
Malware and ComboFix scan results. Need further assistance



Hello everyone,

My computer is definitely infected with some sort of virus. Every time I click on an application, a pop-up box comes up saying "Bad Image: tizamahu.dll is not a real Windows image", or something to that nature. Also, when I try to open or run any anti-malware apps, they won't open. I can't even log onto malwarebytes.org. This is really getting annoying. Any help would be greatly appreciated.

Running from: F:\Win32kDiag.exe

Log file at : C:\Documents and Settings\TEMP\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\ASSEMBLY\NativeImages_v2.0.50727_32\Temp\ZAP262.tmp\ZAP262.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\NativeImages_v2.0.50727_32\Temp\ZAP2A8.tmp\ZAP2A8.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\NativeImages_v2.0.50727_32\Temp\ZAP2F5.tmp\ZAP2F5.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\NativeImages_v2.0.50727_32\Temp\ZAP3F8.tmp\ZAP3F8.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\NativeImages_v2.0.50727_32\Temp\ZAPBC.tmp\ZAPBC.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\NativeImages_v2.0.50727_32\Temp\ZAPFF.tmp\ZAPFF.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\TEMP\TEMP

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\TMP\TMP

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Cache\Cache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\IMEJP\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\IMEJP98\IMEJP98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\IMKR6_1\DICTS\DICTS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\18555481990E8AB4CBB63FB4F26006C0\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\JAVA\TRUSTLIB\TRUSTLIB

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Minidump\Minidump

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\MSAPPS\MSINFO\MSINFO

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\MUI\MUI

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\occache\occache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\ERRORREP\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Config\Cache\Cache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SECURITY\LOGS\LOGS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\93c9bb5898f80e6361e0dc6ea165864f\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b68fe9ebdd665f78e33cbe020865a7b8\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b95852880152dfa827ec46ae43899c80\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d2fcfbeca3e284c5f8d988b1c113bb83\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Start Menu\Programs\Programs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\SYSTEM32\dumprep.exe

[1] 2004-08-04 07:00:00 10752 C:\WINDOWS\$NtServicePackUninstall$\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:18 10752 C:\WINDOWS\ServicePackFiles\i386\dumprep.exe (Microsoft Corporation)

Update: I was able to run ComboFix, and here are the results.

ComboFix 09-09-22.03 - Vishon Thomas 09/23/2009 21:26.1.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.221 [GMT -4:00]

Running from: F:\Lorgeo.bat

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\cazohyz._dl

c:\documents and settings\All Users\Application Data\dusisixy.inf

c:\documents and settings\All Users\Application Data\icofumoqe.exe

c:\documents and settings\All Users\Application Data\jidabaty.reg

c:\documents and settings\All Users\Application Data\mylewuzyv.com

c:\documents and settings\All Users\Application Data\powetajaza.exe

c:\documents and settings\All Users\Application Data\rytugo.inf

c:\documents and settings\All Users\Application Data\uhocix.ban

c:\documents and settings\All Users\Application Data\xicupafuci.reg

c:\documents and settings\All Users\Application Data\ynysudu.bin

c:\documents and settings\All Users\Documents\gaxaf.dll

c:\documents and settings\All Users\Documents\vejagi.vbs

c:\documents and settings\All Users\Documents\vybymonadi.dll

c:\documents and settings\All Users\Documents\xalerosim.vbs

c:\documents and settings\TEMP\Application Data\abomogac.sys

c:\documents and settings\TEMP\Application Data\axadygi.scr

c:\documents and settings\TEMP\Application Data\cehelyde.pif

c:\documents and settings\TEMP\Application Data\ecezugy.ban

c:\documents and settings\TEMP\Application Data\elyjely.com

c:\documents and settings\TEMP\Application Data\hara.inf

c:\documents and settings\TEMP\Application Data\hyqegyquqa.lib

c:\documents and settings\TEMP\Application Data\inst.exe

c:\documents and settings\TEMP\Application Data\kapu.reg

c:\documents and settings\TEMP\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk

