8.4.4 208.59.247.45 208.59.247.46 192.168.1.1 8.8.8.8 8.8.4.4 8.8.8.8 8.8.4.4 208.59.247.45 208.59.247.46 TCP: {AD869E3D-526B-4EB1-8CDE-08721D6BFF95} = 83.149.115.157,4.2.2.1 Notify: AtiExtEvent - Ati2evxx.dll Notify: klogon - c:\windows\system32\klogon.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SSODL: bejebomef - {9ae44cd0-06af-412f-be20-608a52385e8a} - c:\windows\system32\yihaguta.dll STS: c:\windows\system32\mqrfko.dll: {a3ba40a2-74f0-42bd-f434-00b15a2c8953} - c:\windows\system32\mqrfko.dll STS: mujuzedij: {9ae44cd0-06af-412f-be20-608a52385e8a} - 
c:\windows\system32\yihaguta.dll LSA: Notification Packages = scecli gagepira.dll norezufi.dll ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\adam\applic~1\mozilla\firefox\profiles\s3w4cj8n.default\ FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q= FF - component: c:\documents and settings\adam\application data\mozilla\firefox\profiles\s3w4cj8n.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll FF - component: c:\documents and settings\adam\application data\mozilla\firefox\profiles\s3w4cj8n.default\extensions\{6ac85730-7d0f-4de0-b3fa-21142dd85326}\platform\winnt\components\ColorZilla.dll FF - plugin: c:\documents and settings\adam\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\ FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} ---- FIREFOX POLICIES ---- c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true); ============= SERVICES / DRIVERS =============== R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872] R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys 
[2008-1-29 33808] R1 CbFs;CbFs;c:\windows\system32\drivers\cbfs.sys [2009-12-16 148184] R1 ExpanDrive;ExpanDrive;c:\windows\system32\drivers\ExpanDrive.sys [2009-3-19 294472] R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-8-25 213520] R2 BitKinex;BitKinex File Transfer Service;c:\program files\bitkinex\bitkinexsvc.exe dispatch --> c:\program files\bitkinex\bitkinexsvc.exe DISPATCH [?] R2 JungleDiskService;JungleDiskService;c:\program files\jungle disk desktop\JungleDiskMonitor.exe [2009-12-16 6753024] R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\common files\realtime soft\ultramonmirrordrv\x32\UltraMonUtility.sys [2006-9-24 11776] R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-3-13 26640] R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 24592] R3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\UltraMonMirror.sys [2006-9-24 3584] S?2 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe [2008-7-29 208616] S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064] S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?] 
=============== Created Last 30 ================ 2010-02-22 22:26:16 0 ----a-w- c:\documents and settings\adam\defogger_reenable 2010-02-22 22:16:04 0 d-s---w- C:\ComboFix 2010-02-22 20:02:01 98816 ----a-w- c:\windows\sed.exe 2010-02-22 20:02:01 77312 ----a-w- c:\windows\MBR.exe 2010-02-22 20:02:01 261632 ----a-w- c:\windows\PEV.exe 2010-02-22 20:02:01 161792 ----a-w- c:\windows\SWREG.exe 2010-02-22 19:34:07 0 d-----w- c:\program files\Malwarebytes1 2010-02-22 19:18:49 0 d-----w- c:\program files\Malwarebytes 2010-02-22 19:04:08 0 d-----w- c:\program files\Trend Micro 2010-02-22 18:08:48 0 d-----w- c:\docume~1\adam\applic~1\Malwarebytes 2010-02-22 18:08:41 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-02-22 18:08:40 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes 2010-02-22 18:08:39 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-02-22 18:08:39 0 d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-02-22 17:44:41 8 --sha-r- c:\documents and settings\adam\ntuser.pol 2010-02-22 16:30:55 0 ----a-w- c:\documents and settings\adam\ntuser.tmp 2010-02-22 16:28:52 45568 --sh--w- c:\windows\system32\jevaziji.dll 2010-02-22 16:21:12 42496 ----a-w- c:\windows\system32\drivers\_VOIDd.sys 2010-02-22 16:21:01 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys 2010-02-22 16:20:52 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys 2010-02-22 16:20:52 8192 ----a-w- c:\windows\system32\drivers\changer.sys 2010-02-22 16:20:27 20000 ----a-w- c:\windows\system32\mqrfko.dll 2010-02-22 16:20:26 8 ----a-w- c:\docume~1\alluse~1\applic~1\mswintmp.dat ==================== Find3M ==================== 2010-02-22 19:54:10 942112 --sha-w- c:\windows\system32\drivers\fidbox2.dat 2010-02-22 19:54:09 4300 --sha-w- c:\windows\system32\drivers\fidbox2.idx 2010-02-22 19:20:29 60964 --sha-w- c:\windows\system32\drivers\fidbox.idx 2010-02-22 19:20:28 7128608 --sha-w- c:\windows\system32\drivers\fidbox.dat 2009-12-31 16:50:03 353792 ----a-w- 
