
Appreciate any help



Hi,

Would appreciate any help.

I ran Malwarebytes and here is the log file (log file from HijackThis follows)

Malwarebytes' Anti-Malware 1.40

Database version: 2718

Windows 5.1.2600 Service Pack 2

9/2/2009 4:35:59 PM

mbam-log-2009-09-02 (16-35-56).txt

Scan type: Quick Scan

Objects scanned: 97561

Time elapsed: 6 minute(s), 2 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 1

Registry Values Infected: 1

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 36

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\Documents and Settings\Geovision\Local Settings\Temp\tmp.tmp (Malware.Packer) -> No action taken.

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{51716c09-6b08-4ccf-b526-718e912c0573} (Trojan.GamesThief) -> No action taken.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{51716c09-6b08-4ccf-b526-718e912c0573} (Trojan.GamesThief) -> No action taken.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Downloader) -> Data: c:\windows\system32\userinit.exe -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Downloader) -> Data: system32\userinit.exe -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\Geovision\Local Settings\Temp\tmp.tmp (Malware.Packer) -> No action taken.

C:\WINDOWS\system32\PERrGx5DkqSbQdwauCRQH.dll (Trojan.GamesThief) -> No action taken.

C:\Documents and Settings\Geovision\Local Settings\Temp\108328_xeex.exe (Spyware.OnlineGames) -> No action taken.

C:\Documents and Settings\Geovision\Local Settings\Temp\71562_xeex.exe (Spyware.OnlineGames) -> No action taken.

C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\FVZ3W1KY\cqsj9m[1].exe (Trojan.Dropper) -> No action taken.

C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\FVZ3W1KY\dhwd9m[1].exe (Trojan.Dropper) -> No action taken.

C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\FVZ3W1KY\kx9m[1].exe (Trojan.Dropper) -> No action taken.

C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\FVZ3W1KY\mhxu9m1[1].exe (Spyware.OnlineGames) -> No action taken.

C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\FVZ3W1KY\qq3g9m[1].exe (Spyware.OnlineGames) -> No action taken.

C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\FVZ3W1KY\sx9m[1].exe (Trojan.Dropper) -> No action taken.

C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\FVZ3W1KY\tx29m[1].exe (Trojan.Dropper) -> No action taken.

C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\FVZ3W1KY\wl9m[1].exe (Trojan.Dropper) -> No action taken.

C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\FVZ3W1KY\zx9m[1].exe (Trojan.Dropper) -> No action taken.

C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\JUIVGFOX\CJSH9M[1].exe (Trojan.Dropper) -> No action taken.

C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\JUIVGFOX\dh29m[1].exe (Spyware.OnlineGames) -> No action taken.

C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\JUIVGFOX\dj9m[1].exe (Trojan.Dropper) -> No action taken.

C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\JUIVGFOX\dnf9m[1].exe (Spyware.OnlineGames) -> No action taken.

C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\JUIVGFOX\hx29m[1].exe (Trojan.Dropper) -> No action taken.

C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\JUIVGFOX\jxsj9m[1].exe (Trojan.Dropper) -> No action taken.

C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\JUIVGFOX\jz9m[1].exe (Spyware.OnlineGames) -> No action taken.

C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\JUIVGFOX\mhxu9m[1].exe (Spyware.OnlineGames) -> No action taken.

C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\JUIVGFOX\RXCQ9m[1].exe (Trojan.Dropper) -> No action taken.

C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\JUIVGFOX\wd9m[1].exe (Trojan.Dropper) -> No action taken.

C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\JUIVGFOX\xc9m[1].exe (Trojan.Dropper) -> No action taken.

C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\JUIVGFOX\zt9m[1].exe (Trojan.Dropper) -> No action taken.

C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\N4M0SKG5\qqhx9m[1].exe (Spyware.OnlineGames) -> No action taken.

C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\N4M0SKG5\wmgj9m[1].exe (Trojan.Dropper) -> No action taken.

C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\N4M0SKG5\yxd9m[1].exe (Spyware.OnlineGames) -> No action taken.

C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\N4M0SKG5\zu9m[1].exe (Spyware.OnlineGames) -> No action taken.

C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\N4M0SKG5\zzh9m[1].exe (Spyware.OnlineGames) -> No action taken.

C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\WRU5W7PE\dh39m[1].exe (Trojan.Dropper) -> No action taken.

C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\WRU5W7PE\jr9m[1].exe (Trojan.Dropper) -> No action taken.

C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\WRU5W7PE\mu9m[1].exe (Trojan.Dropper) -> No action taken.

C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\WRU5W7PE\MXD9m[1].exe (Trojan.Dropper) -> No action taken.

C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\WRU5W7PE\rxjh9m[1].exe (Trojan.Dropper) -> No action taken.

C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\WRU5W7PE\tl9m[1].exe (Spyware.OnlineGames) -> No action taken.

HijackThis log file

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:19:47 PM, on 9/2/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Maxtor\Sync\SyncServices.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Service Pack 3 Internet Explorer

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: xunlei Class - {21910D9A-058E-95F2-642F-95A6E221C648} - C:\WINDOWS\TUIKNKMV.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL

O2 - BHO: xunlei Class - {84CA70D3-777F-2BFF-136F-DC274F669D53} - C:\WINDOWS\BUBJDXQUGSPAB.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll

O2 - BHO: xunlei Class - {EEE9A750-3BC5-5D98-B423-C38B641E10F3} - C:\WINDOWS\VOEMAQZCTCLF.dll

O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll

O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000

O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: qqrrftfx.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O21 - SSODL: MSNServiceObj - {AD26AC5F-8421-419C-8692-ED0FE1FE74D8} - C:\Program Files\Messenger\msmsgs.dll (file missing)

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: bnetroighv - Unknown owner - C:\Program Files\byrinwwuvlcnloe\iqsvpyqnfipbg.exe (file missing)

O23 - Service: CAZXE - Unknown owner - C:\Program Files\XIKWTHRW0S\0RICFOB.EXE (file missing)

O23 - Service: dasno - Unknown owner - C:\WINDOWS\system32\dasno.exe (file missing)

O23 - Service: dbsno - Unknown owner - C:\WINDOWS\system32\dbsno.exe (file missing)

O23 - Service: ddsno - Unknown owner - C:\WINDOWS\system32\ddsno.exe (file missing)

O23 - Service: desno - Unknown owner - C:\WINDOWS\system32\desno.exe (file missing)

O23 - Service: dfsno - Unknown owner - C:\WINDOWS\system32\dfsno.exe (file missing)

O23 - Service: dgsno - Unknown owner - C:\WINDOWS\system32\dgsno.exe (file missing)

O23 - Service: dkjno - Unknown owner - C:\WINDOWS\system32\dkjno.exe (file missing)

O23 - Service: dojno - Unknown owner - C:\WINDOWS\system32\dojno.exe (file missing)

O23 - Service: dsjno - Unknown owner - C:\WINDOWS\system32\dsjno.exe (file missing)

O23 - Service: dteno - Unknown owner - C:\WINDOWS\system32\dtesm.exe (file missing)

O23 - Service: dtjealqpijxfzj - Unknown owner - C:\Program Files\lewtfsevdhz\swpzyugw.exe (file missing)

O23 - Service: Intcrface Pdby Prohdure (gerbassmn) - Unknown owner - C:\WINDOWS\system32\Miekcsr.exe (file missing)

O23 - Service: H3KJ16M - Unknown owner - C:\Program Files\4DXJGE43B1O2\7MWZ6KDVV.EXE (file missing)

O23 - Service: hkyoulbzkasgllw - Unknown owner - C:\Program Files\pvldytpnxyuv\wnfiaujgh.exe (file missing)

O23 - Service: jmotuqyw - Unknown owner - C:\Program Files\zdvqqnbivm\gvpdspdjxjblfph.exe (file missing)

O23 - Service: jtesm - Unknown owner - C:\WINDOWS\system32\jtesm.exe (file missing)

O23 - Service: jzchqigczupkmo - Unknown owner - C:\Program Files\jtpwnpuqnkr\qlikorojp.exe (file missing)

O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe

O23 - Service: nbjyaqolmamr - Unknown owner - C:\Program Files\vnwnxfcza\cnptyhwsbnauoy.exe (file missing)

O23 - Service: nckhnmfsh - Unknown owner - C:\Program Files\nnxxkutfvrltyt\ufrklvnzeox.exe (file missing)

O23 - Service: pvcofbbdcpiawre - Unknown owner - C:\Program Files\qgpecipqynjo\xhirdkrka.exe (file missing)

O23 - Service: pxjuzimzc - Unknown owner - C:\Program Files\qivjdqaeppeknv\xbpxxscgrmr.exe (file missing)

O23 - Service: qteno - Unknown owner - C:\WINDOWS\system32\otesm.exe (file missing)

O23 - Service: Ris tptfypuwcgweo (Risuuzijhguscjnsfe) - Unknown owner - C:\Program Files\Intel\phvuhaxaeaz.EXE (file missing)

O23 - Service: rlqynxwwajy - Unknown owner - C:\Program Files\awdnjfsk\hwwtlhmdywmpgb.exe (file missing)

O23 - Service: sejno - Unknown owner - C:\WINDOWS\system32\syjno.exe (file missing)

O23 - Service: sksno - Unknown owner - C:\WINDOWS\system32\sksno.exe (file missing)

O23 - Service: spqoydygccns - Unknown owner - C:\Program Files\sbcdvlmmy\ztwjwnonapcdihg.exe (file missing)

O23 - Service: sssno - Unknown owner - C:\WINDOWS\system32\sssno.exe (file missing)

O23 - Service: steno - Unknown owner - C:\WINDOWS\system32\stesm.exe (file missing)

O23 - Service: tteno - Unknown owner - C:\WINDOWS\system32\wtesm.exe (file missing)

O23 - Service: uewzzrjrc - Unknown owner - C:\Program Files\vxjovzxwqcxqgw\cpcbxbzxazj.exe (file missing)

O23 - Service: ukaqjmbmfgj - Unknown owner - C:\Program Files\sbinnjeyevse\kwhthdjtcsxgu.exe (file missing)

O23 - Service: uucrimqlgqcyx - Unknown owner - C:\Program Files\xeowhdzltjh\ewhjifbf.exe (file missing)

O23 - Service: valjsxfk - Unknown owner - C:\Program Files\vlyyontpvnkho\kerdqpvjed.exe (file missing)

O23 - Service: wqtesm - Unknown owner - C:\WINDOWS\system32\wqtesm.exe (file missing)

O23 - Service: wrmkjjntgjpci - Unknown owner - C:\Program Files\xczafrbzth\eusfhsdavwdfgiu.exe (file missing)

O23 - Service: yasnp - Unknown owner - C:\WINDOWS\system32\yasnp.exe (file missing)

O23 - Service: zxfrldoilnl - Unknown owner - C:\Program Files\zqsghlco\gimtjnepaazlr.exe (file missing)

--

End of file - 10045 bytes

Tried running Malwarebytes multiple times but cannot remove the virus. Would appreciate help on this.

Thanks

dm

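A note on the HijackThis log, added here as an example and not part of dm's post or of the HijackThis tool: four kinds of entry in it are worth flagging automatically. The O4 Run/RunOnce entries sit under the service-account hives (S-1-5-18, S-1-5-19, S-1-5-20 and .DEFAULT) rather than a real user's hive; the O20 AppInit_DLLs value names qqrrftfx.dll, which Windows loads into every process that links user32.dll; three "xunlei Class" BHOs point at DLLs dropped straight into C:\WINDOWS; and dozens of O23 services have an unknown owner and a missing binary, that is, orphaned service registrations. The script below parses HJT-format lines and applies those four rules. The sample lines are copied from the log above (trimmed to ten entries); the rule names, and the choice to treat a bare %WINDIR% DLL as suspicious, are this example's own assumptions. Also worth noting: every line of the Malwarebytes log reads "No action taken", so that scan removed nothing.

```python
import re

# Lines copied from the HijackThis log posted above (trimmed to a few
# representative entries). Everything else in this block is added triage
# logic, not output of HijackThis.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: xunlei Class - {21910D9A-058E-95F2-642F-95A6E221C648} - C:\WINDOWS\TUIKNKMV.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKUS\S-1-5-19\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O20 - AppInit_DLLs: qqrrftfx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: bnetroighv - Unknown owner - C:\Program Files\byrinwwuvlcnloe\iqsvpyqnfipbg.exe (file missing)
O23 - Service: dasno - Unknown owner - C:\WINDOWS\system32\dasno.exe (file missing)
"""

# HijackThis prefixes every entry with a section tag (R0, O2, O4, O23, ...).
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")

# Per-user hives of the built-in service accounts. On a desktop nothing
# legitimate normally registers Run/RunOnce entries under these.
SERVICE_ACCOUNT_HIVES = (
    r"HKUS\S-1-5-18",   # SYSTEM
    r"HKUS\S-1-5-19",   # LOCAL SERVICE
    r"HKUS\S-1-5-20",   # NETWORK SERVICE
    r"HKUS\.DEFAULT",   # Default user
)

# A BHO DLL sitting directly in C:\WINDOWS (not system32, not Program Files).
# Treating this as suspicious is an assumption of this example.
WINDIR_ROOT_DLL = re.compile(r"^C:\\WINDOWS\\[^\\]+\.dll$", re.IGNORECASE)


def parse_hjt(text):
    """Split HijackThis output into {section, body, raw} entries."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append({"section": m["section"], "body": m["body"], "raw": raw.strip()})
    return entries


def triage(entries):
    """Apply persistence-oriented rules; returns (rule_name, raw_line) pairs.

    Rule names and thresholds are this example's own choices (assumption).
    """
    findings = []
    for e in entries:
        sec, body = e["section"], e["body"]
        path = body.rsplit(" - ", 1)[-1]          # last " - " field is the file path
        if sec == "O2" and (path == "(no file)" or WINDIR_ROOT_DLL.match(path)):
            findings.append(("bho_suspicious_path", e["raw"]))
        elif sec == "O4" and body.startswith(SERVICE_ACCOUNT_HIVES):
            findings.append(("autorun_under_service_account", e["raw"]))
        elif sec == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            # AppInit_DLLs is loaded into every process that links user32.dll.
            findings.append(("appinit_dll", e["raw"]))
        elif sec == "O23" and "Unknown owner" in body and body.endswith("(file missing)"):
            # Registered service whose binary is gone: an orphan registration to clean up.
            findings.append(("orphan_service", e["raw"]))
    return findings


if __name__ == "__main__":
    for rule, line in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{rule:32s} {line}")
```

Run against the full log the O23 rule alone fires on 41 of the 43 services listed; the two it leaves alone (AVG and Maxtor) have a named vendor and an existing binary. The AVG and Yahoo entries in the sample are there to show the rules stay quiet on ordinary software.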

Hello and welcome to the forum!

Run a scan with RootRepeal, followed by DDS, a scanner tool, so I can see the current condition of your machine.

Also, please provide a description of any remaining problems or symptoms you may still have.

Download and run RootRepeal CR

Please download RootRepeal from the following location and save it to your desktop.

  • Unzip the RootRepeal.zip file to its own folder (if you did not use the "Direct Download" mirror to download RootRepeal).
  • Close/disable all other programs, especially your security programs (anti-spyware, anti-virus, and firewall). Refer to this page if you are unsure how.
  • Physically disconnect your machine from the internet, as your system will be unprotected.
  • Double-click on RootRepeal.exe to run it. If you are using Vista, please right-click and run as Administrator.
  • Click the Report tab at the bottom.
  • Now press the Scan button.
  • A box will pop up; check the boxes beside all seven options/scan areas.
  • Now click OK.
  • Another box will open; check the boxes beside all the drives, e.g. C:\, then click OK.
  • The scan will take a little while to run, so let it go unhindered.
  • Once it is done, click the Save Report button.
  • Save it as RepealScan to your desktop.
  • Reconnect to the internet.
  • Post the contents of that log in your reply please.

Download and run DDS

We need to see some information about what is happening in your machine. Please perform the following scan:

  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double-click on the DDS icon and allow it to run.
  • A small box will open with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results soon.
  • Follow the instructions that pop up for posting the results and then click OK.
  • The black window and message box will then disappear.
  • Please save both log files to your desktop, post DDS.txt, and zip up and attach Attach.txt as instructed.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

Also, please provide a description of any remaining problems or symptoms you may still have.

With Regards,

Extremeboy


There you go, Extremeboy.

RootRepeal log file data

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/09/04 23:29

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP2

==================================================

Drivers

-------------------

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xEEC6A000 Size: 98304 File Visible: No Signed: -

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xF7B02000 Size: 8192 File Visible: No Signed: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xEE982000 Size: 49152 File Visible: No Signed: -

Status: -

Name: xnovlfwc.sys

Image Path: xnovlfwc.sys

Address: 0xF75D6000 Size: 61440 File Visible: No Signed: -

Status: -

Hidden/Locked Files

-------------------

Path: C:\hiberfil.sys

Status: Locked to the Windows API!

SSDT

-------------------

#: 177 Function Name: NtQueryValueKey

Status: Hooked by "C:\WINDOWS\system32\drivers\qqrrftfx.sys" at address 0xf7b5a7e2

Stealth Objects

-------------------

Object: Hidden Module [Name: qqrrftfx.dll]

Process: winlogon.exe (PID: 648) Address: 0x14960000 Size: 90112

Object: Hidden Module [Name: qqrrftfx.dll]

Process: services.exe (PID: 692) Address: 0x14960000 Size: 90112

Object: Hidden Module [Name: qqrrftfx.dll]

Process: lsass.exe (PID: 704) Address: 0x14960000 Size: 90112

Object: Hidden Module [Name: qqrrftfx.dll]

Process: svchost.exe (PID: 856) Address: 0x14960000 Size: 90112

Object: Hidden Module [Name: qqrrftfx.dll]

Process: svchost.exe (PID: 924) Address: 0x14960000 Size: 90112

Object: Hidden Module [Name: qqrrftfx.dll]

Process: svchost.exe (PID: 964) Address: 0x14960000 Size: 90112

Object: Hidden Module [Name: qqrrftfx.dll]

Process: svchost.exe (PID: 1032) Address: 0x14960000 Size: 90112

Object: Hidden Module [Name: qqrrftfx.dll]

Process: svchost.exe (PID: 1084) Address: 0x14960000 Size: 90112

Object: Hidden Module [Name: qqrrftfx.dll]

Process: spoolsv.exe (PID: 1276) Address: 0x14960000 Size: 90112

Object: Hidden Module [Name: qqrrftfx.dll]

Process: avgwdsvc.exe (PID: 1392) Address: 0x14960000 Size: 90112

Object: Hidden Module [Name: qqrrftfx.dll]

Process: SyncServices.exe (PID: 1512) Address: 0x14960000 Size: 90112

Object: Hidden Module [Name: qqrrftfx.dll]

Process: SeaPort.exe (PID: 1704) Address: 0x14960000 Size: 90112

Object: Hidden Module [Name: qqrrftfx.dll]

Process: avgnsx.exe (PID: 2024) Address: 0x14960000 Size: 90112

Object: Hidden Module [Name: qqrrftfx.dll]

Process: explorer.exe (PID: 340) Address: 0x14960000 Size: 90112

Object: Hidden Module [Name: qqrrftfx.dll]

Process: svchost.exe (PID: 412) Address: 0x14960000 Size: 90112

Object: Hidden Module [Name: qqrrftfx.dll]

Process: alg.exe (PID: 1680) Address: 0x14960000 Size: 90112

Object: Hidden Module [Name: qqrrftfx.dll]

Process: ctfmon.exe (PID: 2112) Address: 0x14960000 Size: 90112

Object: Hidden Module [Name: qqrrftfx.dll]

Process: RootRepeal.exe (PID: 3412) Address: 0x14960000 Size: 90112

==EOF==

And I have attached Attach.txt. Appreciate your help.

Regards

dm

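The RootRepeal report above shows one name in two places: a kernel driver qqrrftfx.sys hooking SSDT entry 177 (NtQueryValueKey, the syscall behind registry value reads), and a hidden module qqrrftfx.dll mapped at the same address in every listed process, from winlogon.exe down to RootRepeal.exe itself. That pairing, with the "O20 - AppInit_DLLs: qqrrftfx.dll" line in the earlier HijackThis log, is what to look for when reading such a report: a kernel component positioned to filter what user-mode tools see, backed by a DLL injected everywhere. The parser and correlation step below is an added example, not part of dm's post or of RootRepeal. The excerpt is copied from the report above (trimmed to two drivers, the hook and three of the hidden-module entries); the "bare image path" rule for drivers such as xnovlfwc.sys is a heuristic of this example and a prompt to look closer, not a verdict.

```python
import os
import re

# Excerpt copied from the RootRepeal report posted above (Drivers, SSDT and
# Stealth Objects sections, trimmed). The parsing and correlation code is
# added here and is not part of RootRepeal.
SAMPLE_REPORT = r"""
Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEE982000 Size: 49152 File Visible: No Signed: -
Status: -

Name: xnovlfwc.sys
Image Path: xnovlfwc.sys
Address: 0xF75D6000 Size: 61440 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\qqrrftfx.sys" at address 0xf7b5a7e2

Stealth Objects
-------------------
Object: Hidden Module [Name: qqrrftfx.dll]
Process: winlogon.exe (PID: 648) Address: 0x14960000 Size: 90112

Object: Hidden Module [Name: qqrrftfx.dll]
Process: services.exe (PID: 692) Address: 0x14960000 Size: 90112

Object: Hidden Module [Name: qqrrftfx.dll]
Process: lsass.exe (PID: 704) Address: 0x14960000 Size: 90112
"""

SECTION_NAMES = {"Drivers", "Hidden/Locked Files", "SSDT", "Stealth Objects"}
RE_FUNC = re.compile(r"^#:\s*(\d+)\s+Function Name:\s*(\S+)")
RE_HOOK = re.compile(r'^Status:\s*Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)')
RE_HIDDEN = re.compile(r"^Object: Hidden Module \[Name: ([^\]]+)\]")
RE_PROC = re.compile(r"^Process:\s*(\S+)\s+\(PID:\s*(\d+)\)\s+Address:\s*(0x[0-9a-fA-F]+)\s+Size:\s*(\d+)")


def parse_rootrepeal(text):
    """Pull drivers, SSDT hooks and hidden modules out of a RootRepeal report."""
    report = {"drivers": [], "ssdt_hooks": [], "hidden_modules": []}
    section, pending = None, None            # pending = multi-line record being built
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_NAMES:
            section, pending = line, None
            continue
        if section == "Drivers":
            if line.startswith("Name:"):
                pending = {"name": line[len("Name:"):].strip(), "image_path": ""}
                report["drivers"].append(pending)
            elif line.startswith("Image Path:") and pending is not None:
                pending["image_path"] = line[len("Image Path:"):].strip()
        elif section == "SSDT":
            m = RE_FUNC.match(line)
            if m:
                pending = {"index": int(m.group(1)), "function": m.group(2)}
                continue
            m = RE_HOOK.match(line)
            if m and pending is not None:
                pending.update(module=m.group(1), address=m.group(2))
                report["ssdt_hooks"].append(pending)
                pending = None
        elif section == "Stealth Objects":
            m = RE_HIDDEN.match(line)
            if m:
                pending = {"name": m.group(1)}
                continue
            m = RE_PROC.match(line)
            if m and pending is not None:
                report["hidden_modules"].append({**pending, "process": m.group(1),
                                                 "pid": int(m.group(2)),
                                                 "address": m.group(3), "size": int(m.group(4))})
                pending = None
    return report


def stem(path):
    """Base name without extension, lower-cased, so the .sys and .dll compare equal."""
    return os.path.splitext(os.path.basename(path.replace("\\", "/")))[0].lower()


def correlate(report):
    """Tie each SSDT hook to same-named hidden user-mode modules; flag odd drivers."""
    findings = []
    for hook in report["ssdt_hooks"]:
        procs = sorted({m["process"] for m in report["hidden_modules"]
                        if stem(m["name"]) == stem(hook["module"])})
        findings.append({"kind": "ssdt_hook", "function": hook["function"],
                         "driver": hook["module"], "paired_module_in": procs})
    for drv in report["drivers"]:
        # Heuristic (assumption): a kernel driver whose image path is a bare file
        # name rather than a full path deserves a second look.
        if not re.match(r"^([A-Za-z]:\\|\\)", drv["image_path"]):
            findings.append({"kind": "driver_relative_image_path",
                             "driver": drv["name"], "image_path": drv["image_path"]})
    return findings


if __name__ == "__main__":
    for f in correlate(parse_rootrepeal(SAMPLE_REPORT)):
        print(f)
```

On the full report the hook pairs with qqrrftfx.dll in all seventeen listed processes; a hidden module that is present in the scanner's own process is also a reminder that user-mode results from that machine cannot be fully trusted, which is why the helper moves on to an offline-style tool next.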

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days from the last day I replied initially, the topic will need to be closed.

Thanks for understanding.

With Regards,

Extremeboy


Hello.

Thanks for those logs. You appear to have quite a few infections on your system.

We are going to start with ComboFix.

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:

ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.

Link 1

Link 2

Please refer to this page for full instructions on how to run ComboFix.

  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.

Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please do NOT mouse-click ComboFix's window while it is running, because it may cause it to stall.

~Extremeboy


There you go, Extremeboy. I have attached it as well.

thx

dm

ComboFix 09-09-08.02 - Geovision 09/08/2009 17:41.1.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1016.654 [GMT 1:00]

Running from: c:\documents and settings\Geovision\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\desktop.ini

C:\RECYC.exe

c:\windows\AppPatch\AcXtrnel.dll

c:\windows\Downloaded Program Files\2yhusbzAYuevSnXtW.Ttf

c:\windows\Downloaded Program Files\CgMnxhFV2Qa68TsVz.Ttf

c:\windows\Downloaded Program Files\JjedvMTDtPyqp9ZTrgw.Ttf

c:\windows\Downloaded Program Files\NFesCyNNswv2Crfru.Ttf

c:\windows\Downloaded Program Files\u9A2PqtvjkJkzBcJxZbPc.Ttf

c:\windows\Downloaded Program Files\uMub3WCE6aZ3nFgrYRX.Ttf

c:\windows\Downloaded Program Files\xW6JeYmCY9e3yf5KD.Ttf

c:\windows\Downloaded Program Files\ZK26EzBfBUG8P9s8d.Ttf

c:\windows\Fonts\2knxWtVjbWXmUdGG.Ttf

c:\windows\Fonts\6e6EUdxVeWUYJynN.Ttf

c:\windows\Fonts\AjrMtd1HXvFm.Ttf

c:\windows\Fonts\AP2aBkXfCnZZwkTu.Ttf

c:\windows\Fonts\avJ9SdDwMd9Qzt.Ttf

c:\windows\Fonts\CcKKcpwJmND4.Ttf

c:\windows\Fonts\cD9KArZZUHxCqnyM.Ttf

c:\windows\Fonts\cFDPmh3MDPjcHMPd.Ttf

c:\windows\Fonts\CRp3uYCmcxMp3qQn9.Ttf

c:\windows\Fonts\CSzZ3gVtf.Ttf

c:\windows\Fonts\du3Q2JXbHYGxcSAe.Ttf

c:\windows\Fonts\e38H8kRkk.Ttf

c:\windows\Fonts\EEUJgNKN6xmNqKr6.Ttf

c:\windows\Fonts\eSEWZRdrSK3NeEJVy4.Ttf

c:\windows\Fonts\FCvvnT2B.Ttf

c:\windows\Fonts\FRSUApxKxh4aqhh4TnMqpe.Ttf

c:\windows\Fonts\FTQ3Xu3wZEZsJ358S.Ttf

c:\windows\Fonts\G8qZ5hBX7H.Ttf

c:\windows\Fonts\GanWM9z57VChEAfV.Ttf

c:\windows\Fonts\GbWrTV56WV24M.Ttf

c:\windows\Fonts\GD9xUjmZ8vHS5Vj.Ttf

c:\windows\Fonts\gfq7ymgpkp.Ttf

c:\windows\Fonts\HXxfduw9KeQTCeP6Z.Ttf

c:\windows\Fonts\jcPMKqwuVC7J.Ttf

c:\windows\Fonts\K7XaTBMWp8TPrYgw.Ttf

c:\windows\Fonts\KzAMjdYaws6f395.Ttf

c:\windows\Fonts\pDuuqr4BgFn65AeW.Ttf

c:\windows\Fonts\PeMTdMfqzpGTb5ps.Ttf

c:\windows\Fonts\pqgXk4S6U25v6f.Ttf

c:\windows\Fonts\qP2N8HTHkmGRq5.Ttf

c:\windows\Fonts\Qq3qg7RGSp9raxWW.Ttf

c:\windows\Fonts\qWskzsQA6.Ttf

c:\windows\Fonts\RCZbVbjCY6wYszD3.Ttf

c:\windows\Fonts\Rfs3DRdsUfkma5.Ttf

c:\windows\Fonts\rgBuFNZP2MWF7WQjA.Ttf

c:\windows\Fonts\S8a8cnEuaydPJGg8.Ttf

c:\windows\Fonts\sUfa6DfmrK.Ttf

c:\windows\Fonts\T8EkDVD578wpyAdP.Ttf

c:\windows\Fonts\tBeuadwPppCBnDUPgJH7P6.Ttf

c:\windows\Fonts\uawyv9Pr.Ttf

c:\windows\Fonts\urgU7WBMQ.Ttf

c:\windows\Fonts\usMywhxbgf5N8e9u6.Ttf

c:\windows\Fonts\uytczRnGV8NUp.Ttf

c:\windows\Fonts\VDcvXDH5px.Ttf

c:\windows\Fonts\Vx53f7Scj63HVHDE.Ttf

c:\windows\Fonts\vztr58qstaca8y8j.Ttf

c:\windows\Fonts\WD7eC3pJvgmYQYNwrVP.Ttf

c:\windows\Fonts\WFsARAucm7DAuX8.Ttf

c:\windows\Fonts\Wt2KuAXTXmrRUbAq.Ttf

c:\windows\Fonts\xSvCE2272aekx.Ttf

c:\windows\Fonts\yGMHUAj5Npydj8FZ.Ttf

c:\windows\Fonts\yHguCdqt6hp2.Ttf

c:\windows\Fonts\yrMyUq1ke.Ttf

c:\windows\Fonts\YywxhF7TSnkktrJw.Ttf

c:\windows\Fonts\Z3tcgfaZ.Ttf

c:\windows\PAXHCD0A.EXE

c:\windows\RYM531DN0T07.EXE

c:\windows\Tasks\SgF9z49Ph7g5UNpM.ico

c:\windows\W2UQ75.EXE

c:\windows\YB0Q1N1141.EXE

c:\windows\YLWVOVCCQP.EXE

c:\windows\ZZCWNB.EXE

c:\windows\system32\userinit.exe . . . is infected!!

c:\windows\system32\comres.dll . . . is infected!!

c:\windows\system32\drivers\asyncmac.sys . . . is missing!!

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_6TO4

-------\Legacy_IAS

-------\Legacy_IPRIP

-------\Legacy_KLAN

-------\Legacy_NWCWORKSTATION

-------\Legacy_NWSAPAGENT

-------\Legacy_PORTING

-------\Legacy_WMISVC

-------\Service_6to4

-------\Service_Ias

-------\Service_Iprip

-------\Service_NWCWorkstation

-------\Service_Nwsapagent

((((((((((((((((((((((((( Files Created from 2009-08-08 to 2009-09-08 )))))))))))))))))))))))))))))))

.

2009-09-06 20:53 . 2008-10-16 13:06 268648 ----a-w- c:\windows\system32\mucltui.dll

2009-09-06 13:52 . 2009-09-06 13:52 -------- d-sh--w- c:\documents and settings\Geovision\IECompatCache

2009-09-06 13:44 . 2009-09-06 13:44 -------- d-sh--w- c:\documents and settings\Geovision\PrivacIE

2009-09-02 16:19 . 2009-09-02 16:19 -------- d-----w- c:\program files\Trend Micro

2009-08-31 10:44 . 2009-08-31 10:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-08-29 19:06 . 2009-08-29 19:06 -------- d-----w- c:\documents and settings\Geovision\Application Data\Malwarebytes

2009-08-29 19:05 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-29 19:05 . 2009-08-29 19:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-29 19:05 . 2009-08-29 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-08-29 19:05 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-21 05:36 . 2009-08-21 05:36 -------- dc-h--w- c:\windows\ie8

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-08 16:26 . 2009-07-31 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2009-09-06 20:46 . 2009-07-31 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar

2009-08-23 07:21 . 2009-07-31 01:22 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-08-23 07:21 . 2009-07-31 01:21 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-08-23 07:21 . 2009-07-31 01:21 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-08-21 05:40 . 2009-04-14 21:05 -------- d-----w- c:\program files\Google

2009-08-09 00:22 . 2009-08-01 16:00 -------- d-----w- c:\program files\xnsjkdiacqsb

2009-08-09 00:22 . 2009-07-22 23:36 -------- d-----w- c:\program files\XIKWTHRW0S

2009-08-09 00:22 . 2009-08-03 20:32 -------- d-----w- c:\program files\wkdxkkcw

2009-08-09 00:22 . 2009-07-31 02:07 -------- d-----w- c:\program files\xgzqugwmrstoxl

2009-08-09 00:22 . 2009-07-22 22:53 -------- d-----w- c:\program files\WMUGAXR

2009-08-09 00:20 . 2009-08-03 21:05 -------- d-----w- c:\program files\vqievceso

2009-08-09 00:20 . 2009-07-31 00:30 -------- d-----w- c:\program files\vnwnxfcza

2009-08-09 00:20 . 2009-07-31 02:13 -------- d-----w- c:\program files\tbxnlphnqljx

2009-08-09 00:20 . 2009-07-31 01:48 -------- d-----w- c:\program files\uhkjyhzmxgtl

2009-08-09 00:20 . 2009-07-20 21:08 -------- d-----w- c:\program files\R0974Q3IE

2009-08-09 00:20 . 2009-07-18 23:14 -------- d-----w- c:\program files\sbcdvlmmy

2009-08-09 00:20 . 2009-07-31 01:00 -------- d-----w- c:\program files\qivjdqaeppeknv

2009-08-09 00:20 . 2009-07-21 00:01 -------- d-----w- c:\program files\qgpecipqynjo

2009-08-09 00:20 . 2009-07-31 01:52 -------- d-----w- c:\program files\oopyrxlgnb

2009-08-09 00:20 . 2009-07-20 18:47 -------- d-----w- c:\program files\nnxxkutfvrltyt

2009-08-09 00:14 . 2009-08-01 16:06 -------- d-----w- c:\program files\jxtsibzbmrtjzeo

2009-08-09 00:14 . 2009-07-31 20:59 -------- d-----w- c:\program files\jwtpcqkoxymeir

2009-08-09 00:09 . 2009-07-31 02:28 -------- d-----w- c:\program files\bftrruzlyibxxk

2009-08-09 00:09 . 2009-07-29 03:38 -------- d-----w- c:\program files\awdnjfsk

2009-08-09 00:09 . 2009-07-25 07:19 -------- d-----w- c:\program files\byrinwwuvlcnloe

2009-08-09 00:09 . 2009-07-22 22:57 -------- d-----w- c:\program files\273LIR

2009-08-09 00:09 . 2009-07-20 23:41 -------- d-----w- c:\program files\4DXJGE43B1O2

2009-08-06 00:44 . 2009-07-22 22:22 -------- d-----w- c:\program files\zqsghlco

2009-08-06 00:44 . 2009-07-21 21:56 -------- d-----w- c:\program files\xczafrbzth

2009-08-06 00:44 . 2009-07-25 07:22 -------- d-----w- c:\program files\xeowhdzltjh

2009-08-06 00:44 . 2009-07-20 20:38 -------- d-----w- c:\program files\vlyyontpvnkho

2009-08-06 00:44 . 2009-07-21 22:10 -------- d-----w- c:\program files\vxjovzxwqcxqgw

2009-08-06 00:44 . 2009-07-21 22:03 -------- d-----w- c:\program files\sbinnjeyevse

2009-08-06 00:44 . 2009-07-25 19:19 -------- d-----w- c:\program files\jtpwnpuqnkr

2009-08-06 00:44 . 2009-07-22 17:33 -------- d-----w- c:\program files\zdvqqnbivm

2009-08-06 00:43 . 2009-07-29 03:45 -------- d-----w- c:\program files\pvldytpnxyuv

2009-08-06 00:43 . 2009-07-23 18:59 -------- d-----w- c:\program files\lewtfsevdhz

2009-07-31 01:22 . 2009-07-31 01:22 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2009-07-31 01:21 . 2009-07-31 01:21 -------- d-----w- c:\program files\AVG

2009-07-31 01:15 . 2009-07-29 03:49 -------- d-----w- c:\documents and settings\Geovision\Application Data\U3

2009-07-31 00:46 . 2009-07-31 00:39 1106 ----a-w- c:\windows\system32\info.dat

2009-07-23 11:57 . 2009-07-23 11:57 661352 ----a-w- C:\autoruns.exe

2009-07-23 11:57 . 2009-07-23 11:57 553832 ----a-w- C:\autorunsc.exe

2009-07-22 22:57 . 2009-07-22 22:57 28672 ----a-w- c:\windows\BUBJDXQUGSPAB.dll

2009-07-22 22:53 . 2009-07-22 22:53 28672 ----a-w- c:\windows\VOEMAQZCTCLF.dll

2009-07-20 21:08 . 2009-07-20 21:08 28672 ----a-w- c:\windows\TUIKNKMV.dll

2009-07-18 23:16 . 2009-07-18 23:16 -------- d-----w- c:\program files\Common Files\Thunder Network

2009-07-18 23:15 . 2009-07-18 23:15 -------- d-----w- c:\program files\Common Files\Java

2009-07-18 23:14 . 2009-07-18 23:14 -------- d-----w- c:\program files\Intel

2009-07-18 23:06 . 2009-07-18 23:06 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!

2009-07-03 21:45 . 2008-12-26 11:36 66144 -c--a-w- c:\documents and settings\Geovision\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2008-12-25 01:59 . 2008-12-25 01:59 60516 -c--a-w- c:\program files\mozilla firefox\components\jar50.dll

2008-12-25 01:59 . 2008-12-25 01:59 49246 -c--a-w- c:\program files\mozilla firefox\components\jsd3250.dll

2008-12-25 01:59 . 2008-12-25 01:59 165990 -c--a-w- c:\program files\mozilla firefox\components\xpinstal.dll

.

------- Sigcheck -------

[-] 2006-01-06 . 2A4818AEA80ACD2C95D7D92D2F3155F8 . 360448 . . [5.1.2600.2688] . . c:\windows\system32\drivers\tcpip.sys

[-] 2006-01-09 . C3B84871DECE94E335B96FAFD756316C . 2187904 . . [5.1.2600.2765] . . c:\windows\system32\ntoskrnl.exe

[-] 2006-01-06 . 2DEACA71A7FD77205F59D48D76B2F565 . 1075200 . . [6.00.2900.2649] . . c:\windows\explorer.exe

[-] 2004-09-01 . 1C08FD2DA2E9D11916BB07982ADB69D1 . 24576 . . [5.1.2600.2180] . . c:\windows\system32\userinit.exe

c:\windows\system32\comres.dll ... is missing !!

c:\windows\system32\qmgr.dll ... is missing !!

c:\windows\system32\drivers\asyncmac.sys ... is missing !!

c:\windows\system32\mspmsnsv.dll ... is missing !!

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{21910D9A-058E-95F2-642F-95A6E221C648}]

2009-07-20 21:08 28672 ----a-w- c:\windows\TUIKNKMV.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{84CA70D3-777F-2BFF-136F-DC274F669D53}]

2009-07-22 22:57 28672 ----a-w- c:\windows\BUBJDXQUGSPAB.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2009-07-24 08:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE9A750-3BC5-5D98-B423-C38B641E10F3}]

2009-07-22 22:53 28672 ----a-w- c:\windows\VOEMAQZCTCLF.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-23 2007832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nlsf"="move" [X]

"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-09-01 44544]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoLogoff"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{4894F5C2-169D-4DAC-A982-444B9BDB3AC4}"= "c:\windows\Downloaded Program Files\UYTbcaZtxE23MEzKGQ.cur" [2009-09-08 22016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-23 07:21 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"443:TCP"= 443:TCP:ooVoo TCP port 443

"443:UDP"= 443:UDP:ooVoo UDP port 443

"37674:TCP"= 37674:TCP:ooVoo TCP port 37674

"37674:UDP"= 37674:UDP:ooVoo UDP port 37674

"37675:UDP"= 37675:UDP:ooVoo UDP port 37675

R2 bnetroighv;bnetroighv;c:\program files\byrinwwuvlcnloe\iqsvpyqnfipbg.exe [x]

R2 CAZXE;CAZXE;c:\program files\XIKWTHRW0S\0RICFOB.EXE [x]

R2 dasno;dasno;c:\windows\system32\dasno.exe [x]

R2 dbsno;dbsno;c:\windows\system32\dbsno.exe [x]

R2 ddsno;ddsno;c:\windows\system32\ddsno.exe [x]

R2 desno;desno;c:\windows\system32\desno.exe [x]

R2 dfsno;dfsno;c:\windows\system32\dfsno.exe [x]

R2 dgsno;dgsno;c:\windows\system32\dgsno.exe [x]

R2 dkjno;dkjno;c:\windows\system32\dkjno.exe [x]

R2 dojno;dojno;c:\windows\system32\dojno.exe [x]

R2 dsjno;dsjno;c:\windows\system32\dsjno.exe [x]

R2 dteno;dteno;c:\windows\system32\dtesm.exe [x]

R2 dtjealqpijxfzj;dtjealqpijxfzj;c:\program files\lewtfsevdhz\swpzyugw.exe [x]

R2 gerbassmn;Intcrface Pdby Prohdure;c:\windows\system32\Miekcsr.exe [x]

R2 H3KJ16M;H3KJ16M;c:\program files\4DXJGE43B1O2\7MWZ6KDVV.EXE [x]

R2 hkyoulbzkasgllw;hkyoulbzkasgllw;c:\program files\pvldytpnxyuv\wnfiaujgh.exe [x]

R2 jmotuqyw;jmotuqyw;c:\program files\zdvqqnbivm\gvpdspdjxjblfph.exe [x]

R2 jtesm;jtesm;c:\windows\system32\jtesm.exe [x]

R2 jzchqigczupkmo;jzchqigczupkmo;c:\program files\jtpwnpuqnkr\qlikorojp.exe [x]

R2 nbjyaqolmamr;nbjyaqolmamr;c:\program files\vnwnxfcza\cnptyhwsbnauoy.exe [x]

R2 nckhnmfsh;nckhnmfsh;c:\program files\nnxxkutfvrltyt\ufrklvnzeox.exe [x]

R2 PCIEDump;PCIEDump;c:\windows\system32\drivers\qqrrftfx.sys [x]

R2 pvcofbbdcpiawre;pvcofbbdcpiawre;c:\program files\qgpecipqynjo\xhirdkrka.exe [x]

R2 pxjuzimzc;pxjuzimzc;c:\program files\qivjdqaeppeknv\xbpxxscgrmr.exe [x]

R2 qteno;qteno;c:\windows\system32\otesm.exe [x]

R2 Risuuzijhguscjnsfe;Ris tptfypuwcgweo;c:\program files\Intel\phvuhaxaeaz.EXE lwqrdbdfqzcdphn [x]

R2 rlqynxwwajy;rlqynxwwajy;c:\program files\awdnjfsk\hwwtlhmdywmpgb.exe [x]

R2 sejno;sejno;c:\windows\system32\syjno.exe [x]

R2 sksno;sksno;c:\windows\system32\sksno.exe [x]

R2 spqoydygccns;spqoydygccns;c:\program files\sbcdvlmmy\ztwjwnonapcdihg.exe [x]

R2 sssno;sssno;c:\windows\system32\sssno.exe [x]

R2 steno;steno;c:\windows\system32\stesm.exe [x]

R2 tteno;tteno;c:\windows\system32\wtesm.exe [x]

R2 uewzzrjrc;uewzzrjrc;c:\program files\vxjovzxwqcxqgw\cpcbxbzxazj.exe [x]

R2 ukaqjmbmfgj;ukaqjmbmfgj;c:\program files\sbinnjeyevse\kwhthdjtcsxgu.exe [x]

R2 uucrimqlgqcyx;uucrimqlgqcyx;c:\program files\xeowhdzltjh\ewhjifbf.exe [x]

R2 valjsxfk;valjsxfk;c:\program files\vlyyontpvnkho\kerdqpvjed.exe [x]

R2 wqtesm;wqtesm;c:\windows\system32\wqtesm.exe [x]

R2 wrmkjjntgjpci;wrmkjjntgjpci;c:\program files\xczafrbzth\eusfhsdavwdfgiu.exe [x]

R2 yasnp;yasnp;c:\windows\system32\yasnp.exe [x]

R2 zxfrldoilnl;zxfrldoilnl;c:\program files\zqsghlco\gimtjnepaazlr.exe [x]

R3 AGV;AGV;c:\windows\system32\drivers\AGV.sys [2006-12-04 189112]

R3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2008-12-08 533344]

R3 GV800S;GV800S;c:\windows\system32\drivers\GV800S.sys [2007-03-29 82224]

S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-23 335240]

S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-07-31 108552]

S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-23 297752]

S2 fssfltr;fssfltr;c:\windows\system32\DRIVERS\fssfltr_tdi.sys [2008-12-08 55136]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

- - - - ORPHANS REMOVED - - - -

SSODL-MSNServiceObj-{AD26AC5F-8421-419C-8692-ED0FE1FE74D8} - c:\program files\Messenger\msmsgs.dll

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Geovision\Application Data\Mozilla\Firefox\Profiles\oryvhb3o.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-08 17:49

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2252)

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Maxtor\Sync\SyncServices.exe

c:\program files\AVG\AVG8\avgrsx.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\progra~1\AVG\AVG8\avgnsx.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-09-08 17:57 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-08 16:57

Pre-Run: 2,750,029,824 bytes free

Post-Run: 2,685,046,784 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect


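The ComboFix log above shows three load points that a clean Windows XP machine would not have in that state: the Winlogon Userinit value pointing at explorer.exe instead of userinit.exe, the Windows Firewall disabled (EnableFirewall = 0), and a ShellExecuteHooks entry whose COM server is a .cur file under Downloaded Program Files. The PowerShell below is an added, read-only check of those same load points; it is not part of this thread, of ComboFix or of any tool mentioned here. The expected defaults it compares against (userinit.exe with a trailing comma, Shell = Explorer.exe, firewall enabled, and shell32's URL Exec Hook {AEB6717E-7E19-11d0-97EE-00C04FD91972} as the only stock ShellExecuteHooks entry) are assumptions for a default XP install, and the function names are this example's own.

```powershell
# Added example, not from the thread: compare a few Winlogon/Explorer load
# points against assumed stock Windows XP defaults and report deviations.
# Read-only; run from an elevated PowerShell prompt.

# Assumed defaults for a stock XP install (the log shows all three tampered with).
$ValueChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'Userinit'; Expected = "$env:SystemRoot\system32\userinit.exe," },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'Shell';    Expected = 'Explorer.exe' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
       Name = 'EnableFirewall'; Expected = 1 }
)

# Assumed: shell32's URL Exec Hook is the only ShellExecuteHooks entry on a stock XP system.
$KnownHooks = @('{AEB6717E-7E19-11d0-97EE-00C04FD91972}')
$HooksKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
$System32   = [regex]::Escape((Join-Path $env:SystemRoot 'system32'))

function Test-LoadPointValues {
    foreach ($c in $ValueChecks) {
        $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $actual = if ($item) { $item.($c.Name) } else { $null }
        $status = if ($null -eq $actual) { 'MISSING' }
                  elseif ("$actual" -ieq "$($c.Expected)") { 'OK' }
                  else { 'SUSPECT' }
        New-Object PSObject -Property @{
            Status = $status; Name = $c.Name; Actual = $actual; Expected = $c.Expected
        }
    }
}

function Test-ShellExecuteHooks {
    $key = Get-Item -Path $HooksKey -ErrorAction SilentlyContinue
    if (-not $key) { return }
    foreach ($clsid in $key.Property) {
        # Resolve the in-process COM server that Explorer loads for this hook.
        $srv    = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        $server = if ($srv) { $srv.'(default)' } else { $null }
        # A hook that is not the known default, is not a .dll, or lives outside
        # system32 (like the .cur file in the log) is flagged for a closer look.
        $status = if ($KnownHooks -contains $clsid) { 'OK' }
                  elseif ($server -and ($server -notmatch '\.dll$' -or $server -notmatch "^$System32\\")) { 'SUSPECT' }
                  else { 'REVIEW' }
        New-Object PSObject -Property @{ Status = $status; CLSID = $clsid; Server = $server }
    }
}

Test-LoadPointValues   | Format-Table Status, Name, Actual, Expected -AutoSize
Test-ShellExecuteHooks | Format-Table Status, CLSID, Server -AutoSize
```

Against the state in the log this would report Userinit and EnableFirewall as SUSPECT and the {4894F5C2-...} hook as SUSPECT because its server is a .cur outside system32; anything marked REVIEW is a non-default hook that at least points at a DLL in system32 and needs a manual look rather than an automatic verdict.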

Hello.

Sorry for not replying earlier, I almost missed this thread in my subscriptions... Anyways, let's continue. Sorry for the short delay.

You have quite a few infected system files here, as well as a bunch of other infections on your machine. One of them is a backdoor.

---

Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

---

If you wish to continue follow the steps below...

You don't have Service Pack 3 installed, which is good, as we can install that later; if there is no good replacement for certain files, using the service pack can help us. Don't install it just yet, please. Follow my instructions and we can deal with this effectively and efficiently.

Continue with the following...

---

Delete the existing Combofix.exe you currently have. Re-download one from one of those 2 links I linked above and save it to your desktop.

Run ComboFix with CFScript

We will run ComboFix again. This time it will be slightly different from the initial run.

  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste ALL of the contents of the text in the codebox below into it:
    http://www.malwarebytes.org/forums/index.php?showtopic=23222
    Collect::[68]
    c:\windows\BUBJDXQUGSPAB.dll
    c:\windows\VOEMAQZCTCLF.dll
    c:\windows\TUIKNKMV.dll
    c:\program files\byrinwwuvlcnloe\iqsvpyqnfipbg.exe
    c:\program files\XIKWTHRW0S\0RICFOB.EXE
    c:\windows\system32\dasno.exe
    c:\windows\system32\dbsno.exe
    c:\windows\system32\ddsno.exe
    c:\windows\system32\desno.exe
    c:\windows\system32\dfsno.exe
    c:\windows\system32\dgsno.exe
    c:\windows\system32\dkjno.exe
    c:\windows\system32\dojno.exe
    c:\windows\system32\dsjno.exe
    c:\windows\system32\dtesm.exe
    c:\program files\lewtfsevdhz\swpzyugw.exe
    c:\windows\system32\Miekcsr.exe
    c:\program files\4DXJGE43B1O2\7MWZ6KDVV.EXE
    c:\program files\pvldytpnxyuv\wnfiaujgh.exe
    c:\program files\zdvqqnbivm\gvpdspdjxjblfph.exe
    c:\windows\system32\jtesm.exe
    c:\program files\jtpwnpuqnkr\qlikorojp.exe
    c:\program files\vnwnxfcza\cnptyhwsbnauoy.exe
    c:\program files\nnxxkutfvrltyt\ufrklvnzeox.exe
    c:\windows\system32\drivers\qqrrftfx.sys
    c:\program files\qgpecipqynjo\xhirdkrka.exe
    c:\program files\qivjdqaeppeknv\xbpxxscgrmr.exe
    c:\windows\system32\otesm.exe
    c:\program files\Intel\phvuhaxaeaz.EXE lwqrdbdfqzcdphn
    c:\program files\awdnjfsk\hwwtlhmdywmpgb.exe
    c:\windows\system32\syjno.exe
    c:\windows\system32\sksno.exe
    c:\program files\sbcdvlmmy\ztwjwnonapcdihg.exe
    c:\windows\system32\sssno.exe
    c:\windows\system32\stesm.exe
    c:\windows\system32\wtesm.exe
    c:\program files\vxjovzxwqcxqgw\cpcbxbzxazj.exe
    c:\program files\sbinnjeyevse\kwhthdjtcsxgu.exe
    c:\program files\xeowhdzltjh\ewhjifbf.exe
    c:\program files\vlyyontpvnkho\kerdqpvjed.exe
    c:\windows\system32\wqtesm.exe
    c:\program files\xczafrbzth\eusfhsdavwdfgiu.exe
    c:\windows\system32\yasnp.exe
    c:\program files\zqsghlco\gimtjnepaazlr.exe
    Folder::
    c:\program files\xnsjkdiacqsb
    c:\program files\XIKWTHRW0S
    c:\program files\wkdxkkcw
    c:\program files\xgzqugwmrstoxl
    c:\program files\WMUGAXR
    c:\program files\vqievceso
    c:\program files\vnwnxfcza
    c:\program files\tbxnlphnqljx
    c:\program files\uhkjyhzmxgtl
    c:\program files\R0974Q3IE
    c:\program files\sbcdvlmmy
    c:\program files\qivjdqaeppeknv
    c:\program files\qgpecipqynjo
    c:\program files\oopyrxlgnb
    c:\program files\nnxxkutfvrltyt
    c:\program files\jxtsibzbmrtjzeo
    c:\program files\jwtpcqkoxymeir
    c:\program files\bftrruzlyibxxk
    c:\program files\awdnjfsk
    c:\program files\byrinwwuvlcnloe
    c:\program files\273LIR
    c:\program files\4DXJGE43B1O2
    c:\program files\zqsghlco
    c:\program files\xczafrbzth
    c:\program files\xeowhdzltjh
    c:\program files\vlyyontpvnkho
    c:\program files\vxjovzxwqcxqgw
    c:\program files\sbinnjeyevse
    c:\program files\jtpwnpuqnkr
    c:\program files\zdvqqnbivm
    c:\program files\pvldytpnxyuv
    c:\program files\lewtfsevdhz
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{21910D9A-058E-95F2-642F-95A6E221C648}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{84CA70D3-777F-2BFF-136F-DC274F669D53}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE9A750-3BC5-5D98-B423-C38B641E10F3}]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "nlsf"=-
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{4894F5C2-169D-4DAC-A982-444B9BDB3AC4}"=-
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoLogoff"=-
    Driver::
    bnetroighv
    CAZXE
    dasno
    dbsno
    ddsno
    desno
    dfsno
    dgsno
    dkjno
    dojno
    dsjno
    dteno
    dtjealqpijxfzj
    gerbassmn
    H3KJ16M
    hkyoulbzkasgllw
    jmotuqyw
    jtesm
    jzchqigczupkmo
    nbjyaqolmamr
    nckhnmfsh
    PCIEDump
    pvcofbbdcpiawre
    pxjuzimzc
    qteno
    Risuuzijhguscjnsfe
    rlqynxwwajy
    sejno
    sksno
    spqoydygccns
    sssno
    steno
    tteno
    uewzzrjrc
    ukaqjmbmfgj
    uucrimqlgqcyx
    valjsxfk
    wqtesm
    wrmkjjntgjpci
    yasnp
    zxfrldoilnl
    SysRst::
    SrPeek::
    c:\windows\system32\userinit.exe
    c:\windows\system32\comres.dll
    c:\windows\system32\drivers\asyncmac.sys

    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    CFScriptB-4.gif

  • Referring to the picture above, drag CFScript into ComboFix.exe.
  • When finished, it shall produce a log for you at "C:\ComboFix.txt"
  • Please post the contents of the Combofix log in your next reply.

Upload Samples by ComboFix

When Combofix finishes running, the ComboFix log will open along with a message box. With the above script, ComboFix captured some files to submit for analysis.

  • Important: Ensure you are connected to the internet before clicking OK on the message box.
  • A blue-screen would appear auto-uploading the zipped file I requested.
  • After the uploading is done you should see a message near the bottom saying "Upload was Succesfull".

**NOTE**

=================

  • IF for some reason ComboFix fails to upload anything, please do the following:
  • Go to Start >> My Computer > C:\
  • Then Navigate to the C:\Qoobox\Quarantine folder.
  • Find the archive zip file called "[68]-Submit_Date_Time.zip"
  • Simply go to This Channel and upload the submit.zip archive file to me.
  • Follow the instructions on that page to copy/paste/send the requested file.

Let me know how it goes and if the upload went successfully or not in your next reply.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link 1

  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware

  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it. (If you are using Vista, please right-click and select Run as administrator.)
  • A blank window shall open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy and Paste the content of the following codebox into the main textfield under "File":
    :filefind
    userinit.exe
    comres.dll
    asyncmac.sys
    ntoskrnl.exe
    tcpip.sys
    explorer.exe


  • Please confirm everything is copied and pasted as I have provided above.
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan.
  • Please ATTACH this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

2nd Note: The scan may take a while, from several seconds to a minute or more, depending on the number of files you have and how fast your computer can perform the task.

Thanks.

With Regards,

Extremeboy


Extremeboy,

I'll try to use your help in getting the viruses out, and if that doesn't work then I'll reformat it. And I appreciate your patience.

Here is the combofix file. I have posted the zip file using the info you provided. I have also attached the malwarebytes log file and systemlook log file.

Please let me know if I missed anything.

Thanks

dm

ComboFix 09-09-09.04 - Geovision 09/09/2009 21:25.2.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1016.613 [GMT 1:00]

Running from: c:\documents and settings\Geovision\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Geovision\Desktop\CFScript.txt

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

file zipped: c:\windows\BUBJDXQUGSPAB.dll

file zipped: c:\windows\TUIKNKMV.dll

file zipped: c:\windows\VOEMAQZCTCLF.dll

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\273LIR

c:\program files\4DXJGE43B1O2

c:\program files\awdnjfsk

c:\program files\bftrruzlyibxxk

c:\program files\byrinwwuvlcnloe

c:\program files\jtpwnpuqnkr

c:\program files\jwtpcqkoxymeir

c:\program files\jxtsibzbmrtjzeo

c:\program files\lewtfsevdhz

c:\program files\nnxxkutfvrltyt

c:\program files\oopyrxlgnb

c:\program files\pvldytpnxyuv

c:\program files\qgpecipqynjo

c:\program files\qivjdqaeppeknv

c:\program files\R0974Q3IE

c:\program files\sbcdvlmmy

c:\program files\sbinnjeyevse

c:\program files\tbxnlphnqljx

c:\program files\uhkjyhzmxgtl

c:\program files\vlyyontpvnkho

c:\program files\vnwnxfcza

c:\program files\vqievceso

c:\program files\vxjovzxwqcxqgw

c:\program files\wkdxkkcw

c:\program files\WMUGAXR

c:\program files\xczafrbzth

c:\program files\xeowhdzltjh

c:\program files\xgzqugwmrstoxl

c:\program files\XIKWTHRW0S

c:\program files\xnsjkdiacqsb

c:\program files\zdvqqnbivm

c:\program files\zqsghlco

c:\windows\BUBJDXQUGSPAB.dll

c:\windows\Downloaded Program Files\UYTBcaztxe23mezkgq.cur

c:\windows\SWEPVWJ17OXH.EXE

c:\windows\TUIKNKMV.dll

c:\windows\UDXVHFM16.EXE

c:\windows\VOEMAQZCTCLF.dll

c:\windows\system32\userinit.exe . . . is infected!!

c:\windows\system32\comres.dll . . . is infected!!

c:\windows\system32\drivers\asyncmac.sys . . . is missing!!

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_BNETROIGHV

-------\Legacy_CAZXE

-------\Legacy_DASNO

-------\Legacy_DBSNO

-------\Legacy_DDSNO

-------\Legacy_DESNO

-------\Legacy_DFSNO

-------\Legacy_DGSNO

-------\Legacy_DKJNO

-------\Legacy_DOJNO

-------\Legacy_DSJNO

-------\Legacy_DTENO

-------\Legacy_DTJEALQPIJXFZJ

-------\Legacy_GERBASSMN

-------\Legacy_H3KJ16M

-------\Legacy_HKYOULBZKASGLLW

-------\Legacy_JMOTUQYW

-------\Legacy_JTESM

-------\Legacy_JZCHQIGCZUPKMO

-------\Legacy_NBJYAQOLMAMR

-------\Legacy_NCKHNMFSH

-------\Legacy_PCIEDUMP

-------\Legacy_PVCOFBBDCPIAWRE

-------\Legacy_PXJUZIMZC

-------\Legacy_QTENO

-------\Legacy_RISUUZIJHGUSCJNSFE

-------\Legacy_RLQYNXWWAJY

-------\Legacy_SEJNO

-------\Legacy_SKSNO

-------\Legacy_SPQOYDYGCCNS

-------\Legacy_SSSNO

-------\Legacy_STENO

-------\Legacy_TTENO

-------\Legacy_UEWZZRJRC

-------\Legacy_UKAQJMBMFGJ

-------\Legacy_UUCRIMQLGQCYX

-------\Legacy_VALJSXFK

-------\Legacy_WQTESM

-------\Legacy_WRMKJJNTGJPCI

-------\Legacy_YASNP

-------\Legacy_ZXFRLDOILNL

-------\Service_bnetroighv

-------\Service_CAZXE

-------\Service_dasno

-------\Service_dbsno

-------\Service_ddsno

-------\Service_desno

-------\Service_dfsno

-------\Service_dgsno

-------\Service_dkjno

-------\Service_dojno

-------\Service_dsjno

-------\Service_dteno

-------\Service_dtjealqpijxfzj

-------\Service_gerbassmn

-------\Service_H3KJ16M

-------\Service_hkyoulbzkasgllw

-------\Service_jmotuqyw

-------\Service_jtesm

-------\Service_jzchqigczupkmo

-------\Service_nbjyaqolmamr

-------\Service_nckhnmfsh

-------\Service_PCIEDump

-------\Service_pvcofbbdcpiawre

-------\Service_pxjuzimzc

-------\Service_qteno

-------\Service_Risuuzijhguscjnsfe

-------\Service_rlqynxwwajy

-------\Service_sejno

-------\Service_sksno

-------\Service_spqoydygccns

-------\Service_sssno

-------\Service_steno

-------\Service_tteno

-------\Service_uewzzrjrc

-------\Service_ukaqjmbmfgj

-------\Service_uucrimqlgqcyx

-------\Service_valjsxfk

-------\Service_wqtesm

-------\Service_wrmkjjntgjpci

-------\Service_yasnp

-------\Service_zxfrldoilnl

((((((((((((((((((((((((( Files Created from 2009-08-09 to 2009-09-09 )))))))))))))))))))))))))))))))

.

2009-09-06 20:53 . 2008-10-16 13:06 268648 ----a-w- c:\windows\system32\mucltui.dll

2009-09-06 13:52 . 2009-09-06 13:52 -------- d-sh--w- c:\documents and settings\Geovision\IECompatCache

2009-09-06 13:44 . 2009-09-06 13:44 -------- d-sh--w- c:\documents and settings\Geovision\PrivacIE

2009-09-02 16:19 . 2009-09-02 16:19 -------- d-----w- c:\program files\Trend Micro

2009-08-31 10:44 . 2009-08-31 10:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-08-29 19:06 . 2009-08-29 19:06 -------- d-----w- c:\documents and settings\Geovision\Application Data\Malwarebytes

2009-08-29 19:05 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-29 19:05 . 2009-08-29 19:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-29 19:05 . 2009-08-29 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-08-29 19:05 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-21 05:36 . 2009-08-21 05:36 -------- dc-h--w- c:\windows\ie8

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-08 16:26 . 2009-07-31 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2009-09-06 20:46 . 2009-07-31 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar

2009-08-23 07:21 . 2009-07-31 01:22 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-08-23 07:21 . 2009-07-31 01:21 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-08-23 07:21 . 2009-07-31 01:21 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-08-21 05:40 . 2009-04-14 21:05 -------- d-----w- c:\program files\Google

2009-07-31 01:22 . 2009-07-31 01:22 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2009-07-31 01:21 . 2009-07-31 01:21 -------- d-----w- c:\program files\AVG

2009-07-31 01:15 . 2009-07-29 03:49 -------- d-----w- c:\documents and settings\Geovision\Application Data\U3

2009-07-31 00:46 . 2009-07-31 00:39 1106 ----a-w- c:\windows\system32\info.dat

2009-07-23 11:57 . 2009-07-23 11:57 661352 ----a-w- C:\autoruns.exe

2009-07-23 11:57 . 2009-07-23 11:57 553832 ----a-w- C:\autorunsc.exe

2009-07-18 23:16 . 2009-07-18 23:16 -------- d-----w- c:\program files\Common Files\Thunder Network

2009-07-18 23:15 . 2009-07-18 23:15 -------- d-----w- c:\program files\Common Files\Java

2009-07-18 23:14 . 2009-07-18 23:14 -------- d-----w- c:\program files\Intel

2009-07-18 23:06 . 2009-07-18 23:06 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!

2009-07-18 23:06 . 2009-07-18 23:06 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!

2009-07-03 21:45 . 2008-12-26 11:36 66144 -c--a-w- c:\documents and settings\Geovision\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2008-12-25 01:59 . 2008-12-25 01:59 60516 -c--a-w- c:\program files\mozilla firefox\components\jar50.dll

2008-12-25 01:59 . 2008-12-25 01:59 49246 -c--a-w- c:\program files\mozilla firefox\components\jsd3250.dll

2008-12-25 01:59 . 2008-12-25 01:59 165990 -c--a-w- c:\program files\mozilla firefox\components\xpinstal.dll

.

(((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

------- Sigcheck -------

[-] 2006-01-06 . 2A4818AEA80ACD2C95D7D92D2F3155F8 . 360448 . . [5.1.2600.2688] . . c:\windows\system32\drivers\tcpip.sys

[-] 2006-01-09 . C3B84871DECE94E335B96FAFD756316C . 2187904 . . [5.1.2600.2765] . . c:\windows\system32\ntoskrnl.exe

[-] 2004-09-01 . 1C08FD2DA2E9D11916BB07982ADB69D1 . 24576 . . [5.1.2600.2180] . . c:\windows\system32\userinit.exe

[-] 2006-01-06 . 2DEACA71A7FD77205F59D48D76B2F565 . 1075200 . . [6.00.2900.2649] . . c:\windows\explorer.exe

c:\windows\system32\drivers\asyncmac.sys ... is missing !!

c:\windows\system32\qmgr.dll ... is missing !!

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2009-07-24 08:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-23 2007832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-09-01 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-23 07:21 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"443:TCP"= 443:TCP:ooVoo TCP port 443

"443:UDP"= 443:UDP:ooVoo UDP port 443

"37674:TCP"= 37674:TCP:ooVoo TCP port 37674

"37674:UDP"= 37674:UDP:ooVoo UDP port 37674

"37675:UDP"= 37675:UDP:ooVoo UDP port 37675

R3 AGV;AGV;c:\windows\system32\drivers\AGV.sys [2006-12-04 189112]

R3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2008-12-08 533344]

R3 GV800S;GV800S;c:\windows\system32\drivers\GV800S.sys [2007-03-29 82224]

S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-23 335240]

S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-07-31 108552]

S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-23 297752]

S2 fssfltr;fssfltr;c:\windows\system32\DRIVERS\fssfltr_tdi.sys [2008-12-08 55136]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Geovision\Application Data\Mozilla\Firefox\Profiles\oryvhb3o.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-09 21:34

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3596)

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Maxtor\Sync\SyncServices.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\program files\AVG\AVG8\avgrsx.exe

c:\progra~1\AVG\AVG8\avgnsx.exe

.

**************************************************************************

.

Completion time: 2009-09-09 21:37 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-09 20:37

ComboFix2.txt 2009-09-08 16:57

Pre-Run: 2,674,049,024 bytes free

Post-Run: 2,654,560,256 bytes free

293

======

SystemLook.txt

mbam_log_2009_09_10__11_23_25_.txt


Hello again.

I'll try to use your help in getting the viruses out, and if that doesn't work then I'll reformat it. And I appreciate your patience.

Not that it's not going to work, but if you plan on formatting, why not do it now? If you are planning to format anyway, why waste the time here continuing with the disinfection process?

Anyway, if you do wish to continue, follow the instructions below; otherwise, please let me know. There is still some more work we need to do here before we are done.

There are a couple of odd things in the logs... Do the following...

Create and Run batch script

  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the word "quote".
    @ECHO OFF
    REM Requires a command-line zip tool (zip.exe) on the PATH; without one no archive is produced.
    REM Each listed file is added to FilesToUpload.zip in the folder the script is run from.
    For %%a in (
    C:\WINDOWS\explorer.exe
    c:\windows\system32\userinit.exe
    c:\windows\system32\ntoskrnl.exe
    c:\windows\system32\drivers\tcpip.sys
    c:\windows\system32\comres.dll
    ) DO (
    zip FilesToUpload %%a
    )
    REM The script deletes itself once the archive has been built.
    del %0
  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input Zip.bat.
  • Hit OK.

When done properly, the icon should look like batch.png for XP machines and VistaBatch.jpg for Vista machines.

Double click on Zip.bat to run it. If you are using Windows Vista, please right-click and Run As Administrator...

A black DOS window shall appear and then disappear. This is normal; please do not panic. Then a zipped compressed file called FilesToUpload.zip should be created in the same location that zip.bat was run. It should be on your desktop.

Please upload that file to me...

Submit file samples

  1. Open the Submission Channel.
  2. Under Link to topic where this file was requested, input:
    http://www.malwarebytes.org/forums/index.php?showtopic=23222


  3. Click Browse and select the FilesToUpload.zip on your desktop.
  4. Under the comments section, say that Extremeboy asked for the submission.
  5. Then select Send File to send it
  6. After that you should get a confirmation if it was uploaded successfully.

Run a scan with Systemlook again...

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop if you lost your copy...

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it. (If you are using Vista, please right-click and select Run as administrator.)
  • A blank window shall open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy and Paste the content of the following codebox into the main textfield under "File":
    :filefind
    asyncmac.sys
    qmgr.dll
    comres.dll
    :dir
    C:\Windows\system32\dllcache
    C:\WINDOWS\ERDNT\cache


  • Please confirm everything is copied and pasted as I have provided above.
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan.
  • Close notepad. On your desktop there should be a text file called Systemlook.txt.
  • Please right-click on Systemlook.txt and press Send to >. From the drop-down list select Compressed (zipped) folder.
  • Now a compressed zipped folder called Systemlook.zip shall be created on your desktop
  • Please ATTACH the Systemlook.zip folder in your next reply. DO NOT post it. ATTACH IT please.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.

  • Please download GMER from one of the following locations, and save it to your desktop:

    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)

  • Close any and all open programs, as this process may crash your computer.
  • Double click gmerRandomIcon.png or gmerDesktopIcon.png on your desktop.
  • When you have done this, close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.

  • Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista
  • Allow the gmer.sys driver to load if asked.
    If it detects rootkit activity, you will receive a prompt (refer below) to run a full scan. Click NO..
    gmerNoDialog.png

  • In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
    • Sections
    • IAT/EAT
    • Registry
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show all (Don't miss this one!)

  • Click on btnScan.png and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push btnSave.png and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode, try running it in Safe Mode.

Note: Do not run any program while GMER is running.

*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOTKIT" entries.

For your next reply I would like to see:

-Successfully uploaded FilesToUpload.zip to my channel

-ATTACHED the Systemlook.zip log as instructed

-The GMER log

Thanks. :unsure:

Any problems, please do not hesitate to ask.

With Regards,

Extremeboy

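The helper above says there are "a couple of odd things in the logs" and asks for samples and hashes of explorer.exe, userinit.exe, ntoskrnl.exe, tcpip.sys and comres.dll. The script below is an added example, not part of this thread and not a Malwarebytes or ComboFix tool: it reads ComboFix log text and pulls out exactly the signals a responder looks for here, namely Sigcheck lines marked [-] (hash/signature mismatch on a core binary), files reported infected or missing, and a Winlogon Userinit value that launches anything other than the stock system32\userinit.exe (in the log posted above the value is c:\windows\explorer.exe, which it flags for review). The sample lines are copied from the ComboFix log earlier in this thread; the field layout the regexes expect is assumed from those lines and from no other documentation, and the script only reads text, it touches nothing on the machine.

```python
"""Triage helper for ComboFix log text (added example; not ComboFix's own code).

Flags three things a responder checks first in a log like the one above:
  * Sigcheck entries marked [-]  -> core binary failed the hash/signature check
  * "<path> ... is missing !!" and "<path> . . . is infected!!" lines
  * a Winlogon Userinit value that is not the stock system32\\userinit.exe
"""
import re

# Sigcheck line, layout assumed from the posted log:
#   "[-] <date> . <md5> . <size> . . [<version>] . . <path>"
SIGCHECK_RE = re.compile(
    r'^\[(?P<flag>[-+])\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})'
    r'\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+\[(?P<version>[^\]]+)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$'
)
# Both spellings seen in the log: "<path> . . . is infected!!" and "<path> ... is missing !!"
STATUS_RE = re.compile(
    r'^(?P<path>\S.*?)\s+(?:\.\s\.\s\.|\.\.\.)\s+is\s+(?P<state>missing|infected)\s*!!\s*$',
    re.IGNORECASE,
)
# Winlogon value as ComboFix prints it: "Userinit"="<value>"
USERINIT_RE = re.compile(r'^"Userinit"="(?P<value>[^"]*)"\s*$', re.IGNORECASE)
# Only the stock loader is acceptable, with or without the full Windows path.
STOCK_USERINIT_RE = re.compile(r'^(?:[a-z]:\\windows\\)?system32\\userinit\.exe$', re.IGNORECASE)

# Constructed sample: lines copied from the ComboFix log posted earlier in this thread.
SAMPLE_LOG = r"""
------- Sigcheck -------
[-] 2006-01-06 . 2A4818AEA80ACD2C95D7D92D2F3155F8 . 360448 . . [5.1.2600.2688] . . c:\windows\system32\drivers\tcpip.sys
[-] 2004-09-01 . 1C08FD2DA2E9D11916BB07982ADB69D1 . 24576 . . [5.1.2600.2180] . . c:\windows\system32\userinit.exe
c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\drivers\asyncmac.sys ... is missing !!
c:\windows\system32\qmgr.dll ... is missing !!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-23 2007832]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"
"""


def check_userinit(value):
    """Return a reason string if the Userinit value is not the stock loader, else None."""
    entries = [e.strip() for e in value.split(',') if e.strip()]
    if not entries:
        return 'Userinit value is empty'
    unexpected = [e for e in entries if not STOCK_USERINIT_RE.match(e)]
    if unexpected:
        return 'Userinit launches unexpected program(s): ' + ', '.join(unexpected)
    return None


def analyze_combofix(text):
    """Scan ComboFix log text; return a list of findings as dicts (kind, path, detail)."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SIGCHECK_RE.match(line)
        if m:
            if m['flag'] == '-':  # [+] would mean the file checked out
                findings.append({
                    'kind': 'sigcheck_fail',
                    'path': m['path'].lower(),
                    'detail': f"md5={m['md5']} size={m['size']} version={m['version']}",
                })
            continue
        m = STATUS_RE.match(line)
        if m:
            findings.append({'kind': m['state'].lower(), 'path': m['path'].lower(), 'detail': ''})
            continue
        m = USERINIT_RE.match(line)
        if m:
            reason = check_userinit(m['value'])
            if reason:
                findings.append({'kind': 'userinit_tampered', 'path': m['value'], 'detail': reason})
    return findings


if __name__ == '__main__':
    for f in analyze_combofix(SAMPLE_LOG):
        print(f"{f['kind']:18} {f['path']}  {f['detail']}")
```

Run it as-is to see the six findings from the sample, or feed it a whole ComboFix.txt via analyze_combofix(open(path).read()). A [-] on tcpip.sys, ntoskrnl.exe, explorer.exe and userinit.exe at once, together with a Userinit value that no longer names userinit.exe, is the pattern behind the helper's request for hashes and samples: the MD5 in each flagged line is what VirusTotal is asked about.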

Hello.

Thanks for letting me know.

Please do not get me wrong, I have no intention of reformatting it after going thru these steps. I only threw out that option not knowing that this will work.

I'm not getting you wrong and I understand what you mean. What I'm saying is that we can still clean this machine, but your computer WAS compromised and your security may also have been altered, and therefore I can in no way be sure it's 100% trustworthy any longer.

With Regards,

Extremeboy


Here is the log file for GMER. Couldn't run zip.bat.

Thx

dm

GMER 1.0.15.15077 [wpoxrsiq.exe] - http://www.gmer.net

Rootkit scan 2009-09-14 07:27:01

Windows 5.1.2600 Service Pack 2

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Udp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\RawIp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

SystemLook.zip


There you go. Thx

dm

ComboFix 09-09-14.02 - Geovision 09/15/2009 22:12.3.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1016.670 [GMT 1:00]

Running from: c:\documents and settings\Geovision\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\userinit.exe . . . is infected!!

c:\windows\system32\comres.dll . . . is infected!!

c:\windows\system32\drivers\asyncmac.sys . . . is missing!!

.

((((((((((((((((((((((((( Files Created from 2009-08-15 to 2009-09-15 )))))))))))))))))))))))))))))))

.

2009-09-06 20:53 . 2008-10-16 13:06 268648 ----a-w- c:\windows\system32\mucltui.dll

2009-09-06 13:52 . 2009-09-06 13:52 -------- d-sh--w- c:\documents and settings\Geovision\IECompatCache

2009-09-06 13:44 . 2009-09-06 13:44 -------- d-sh--w- c:\documents and settings\Geovision\PrivacIE

2009-09-02 16:19 . 2009-09-02 16:19 -------- d-----w- c:\program files\Trend Micro

2009-08-31 10:44 . 2009-08-31 10:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-08-29 19:06 . 2009-08-29 19:06 -------- d-----w- c:\documents and settings\Geovision\Application Data\Malwarebytes

2009-08-29 19:05 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-29 19:05 . 2009-08-29 19:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-29 19:05 . 2009-08-29 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-08-29 19:05 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-21 05:36 . 2009-08-21 05:36 -------- dc-h--w- c:\windows\ie8

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-08 16:26 . 2009-07-31 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2009-09-06 20:46 . 2009-07-31 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar

2009-08-23 07:21 . 2009-07-31 01:22 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-08-23 07:21 . 2009-07-31 01:21 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-08-23 07:21 . 2009-07-31 01:21 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-08-21 05:40 . 2009-04-14 21:05 -------- d-----w- c:\program files\Google

2009-07-31 01:22 . 2009-07-31 01:22 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2009-07-31 01:21 . 2009-07-31 01:21 -------- d-----w- c:\program files\AVG

2009-07-31 01:15 . 2009-07-29 03:49 -------- d-----w- c:\documents and settings\Geovision\Application Data\U3

2009-07-31 00:46 . 2009-07-31 00:39 1106 ----a-w- c:\windows\system32\info.dat

2009-07-23 11:57 . 2009-07-23 11:57 661352 ----a-w- C:\autoruns.exe

2009-07-23 11:57 . 2009-07-23 11:57 553832 ----a-w- C:\autorunsc.exe

2009-07-18 23:16 . 2009-07-18 23:16 -------- d-----w- c:\program files\Common Files\Thunder Network

2009-07-18 23:15 . 2009-07-18 23:15 -------- d-----w- c:\program files\Common Files\Java

2009-07-18 23:14 . 2009-07-18 23:14 -------- d-----w- c:\program files\Intel

2009-07-18 23:06 . 2009-07-18 23:06 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!

2009-07-18 23:06 . 2009-07-18 23:06 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!

2009-07-03 21:45 . 2008-12-26 11:36 66144 -c--a-w- c:\documents and settings\Geovision\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2008-12-25 01:59 . 2008-12-25 01:59 60516 -c--a-w- c:\program files\mozilla firefox\components\jar50.dll

2008-12-25 01:59 . 2008-12-25 01:59 49246 -c--a-w- c:\program files\mozilla firefox\components\jsd3250.dll

2008-12-25 01:59 . 2008-12-25 01:59 165990 -c--a-w- c:\program files\mozilla firefox\components\xpinstal.dll

.

------- Sigcheck -------

[-] 2006-01-06 . 2A4818AEA80ACD2C95D7D92D2F3155F8 . 360448 . . [5.1.2600.2688] . . c:\windows\system32\drivers\tcpip.sys

[-] 2006-01-09 . C3B84871DECE94E335B96FAFD756316C . 2187904 . . [5.1.2600.2765] . . c:\windows\system32\ntoskrnl.exe

[-] 2004-09-01 . 1C08FD2DA2E9D11916BB07982ADB69D1 . 24576 . . [5.1.2600.2180] . . c:\windows\system32\userinit.exe

[-] 2006-01-06 . 2DEACA71A7FD77205F59D48D76B2F565 . 1075200 . . [6.00.2900.2649] . . c:\windows\explorer.exe

c:\windows\system32\drivers\asyncmac.sys ... is missing !!

c:\windows\system32\qmgr.dll ... is missing !!

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2009-07-24 08:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-23 2007832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-09-01 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-23 07:21 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"443:TCP"= 443:TCP:ooVoo TCP port 443

"443:UDP"= 443:UDP:ooVoo UDP port 443

"37674:TCP"= 37674:TCP:ooVoo TCP port 37674

"37674:UDP"= 37674:UDP:ooVoo UDP port 37674

"37675:UDP"= 37675:UDP:ooVoo UDP port 37675

R3 AGV;AGV;c:\windows\system32\drivers\AGV.sys [2006-12-04 189112]

R3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2008-12-08 533344]

R3 GV800S;GV800S;c:\windows\system32\drivers\GV800S.sys [2007-03-29 82224]

S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-23 335240]

S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-07-31 108552]

S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-23 297752]

S2 fssfltr;fssfltr;c:\windows\system32\DRIVERS\fssfltr_tdi.sys [2008-12-08 55136]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Geovision\Application Data\Mozilla\Firefox\Profiles\oryvhb3o.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-15 22:17

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2272)

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

Completion time: 2009-09-15 22:21

ComboFix-quarantined-files.txt 2009-09-15 21:21

ComboFix2.txt 2009-09-08 16:57

Pre-Run: 2,645,417,984 bytes free

Post-Run: 2,623,598,592 bytes free

156


Hello.

I want samples of those files so, let's try it again.

Create and Run batch script

  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the word "quote".
    @ECHO OFF
    REM Requires a command-line zip tool (zip.exe) on the PATH; without one no archive is produced.
    REM Each listed file is added to FilesToUpload.zip in the folder the script is run from.
    For %%a in (
    C:\WINDOWS\explorer.exe
    c:\windows\system32\userinit.exe
    c:\windows\system32\ntoskrnl.exe
    c:\windows\system32\drivers\tcpip.sys
    c:\windows\system32\comres.dll
    ) DO (
    zip FilesToUpload %%a
    )
    REM The script deletes itself once the archive has been built.
    del %0
  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input Upload.bat
  • Hit OK.

When done properly, the icon should look like batch.png for XP machines and VistaBatch.jpg for Vista machines.

Double click on Zip.bat to run it. If you are using Windows Vista, please right-click and Run As Administrator...

A black DOS window shall appear and then disappear. This is normal; please do not panic. Then a zipped compressed file called FilesToUpload.zip should be created in the same location that zip.bat was run. It should be on your desktop.

Please upload that file to me...

Submit file samples

  1. Open the Submission Channel.
  2. Under Link to topic where this file was requested, input:
    http://www.malwarebytes.org/forums/index.php?showtopic=23222


  3. Click Browse and select the FilesToUpload.zip on your desktop.
  4. Under the comments section, say that Extremeboy asked for the submission.
  5. Then select Send File to send it
  6. After that you should get a confirmation if it was uploaded successfully.

Do you still have your Windows XP Professional SP2 disk with you? If so, we can use that to do some fixing as well.

Please scan these files with VirusTotal... Something doesn't look quite right with some of the information.

Submit File to Online Scanner

There is a file that I would like you to check out for me using VirusTotal/VirSCAN

  • Open VirusTotal Online Scanner or VirSCAN. If one site is busy or down, try the other
  • At the top of the page you'll see a box. Browse to the location of each file and select that file. (do one line at a time).
    1. c:\windows\explorer.exe
    2. c:\windows\system32\userinit.exe
    3. c:\windows\system32\ntoskrnl.exe
    4. c:\windows\system32\drivers\tcpip.sys

  • Click Submit.
  • Wait for the scan to finish.
  • Copy Scanner Results into your next reply.
  • If more than one file was listed, repeat for each of them.

Post the results here once done.

Take a new DDS run as well and post back with both the DDS and Attach logs.

With Regards,

Extremeboy


Tried running the upload.bat but it again did not generate any zip file.

Ran the other things that you requested and have attached the results of the online scan as well as the dds.txt and attach.txt.

Please let me know if I missed anything.

Seems like the userinit.exe is the culprit.

Thanks

DM

Results_explore_exe.txt

results_ntokrnl_exe.txt

results_tcpip_sys.txt

resultsuserinit_exe.txt

DDS.txt

Attach.txt


Hello.

This question was not answered...

Do you still have your Windows XP Professional SP2 disk with you? If so, we can use that to do some fixing as well.

Userinit.exe is indeed patched.

Please also scan the following file...

c:\windows\system32\comres.dll <- This file

Using VirusTotal. Post the results when done.

~Extremeboy


Hello.

That's fine then.

See if you can upload the following files to me. It may not work, so if it fails to upload the file just let me know.

C:\WINDOWS\explorer.exe <- This file

c:\windows\system32\userinit.exe <- This file

c:\windows\system32\ntoskrnl.exe <- This file

c:\windows\system32\drivers\tcpip.sys <- And This file

---

After uploading them (if it works) continue with the following...

Go to Start > My Computer

Go to Tools > Folder Options

Click on the View tab

Untick the following:

  • Hide extensions for known file types
  • Hide protected operating system files (Recommended)

You will get a message warning you about showing protected operating system files, click Yes

Make sure this option is selected:

  • Show hidden files and folders

Click Apply and then click OK

Now please navigate to your system32 directory:

c:\windows\system32 <- This folder

Look for the file called userinit.exe.

Do NOT delete it. Instead, please rename it to userinit.exe.bak.

You will get a confirmation warning that if you change the extension it may become unusable; please select Yes.

Now press the F5 key on your keyboard to refresh the page.

Make sure that userinit.exe.bak is still named userinit.exe.bak and that userinit.exe was not created.

Now run Combofix again and post the log back here.

We are going to use your Windows disk in the next post.

With Regards,

Extremeboy

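As an added example (not part of this thread or of any tool it mentions), a defender-side check that compares the four files the helper named with their Windows File Protection copies in system32\dllcache by SHA-256, one way to confirm a finding like "userinit.exe is patched" before restoring from the Windows disk. The dllcache path is the real XP location; demo() builds a constructed directory layout so the logic runs anywhere, and on an actual XP machine you would call check_against_dllcache(r"C:\WINDOWS") from an administrator account instead.

```python
import hashlib
import os
import tempfile

# Files the helper asked to have checked, relative to %SystemRoot%.
WATCHED = ("explorer.exe", "system32\\userinit.exe",
           "system32\\ntoskrnl.exe", "system32\\drivers\\tcpip.sys")


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:  # chunked: ntoskrnl.exe is a few MB
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_against_dllcache(system_root, watched=WATCHED):
    """Return {relative path: 'match' | 'MISMATCH' | 'no cache copy'}.
    'match' only proves both copies agree; if the dllcache copy was replaced
    too, the i386 copy on the install CD is the better reference."""
    cache_dir = os.path.join(system_root, "system32", "dllcache")
    report = {}
    for rel in watched:
        parts = rel.split("\\")
        live = os.path.join(system_root, *parts)
        cached = os.path.join(cache_dir, parts[-1])
        if not os.path.exists(cached):
            report[rel] = "no cache copy"
        elif sha256_of(live) == sha256_of(cached):
            report[rel] = "match"
        else:
            report[rel] = "MISMATCH"  # live file differs: patched or replaced
    return report


def demo():
    """Constructed layout, not real files: userinit.exe patched, explorer.exe
    intact, ntoskrnl.exe and tcpip.sys with no cache copy."""
    root = tempfile.mkdtemp()
    sample = {"explorer.exe": b"MZ-explorer-clean",
              "system32\\dllcache\\explorer.exe": b"MZ-explorer-clean",
              "system32\\userinit.exe": b"MZ-userinit-PATCHED",
              "system32\\dllcache\\userinit.exe": b"MZ-userinit-clean",
              "system32\\ntoskrnl.exe": b"MZ-ntoskrnl",
              "system32\\drivers\\tcpip.sys": b"MZ-tcpip"}
    for rel, data in sample.items():
        path = os.path.join(root, *rel.split("\\"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as handle:
            handle.write(data)
    return check_against_dllcache(root)
```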