c:\documents and settings\TEMP\Application Data\nosu.pif

c:\documents and settings\TEMP\Application Data\ohos.ban

c:\documents and settings\TEMP\Application Data\pajilapajo.bat

c:\documents and settings\TEMP\Application Data\roryhik.com

c:\documents and settings\TEMP\Application Data\sevawyxyco.scr

c:\documents and settings\TEMP\Application Data\uqiq.dl

c:\documents and settings\TEMP\Cookies\doqoladoxe.bin

c:\documents and settings\TEMP\Cookies\ecalogytol.lib

c:\documents and settings\TEMP\Cookies\figekuxyw.ban

c:\documents and settings\TEMP\Cookies\ganebataf.db

c:\documents and settings\TEMP\Cookies\helybu._dl

c:\documents and settings\TEMP\Cookies\mime.db

c:\documents and settings\TEMP\Cookies\nupoxirax.com

c:\documents and settings\TEMP\Cookies\qedyhy.ban

c:\documents and settings\TEMP\Cookies\tigiwep._dl

c:\documents and settings\TEMP\Cookies\tysavu.scr

c:\documents and settings\TEMP\Cookies\upynewyjo.bin

c:\documents and settings\TEMP\Cookies\xajapew.scr

c:\documents and settings\TEMP\Cookies\ygasepa.pif

c:\documents and settings\TEMP\Desktop\AntivirusPro_2010.lnk

c:\documents and settings\TEMP\Local Settings\Application Data\guqywyf.ban

c:\documents and settings\TEMP\Local Settings\Application Data\umoviv.inf

c:\documents and settings\TEMP\Local Settings\Application Data\uvise.scr

c:\documents and settings\TEMP\Local Settings\Application Data\woweho.exe

c:\documents and settings\TEMP\Local Settings\Temporary Internet Files\wiwovo.pif

c:\documents and settings\TEMP\Local Settings\Temporary Internet Files\zocy.ban

c:\documents and settings\TEMP\Start Menu\Programs\AntivirusPro_2010

c:\documents and settings\TEMP\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk

c:\documents and settings\TEMP\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk

c:\program files\AntivirusPro_2010

c:\program files\AntivirusPro_2010\AntivirusPro_2010.cfg

c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe

c:\program files\Common Files\aned.sys

c:\program files\Common Files\esuleqi.reg

c:\program files\Common Files\hatimig.inf

c:\program files\Common Files\iboco.com

c:\program files\Common Files\iziq.com

c:\program files\Common Files\luco.com

c:\program files\Common Files\yqope.vbs

c:\program files\Protection System

c:\program files\Protection System\core.cga

c:\program files\Protection System\firewall.dll

c:\program files\Protection System\help.ico

c:\program files\Protection System\psystem.exe

c:\windows\betu.bin

c:\windows\bezexuz.ban

c:\windows\efehy.pif

c:\windows\Installer\1730f3.msp

c:\windows\Installer\1730f4.msp

c:\windows\Installer\4e0cc.msi

c:\windows\Installer\4e0cd.msp

c:\windows\Installer\4e0ce.msp

c:\windows\Installer\4e0cf.msp

c:\windows\Installer\4e0d0.msp

c:\windows\Installer\4e0d1.msp

c:\windows\Installer\4e0d2.msp

c:\windows\Installer\4e0d3.msp

c:\windows\Installer\4e0d4.msp

c:\windows\Installer\4e0d5.msp

c:\windows\kijebopu.scr

c:\windows\myqazijihu.bin

c:\windows\nezo.inf

c:\windows\ovecotada.bin

c:\windows\qahapac.reg

c:\windows\qakaz.vbs

c:\windows\selunu.inf

c:\windows\soxicyc.reg

c:\windows\system32\bisomasu.dll

c:\windows\system32\braviax.exe

c:\windows\system32\drivers\kbiwkmlkdqoown.sys

c:\windows\system32\drivers\kbiwkmrrdrsmej.sys

c:\windows\system32\iniasd.txt

c:\windows\system32\jisagade.dll

c:\windows\system32\kaju.pif

c:\windows\system32\kbiwkmbitwwwtw.dll

c:\windows\system32\kbiwkmdecbdwqe.dll

c:\windows\system32\kbiwkmeppxjtxo.dll

c:\windows\system32\kbiwkmfbmlirfv.dat

c:\windows\system32\kbiwkmfvdbarcc.dat

c:\windows\system32\kbiwkmkciybwuw.dll

c:\windows\system32\kbiwkmlrublxxh.dll

c:\windows\system32\kbiwkmvcrviqqt.dll

c:\windows\system32\mybabus.bat

c:\windows\system32\tizomahu.dll

c:\windows\system32\vbzlib1.dll

c:\windows\system32\wisdstr.exe

c:\windows\system32\wscsvc32.exe

c:\windows\system32\zehekilo.dll

c:\windows\ufyvycogo.bin

Infected copy of c:\windows\system32\drivers\beep.sys was found and disinfected

Restored copy from - c:\i386\BEEP.SYS

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected

Restored copy from - c:\windows\system32\dllcache\eventlog.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_kbiwkmpylwfaod

-------\Legacy_kbiwkmtepxgila

-------\Legacy_UACd.sys

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

-------\Service_kbiwkmpylwfaod

-------\Service_kbiwkmtepxgila

-------\Service_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-08-24 to 2009-09-24 )))))))))))))))))))))))))))))))

.

2009-09-24 01:31 . 2009-09-24 01:31 -------- d-----w- c:\windows\LastGood.Tmp

2009-09-24 01:11 . 2009-09-24 01:11 -------- d-----w- C:\found.000

2009-09-24 00:43 . 2009-09-24 00:43 -------- d-----w- c:\program files\Trend Micro

2009-09-23 20:56 . 2009-09-23 20:56 14885 ----a-w- c:\windows\dofamuti.com

2009-09-23 20:56 . 2009-09-23 20:56 13153 ----a-w- c:\windows\zebabemiku.com

2009-09-23 20:38 . 2009-09-23 20:38 15128 ----a-w- c:\documents and settings\TEMP\Local Settings\Application Data\qamic.dat

2009-09-22 20:46 . 2009-09-22 20:46 0 ----a-w- c:\documents and settings\TEMP\NTUSER.zip

2009-09-22 20:37 . 2009-09-22 20:37 185573 ----a-w- c:\documents and settings\Default User\NTUSER.zip

2009-09-22 18:53 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-22 18:53 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-21 20:33 . 2009-09-21 20:33 12328 ----a-w- c:\documents and settings\TEMP\Local Settings\Application Data\ylojerutet.dat

2009-09-21 18:01 . 2009-09-21 18:01 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-09-21 17:14 . 2009-09-21 17:14 -------- d-----w- c:\documents and settings\TEMP\Application Data\SUPERAntiSpyware.com

2009-09-21 17:13 . 2009-09-21 17:13 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-09-21 16:39 . 2009-09-22 20:10 -------- d-----w- C:\Malwarebytes' Anti-Malware

2009-09-20 19:42 . 2008-12-11 12:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2009-09-20 19:42 . 2009-08-19 15:01 86888 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2009-09-20 19:41 . 2009-09-21 22:41 -------- d-----w- c:\program files\Common Files\PC Tools

2009-09-20 19:40 . 2009-09-24 01:34 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-09-19 20:32 . 2009-09-20 03:32 -------- d--h--w- c:\windows\msdownld.tmp

2009-09-19 20:31 . 2009-09-22 22:14 -------- dc-h--w- c:\windows\ie8

2009-09-16 16:53 . 2009-09-16 16:53 -------- d-----w- c:\windows\system32\Adobe

2009-09-09 13:30 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll

2009-09-05 21:16 . 2009-09-05 21:16 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2009-09-02 20:59 . 2009-09-02 20:59 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2009-09-02 00:37 . 2009-09-02 00:37 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-09-02 00:32 . 2009-09-02 00:32 -------- d-sh--w- c:\documents and settings\TEMP\IECompatCache

2009-09-02 00:31 . 2009-09-02 00:31 -------- d-sh--w- c:\documents and settings\TEMP\PrivacIE

2009-09-02 00:28 . 2009-09-02 00:28 -------- d-sh--w- c:\documents and settings\TEMP\IETldCache

