
Here is my HijackThis log - help!



Hi folks - I cannot get online, can't get mbam.exe to run, can't get randmbam.exe to run, and as a newbie, I am frustrated. I know there is something I am not doing - I first started off with Virus Melt on the system. I ran regedit to enable my Task Manager, then deleted the VMelt.exe process, but can't do anything further. I was able to run HijackThis - and here is my log - HijackThis did tell me to do something with the O1 hosts Google entries, but I didn't know what it meant... so here is the whole enchilada - please help. This is hard, but I know there is a way to beat it, hopefully with your help. Thanks ahead of time.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:15:20 PM, on 3/14/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe

C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\userinit.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\AGRSMMSG.exe

C:\WINDOWS\System32\keyhook.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\HP\HP Software Update\HPWuSchd.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Qwest\Quickcare\bin\sprtcmd.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\frmwrk32.exe

C:\DOCUME~1\PHILLL~1\LOCALS~1\Temp\winlogqn.exe

C:\WINDOWS\system32\sistray.exe

C:\WINDOWS\system32\ntdll64.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

C:\WINDOWS\system32\ntdll64.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\ntdll64.exe

F:\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O1 - Hosts: 89.149.227.223 google.ae

O1 - Hosts: 89.149.227.223 google.as

O1 - Hosts: 89.149.227.223 google.at

O1 - Hosts: 89.149.227.223 google.az

O1 - Hosts: 89.149.227.223 google.ba

O1 - Hosts: 89.149.227.223 google.be

O1 - Hosts: 89.149.227.223 google.bg

O1 - Hosts: 89.149.227.223 google.bs

O1 - Hosts: 89.149.227.223 google.ca

O1 - Hosts: 89.149.227.223 google.cd

O1 - Hosts: 89.149.227.223 google.com.gh

O1 - Hosts: 89.149.227.223 google.com.gi

O1 - Hosts: 89.149.227.223 google.com.hk

O1 - Hosts: 89.149.227.223 google.com.jm

O1 - Hosts: 89.149.227.223 google.com.ly

O1 - Hosts: 89.149.227.223 google.com.mx

O1 - Hosts: 89.149.227.223 google.com.my

O1 - Hosts: 89.149.227.223 google.com.na

O1 - Hosts: 89.149.227.223 google.com.nf

O1 - Hosts: 89.149.227.223 google.com.ng

O1 - Hosts: 89.149.227.223 google.ch

O1 - Hosts: 89.149.227.223 google.com.np

O1 - Hosts: 89.149.227.223 google.com.om

O1 - Hosts: 89.149.227.223 google.com.pa

O1 - Hosts: 89.149.227.223 google.com.pr

O1 - Hosts: 89.149.227.223 google.com.qa

O1 - Hosts: 89.149.227.223 google.com.sg

O1 - Hosts: 89.149.227.223 google.com.tj

O1 - Hosts: 89.149.227.223 google.com.tr

O1 - Hosts: 89.149.227.223 google.com.tw

O1 - Hosts: 89.149.227.223 google.com.ua

O1 - Hosts: 89.149.227.223 google.dj

O1 - Hosts: 89.149.227.223 google.com.vc

O1 - Hosts: 89.149.227.223 google.it.ao

O1 - Hosts: 89.149.227.223 google.de

O1 - Hosts: 89.149.227.223 google.dk

O1 - Hosts: 89.149.227.223 google.dm

O1 - Hosts: 89.149.227.223 google.dz

O1 - Hosts: 89.149.227.223 google.ee

O1 - Hosts: 89.149.227.223 google.fi

O1 - Hosts: 89.149.227.223 google.fm

O1 - Hosts: 89.149.227.223 google.fr

O1 - Hosts: 89.149.227.223 google.ge

O1 - Hosts: 89.149.227.223 google.gg

O1 - Hosts: 89.149.227.223 google.gm

O1 - Hosts: 89.149.227.223 google.gr

O1 - Hosts: 89.149.227.223 google.gy

O1 - Hosts: 89.149.227.223 google.ht

O1 - Hosts: 89.149.227.223 google.ie

O1 - Hosts: 89.149.227.223 google.im

O1 - Hosts: 89.149.227.223 google.in

O1 - Hosts: 89.149.227.223 google.it

O1 - Hosts: 89.149.227.223 google.ki

O1 - Hosts: 89.149.227.223 google.kz

O1 - Hosts: 89.149.227.223 google.la

O1 - Hosts: 89.149.227.223 google.li

O1 - Hosts: 89.149.227.223 google.lk

O1 - Hosts: 89.149.227.223 google.lv

O1 - Hosts: 89.149.227.223 google.ma

O1 - Hosts: 89.149.227.223 google.md

O1 - Hosts: 89.149.227.223 google.ms

O1 - Hosts: 89.149.227.223 google.mu

O1 - Hosts: 89.149.227.223 google.mv

O1 - Hosts: 89.149.227.223 google.mw

O1 - Hosts: 89.149.227.223 google.nl

O1 - Hosts: 89.149.227.223 google.no

O1 - Hosts: 89.149.227.223 google.nr

O1 - Hosts: 89.149.227.223 google.nu

O1 - Hosts: 89.149.227.223 google.pl

O1 - Hosts: 89.149.227.223 google.pn

O1 - Hosts: 89.149.227.223 google.pt

O1 - Hosts: 89.149.227.223 google.ro

O1 - Hosts: 89.149.227.223 google.ru

O1 - Hosts: 89.149.227.223 google.rw

O1 - Hosts: 89.149.227.223 google.sc

O1 - Hosts: 89.149.227.223 google.se

O1 - Hosts: 89.149.227.223 google.sh

O1 - Hosts: 89.149.227.223 google.si

O1 - Hosts: 89.149.227.223 google.sm

O1 - Hosts: 89.149.227.223 google.sn

O1 - Hosts: 89.149.227.223 google.st

O1 - Hosts: 89.149.227.223 google.tl

O1 - Hosts: 89.149.227.223 google.tm

O1 - Hosts: 89.149.227.223 google.tt

O1 - Hosts: 89.149.227.223 google.us

O1 - Hosts: 89.149.227.223 google.vg

O1 - Hosts: 89.149.227.223 google.vu

O1 - Hosts: 89.149.227.223 google.ws

O1 - Hosts: 89.149.227.223 google.co.bw

O1 - Hosts: 89.149.227.223 google.co.ck

O1 - Hosts: 89.149.227.223 google.co.id

O1 - Hosts: 89.149.227.223 google.co.il

O1 - Hosts: 89.149.227.223 google.co.in

O1 - Hosts: 89.149.227.223 google.co.jp

O1 - Hosts: 89.149.227.223 google.co.ke

O1 - Hosts: 89.149.227.223 google.co.kr

O1 - Hosts: 89.149.227.223 google.co.ls

O1 - Hosts: 89.149.227.223 google.co.ma

O1 - Hosts: 89.149.227.223 google.co.mz

O1 - Hosts: 89.149.227.223 google.co.nz

O1 - Hosts: 89.149.227.223 google.co.th

O2 - BHO: (no name) - {2765f56e-bd26-4719-a77a-dd09184f02c7} - C:\WINDOWS\system32\lijuhidi.dll

O2 - BHO: C:\WINDOWS\system32\kjr3iorojdnbfi43unjfd.dll - {c5bf40a2-94f3-42bd-f434-1604812c8955} - C:\WINDOWS\system32\kjr3iorojdnbfi43unjfd.dll (file missing)

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [siS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sadirozusi] Rundll32.exe "C:\WINDOWS\system32\yumifesu.dll",s

O4 - HKLM\..\Run: [QuickCare] C:\Program Files\Qwest\Quickcare\bin\sprtcmd.exe /P QuickCare

O4 - HKLM\..\Run: [00abcf24] rundll32.exe "C:\WINDOWS\system32\bagahone.dll",b

O4 - HKLM\..\Run: [Kxawo] rundll32.exe "C:\WINDOWS\Qyucepinukonejiq.dll",e

O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe

O4 - HKLM\..\Run: [kjahrfoi37rljanfaw3il7fhjd3f] C:\DOCUME~1\PHILLL~1\LOCALS~1\Temp\winlogqn.exe

O4 - HKLM\..\Run: [CPM0398fcb8] Rundll32.exe "c:\windows\system32\yihuhote.dll",a

O4 - HKLM\..\Run: [Ggijixa] rundll32.exe "C:\WINDOWS\eqowusuyanami.dll",e

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Virus Melt] "C:\Documents and Settings\All Users\Application Data\fe61ef9\VMelt.exe" /s

O4 - HKCU\..\Run: [kjahrfoi37rljanfaw3il7fhjd3f] C:\DOCUME~1\PHILLL~1\LOCALS~1\Temp\winlogqn.exe

O4 - HKUS\S-1-5-19\..\Run: [sadirozusi] Rundll32.exe "C:\WINDOWS\system32\yumifesu.dll",s (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sadirozusi] Rundll32.exe "C:\WINDOWS\system32\yumifesu.dll",s (User 'NETWORK SERVICE')

O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\docume~1\philll~1\locals~1\temp\ntdll64.dll

O10 - Unknown file in Winsock LSP: c:\docume~1\philll~1\locals~1\temp\ntdll64.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O17 - HKLM\System\CCS\Services\Tcpip\..\{4CAE0260-F926-4FB2-94D1-83BF3EB976F8}: NameServer = 205.171.3.65,205.171.2.65

O20 - AppInit_DLLs: C:\WINDOWS\system32\pigofube.dll ainmgw.dll pdpbpt.dll c:\windows\system32\yihuhote.dll

O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll

O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yihuhote.dll

O22 - SharedTaskScheduler: klj3r93iorkemnfaja93riemef - {C5BF40A2-94F3-42BD-F434-1604812C8955} - C:\WINDOWS\system32\kjr3iorojdnbfi43unjfd.dll (file missing)

O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yihuhote.dll

O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\

O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\icf.exe.exe:ext.exe (file missing)

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe

O23 - Service: SupportSoft Listener Service (sprtlisten) - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe

O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe

--

End of file - 10709 bytes


  • Root Admin

STEP 01

Reconfigure Windows XP to show hidden files:

To enable the viewing of Hidden files follow these steps:

* Close all programs so that you are at your desktop.

* Double-click on the My Computer icon.

* Select the Tools menu and click Folder Options.

* After the new window appears select the View tab.

* Put a checkmark in the checkbox labeled Display the contents of system folders.

* Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.

* Remove the checkmark from the checkbox labeled Hide file extensions for known file types.

* Remove the checkmark from the checkbox labeled Hide protected operating system files.

* Press the Apply button and then the OK button and exit My Computer.

* Now your computer is configured to show all hidden files.

STEP 02

It may not let you, but if it will please delete the following file.

C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts

STEP 03

With all other applications closed (Taskbar empty), open HijackThis again and run Do a system scan only and place a check mark on the following items.

  • O2 - BHO: (no name) - {2765f56e-bd26-4719-a77a-dd09184f02c7} - C:\WINDOWS\system32\lijuhidi.dll
  • O2 - BHO: C:\WINDOWS\system32\kjr3iorojdnbfi43unjfd.dll - {c5bf40a2-94f3-42bd-f434-1604812c8955} - C:\WINDOWS\system32\kjr3iorojdnbfi43unjfd.dll (file missing)
  • O4 - HKLM\..\Run: [sadirozusi] Rundll32.exe "C:\WINDOWS\system32\yumifesu.dll",s
  • O4 - HKLM\..\Run: [QuickCare] C:\Program Files\Qwest\Quickcare\bin\sprtcmd.exe /P QuickCare
  • O4 - HKLM\..\Run: [00abcf24] rundll32.exe "C:\WINDOWS\system32\bagahone.dll",b
  • O4 - HKLM\..\Run: [Kxawo] rundll32.exe "C:\WINDOWS\Qyucepinukonejiq.dll",e
  • O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe
  • O4 - HKLM\..\Run: [kjahrfoi37rljanfaw3il7fhjd3f] C:\DOCUME~1\PHILLL~1\LOCALS~1\Temp\winlogqn.exe
  • O4 - HKLM\..\Run: [CPM0398fcb8] Rundll32.exe "c:\windows\system32\yihuhote.dll",a
  • O4 - HKLM\..\Run: [Ggijixa] rundll32.exe "C:\WINDOWS\eqowusuyanami.dll",e
  • O4 - HKCU\..\Run: [Virus Melt] "C:\Documents and Settings\All Users\Application Data\fe61ef9\VMelt.exe" /s
  • O4 - HKCU\..\Run: [kjahrfoi37rljanfaw3il7fhjd3f] C:\DOCUME~1\PHILLL~1\LOCALS~1\Temp\winlogqn.exe
  • O4 - HKUS\S-1-5-19\..\Run: [sadirozusi] Rundll32.exe "C:\WINDOWS\system32\yumifesu.dll",s (User 'LOCAL SERVICE')
  • O4 - HKUS\S-1-5-20\..\Run: [sadirozusi] Rundll32.exe "C:\WINDOWS\system32\yumifesu.dll",s (User 'NETWORK SERVICE')
  • O10 - Unknown file in Winsock LSP: c:\docume~1\philll~1\locals~1\temp\ntdll64.dll
  • O10 - Unknown file in Winsock LSP: c:\docume~1\philll~1\locals~1\temp\ntdll64.dll
  • O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
  • O17 - HKLM\System\CCS\Services\Tcpip\..\{4CAE0260-F926-4FB2-94D1-83BF3EB976F8}: NameServer = 205.171.3.65,205.171.2.65
  • O20 - AppInit_DLLs: C:\WINDOWS\system32\pigofube.dll ainmgw.dll pdpbpt.dll c:\windows\system32\yihuhote.dll
  • O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll
  • O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yihuhote.dll
  • O22 - SharedTaskScheduler: klj3r93iorkemnfaja93riemef - {C5BF40A2-94F3-42BD-F434-1604812C8955} - C:\WINDOWS\system32\kjr3iorojdnbfi43unjfd.dll (file missing)
  • O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yihuhote.dll
    Then Quit All Browsers including the one you're reading this in now.
    Then click on Fix checked and then quit HJT

STEP 04

    Download and install CCleaner
  • CCleaner
  • Double-click on the downloaded file "ccsetup217.exe" and install the application.
  • Keep the default installation folder "C:\Program Files\CCleaner"
  • Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"
  • Click finish when done and close ALL PROGRAMS
  • Start the CCleaner program.
  • Click on Registry and Uncheck Registry Integrity so that it does not run (basically the very top, uncheck it)
  • Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
  • Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
  • Click on Run Cleaner button on the bottom right side of the program.
  • Click OK to any prompts

STEP 05

Restart the computer now and see if MBAM will install or run.

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log.

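The admin's "Fix checked" list above is the manual version of a triage that can be scripted. The following is an added example, not part of this thread and not code from HijackThis or Malwarebytes: it applies a few defender-side heuristics to HJT-style log lines (hosts-file redirects of public domains to one non-loopback IP, autoruns launched from a Temp folder, rundll32 calling a single-letter export, a Winsock LSP or AppInit_DLLs entry, a nameless BHO). The sample lines are constructed to match the shape of the posted log, and the rules, severities and function names are my own assumptions, not an official HJT ruleset.

```python
import re
from collections import Counter

# Constructed sample lines in HijackThis (HJT) format, modelled on the shape of
# the log posted above; not the full log and not HJT's own output.
SAMPLE_LOG = [
    r"O1 - Hosts: 89.149.227.223 google.ae",
    r"O1 - Hosts: 89.149.227.223 google.com.mx",
    r"O1 - Hosts: 127.0.0.1 localhost",
    r"O2 - BHO: (no name) - {2765f56e-bd26-4719-a77a-dd09184f02c7} - C:\WINDOWS\system32\lijuhidi.dll",
    r'O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"',
    r'O4 - HKLM\..\Run: [sadirozusi] Rundll32.exe "C:\WINDOWS\system32\yumifesu.dll",s',
    r"O4 - HKLM\..\Run: [kjahrfoi37rljanfaw3il7fhjd3f] C:\DOCUME~1\PHILLL~1\LOCALS~1\Temp\winlogqn.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O10 - Unknown file in Winsock LSP: c:\docume~1\philll~1\locals~1\temp\ntdll64.dll",
    r"O20 - AppInit_DLLs: C:\WINDOWS\system32\pigofube.dll ainmgw.dll pdpbpt.dll",
    r"O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll",
    r"O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe",
]

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
RUN_RE = re.compile(r"^O4 - .*?: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?([^",]+\.dll)"?,(\w+)', re.IGNORECASE)
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def triage(lines):
    """Return (findings, hosts_targets).

    findings: list of (severity, section, reason, line) tuples.
    hosts_targets: Counter of IP -> number of non-loopback hosts-file entries
    pointing at it; one IP catching many domains is the hosts-hijack signature.
    """
    findings = []
    hosts_targets = Counter()
    for raw in lines:
        line = raw.strip()
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            # localhost -> 127.0.0.1 is the stock entry; anything else is a redirect.
            if not ip.startswith("127.") and ip != "::1":
                hosts_targets[ip] += 1
                findings.append(("high", "O1", f"hosts file redirects {host} to {ip}", line))
            continue
        if line.startswith("O2 - BHO: (no name)"):
            findings.append(("medium", "O2", "browser helper object with no name", line))
            continue
        m = RUN_RE.match(line)
        if m:
            cmd = m.group("cmd")
            if TEMP_RE.search(cmd):
                findings.append(("high", "O4", "autorun launches from a Temp directory", line))
            r = RUNDLL_RE.search(cmd)
            # rundll32 invoking a single-letter export is the pattern of the entries in this log.
            if r and len(r.group(2)) == 1:
                findings.append(("high", "O4", f"rundll32 loads {r.group(1)} via export '{r.group(2)}'", line))
            continue
        if line.startswith("O10 - Unknown file in Winsock LSP") and TEMP_RE.search(line):
            findings.append(("high", "O10", "Winsock LSP DLL in Temp; run 'netsh winsock reset' after removal", line))
            continue
        if line.startswith("O20 - AppInit_DLLs:") and line.split(":", 1)[1].strip():
            findings.append(("high", "O20", "AppInit_DLLs set: these DLLs load into every process that links user32", line))
            continue
        if line.startswith("O20 - Winlogon Notify:"):
            findings.append(("medium", "O20", "Winlogon Notify package: verify the DLL is a known Windows component", line))
    return findings, hosts_targets


def sinkhole_summary(hosts_targets):
    """IPs ordered by how many domains the hosts file funnels into them."""
    return hosts_targets.most_common()


if __name__ == "__main__":
    found, targets = triage(SAMPLE_LOG)
    for sev, sec, why, line in found:
        print(f"[{sev:6}] {sec:4} {why}\n          {line}")
    for ip, n in sinkhole_summary(targets):
        print(f"{ip} receives {n} redirected domain(s)")
```

Run on a saved HJT log by reading its lines into `triage`. The stock vendor autoruns (HP, ctfmon, the HP print service) produce no findings, while the hosts redirects, the Temp-launched executable, the rundll32 launcher, the Temp LSP and the AppInit_DLLs value all surface, which mirrors what the admin's checklist selects by hand; the O10 reason also records why `netsh winsock reset` is needed once the LSP DLL is gone.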

I followed all your instructions - however, I cannot get online to download malwarebytes directly, and when I copy over the mbam.exe to disk then to its desktop, I get an error code 707(3) - please advise me? BTW, thank you for your quick response!


  • Root Admin

Please see if one of these options helps or not.

http://www.malwarebytes.org/forums/index.php?showtopic=12709

http://www.malwarebytes.org/forums/index.php?showtopic=12713

If not then please try to run this.

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


When running the Combofix program the system gave me feedback that I had an incompatible OS, but continued to run... until the point of making a log file. At that point the system crashed, citing a physical memory dump, and then told me to restart the computer. I did, and got a couple of .dll errors as it started up, now I am reloaded, but don't know which way to go... do I re-run Combofix to try to get a log file? Or should I run HJT for a current log file to show you?


I decided to run another HJT log for you - thank you for helping me with this B)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 13:11, on 2009-03-18

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe

C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\AGRSMMSG.exe

C:\WINDOWS\System32\keyhook.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\HP\HP Software Update\HPWuSchd.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\sistray.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

C:\Documents and Settings\Phil Llapitan\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: (no name) - {2765f56e-bd26-4719-a77a-dd09184f02c7} - C:\WINDOWS\system32\lijuhidi.dll (file missing)

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [siS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Ggijixa] rundll32.exe "C:\WINDOWS\eqowusuyanami.dll",e

O4 - HKLM\..\Run: [CPM0398fcb8] Rundll32.exe "c:\windows\system32\yihuhote.dll",a

O4 - HKLM\..\Run: [sadirozusi] Rundll32.exe "C:\WINDOWS\system32\yumifesu.dll",s

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [sadirozusi] Rundll32.exe "C:\WINDOWS\system32\yumifesu.dll",s (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sadirozusi] Rundll32.exe "C:\WINDOWS\system32\yumifesu.dll",s (User 'NETWORK SERVICE')

O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\docume~1\philll~1\locals~1\temp\ntdll64.dll

O10 - Unknown file in Winsock LSP: c:\docume~1\philll~1\locals~1\temp\ntdll64.dll

O20 - AppInit_DLLs: C:\WINDOWS\system32\pigofube.dll c:\windows\system32\yihuhote.dll

O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yihuhote.dll (file missing)

O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yihuhote.dll (file missing)

O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\

O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\icf.exe.exe:ext.exe (file missing)

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe

O23 - Service: SupportSoft Listener Service (sprtlisten) - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe

O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe

--

End of file - 5236 bytes


  • Staff

Hi,

I'm taking this over since AdvancedSetup won't be able to reply (busy with other stuff).

I just want to make you aware of the fact that your computer is SEVERELY infected. The problem with these infections nowadays is that they cause a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.

Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible since it will be searching for a needle in a haystack to find the right cause and solution.

So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused.

In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start. Reason I am telling this is because when a system is so terribly infected and we try to clean this up manually, the damage that is already present may interfere with our removal attempts.

As a matter of fact, it doesn't surprise me at all... You don't even seem to have an Antivirus installed!!

This is somewhat suicidal in today's digital world.

That's why I want you to install one first!!

* Please install Avira Antivirus: http://www.free-av.com/

This is a free Antivirus.

Perform a full scan with Avira and let it delete everything it is finding.

Then reboot.

After reboot, open your Avira and select "reports".

There double-click the report from the Full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThis log.

Then we'll start from there, because it really makes no sense otherwise that we clean this up manually if an Antivirus scan is not present which should be able to deal with most and prevent further reinfection.

In case you lost internet connection after running the scan...

Go to start > run and type cmd

A DOS window will appear.

Type next in the dos window: netsh winsock reset

hit enter.

This should solve your broken connection.

I just want to make you aware of the fact that you may not expect miracles. I cannot promise you that we will be able to clean or fix the damage it already caused. If you had an Antivirus previously, it would have prevented a lot of damage already...


Thank you Miekiemoes, for your response, and sound lashing. I realize the importance of having a good antivirus program, but the computer that came to me from my daughter-in-law did not, obviously, have anything on it to protect it. Although I tried to add Avira originally, and also ran Dr. Web, they did not find what was wrong.

This time, the initial Avira run showed me there was an ntdll64 error in my Documents and Settings folder that I quarantined. After I rebooted from running the Avira full scan, I received the error "C:\windows\system32\yumifesu.dll and c:\windows\system32\yihuhote.dll, specified modules could not be found", and many problems, which I had Avira fix - and then it seemed to continue to run for a second time, without me rebooting it - so I have included BOTH log files.

Avira AntiVir Personal

Report file date: 2009-03-19 14:17

Scanning for 1284893 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows XP

Windows version : (Service Pack 3) [5.1.2600]

Boot mode : Normally booted

Username : SYSTEM

Computer name : PHIL-PIMIBA6H3J

Version information:

BUILD.DAT : 9.0.0.386 17962 Bytes 2009-03-11 15:55:00

AVSCAN.EXE : 9.0.3.3 464641 Bytes 2009-02-24 19:13:28

AVSCAN.DLL : 9.0.3.0 40705 Bytes 2009-02-27 17:58:26

LUKE.DLL : 9.0.3.2 209665 Bytes 2009-02-20 18:35:50

LUKERES.DLL : 9.0.2.0 12033 Bytes 2009-02-27 17:58:54

ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 2008-10-27 19:30:38

ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2009-02-11 03:33:28

ANTIVIR2.VDF : 7.1.2.105 513536 Bytes 2009-03-03 14:41:16

ANTIVIR3.VDF : 7.1.2.127 110592 Bytes 2009-03-05 21:58:22

Engineversion : 8.2.0.100

AEVDF.DLL : 8.1.1.0 106868 Bytes 2009-01-28 00:36:42

AESCRIPT.DLL : 8.1.1.56 352634 Bytes 2009-02-27 03:01:58

AESCN.DLL : 8.1.1.7 127347 Bytes 2009-02-12 18:44:26

AERDL.DLL : 8.1.1.3 438645 Bytes 2008-10-30 01:24:42

AEPACK.DLL : 8.1.3.10 397686 Bytes 2009-03-04 20:06:12

AEOFFICE.DLL : 8.1.0.36 196987 Bytes 2009-02-27 03:01:58

AEHEUR.DLL : 8.1.0.100 1618295 Bytes 2009-02-25 22:49:16

AEHELP.DLL : 8.1.2.2 119158 Bytes 2009-02-27 03:01:58

AEGEN.DLL : 8.1.1.24 336244 Bytes 2009-03-04 20:06:12

AEEMU.DLL : 8.1.0.9 393588 Bytes 2008-10-09 21:32:40

AECORE.DLL : 8.1.6.6 176501 Bytes 2009-02-17 21:22:44

AEBB.DLL : 8.1.0.3 53618 Bytes 2008-10-09 21:32:40

AVWINLL.DLL : 9.0.0.3 18177 Bytes 2008-12-12 15:48:00

AVPREF.DLL : 9.0.0.1 43777 Bytes 2008-12-05 17:32:16

AVREP.DLL : 8.0.0.3 155905 Bytes 2009-01-20 21:34:30

AVREG.DLL : 9.0.0.0 36609 Bytes 2008-12-05 17:32:10

AVARKT.DLL : 9.0.0.1 292609 Bytes 2009-02-09 14:52:26

AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 2009-01-30 17:37:10

SQLITE3.DLL : 3.6.1.0 326401 Bytes 2009-01-28 22:03:50

SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2009-02-02 15:21:34

NETNT.DLL : 9.0.0.0 11521 Bytes 2008-12-05 17:32:12

RCIMAGE.DLL : 9.0.0.21 2438401 Bytes 2009-02-09 18:45:46

RCTEXT.DLL : 9.0.35.0 87297 Bytes 2009-03-11 22:55:14

Configuration settings for the scan:

Jobname.............................: Complete system scan

Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp

Logging.............................: low

Primary action......................: interactive

Secondary action....................: ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Boot sectors........................: C:,

Process scan........................: on

Scan registry.......................: on

Search for rootkits.................: on

Integrity checking of system files..: on

Scan all files......................: All files

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: medium

Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+SPR,

Start of the scan: 2009-03-19 14:17

Initiating scan of system files:

Signed -> 'C:\WINDOWS\system32\svchost.exe'

Signed -> 'C:\WINDOWS\system32\winlogon.exe'

Signed -> 'C:\WINDOWS\explorer.exe'

Signed -> 'C:\WINDOWS\system32\smss.exe'

Signed -> 'C:\WINDOWS\system32\wininet.DLL'

Signed -> 'C:\WINDOWS\system32\wsock32.DLL'

Signed -> 'C:\WINDOWS\system32\ws2_32.DLL'

Signed -> 'C:\WINDOWS\system32\services.exe'

Signed -> 'C:\WINDOWS\system32\lsass.exe'

Signed -> 'C:\WINDOWS\system32\csrss.exe'

Signed -> 'C:\WINDOWS\system32\drivers\kbdclass.sys'

Signed -> 'C:\WINDOWS\system32\spoolsv.exe'

Signed -> 'C:\WINDOWS\system32\alg.exe'

Signed -> 'C:\WINDOWS\system32\wuauclt.exe'

Signed -> 'C:\WINDOWS\system32\advapi32.DLL'

Signed -> 'C:\WINDOWS\system32\user32.DLL'

Signed -> 'C:\WINDOWS\system32\gdi32.DLL'

Signed -> 'C:\WINDOWS\system32\kernel32.DLL'

Signed -> 'C:\WINDOWS\system32\ntdll.DLL'

Signed -> 'C:\WINDOWS\system32\ntoskrnl.exe'

Signed -> 'C:\WINDOWS\system32\ctfmon.exe'

The system files were scanned ('21' files)

Starting search for hidden objects.

'31628' objects were checked, '0' hidden objects were found.

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'alg.exe' - '1' Module(s) have been scanned

Scan process 'wscntfy.exe' - '1' Module(s) have been scanned

Scan process 'EasyShare.exe' - '1' Module(s) have been scanned

Scan process 'HPQTRA08.EXE' - '1' Module(s) have been scanned

Scan process 'SISTRAY.EXE' - '1' Module(s) have been scanned

Scan process 'CTFMON.EXE' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'QTTASK.EXE' - '1' Module(s) have been scanned

Scan process 'TFSWCTRL.EXE' - '1' Module(s) have been scanned

Scan process 'HPCMPMGR.EXE' - '1' Module(s) have been scanned

Scan process 'hpwuSchd.exe' - '1' Module(s) have been scanned

Scan process 'WkUFind.exe' - '1' Module(s) have been scanned

Scan process 'DVDLauncher.exe' - '1' Module(s) have been scanned

Scan process 'Keyhook.exe' - '1' Module(s) have been scanned

Scan process 'AGRSMMSG.EXE' - '1' Module(s) have been scanned

Scan process 'EXPLORER.EXE' - '1' Module(s) have been scanned

Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned

Scan process 'sprtlisten.exe' - '1' Module(s) have been scanned

Scan process 'SPKRMON.EXE' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'SPOOLSV.EXE' - '1' Module(s) have been scanned

Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned

Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned

Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned

Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned

Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned

Scan process 'LSASS.EXE' - '1' Module(s) have been scanned

Scan process 'SERVICES.EXE' - '1' Module(s) have been scanned

Scan process 'WINLOGON.EXE' - '1' Module(s) have been scanned

Scan process 'CSRSS.EXE' - '1' Module(s) have been scanned

Scan process 'SMSS.EXE' - '1' Module(s) have been scanned

35 processes with 35 modules were scanned

Starting master boot sector scan:

Start scanning boot sectors:

Starting to scan executable files (registry).

The registry was scanned ( '62' files ).

Starting the file scan:

Begin scan in 'C:\'

C:\yiar.exe

[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan

C:\cyieqw.exe

[DETECTION] Is the TR/Tiny.705 Trojan

C:\ootpnl.exe

[DETECTION] Is the TR/Downloader.Gen Trojan

C:\mfvse.exe

[DETECTION] Is the TR/Dropper.Gen Trojan

C:\pagefile.sys

[WARNING] The file could not be opened!

[NOTE] This file is a Windows system file.

[NOTE] This file cannot be opened for scanning.

C:\WINDOWS\instsp1.exe

[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan

C:\WINDOWS\system32\zujaviwi.dll

[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan

C:\Documents and Settings\All Users\Application Data\fe61ef9\VMelt.exe

[DETECTION] Is the TR/Dropper.Gen Trojan

C:\Documents and Settings\Phil Llapitan\Desktop\ComboFix.exe

[0] Archive type: RAR SFX (self extracting)

--> 32788R22FWJFW\psexec.cfexe

[1] Archive type: RSRC

--> Object

[DETECTION] Contains recognition pattern of the APPL/PsExec.E application

C:\Documents and Settings\Phil Llapitan\Desktop\backups\backup-20090315-110451-200.dll

[DETECTION] Is the TR/Vundo.Gen Trojan

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP154\A0030011.dll

[DETECTION] Contains recognition pattern of the ADSPY/AdSpy.Gen adware or spyware

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP154\A0031026.exe

[0] Archive type: NSIS

--> [PluginsDir]/InstallerHelperPlugin.dll

[DETECTION] Contains recognition pattern of the ADSPY/MartSho.dll.2 adware or spyware

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP154\A0031027.dll

[DETECTION] Contains recognition pattern of the ADSPY/Shopper.V.1 adware or spyware

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP157\A0031749.dll

[DETECTION] Is the TR/Vundo.Gen Trojan

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP157\A0032023.exe

[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP157\A0032044.exe

[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP158\A0035079.exe

[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP159\A0036197.exe

[DETECTION] Is the TR/Dropper.Gen Trojan

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036409.dll

[DETECTION] Is the TR/Dldr.JLRL Trojan

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036413.exe

[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036416.exe

[DETECTION] Is the TR/Vundo.Gen Trojan

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036418.DLL

[DETECTION] Is the TR/Vundo.Gen Trojan

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036421.DLL

[DETECTION] Is the TR/Vundo.Gen Trojan

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036422.dll

[DETECTION] Is the TR/Vundo.Gen Trojan

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036423.dll

[DETECTION] Is the TR/Vundo.Gen Trojan

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036425.dll

[DETECTION] Is the TR/Vundo.Gen Trojan

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036426.dll

[DETECTION] Is the TR/Vundo.Gen Trojan

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036427.dll

[DETECTION] Is the TR/Vundo.Gen Trojan

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036428.dll

[DETECTION] Is the TR/Vundo.Gen Trojan

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036429.dll

[DETECTION] Is the TR/Vundo.Gen Trojan

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036430.DLL

[DETECTION] Is the TR/Vundo.Gen Trojan

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036431.DLL

[DETECTION] Is the TR/Vundo.Gen Trojan

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036432.dll

[DETECTION] Is the TR/Vundo.Gen Trojan

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036433.dll

[DETECTION] Is the TR/Vundo.Gen Trojan

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036434.dll

[DETECTION] Is the TR/Vundo.Gen Trojan

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036435.dll

[DETECTION] Is the TR/Vundo.Gen Trojan

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036436.DLL

[DETECTION] Is the TR/Vundo.Gen Trojan

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036437.DLL

[DETECTION] Is the TR/Vundo.Gen Trojan

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036438.EXE

[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036439.exe

[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

C:\FOUND.002\FILE0001.CHK

[DETECTION] Is the TR/Rootkit.Gen Trojan

C:\FOUND.003\FILE0001.CHK

[DETECTION] Is the TR/Vundo.Gen Trojan

C:\FOUND.003\FILE0002.CHK

[DETECTION] Is the TR/Vundo.Gen Trojan

C:\FOUND.003\FILE0005.CHK

[DETECTION] Is the TR/Vundo.Gen Trojan

C:\FOUND.003\FILE0006.CHK

[DETECTION] Is the TR/Vundo.Gen Trojan

C:\FOUND.003\FILE0020.CHK

[DETECTION] Is the TR/Vundo.Gen Trojan

C:\FOUND.003\FILE0021.CHK

[DETECTION] Is the TR/Vundo.Gen Trojan

C:\FOUND.003\FILE0022.CHK

[DETECTION] Is the TR/Vundo.Gen Trojan

C:\FOUND.003\FILE0024.CHK

[DETECTION] Is the TR/Vundo.Gen Trojan

C:\FOUND.003\FILE0025.CHK

[DETECTION] Is the TR/Vundo.Gen Trojan

C:\FOUND.003\FILE0026.CHK

[DETECTION] Is the TR/Dropper.Gen Trojan

C:\FOUND.003\FILE0027.CHK

[DETECTION] Is the TR/Vundo.Gen Trojan

C:\FOUND.003\FILE0028.CHK

[DETECTION] Is the TR/Vundo.Gen Trojan

C:\FOUND.003\FILE0030.CHK

[DETECTION] Is the TR/Vundo.Gen Trojan

C:\FOUND.003\FILE0031.CHK

[DETECTION] Is the TR/Vundo.Gen Trojan

C:\FOUND.003\FILE0032.CHK

[DETECTION] Is the TR/Vundo.Gen Trojan

C:\FOUND.003\FILE0033.CHK

[DETECTION] Is the TR/Vundo.Gen Trojan

C:\FOUND.003\FILE0034.CHK

[DETECTION] Is the TR/Vundo.Gen Trojan

C:\FOUND.003\FILE0035.CHK

[DETECTION] Is the TR/Vundo.Gen Trojan

C:\FOUND.003\FILE0036.CHK

[DETECTION] Is the TR/Vundo.Gen Trojan

C:\Qoobox\Quarantine\C\DOCUME~1\PHILLL~1\LOCALS~1\Temp\mousehook.dll.vir

[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

C:\Qoobox\Quarantine\C\WINDOWS\system32\crypts.dll.vir

[DETECTION] Is the TR/Dldr.JLRL Trojan

C:\Qoobox\Quarantine\C\WINDOWS\system32\ntdll64.exe.vir

[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

C:\Qoobox\Quarantine\C\WINDOWS\system32\~.exe.vir

[DETECTION] Is the TR/Vundo.Gen Trojan

C:\Qoobox\LastRun\drevB.dat

[DETECTION] Is the TR/Dropper.Gen Trojan

C:\ComboFix\psexec.cfexe

[0] Archive type: RSRC

--> Object

[DETECTION] Contains recognition pattern of the APPL/PsExec.E application

Beginning disinfection:

C:\yiar.exe

[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan

[NOTE] The file was moved to '4a23c0a0.qua'!

C:\cyieqw.exe

[DETECTION] Is the TR/Tiny.705 Trojan

[NOTE] The file was moved to '4a2bc0b1.qua'!

C:\ootpnl.exe

[DETECTION] Is the TR/Downloader.Gen Trojan

[NOTE] The file was moved to '4a36c0a7.qua'!

C:\mfvse.exe

[DETECTION] Is the TR/Dropper.Gen Trojan

[NOTE] The file was moved to '4a38c0a1.qua'!

C:\WINDOWS\instsp1.exe

[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan

[NOTE] The file was moved to '4a35c0a9.qua'!

C:\WINDOWS\system32\zujaviwi.dll

[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan

[NOTE] The file was moved to '4a2cc0b0.qua'!

C:\Documents and Settings\All Users\Application Data\fe61ef9\VMelt.exe

[DETECTION] Is the TR/Dropper.Gen Trojan

[NOTE] The file was moved to '4a27c089.qua'!

C:\Documents and Settings\Phil Llapitan\Desktop\ComboFix.exe

[NOTE] The file was moved to '4a2fc0ac.qua'!

C:\Documents and Settings\Phil Llapitan\Desktop\backups\backup-20090315-110451-200.dll

[DETECTION] Is the TR/Vundo.Gen Trojan

[NOTE] The file was moved to '4a25c0a0.qua'!

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP154\A0030011.dll

[DETECTION] Contains recognition pattern of the ADSPY/AdSpy.Gen adware or spyware

[NOTE] The file was moved to '49f2c06f.qua'!

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP154\A0031026.exe

[NOTE] The file was moved to '4a879970.qua'!

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP154\A0031027.dll

[DETECTION] Contains recognition pattern of the ADSPY/Shopper.V.1 adware or spyware

[NOTE] The file was moved to '49f2c070.qua'!

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP157\A0031749.dll

[DETECTION] Is the TR/Vundo.Gen Trojan

[NOTE] The file was moved to '4fcba1d9.qua'!

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP157\A0032023.exe

[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

[NOTE] The file was moved to '48a581f1.qua'!

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP157\A0032044.exe

[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

[NOTE] The file was moved to '4fc8a901.qua'!

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP158\A0035079.exe

[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

[NOTE] The file was moved to '4a85b141.qua'!

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP159\A0036197.exe

[DETECTION] Is the TR/Dropper.Gen Trojan

[NOTE] The file was moved to '49f2c071.qua'!

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036409.dll

[DETECTION] Is the TR/Dldr.JLRL Trojan

[NOTE] The file was moved to '49f2c073.qua'!

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036413.exe

[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

[NOTE] The file was moved to '4a8848fc.qua'!

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036416.exe

[DETECTION] Is the TR/Vundo.Gen Trojan

[NOTE] The file was moved to '4a895024.qua'!

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036418.DLL

[DETECTION] Is the TR/Vundo.Gen Trojan

[NOTE] The file was moved to '4a8e586c.qua'!

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036421.DLL

[DETECTION] Is the TR/Vundo.Gen Trojan

[NOTE] The file was moved to '4a8f5f94.qua'!

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036422.dll

[DETECTION] Is the TR/Vundo.Gen Trojan

[NOTE] The file was moved to '49f2c074.qua'!

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036423.dll

[DETECTION] Is the TR/Vundo.Gen Trojan

[NOTE] The file was moved to '4a8d6f05.qua'!

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036425.dll

[DETECTION] Is the TR/Vundo.Gen Trojan

[NOTE] The file was moved to '4a72774d.qua'!

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036426.dll

[DETECTION] Is the TR/Vundo.Gen Trojan

[NOTE] The file was moved to '4a737f75.qua'!

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036427.dll

[DETECTION] Is the TR/Vundo.Gen Trojan

[NOTE] The file was moved to '4a7006bd.qua'!

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036428.dll

[DETECTION] Is the TR/Vundo.Gen Trojan

[NOTE] The file was moved to '49f2c075.qua'!

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036429.dll

[DETECTION] Is the TR/Vundo.Gen Trojan

[NOTE] The file was moved to '4a76162e.qua'!

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036430.DLL

[DETECTION] Is the TR/Vundo.Gen Trojan

[NOTE] The file was moved to '4a771e56.qua'!

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036431.DLL

[DETECTION] Is the TR/Vundo.Gen Trojan

[NOTE] The file was moved to '4a74259e.qua'!

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036432.dll

[DETECTION] Is the TR/Vundo.Gen Trojan

[NOTE] The file was moved to '4a752dc6.qua'!

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036433.dll

[DETECTION] Is the TR/Vundo.Gen Trojan

[NOTE] The file was moved to '49f2c076.qua'!

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036434.dll

[DETECTION] Is the TR/Vundo.Gen Trojan

[NOTE] The file was moved to '4a7b3d37.qua'!

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036435.dll

[DETECTION] Is the TR/Vundo.Gen Trojan

[NOTE] The file was moved to '4a79c57f.qua'!

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036436.DLL

[DETECTION] Is the TR/Vundo.Gen Trojan

[NOTE] The file was moved to '4a7ecca7.qua'!

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036437.DLL

[DETECTION] Is the TR/Vundo.Gen Trojan

[NOTE] The file was moved to '49f2c077.qua'!

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036438.EXE

[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

[NOTE] The file was moved to '4a7cdc18.qua'!

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036439.exe

[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

[NOTE] The file was moved to '4a7de450.qua'!

C:\FOUND.002\FILE0001.CHK

[DETECTION] Is the TR/Rootkit.Gen Trojan

[NOTE] The file was moved to '4a0ec090.qua'!

C:\FOUND.003\FILE0001.CHK

[DETECTION] Is the TR/Vundo.Gen Trojan

[NOTE] The file was moved to '4b66e8f9.qua'!

C:\FOUND.003\FILE0002.CHK

[DETECTION] Is the TR/Vundo.Gen Trojan

[NOTE] The file was moved to '4a0ec091.qua'!

C:\FOUND.003\FILE0005.CHK

[DETECTION] Is the TR/Vundo.Gen Trojan

[NOTE] The file was moved to '499ff32a.qua'!

C:\FOUND.003\FILE0006.CHK

[DETECTION] Is the TR/Vundo.Gen Trojan

[NOTE] The file was moved to '499cfb12.qua'!

C:\FOUND.003\FILE0020.CHK

[DETECTION] Is the TR/Vundo.Gen Trojan

[NOTE] The file was moved to '499d83da.qua'!

C:\FOUND.003\FILE0021.CHK

[DETECTION] Is the TR/Vundo.Gen Trojan

[NOTE] The file was moved to '499a8b82.qua'!

C:\FOUND.003\FILE0022.CHK

[DETECTION] Is the TR/Vundo.Gen Trojan

[NOTE] The file was moved to '499b924a.qua'!

C:\FOUND.003\FILE0024.CHK

[DETECTION] Is the TR/Vundo.Gen Trojan

[NOTE] The file was moved to '4a0ec092.qua'!

C:\FOUND.003\FILE0025.CHK

[DETECTION] Is the TR/Vundo.Gen Trojan

[NOTE] The file was moved to '4999a2fb.qua'!

C:\FOUND.003\FILE0026.CHK

[DETECTION] Is the TR/Dropper.Gen Trojan

[NOTE] The file was moved to '4996aaa3.qua'!

C:\FOUND.003\FILE0027.CHK

[DETECTION] Is the TR/Vundo.Gen Trojan

[NOTE] The file was moved to '4997b16b.qua'!

C:\FOUND.003\FILE0028.CHK

[DETECTION] Is the TR/Vundo.Gen Trojan

[NOTE] The file was moved to '4a0ec093.qua'!

C:\FOUND.003\FILE0030.CHK

[DETECTION] Is the TR/Vundo.Gen Trojan

[NOTE] The file was moved to '4995411c.qua'!

C:\FOUND.003\FILE0031.CHK

[DETECTION] Is the TR/Vundo.Gen Trojan

[NOTE] The file was moved to '499249c4.qua'!

C:\FOUND.003\FILE0032.CHK

[DETECTION] Is the TR/Vundo.Gen Trojan

[NOTE] The file was moved to '4a0ec094.qua'!

C:\FOUND.003\FILE0033.CHK

[DETECTION] Is the TR/Vundo.Gen Trojan

[NOTE] The file was moved to '49905875.qua'!

C:\FOUND.003\FILE0034.CHK

[DETECTION] Is the TR/Vundo.Gen Trojan

[NOTE] The file was moved to '4991603d.qua'!

C:\FOUND.003\FILE0035.CHK

[DETECTION] Is the TR/Vundo.Gen Trojan

[NOTE] The file was moved to '49ae68e5.qua'!

C:\FOUND.003\FILE0036.CHK

[DETECTION] Is the TR/Vundo.Gen Trojan

[NOTE] The file was moved to '49af70ad.qua'!

C:\Qoobox\Quarantine\C\DOCUME~1\PHILLL~1\LOCALS~1\Temp\mousehook.dll.vir

[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

[NOTE] The file was moved to '4a37c0ba.qua'!

C:\Qoobox\Quarantine\C\WINDOWS\system32\crypts.dll.vir

[DETECTION] Is the TR/Dldr.JLRL Trojan

[NOTE] The file was moved to '4a3bc0be.qua'!

C:\Qoobox\Quarantine\C\WINDOWS\system32\ntdll64.exe.vir

[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

[NOTE] The file was moved to '4a26c0c0.qua'!

C:\Qoobox\Quarantine\C\WINDOWS\system32\~.exe.vir

[DETECTION] Is the TR/Vundo.Gen Trojan

[NOTE] The file was moved to '4a27c07a.qua'!

C:\Qoobox\LastRun\drevB.dat

[DETECTION] Is the TR/Dropper.Gen Trojan

[NOTE] The file was moved to '4a27c0be.qua'!

C:\ComboFix\psexec.cfexe

[NOTE] The file was moved to '4a27c0bf.qua'!

End of the scan: 2009-03-19 14:59

Used time: 36:34 Minute(s)

The scan has been done completely.

4217 Scanned directories

133669 Files were scanned

65 Viruses and/or unwanted programs were found

0 Files were classified as suspicious

0 files were deleted

0 Viruses and unwanted programs were repaired

65 Files were moved to quarantine

0 Files were renamed

1 Files cannot be scanned

133603 Files not concerned

887 Archives were scanned

1 Warnings

66 Notes

31628 Objects were scanned with rootkit scan

0 Hidden objects were found

************************************************

AND THE SECOND LOG FILE:

************************************************

Avira AntiVir Personal

Report file date: 2009-03-19 14:17

Scanning for 1284893 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows XP

Windows version : (Service Pack 3) [5.1.2600]

Boot mode : Normally booted

Username : SYSTEM

Computer name : PHIL-PIMIBA6H3J

Version information:

BUILD.DAT : 9.0.0.386 17962 Bytes 2009-03-11 15:55:00

AVSCAN.EXE : 9.0.3.3 464641 Bytes 2009-02-24 19:13:28

AVSCAN.DLL : 9.0.3.0 40705 Bytes 2009-02-27 17:58:26

LUKE.DLL : 9.0.3.2 209665 Bytes 2009-02-20 18:35:50

LUKERES.DLL : 9.0.2.0 12033 Bytes 2009-02-27 17:58:54

ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 2008-10-27 19:30:38

ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2009-02-11 03:33:28

ANTIVIR2.VDF : 7.1.2.105 513536 Bytes 2009-03-03 14:41:16

ANTIVIR3.VDF : 7.1.2.127 110592 Bytes 2009-03-05 21:58:22

Engineversion : 8.2.0.100

AEVDF.DLL : 8.1.1.0 106868 Bytes 2009-01-28 00:36:42

AESCRIPT.DLL : 8.1.1.56 352634 Bytes 2009-02-27 03:01:58

AESCN.DLL : 8.1.1.7 127347 Bytes 2009-02-12 18:44:26

AERDL.DLL : 8.1.1.3 438645 Bytes 2008-10-30 01:24:42

AEPACK.DLL : 8.1.3.10 397686 Bytes 2009-03-04 20:06:12

AEOFFICE.DLL : 8.1.0.36 196987 Bytes 2009-02-27 03:01:58

AEHEUR.DLL : 8.1.0.100 1618295 Bytes 2009-02-25 22:49:16

AEHELP.DLL : 8.1.2.2 119158 Bytes 2009-02-27 03:01:58

AEGEN.DLL : 8.1.1.24 336244 Bytes 2009-03-04 20:06:12

AEEMU.DLL : 8.1.0.9 393588 Bytes 2008-10-09 21:32:40

AECORE.DLL : 8.1.6.6 176501 Bytes 2009-02-17 21:22:44

AEBB.DLL : 8.1.0.3 53618 Bytes 2008-10-09 21:32:40

AVWINLL.DLL : 9.0.0.3 18177 Bytes 2008-12-12 15:48:00

AVPREF.DLL : 9.0.0.1 43777 Bytes 2008-12-05 17:32:16

AVREP.DLL : 8.0.0.3 155905 Bytes 2009-01-20 21:34:30

AVREG.DLL : 9.0.0.0 36609 Bytes 2008-12-05 17:32:10

AVARKT.DLL : 9.0.0.1 292609 Bytes 2009-02-09 14:52:26

AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 2009-01-30 17:37:10

SQLITE3.DLL : 3.6.1.0 326401 Bytes 2009-01-28 22:03:50

SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2009-02-02 15:21:34

NETNT.DLL : 9.0.0.0 11521 Bytes 2008-12-05 17:32:12

RCIMAGE.DLL : 9.0.0.21 2438401 Bytes 2009-02-09 18:45:46

RCTEXT.DLL : 9.0.35.0 87297 Bytes 2009-03-11 22:55:14

Configuration settings for the scan:

Jobname.............................: Complete system scan

Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp

Logging.............................: low

Primary action......................: interactive

Secondary action....................: ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Boot sectors........................: C:,

Process scan........................: on

Scan registry.......................: on

Search for rootkits.................: on

Integrity checking of system files..: on

Scan all files......................: All files

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: medium

Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+SPR,

Start of the scan: 2009-03-19 14:17

Initiating scan of system files:

Signed -> 'C:\WINDOWS\system32\svchost.exe'

Signed -> 'C:\WINDOWS\system32\winlogon.exe'

Signed -> 'C:\WINDOWS\explorer.exe'

Signed -> 'C:\WINDOWS\system32\smss.exe'

Signed -> 'C:\WINDOWS\system32\wininet.DLL'

Signed -> 'C:\WINDOWS\system32\wsock32.DLL'

Signed -> 'C:\WINDOWS\system32\ws2_32.DLL'

Signed -> 'C:\WINDOWS\system32\services.exe'

Signed -> 'C:\WINDOWS\system32\lsass.exe'

Signed -> 'C:\WINDOWS\system32\csrss.exe'

Signed -> 'C:\WINDOWS\system32\drivers\kbdclass.sys'

Signed -> 'C:\WINDOWS\system32\spoolsv.exe'

Signed -> 'C:\WINDOWS\system32\alg.exe'

Signed -> 'C:\WINDOWS\system32\wuauclt.exe'

Signed -> 'C:\WINDOWS\system32\advapi32.DLL'

Signed -> 'C:\WINDOWS\system32\user32.DLL'

Signed -> 'C:\WINDOWS\system32\gdi32.DLL'

Signed -> 'C:\WINDOWS\system32\kernel32.DLL'

Signed -> 'C:\WINDOWS\system32\ntdll.DLL'

Signed -> 'C:\WINDOWS\system32\ntoskrnl.exe'

Signed -> 'C:\WINDOWS\system32\ctfmon.exe'

The system files were scanned ('21' files)

Starting search for hidden objects.

An ARK library instance is already running.

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'alg.exe' - '1' Module(s) have been scanned

Scan process 'wscntfy.exe' - '1' Module(s) have been scanned

Scan process 'EasyShare.exe' - '1' Module(s) have been scanned

Scan process 'HPQTRA08.EXE' - '1' Module(s) have been scanned

Scan process 'SISTRAY.EXE' - '1' Module(s) have been scanned

Scan process 'CTFMON.EXE' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'QTTASK.EXE' - '1' Module(s) have been scanned

Scan process 'TFSWCTRL.EXE' - '1' Module(s) have been scanned

Scan process 'HPCMPMGR.EXE' - '1' Module(s) have been scanned

Scan process 'hpwuSchd.exe' - '1' Module(s) have been scanned

Scan process 'WkUFind.exe' - '1' Module(s) have been scanned

Scan process 'DVDLauncher.exe' - '1' Module(s) have been scanned

Scan process 'Keyhook.exe' - '1' Module(s) have been scanned

Scan process 'AGRSMMSG.EXE' - '1' Module(s) have been scanned

Scan process 'EXPLORER.EXE' - '1' Module(s) have been scanned

Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned

Scan process 'sprtlisten.exe' - '1' Module(s) have been scanned

Scan process 'SPKRMON.EXE' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'SPOOLSV.EXE' - '1' Module(s) have been scanned

Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned

Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned

Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned

Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned

Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned

Scan process 'LSASS.EXE' - '1' Module(s) have been scanned

Scan process 'SERVICES.EXE' - '1' Module(s) have been scanned

Scan process 'WINLOGON.EXE' - '1' Module(s) have been scanned

Scan process 'CSRSS.EXE' - '1' Module(s) have been scanned

Scan process 'SMSS.EXE' - '1' Module(s) have been scanned

35 processes with 35 modules were scanned

Starting master boot sector scan:

Start scanning boot sectors:

Starting to scan executable files (registry).

The registry was scanned ( '62' files ).

Starting the file scan:

Begin scan in 'C:\'

C:\yiar.exe

[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan

C:\cyieqw.exe

[DETECTION] Is the TR/Tiny.705 Trojan

C:\ootpnl.exe

[DETECTION] Is the TR/Downloader.Gen Trojan

C:\mfvse.exe

[DETECTION] Is the TR/Dropper.Gen Trojan

C:\pagefile.sys

[WARNING] The file could not be opened!

[NOTE] This file is a Windows system file.

[NOTE] This file cannot be opened for scanning.

C:\WINDOWS\instsp1.exe

[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan

C:\WINDOWS\system32\zujaviwi.dll

[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan

C:\Documents and Settings\All Users\Application Data\fe61ef9\VMelt.exe

[DETECTION] Is the TR/Dropper.Gen Trojan

C:\Documents and Settings\Phil Llapitan\Desktop\ComboFix.exe

[0] Archive type: RAR SFX (self extracting)

--> 32788R22FWJFW\psexec.cfexe

[1] Archive type: RSRC

--> Object

[DETECTION] Contains recognition pattern of the APPL/PsExec.E application

C:\Documents and Settings\Phil Llapitan\Desktop\backups\backup-20090315-110451-200.dll

[DETECTION] Is the TR/Vundo.Gen Trojan

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP163\A0037411.exe

[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP163\A0037412.exe

[DETECTION] Is the TR/Tiny.705 Trojan

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP163\A0037413.exe

[DETECTION] Is the TR/Downloader.Gen Trojan

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP163\A0037414.exe

[DETECTION] Is the TR/Dropper.Gen Trojan

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP163\A0037415.exe

[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP163\A0037416.dll

[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP163\A0037417.exe

[DETECTION] Is the TR/Dropper.Gen Trojan

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP163\A0037418.exe

[0] Archive type: RAR SFX (self extracting)

--> 32788R22FWJFW\psexec.cfexe

[1] Archive type: RSRC

--> Object

[DETECTION] Contains recognition pattern of the APPL/PsExec.E application

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP163\A0037419.dll

[DETECTION] Is the TR/Vundo.Gen Trojan

Beginning disinfection:

C:\yiar.exe

[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan

[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004

[WARNING] The source file could not be found.

[NOTE] Attempting to perform action using the ARK library.

[WARNING] Error in ARK library

[NOTE] The file is scheduled for deleting after reboot.

C:\cyieqw.exe

[DETECTION] Is the TR/Tiny.705 Trojan

[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004

[WARNING] The source file could not be found.

[NOTE] Attempting to perform action using the ARK library.

[WARNING] Error in ARK library

[NOTE] The file is scheduled for deleting after reboot.

C:\ootpnl.exe

[DETECTION] Is the TR/Downloader.Gen Trojan

[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004

[WARNING] The source file could not be found.

[NOTE] Attempting to perform action using the ARK library.

[WARNING] Error in ARK library

[NOTE] The file is scheduled for deleting after reboot.

C:\mfvse.exe

[DETECTION] Is the TR/Dropper.Gen Trojan

[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004

[WARNING] The source file could not be found.

[NOTE] Attempting to perform action using the ARK library.

[WARNING] Error in ARK library

[NOTE] The file is scheduled for deleting after reboot.

C:\WINDOWS\instsp1.exe

[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan

[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004

[WARNING] The source file could not be found.

[NOTE] Attempting to perform action using the ARK library.

[WARNING] Error in ARK library

[NOTE] The file is scheduled for deleting after reboot.

C:\WINDOWS\system32\zujaviwi.dll

[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan

[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004

[WARNING] The source file could not be found.

[NOTE] Attempting to perform action using the ARK library.

[WARNING] Error in ARK library

[NOTE] The file is scheduled for deleting after reboot.

C:\Documents and Settings\All Users\Application Data\fe61ef9\VMelt.exe

[DETECTION] Is the TR/Dropper.Gen Trojan

[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004

[WARNING] The source file could not be found.

[NOTE] Attempting to perform action using the ARK library.

[WARNING] Error in ARK library

[NOTE] The file is scheduled for deleting after reboot.

C:\Documents and Settings\Phil Llapitan\Desktop\ComboFix.exe

[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004

[WARNING] The source file could not be found.

[NOTE] Attempting to perform action using the ARK library.

[WARNING] Error in ARK library

[NOTE] The file is scheduled for deleting after reboot.

C:\Documents and Settings\Phil Llapitan\Desktop\backups\backup-20090315-110451-200.dll

[DETECTION] Is the TR/Vundo.Gen Trojan

[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004

[WARNING] The source file could not be found.

[NOTE] Attempting to perform action using the ARK library.

[WARNING] Error in ARK library

[NOTE] The file is scheduled for deleting after reboot.

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP163\A0037411.exe

[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan

[NOTE] The file was moved to '49f2c23b.qua'!

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP163\A0037412.exe

[DETECTION] Is the TR/Tiny.705 Trojan

[NOTE] The file was moved to '411b185c.qua'!

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP163\A0037413.exe

[DETECTION] Is the TR/Downloader.Gen Trojan

[NOTE] The file was moved to '41182014.qua'!

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP163\A0037414.exe

[DETECTION] Is the TR/Dropper.Gen Trojan

[NOTE] The file was moved to '411e2bc4.qua'!

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP163\A0037415.exe

[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan

[NOTE] The file was moved to '4fa61854.qua'!

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP163\A0037416.dll

[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan

[NOTE] The file was moved to '411f33fc.qua'!

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP163\A0037417.exe

[DETECTION] Is the TR/Dropper.Gen Trojan

[NOTE] The file was moved to '411c3bb4.qua'!

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP163\A0037418.exe

[NOTE] The file was moved to '4102c36c.qua'!

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP163\A0037419.dll

[DETECTION] Is the TR/Vundo.Gen Trojan

[NOTE] The file was moved to '411508ec.qua'!

End of the scan: 2009-03-19 15:07

Used time: 47:27 Minute(s)

The scan has been done completely.

4217 Scanned directories

133748 Files were scanned

18 Viruses and/or unwanted programs were found

0 Files were classified as suspicious

0 files were deleted

0 Viruses and unwanted programs were repaired

9 Files were moved to quarantine

0 Files were renamed

1 Files cannot be scanned

133729 Files not concerned

887 Archives were scanned

10 Warnings

19 Notes

*******************************************

I appreciate that you have done all you and AdvancedSetup could to help me so far, and also the fact that this system may be toast. I have requested the drivers disk(s) and XP installation disk from her (well, now apparently the uncle she just got this system from, grrrrr he probably knew all of this) in the event that I have to reformat and reinstall. She doesn't have anything really on this to save, so that is a very viable solution too. I am glad to have learned all the tools and information that have been shared with me from you guys, although I hope to never have to use them again anytime soon.. :(

As far as establishing an internet connection on that system, it has QWest wireless, which she has told me doesn't work outside her home. I do not know about that and am looking into that further.

Here is the HJT log, and again, thank you for your help.

I should mention that I would like to try to fix the system so I can say I tried, if you are game!?

********************************************

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 15:45, on 2009-03-19

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe

C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\AGRSMMSG.exe

C:\WINDOWS\System32\keyhook.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\HP\HP Software Update\HPWuSchd.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\sistray.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Avira\AntiVir Desktop\avcenter.exe

C:\WINDOWS\system32\notepad.exe

C:\Documents and Settings\Phil Llapitan\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: (no name) - {2765f56e-bd26-4719-a77a-dd09184f02c7} - C:\WINDOWS\system32\lijuhidi.dll (file missing)

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [siS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Ggijixa] rundll32.exe "C:\WINDOWS\eqowusuyanami.dll",e

O4 - HKLM\..\Run: [CPM0398fcb8] Rundll32.exe "c:\windows\system32\yihuhote.dll",a

O4 - HKLM\..\Run: [sadirozusi] Rundll32.exe "C:\WINDOWS\system32\yumifesu.dll",s

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [sadirozusi] Rundll32.exe "C:\WINDOWS\system32\yumifesu.dll",s (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sadirozusi] Rundll32.exe "C:\WINDOWS\system32\yumifesu.dll",s (User 'NETWORK SERVICE')

O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O20 - AppInit_DLLs: C:\WINDOWS\system32\pigofube.dll c:\windows\system32\yihuhote.dll

O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yihuhote.dll (file missing)

O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yihuhote.dll (file missing)

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\

O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\icf.exe.exe:ext.exe (file missing)

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe

O23 - Service: SupportSoft Listener Service (sprtlisten) - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe

O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe

--

End of file - 5640 bytes

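As an added triage aid, not code from this thread, from HijackThis or from Malwarebytes, the Python below parses HJT entries like the ones in the log above and flags the loader patterns the helpers were reacting to: rundll32 calling a DLL through a one-letter export, "(file missing)" autostarts, a populated AppInit_DLLs, and a service path that names an NTFS alternate data stream. The sample lines are copied from the log; the heuristics are my assumptions and only say which entries deserve a look, not that they are malware.

```python
"""Triage helper for HijackThis v2.x log lines.

Added example: not part of the forum thread, of HijackThis, or of any
Malwarebytes tool. It parses O2/O4/O20/O23-style entries of the kind
shown in the log and flags the loader patterns the helpers were reacting
to. Every heuristic here is an assumption: a flag means "look at this
entry", not "this is malware".
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# "O4 - HKLM\..\Run: [...]": section tag, then the entry body.
ENTRY_RE = re.compile(r"^(O\d+|R\d) - (.*)$")
# rundll32 <dll>,<export>; the Vundo-style loaders in the log use a
# one-letter export name such as ",e", ",a" or ",s".
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def triage_line(line: str) -> list[Finding]:
    """Return zero or more findings for a single HijackThis entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    section, body = m.group(1), m.group(2)
    found: list[Finding] = []

    if "(file missing)" in body:
        found.append(Finding(section, "autostart points at a missing file", line))

    if section == "O4":
        rd = RUNDLL_RE.search(body)
        if rd and len(rd.group("export")) == 1:
            found.append(Finding(
                section,
                f"rundll32 loads {rd.group('dll')} via one-letter export "
                f"'{rd.group('export')}'",
                line,
            ))
        # Run keys under the LOCAL SERVICE / NETWORK SERVICE hives are an
        # unusual place for user software to autostart from.
        if body.startswith(("HKUS\\S-1-5-19", "HKUS\\S-1-5-20")):
            found.append(Finding(section, "Run key under a service-account hive", line))

    if section == "O20" and body.startswith("AppInit_DLLs:"):
        dlls = body.split(":", 1)[1].split()
        if dlls:
            found.append(Finding(
                section, f"AppInit_DLLs injects {len(dlls)} DLL(s) into every GUI process", line
            ))

    if section == "O23":
        path = body.rsplit(" - ", 1)[-1]
        # Index 1 is the drive-letter colon; any later colon names an NTFS
        # alternate data stream, which a normal service path never does.
        if ":" in path[2:]:
            found.append(Finding(section, "service path uses an alternate data stream", line))
        if re.search(r"\.exe\.exe", path, re.IGNORECASE):
            found.append(Finding(section, "doubled .exe extension in service path", line))
    return found


def triage_log(text: str) -> list[Finding]:
    """Run triage_line over every line of a pasted HijackThis log."""
    return [f for line in text.splitlines() for f in triage_line(line)]


def counts_by_section(findings: list[Finding]) -> dict[str, int]:
    """How many flagged entries each HJT section contributed."""
    return dict(Counter(f.section for f in findings))


# Sample entries copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {2765f56e-bd26-4719-a77a-dd09184f02c7} - C:\WINDOWS\system32\lijuhidi.dll (file missing)
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Ggijixa] rundll32.exe "C:\WINDOWS\eqowusuyanami.dll",e
O4 - HKLM\..\Run: [CPM0398fcb8] Rundll32.exe "c:\windows\system32\yihuhote.dll",a
O4 - HKUS\S-1-5-19\..\Run: [sadirozusi] Rundll32.exe "C:\WINDOWS\system32\yumifesu.dll",s (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: C:\WINDOWS\system32\pigofube.dll c:\windows\system32\yihuhote.dll
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\icf.exe.exe:ext.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line.strip()}")
```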

  • Staff

Hi,

Avira already found a LOT, but, it looks like some real damage was already done - file/folder access, corrupted files etc... We'll see how everything behaves if we deal with the rest manually, but I can't promise anything.

The errors are normal after reboot. We'll fix that.

First of all, reboot your computer.

After reboot,

Can you try to run MalwareBytes again, please? But first of all, please update MalwareBytes, because the database version may be outdated.

  • Start MalwareBytes and click the Update tab. There click "Check for updates".
  • Once the updates are downloaded, perform a full scan again.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply along with a fresh HijackThis log, then we'll proceed from there with new steps.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

In case you can't run MBAM,

Please read the following tutorial and perform the steps:

http://www.malwarebytes.org/forums/index.php?showtopic=12709


Thank you for your quick response. I'm about to ask a real newbie question here - first, her computer will not go online so I cannot update malwarebytes from there, so, how can I get malwarebytes to update itself, then make a copy of that to transfer to the other computer? I updated to MY desktop, then copied the whole folder over to the other computer's desktop, but mbam.exe will not run - I am getting the following errors (vbAccelerator SGrid II Control, Run-time error '0') and (Malwarebytes' Anti-Malware, Run-time error '440'; Automation error). So - am I doing it wrong? I would like to get Malwarebytes to run before I go back to the other solutions.


Hi - I recopied both to the infected computer - still getting runtime errors '0' and '440'. Is it because I am using Vista and Malwarebytes 'knows' that, so it won't run on the XP when I copy it over? Or am I just doing it wrong? I have them both saved to desktop... is that a problem? Sigh. I appreciate your patience.


  • Staff

Just copy the MalwareBytes installer and database installer to the other pc.

If you get these errors, then it's most probably because malware is preventing it.

Please read the following tutorial and perform the steps:

http://www.malwarebytes.org/forums/index.php?showtopic=12709

Then you should be able to run MBAM afterwards. Also, make sure you update MBAM (Update tab > check for updates), before you run the scan.

Then, once the scan has finished, reboot!

After reboot,

Post the log from MBAM in your next reply.


WhooHoo! I copied the file incorrectly the last time, but I did it right this time and got mbam to run - (the rootrepeal showed nothing)

Here is my mbam log:

Malwarebytes' Anti-Malware 1.34

Database version: 1863

Windows 5.1.2600 Service Pack 3

2009-03-20 14:57:15

mbam-log-2009-03-20 (14-57-15).txt

Scan type: Full Scan (C:\|)

Objects scanned: 110717

Time elapsed: 26 minute(s), 32 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 10

Registry Values Infected: 5

Registry Data Items Infected: 4

Folders Infected: 2

Files Infected: 10

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2765f56e-bd26-4719-a77a-dd09184f02c7} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{2765f56e-bd26-4719-a77a-dd09184f02c7} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.Shopping.Report) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5bf40a2-94f3-42bd-f434-1604812c8955} (Trojan.Ertfor) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ICF (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm0398fcb8 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sadirozusi (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ggijixa (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

C:\Documents and Settings\Phil Llapitan\Application Data\Virus Melt (Rogue.VirusMelt) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\System Data (Rogue.VirusMelt) -> Quarantined and deleted successfully.

Files Infected:

C:\tcrnwc.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.

C:\ucpdcu.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Qyucepinukonejiq.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP159\A0036187.exe (Rogue.Installer) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036411.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036417.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\frmwrk32.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Phil Llapitan\Application Data\Virus Melt\Instructions.ini (Rogue.VirusMelt) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\System Data\mscfg.ini (Rogue.VirusMelt) -> Quarantined and deleted successfully.

C:\WINDOWS\eqowusuyanami.dll (Trojan.Agent) -> Delete on reboot.


  • Staff

Hi,

I assume you already rebooted as well? If not, then please reboot, because MBAM still has to delete some files after reboot.

Also, I see you have been using Combofix previously, so please run it again (disable your Avira when you run it) and post the log (C:\Combofix.txt) in your next reply.


Hi - Actually, mbam rebooted itself and then came up with a log... I have run Combofix, but I had a problem with the Avira coming back on when Combofix rebooted the system... I hope it did not mess up the log for you... here it is

ComboFix 09-03-15.01 - Phil Llapitan 2009-03-20 19:38:49.2 - FAT32x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.221.92 [GMT -7:00]

Running from: F:\ComboFix.exe

AV: AntiVir Desktop *On-access scanning enabled* (Outdated)

.

((((((((((((((((((((((((( Files Created from 2009-02-21 to 2009-03-21 )))))))))))))))))))))))))))))))

.

2009-03-20 14:26 . 2009-03-20 14:26 <DIR> d-------- c:\documents and settings\Phil Llapitan\Application Data\Malwarebytes

2009-03-20 14:26 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-03-20 14:26 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-03-20 08:25 . 2009-03-20 08:25 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-03-20 08:25 . 2009-03-20 08:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-03-19 13:03 . 2009-03-19 13:03 <DIR> d-------- c:\program files\Avira

2009-03-19 13:03 . 2009-03-19 13:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira

2009-03-19 13:03 . 2009-02-13 11:31 55,640 --a------ c:\windows\system32\drivers\avgntflt.sys

2009-03-17 18:54 . 2009-03-17 18:54 <DIR> d--hs---- C:\FOUND.003

2009-03-17 05:55 . 2009-03-17 05:55 2,713 ---hs---- c:\windows\system32\rubiromu.exe

2009-03-16 11:54 . 2009-03-16 11:54 2,713 ---hs---- c:\windows\system32\lohukehi.exe

2009-03-15 17:52 . 2009-03-15 17:52 2,713 ---hs---- c:\windows\system32\posidiha.exe

2009-03-14 13:55 . 2009-03-14 13:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files

2009-03-14 13:02 . 2009-03-14 13:02 <DIR> d-------- c:\documents and settings\mom\Application Data\VERITAS

2009-03-14 12:42 . 2009-03-14 12:42 <DIR> d-------- c:\documents and settings\mom

2009-03-14 12:23 . 2009-03-14 12:23 <DIR> d--hs---- C:\FOUND.002

2009-03-13 19:17 . 2009-03-13 19:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP

2009-03-13 19:16 . 2009-03-13 19:16 <DIR> d-------- c:\program files\Spyware Doctor

2009-03-13 19:07 . 2009-03-13 19:07 <DIR> d--hs---- C:\FOUND.001

2009-03-10 15:37 . 2009-03-10 15:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\f9f7

2009-03-10 15:33 . 2009-03-10 15:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\SupportSoft

2009-03-10 15:25 . 2009-03-10 15:25 <DIR> d--hs---- C:\FOUND.000

2009-03-10 14:38 . 2009-03-10 14:37 49,152 --a------ c:\windows\system32\dllcache\userinit.exe

2009-03-10 14:36 . 2009-03-10 14:37 2 --a------ C:\11259787

2009-03-09 22:52 . 2009-03-09 22:52 75 --a------ c:\windows\system32\dllcache\cb.tmp

2009-03-09 22:51 . 2009-03-09 22:51 <DIR> d--hs---- c:\documents and settings\All Users\Application Data\fe61ef9

2009-03-09 21:30 . 2009-03-09 21:30 <DIR> d-------- c:\program files\Microsoft Windows OneCare Live

2009-03-09 21:24 . 2007-05-30 09:50 287,934 --a------ c:\windows\ConnectWait.ico

2009-03-09 12:27 . 2009-03-09 23:10 442,368 --a------ C:\ffastunT.ffl

2009-03-09 09:30 . 2009-03-09 09:30 <DIR> d-------- c:\program files\Qwest

2009-03-09 09:29 . 2009-03-09 09:29 <DIR> d-------- c:\program files\Common Files\supportsoft

2009-03-09 09:29 . 2009-03-09 09:29 <DIR> d-------- c:\program files\Actiontec

2009-03-09 09:29 . 2009-03-09 09:29 <DIR> d-------- c:\program files\2Wire

2009-03-09 09:29 . 2004-02-14 09:19 143,360 --a------ c:\windows\GTRemove.exe

2009-03-09 09:27 . 2009-03-09 09:27 <DIR> d-------- c:\documents and settings\Phil Llapitan\Application Data\InstallShield

2009-03-08 22:45 . 2009-03-17 18:45 6,456 --ah----- c:\windows\system32\pekubofe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-07 15:11 0 ----a-w c:\documents and settings\Phil Llapitan\Application Data\wklnhst.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SiS Windows KeyHook"="c:\windows\System32\keyhook.exe" [2004-05-12 249856]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]

"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-09 28672]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 49152]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]

"StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 155648]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-03-12 114741]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"AGRSMMSG"="AGRSMMSG.exe" [2003-11-19 c:\windows\AGRSMMSG.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Utility Tray.lnk - c:\windows\system32\sistray.exe [2005-11-12 335872]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 237568]

Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-08-19 111376]

Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-02-20 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

"c:\\Program Files\\Qwest\\QuickConnect\\QuickConnect.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-03-19 108289]

R2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [2008-01-08 1213728]

S1 f742cf20;f742cf20;c:\windows\system32\drivers\f742cf20.sys --> c:\windows\system32\drivers\f742cf20.sys [?]

S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\drivers\BRGSp50.sys [2007-09-29 20608]

S3 StreamSurge;StreamSurge Driver (miniport);c:\windows\system32\DRIVERS\ss.sys --> c:\windows\system32\DRIVERS\ss.sys [?]

S3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);c:\windows\system32\drivers\ZD1211BU.sys [2007-09-29 477696]

S3 ZD1211BU(WLAN);IEEE 802.11g USB Wireless LAN(WLAN);c:\windows\system32\drivers\ZD1211BU.sys [2007-09-29 477696]

.

Contents of the 'Scheduled Tasks' folder

2009-03-20 c:\windows\Tasks\QuickConnectSupportTask.job

- c:\program files\Qwest\QuickConnect\QuickConnect.exe [2008-11-19 14:36]

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-MoneyAgent - c:\program files\Microsoft Money\System\mnyexpr.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-20 19:44:03

Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\ANALOG DEVICES\SOUNDMAX\SPKRMON.EXE

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-03-20 19:49:36 - machine was rebooted [Phil Llapitan]

ComboFix-quarantined-files.txt 2009-03-21 02:49:30

Pre-Run: 20,218,707,968 bytes free

Post-Run: 20,147,552,256 bytes free

122 --- E O F --- 2009-01-15 04:05:14


  • Staff

Hi,

We're really making progress here - I guess you were lucky here. MBAM and Avira already deleted most, now we'll just have to deal with some leftovers :(

* Open Notepad - don't use any other text editor than Notepad or the script will fail.

Copy/paste the text in the quotebox below into notepad:

File::

c:\windows\system32\drivers\f742cf20.sys

c:\windows\system32\rubiromu.exe

c:\windows\system32\lohukehi.exe

c:\windows\system32\posidiha.exe

Dirlook::

c:\documents and settings\All Users\Application Data\fe61ef9

c:\documents and settings\All Users\Application Data\f9f7

Driver::

f742cf20

Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


Hello - sorry it took me so long to get back. I have done the CFScript, run Combofix and here is my log from that :( Thank you for your patience!

ComboFix 09-03-19.02 - Phil Llapitan 2009-03-21 20:12:05.3 - FAT32x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.221.68 [GMT -7:00]

Running from: c:\combofix\ComboFix.exe

Command switches used :: c:\documents and settings\Phil Llapitan\Desktop\CFScript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Updated)

* Created a new restore point

FILE ::

c:\windows\system32\drivers\f742cf20.sys

c:\windows\system32\lohukehi.exe

c:\windows\system32\posidiha.exe

c:\windows\system32\rubiromu.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\lohukehi.exe

c:\windows\system32\posidiha.exe

c:\windows\system32\rubiromu.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_f742cf20

((((((((((((((((((((((((( Files Created from 2009-02-22 to 2009-03-22 )))))))))))))))))))))))))))))))

.

2009-03-20 14:26 . 2009-03-20 14:26 <DIR> d-------- c:\documents and settings\Phil Llapitan\Application Data\Malwarebytes

2009-03-20 14:26 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-03-20 14:26 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-03-20 08:25 . 2009-03-20 08:25 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-03-20 08:25 . 2009-03-20 08:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-03-19 13:03 . 2009-03-19 13:03 <DIR> d-------- c:\program files\Avira

2009-03-19 13:03 . 2009-03-19 13:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira

2009-03-19 13:03 . 2009-02-13 11:31 55,640 --a------ c:\windows\system32\drivers\avgntflt.sys

2009-03-17 18:54 . 2009-03-17 18:54 <DIR> d--hs---- C:\FOUND.003

2009-03-14 13:55 . 2009-03-14 13:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files

2009-03-14 13:02 . 2009-03-14 13:02 <DIR> d-------- c:\documents and settings\mom\Application Data\VERITAS

2009-03-14 12:42 . 2009-03-14 12:42 <DIR> d-------- c:\documents and settings\mom

2009-03-14 12:23 . 2009-03-14 12:23 <DIR> d--hs---- C:\FOUND.002

2009-03-13 19:17 . 2009-03-13 19:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP

2009-03-13 19:16 . 2009-03-13 19:16 <DIR> d-------- c:\program files\Spyware Doctor

2009-03-13 19:07 . 2009-03-13 19:07 <DIR> d--hs---- C:\FOUND.001

2009-03-10 15:37 . 2009-03-10 15:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\f9f7

2009-03-10 15:33 . 2009-03-10 15:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\SupportSoft

2009-03-10 15:25 . 2009-03-10 15:25 <DIR> d--hs---- C:\FOUND.000

2009-03-10 14:38 . 2009-03-10 14:37 49,152 --a------ c:\windows\system32\dllcache\userinit.exe

2009-03-10 14:36 . 2009-03-10 14:37 2 --a------ C:\11259787

2009-03-09 22:52 . 2009-03-09 22:52 75 --a------ c:\windows\system32\dllcache\cb.tmp

2009-03-09 22:51 . 2009-03-09 22:51 <DIR> d--hs---- c:\documents and settings\All Users\Application Data\fe61ef9

2009-03-09 21:30 . 2009-03-09 21:30 <DIR> d-------- c:\program files\Microsoft Windows OneCare Live

2009-03-09 21:24 . 2007-05-30 09:50 287,934 --a------ c:\windows\ConnectWait.ico

2009-03-09 12:27 . 2009-03-09 23:10 442,368 --a------ C:\ffastunT.ffl

2009-03-09 09:30 . 2009-03-09 09:30 <DIR> d-------- c:\program files\Qwest

2009-03-09 09:29 . 2009-03-09 09:29 <DIR> d-------- c:\program files\Common Files\supportsoft

2009-03-09 09:29 . 2009-03-09 09:29 <DIR> d-------- c:\program files\Actiontec

2009-03-09 09:29 . 2009-03-09 09:29 <DIR> d-------- c:\program files\2Wire

2009-03-09 09:29 . 2004-02-14 09:19 143,360 --a------ c:\windows\GTRemove.exe

2009-03-09 09:27 . 2009-03-09 09:27 <DIR> d-------- c:\documents and settings\Phil Llapitan\Application Data\InstallShield

2009-03-08 22:45 . 2009-03-17 18:45 6,456 --ah----- c:\windows\system32\pekubofe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-07 15:11 0 ----a-w c:\documents and settings\Phil Llapitan\Application Data\wklnhst.dat

.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

---- Directory of c:\documents and settings\All Users\Application Data\f9f7 ----

2009-03-10 15:38 3282 --a------ c:\documents and settings\All Users\Application Data\f9f7\unins000.dat

---- Directory of c:\documents and settings\All Users\Application Data\fe61ef9 ----

2009-03-10 15:35 12378 --a------ c:\documents and settings\All Users\Application Data\fe61ef9\System Data\vd952342.bd

2008-10-09 13:50 1741 --a------ c:\documents and settings\All Users\Application Data\fe61ef9\BackUp\Kodak EasyShare software.lnk

2006-03-17 18:32 665 --a------ c:\documents and settings\All Users\Application Data\fe61ef9\BackUp\Microsoft Find Fast.lnk

2006-01-31 17:09 1712 --a------ c:\documents and settings\All Users\Application Data\fe61ef9\BackUp\HP Digital Imaging Monitor.lnk

2005-11-12 13:39 1417 --a------ c:\documents and settings\All Users\Application Data\fe61ef9\BackUp\Utility Tray.lnk

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SiS Windows KeyHook"="c:\windows\System32\keyhook.exe" [2004-05-12 249856]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]

"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-09 28672]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 49152]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]

"StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 155648]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-03-12 114741]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"AGRSMMSG"="AGRSMMSG.exe" [2003-11-19 c:\windows\AGRSMMSG.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Utility Tray.lnk - c:\windows\system32\sistray.exe [2005-11-12 335872]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 237568]

Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-08-19 111376]

Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-02-20 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

"c:\\Program Files\\Qwest\\QuickConnect\\QuickConnect.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-03-19 108289]

S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\drivers\BRGSp50.sys [2007-09-29 20608]

S3 StreamSurge;StreamSurge Driver (miniport);c:\windows\system32\DRIVERS\ss.sys --> c:\windows\system32\DRIVERS\ss.sys [?]

S3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);c:\windows\system32\drivers\ZD1211BU.sys [2007-09-29 477696]

S3 ZD1211BU(WLAN);IEEE 802.11g USB Wireless LAN(WLAN);c:\windows\system32\drivers\ZD1211BU.sys [2007-09-29 477696]

--- Other Services/Drivers In Memory ---

*Deregistered* - Dhcp

*Deregistered* - Dnscache

*Deregistered* - ERSvc

*Deregistered* - EventSystem

*Deregistered* - FastUserSwitchingCompatibility

*Deregistered* - helpsvc

*Deregistered* - HTTPFilter

*Deregistered* - lanmanserver

*Deregistered* - lanmanworkstation

*Deregistered* - LmHosts

*Deregistered* - Netman

*Deregistered* - Nla

*Deregistered* - Pml Driver HPZ12

*Deregistered* - PolicyAgent

*Deregistered* - ProtectedStorage

*Deregistered* - RasMan

*Deregistered* - RpcSs

*Deregistered* - SamSs

*Deregistered* - Schedule

*Deregistered* - seclogon

*Deregistered* - SENS

*Deregistered* - SharedAccess

*Deregistered* - ShellHWDetection

*Deregistered* - spkrmon

*Deregistered* - Spooler

*Deregistered* - sprtlisten

*Deregistered* - srservice

*Deregistered* - SSDPSRV

*Deregistered* - stisvc

*Deregistered* - TapiSrv

*Deregistered* - TermService

*Deregistered* - Themes

*Deregistered* - TrkWks

*Deregistered* - W32Time

*Deregistered* - WebClient

*Deregistered* - winmgmt

*Deregistered* - wscsvc

*Deregistered* - WZCSVC

.

Contents of the 'Scheduled Tasks' folder

2009-03-20 c:\windows\Tasks\QuickConnectSupportTask.job

- c:\program files\Qwest\QuickConnect\QuickConnect.exe [2008-11-19 14:36]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-21 20:17:31

Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\ANALOG DEVICES\SOUNDMAX\SPKRMON.EXE

c:\program files\COMMON FILES\SUPPORTSOFT\BIN\SPRTLISTEN.EXE

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-03-21 20:22:49 - machine was rebooted

ComboFix-quarantined-files.txt 2009-03-22 03:22:44

ComboFix2.txt 2009-03-21 02:49:40

Pre-Run: 20,205,404,160 bytes free

Post-Run: 20,040,941,568 bytes free

182 --- E O F --- 2009-01-15 04:05:14

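A note on reading the log above: the helper's "looks OK" verdict comes from walking the Files Created, Reg Loading Points and firewall-policy sections by hand and recognising what is normal (chkdsk's FOUND.NNN folders, Office's ffastun index, vendor Run entries) versus what is not (a hidden, extension-less file in system32, random hex-named directories under Application Data, a two-byte file dropped in the drive root, a firewall switched off). The script below is an added example, not part of the thread or of ComboFix: it encodes those same checks as heuristics over ComboFix-style lines. The sample input reuses entries of the shape printed in the log; the Run entry that points into a Temp folder and the user path in it are constructed for the example, and the thresholds and allow-list are this example's own choices, not ComboFix's.

```python
"""Triage heuristics for a ComboFix log (constructed example, not part of the forum thread).

Flags the entries a malware-removal helper looks at first: hidden or
system-attributed files outside the places Windows puts them, random
hex-named directories under Application Data or in the drive root,
extension-less files in system32, .tmp files in dllcache, autorun entries
launching from user-writable locations, and a disabled firewall.
The line formats mirror ComboFix's "Files Created" and "Reg Loading Points"
sections; the allow-list and thresholds are this example's own choices.
"""
import re

# "created . modified  size|<DIR>  attrs  path" as printed in the Files Created section
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+?)\s*$",
    re.IGNORECASE,
)
# "name"="path" [date size] as printed under the Run keys
RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"', re.IGNORECASE)
FIREWALL_LINE = re.compile(r'^"EnableFirewall"=\s*(?P<value>\d+)', re.IGNORECASE)

CHKDSK_DIR = re.compile(r"^[a-z]:\\FOUND\.\d{3}$", re.IGNORECASE)  # chkdsk recovery folders, legit
RANDOM_NAME = re.compile(r"^[0-9a-f]{4,}$", re.IGNORECASE)          # e.g. f9f7, fe61ef9, 11259787
USER_WRITABLE = ("\\temp\\", "\\application data\\", "\\local settings\\", "\\locals~1\\")


def assess_file(path, attrs, size):
    """Return the reasons a Files Created entry deserves a look (empty list = nothing odd)."""
    reasons = []
    low = path.lower()
    parts = low.split("\\")
    name = parts[-1]
    stem = name.rsplit(".", 1)[0]
    is_dir = size.upper() == "<DIR>"

    if CHKDSK_DIR.match(path):
        return reasons  # FOUND.NNN is what chkdsk leaves behind; hidden+system there is normal
    if "h" in attrs or "s" in attrs:
        reasons.append("hidden/system attribute (%s)" % attrs)
    if RANDOM_NAME.match(stem) and ("\\application data\\" in low or len(parts) == 2):
        reasons.append("random-looking name '%s'" % name)
    if not is_dir and "." not in name and "\\system32\\" in low:
        reasons.append("extension-less file in system32")
    if not is_dir and low.endswith(".tmp") and "\\dllcache\\" in low:
        reasons.append("temp file in dllcache")
    return reasons


def triage(log_text):
    """Scan ComboFix-style lines; return {path_or_key: [reasons]} for everything worth checking."""
    findings = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_LINE.match(line)
        if m:
            reasons = assess_file(m["path"], m["attrs"], m["size"])
            if reasons:
                findings[m["path"]] = reasons
            continue
        m = FIREWALL_LINE.match(line)
        if m and m["value"] == "0":
            findings["EnableFirewall"] = ["Windows Firewall disabled in the standard profile"]
            continue
        m = RUN_LINE.match(line)
        if m and any(marker in m["path"].lower() for marker in USER_WRITABLE):
            findings[m["name"]] = ["autorun launches from user-writable path: " + m["path"]]
    return findings


# Constructed sample: entries of the shape ComboFix prints. The "winlogqn" Run
# line and its user path are made up for this example.
SAMPLE_LOG = r"""
2009-03-14 12:23 . 2009-03-14 12:23 <DIR> d--hs---- C:\FOUND.002
2009-03-10 15:37 . 2009-03-10 15:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\f9f7
2009-03-10 14:38 . 2009-03-10 14:37 49,152 --a------ c:\windows\system32\dllcache\userinit.exe
2009-03-10 14:36 . 2009-03-10 14:37 2 --a------ C:\11259787
2009-03-09 22:52 . 2009-03-09 22:52 75 --a------ c:\windows\system32\dllcache\cb.tmp
2009-03-09 22:51 . 2009-03-09 22:51 <DIR> d--hs---- c:\documents and settings\All Users\Application Data\fe61ef9
2009-03-09 12:27 . 2009-03-09 23:10 442,368 --a------ C:\ffastunT.ffl
2009-03-08 22:45 . 2009-03-17 18:45 6,456 --ah----- c:\windows\system32\pekubofe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"winlogqn"="c:\docume~1\user\locals~1\temp\winlogqn.exe" [2009-03-10 49152]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

if __name__ == "__main__":
    for item, reasons in triage(SAMPLE_LOG).items():
        print(item)
        for r in reasons:
            print("    -", r)
```

The allow-list matters as much as the flags: without the FOUND.NNN exception every chkdsk run would light up as a hidden system directory, and a tool that cries wolf on normal entries is ignored. Treat the output as a reading list for the human, not as a removal list; ComboFix itself decides nothing on the strength of these heuristics.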

  • Staff

Hi,

This looks OK again.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.


Thank you for all of your help and patience. The system seems to be running well... I have it online and am checking out the programs that she has on it. It so far seems to be ok :( I can let you know if there are any further problems? Have a pleasant week ~ Diane D.


  • Staff

Hi Diane, glad we could help. :(

Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!


  • Staff

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