c:\windows\system32\drivers\srv.sys 2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll 2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe 2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll 2009-12-08 19:26:15 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe 2009-12-08 18:43:51 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe 2009-12-08 09:23:28 474112 ----a-w- c:\windows\system32\SET481.tmp 2009-11-27 17:11:44 17920 ----a-w- c:\windows\system32\msyuv.dll 2009-11-27 17:11:44 1291776 ----a-w- c:\windows\system32\quartz.dll 2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\tsbyuv.dll 2009-11-27 16:07:35 28672 ----a-w- c:\windows\system32\msvidc32.dll 2009-11-27 16:07:34 84992 ----a-w- c:\windows\system32\avifil32.dll 2009-11-27 16:07:34 48128 ----a-w- c:\windows\system32\iyuv_32.dll 2009-11-27 16:07:34 11264 ----a-w- c:\windows\system32\msrle32.dll 2008-11-22 02:04:13 454656 ----a-w- c:\program files\putty.exe 2007-02-01 22:02:00 313344 ----a-w- c:\program files\hjsplit.exe 1601-01-01 00:03:52 52736 --sha-w- c:\windows\system32\gagepira.dll 1601-01-01 00:03:52 52736 --sha-w- c:\windows\system32\modaseke.dll 1601-01-01 00:03:52 52736 --sha-w- c:\windows\system32\norezufi.dll 1601-01-01 00:03:28 39424 --sha-w- c:\windows\system32\tuwejipe.dll 1601-01-01 00:03:28 93696 --sha-w- c:\windows\system32\yihaguta.dll 2008-09-15 04:57:53 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091520080916\index.dat ============= FINISH: 17:29:51.71 =============== attach.zip
  4. I seem to have a nasty rootkit destroying my machine. It removed all admin access from my main profile and the main admin account. Kaspersky was unable to do anything but detect the problem. I ran HJT but every time I click fix the files return again. Malwarebytes won't run because the malware is killing it (I've seen it pop up for a second or two). Please help!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:11:09 PM, on 2/22/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\csrss.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlogon.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\win32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\msinits.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cmd.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: C:\WINDOWS\system32\mqrfko.dll - {A3BA40A2-74F0-42BD-F434-00B15A2C8953} - C:\WINDOWS\system32\mqrfko.dll
O4 - HKLM\..\Run: [ultraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [wemitegat] Rundll32.exe "c:\windows\system32\yihaguta.dll",a
O4 - HKCU\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\win32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Remote System Protection] rundll32.exe C:\WINDOWS\system32\mqrfko.dll, HUI_proc
O4 - Global Startup: Jungle Disk Desktop.lnk = C:\Program Files\Jungle Disk Desktop\JungleDiskMonitor.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Companion.JS - {0402343A-B530-482b-AA27-A61CEC3E4D2E} - C:\Program Files\Core Services\Companion.JS\CompanionJS.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1200111902500
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{268E7731-4DA2-45B3-B435-8908DF5B9CDE}: NameServer = 83.149.115.157,4.2.2.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{34DC55FA-0233-4261-9551-787402E18839}: NameServer = 83.149.115.157,4.2.2.1,8.8.8.8 8.8.4.4 208.59.247.45 208.59.247.46 192.168.1.1 8.8.8.8 8.8.4.4 8.8.8.8 8.8.4.4 208.59.247.45 208.59.247.46
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD869E3D-526B-4EB1-8CDE-08721D6BFF95}: NameServer = 83.149.115.157,4.2.2.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{268E7731-4DA2-45B3-B435-8908DF5B9CDE}: NameServer = 83.149.115.157,4.2.2.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{268E7731-4DA2-45B3-B435-8908DF5B9CDE}: NameServer = 83.149.115.157,4.2.2.1
O17 - HKLM\System\CS3\Services\Tcpip\..\{268E7731-4DA2-45B3-B435-8908DF5B9CDE}: NameServer = 83.149.115.157,4.2.2.1
O20 - AppInit_DLLs: c:\windows\system32\yihaguta.dll
O21 - SSODL: bejebomef - {9ae44cd0-06af-412f-be20-608a52385e8a} - c:\windows\system32\yihaguta.dll
O22 - SharedTaskScheduler: 7whfiudhf8s7f3oifhif7syfdhsof - {A3BA40A2-74F0-42BD-F434-00B15A2C8953} - C:\WINDOWS\system32\mqrfko.dll
O22 - SharedTaskScheduler: mujuzedij - {9ae44cd0-06af-412f-be20-608a52385e8a} - c:\windows\system32\yihaguta.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: BitKinex File Transfer Service (BitKinex) - Unknown owner - C:\Program Files\BitKinex\bitkinexsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: JungleDiskService - Jungle Disk, Inc. - C:\Program Files\Jungle Disk Desktop\JungleDiskMonitor.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.6\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.0.45\bin\mysqld-nt.exe

--
End of file - 7176 bytes