2009-09-02 00:23 . 2009-08-07 08:48 100352 ------w- c:\windows\system32\dllcache\iecompat.dll

2009-09-02 00:22 . 2009-07-03 17:09 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

2009-09-02 00:22 . 2009-07-03 17:09 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll

2009-08-28 13:41 . 2009-08-28 13:41 10510 ----a-w- c:\program files\Common Files\omyjev.dat

2009-08-28 00:30 . 2009-08-28 00:30 -------- d-----w- c:\documents and settings\TEMP\Application Data\Malwarebytes

2009-08-28 00:30 . 2009-08-28 00:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-08-28 00:30 . 2009-09-20 04:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-27 18:40 . 2008-04-14 00:12 32866 ----a-w- c:\windows\system32\dllcache\slrundll.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-23 20:56 . 2009-09-23 20:56 11781 ----a-w- c:\program files\Common Files\syvagoj._sy

2009-09-23 20:38 . 2009-09-23 20:38 18935 ----a-w- c:\program files\Common Files\qalawapo._sy

2009-09-23 20:38 . 2009-09-23 20:38 10445 ----a-w- c:\program files\Common Files\dimynugeqa.lib

2009-09-23 20:38 . 2009-09-23 20:38 10060 ----a-w- c:\program files\Common Files\zoco.db

2009-09-22 22:24 . 2005-06-16 13:48 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2009-09-22 19:37 . 2008-02-07 00:17 -------- d-----w- c:\program files\DVDFab Platinum 4

2009-09-22 19:37 . 2007-08-01 00:18 -------- d-----w- c:\documents and settings\TEMP\Application Data\Vso

2009-09-21 21:42 . 2005-02-18 18:24 -------- d-----w- c:\program files\Google

2009-09-21 04:54 . 2009-09-21 04:54 19724 ----a-w- c:\documents and settings\TEMP\Application Data\qenaco.dat

2009-09-21 04:54 . 2009-09-21 04:54 18525 ----a-w- c:\program files\Common Files\ekopimi.lib

2009-08-28 13:41 . 2009-08-28 13:41 12934 ----a-w- c:\program files\Common Files\eqecibemy.db

2009-08-28 13:41 . 2009-08-28 13:41 14315 ----a-w- c:\program files\Common Files\awes.lib

2009-08-25 04:31 . 2006-06-17 19:38 107936 ----a-w- c:\documents and settings\TEMP\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-21 16:09 . 2008-10-15 05:04 -------- d-----w- c:\program files\MSBuild

2009-08-21 16:08 . 2009-08-21 16:08 -------- d-----w- c:\program files\Reference Assemblies

2009-08-17 21:03 . 2005-01-10 20:33 -------- d-----w- c:\program files\Java

2009-08-17 03:58 . 2009-03-18 18:08 -------- d-----w- c:\documents and settings\TEMP\Application Data\mjusbsp

2009-08-14 10:58 . 2009-09-20 19:42 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat

2009-08-05 09:01 . 2004-08-04 11:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-01 22:16 . 2007-02-24 16:19 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-07-25 09:23 . 2009-03-05 20:43 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-07-17 19:01 . 2004-08-04 11:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 03:43 . 2004-08-04 11:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-03 17:09 . 2004-08-04 11:00 915456 ----a-w- c:\windows\system32\wininet.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"cdloader"="c:\documents and settings\TEMP\Application Data\mjusbsp\cdloader2.exe" [2009-08-01 50520]

"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2009-06-30 2836376]

"SUPERAntiSpyware"="G:\SUPERAntiSpyware.exe" [2009-09-15 1998576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-06-30 1388544]

"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]

"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-01-19 110592]

"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2006-01-19 11776]

"DLBXCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll" [2004-12-07 69632]

"dlbxmon.exe"="c:\program files\Dell Photo AIO Printer 962\dlbxmon.exe" [2005-01-18 425984]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-11-16 127035]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-12-14 282624]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-25 185896]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

c:\documents and settings\TEMP\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "G:\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 19:21 548352 ----a-w- G:\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Documents and Settings\\TEMP\\Application Data\\mjusbsp\\magicJack.exe"=

S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys --> c:\windows\system32\drivers\PCTCore.sys [?]

S1 SASDIFSV;SASDIFSV;G:\sasdifsv.sys [9/15/2009 11:42 AM 9968]

S1 SASKUTIL;SASKUTIL;G:\SASKUTIL.SYS [9/15/2009 11:42 AM 74480]

S3 MotDev;Motorola Inc. USB Device;c:\windows\SYSTEM32\DRIVERS\motodrv.sys [6/19/2008 12:16 AM 42112]

S3 SASENUM;SASENUM;G:\SASENUM.SYS [9/15/2009 11:42 AM 7408]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - BEEP

.

Contents of the 'Scheduled Tasks' folder

2005-01-18 c:\windows\Tasks\ISP signup reminder 1.job

- c:\windows\system32\OOBE\OOBEBALN.EXE [2004-08-04 00:12]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mStart Page = hxxp://www.google.com

mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000

Trusted Zone: musicmatch.com\online

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - hxxp://www.alwaysupdatednews.com/install/aun_0036.exe

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-PhotoShow Deluxe Media Manager - c:\progra~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe

HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

HKCU-Run-Protection System - c:\program files\Protection System\psystem.exe

HKLM-Run-MSKDetectorExe - c:\program files\McAfee\SpamKiller\MSKDetct.exe

HKLM-Run-!AVG Anti-Spyware - f:\avg anti-spyware 7.5\avgas.exe

HKLM-Run-Media Codec Update Service - f:\essentials codec pack\update.exe

HKU-Default-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

Notify-WgaLogon - (no file)

SafeBoot-AVG Anti-Spyware Driver

SafeBoot-mcmscsvc

SafeBoot-MCODS

AddRemove-Audacity_is1 - g:\audacity\unins000.exe

AddRemove-DVDFab Platinum_is1 - f:\dvdfab platinum 3\unins000.exe

AddRemove-Movkit Batch Video Converter_is1 - f:\movkit batch video converter\unins000.exe

AddRemove-VLC media player - f:\vlc\uninstall.exe

AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe

AddRemove-Windows Essentials Media Codec Pack - f:\essentials codec pack\uninst.exe

AddRemove-YouTubeGet_is1 - c:\youtubeget\unins000.exe

AddRemove-{347362FC-2826-4EDB-B1E3-FC55900CA632}_is1 - f:\hj-split\unins000.exe

AddRemove-{7A5AE924-83A4-47AB-BDB6-6BF534BC9E12}_is1 - g:\nidesoft video converter 2\unins000.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-23 21:34

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

DLBXCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3564163255-4232285275-1735309245-1006\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\WPAEvents]

@Denied: (Full) (LocalSystem)

"OOBETimer"=hex:ff,d5,71,d6,8b,6a,8d,6f,d5,33,93,fd

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(756)

G:\SASWINLO.dll

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2644)

c:\windows\system32\WININET.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Java\jre6\bin\jqs.exe

c:\progra~1\MUSICM~1\MUSICM~3\MMDiag.exe

c:\program files\MUSICMATCH\Musicmatch Jukebox\mim.exe

c:\windows\SYSTEM32\dlbxcoms.exe

c:\windows\SYSTEM32\wscntfy.exe

c:\program files\Real\RealPlayer\realplay.exe

.

**************************************************************************

.

Completion time: 2009-09-24 21:39 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-24 01:39

Pre-Run: 8,191,905,792 bytes free

Post-Run: 8,209,207,296 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect


And here is the Malwarebytes log.

Malwarebytes' Anti-Malware 1.41

Database version: 2775

Windows 5.1.2600 Service Pack 3

9/23/2009 9:54:38 PM

mbam-log-2009-09-23 (21-54-24).txt

Scan type: Quick Scan

Objects scanned: 137948

Time elapsed: 11 minute(s), 9 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> No action taken.

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\All Users\Desktop\Protection System Support.lnk (Rogue.Link) -> No action taken.

C:\WINDOWS\SYSTEM32\DLLCACHE\beep.sys (Fake.Beep.sys) -> No action taken.
