
malware and combofix scan results. need further assistance


vishthom


hello everyone

My computer is definitely infected with some sort of virus. Every time I click on an application a pop-up box comes up saying "Bad Image: tizamahu.dll is not a real Windows image", something to that nature. Also, when I try to open or run any anti-malware apps they won't open. I can't even log onto malwarebytes.org. This is really getting annoying. Any help would be greatly appreciated.

Running from: F:\Win32kDiag.exe

Log file at : C:\Documents and Settings\TEMP\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\ASSEMBLY\NativeImages_v2.0.50727_32\Temp\ZAP262.tmp\ZAP262.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\NativeImages_v2.0.50727_32\Temp\ZAP2A8.tmp\ZAP2A8.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\NativeImages_v2.0.50727_32\Temp\ZAP2F5.tmp\ZAP2F5.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\NativeImages_v2.0.50727_32\Temp\ZAP3F8.tmp\ZAP3F8.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\NativeImages_v2.0.50727_32\Temp\ZAPBC.tmp\ZAPBC.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\NativeImages_v2.0.50727_32\Temp\ZAPFF.tmp\ZAPFF.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\TEMP\TEMP

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\TMP\TMP

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Cache\Cache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\IMEJP\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\IMEJP98\IMEJP98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\IMKR6_1\DICTS\DICTS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\18555481990E8AB4CBB63FB4F26006C0\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\JAVA\TRUSTLIB\TRUSTLIB

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Minidump\Minidump

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\MSAPPS\MSINFO\MSINFO

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\MUI\MUI

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\occache\occache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\ERRORREP\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Config\Cache\Cache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SECURITY\LOGS\LOGS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\93c9bb5898f80e6361e0dc6ea165864f\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b68fe9ebdd665f78e33cbe020865a7b8\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b95852880152dfa827ec46ae43899c80\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d2fcfbeca3e284c5f8d988b1c113bb83\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Start Menu\Programs\Programs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\SYSTEM32\dumprep.exe

[1] 2004-08-04 07:00:00 10752 C:\WINDOWS\$NtServicePackUninstall$\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:18 10752 C:\WINDOWS\ServicePackFiles\i386\dumprep.exe (Microsoft Corporation)

Update: I was able to use ComboFix and here are the results.

ComboFix 09-09-22.03 - Vishon Thomas 09/23/2009 21:26.1.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.221 [GMT -4:00]

Running from: F:\Lorgeo.bat

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\cazohyz._dl

c:\documents and settings\All Users\Application Data\dusisixy.inf

c:\documents and settings\All Users\Application Data\icofumoqe.exe

c:\documents and settings\All Users\Application Data\jidabaty.reg

c:\documents and settings\All Users\Application Data\mylewuzyv.com

c:\documents and settings\All Users\Application Data\powetajaza.exe

c:\documents and settings\All Users\Application Data\rytugo.inf

c:\documents and settings\All Users\Application Data\uhocix.ban

c:\documents and settings\All Users\Application Data\xicupafuci.reg

c:\documents and settings\All Users\Application Data\ynysudu.bin

c:\documents and settings\All Users\Documents\gaxaf.dll

c:\documents and settings\All Users\Documents\vejagi.vbs

c:\documents and settings\All Users\Documents\vybymonadi.dll

c:\documents and settings\All Users\Documents\xalerosim.vbs

c:\documents and settings\TEMP\Application Data\abomogac.sys

c:\documents and settings\TEMP\Application Data\axadygi.scr

c:\documents and settings\TEMP\Application Data\cehelyde.pif

c:\documents and settings\TEMP\Application Data\ecezugy.ban

c:\documents and settings\TEMP\Application Data\elyjely.com

c:\documents and settings\TEMP\Application Data\hara.inf

c:\documents and settings\TEMP\Application Data\hyqegyquqa.lib

c:\documents and settings\TEMP\Application Data\inst.exe

c:\documents and settings\TEMP\Application Data\kapu.reg

c:\documents and settings\TEMP\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk

c:\documents and settings\TEMP\Application Data\nosu.pif

c:\documents and settings\TEMP\Application Data\ohos.ban

c:\documents and settings\TEMP\Application Data\pajilapajo.bat

c:\documents and settings\TEMP\Application Data\roryhik.com

c:\documents and settings\TEMP\Application Data\sevawyxyco.scr

c:\documents and settings\TEMP\Application Data\uqiq.dl

c:\documents and settings\TEMP\Cookies\doqoladoxe.bin

c:\documents and settings\TEMP\Cookies\ecalogytol.lib

c:\documents and settings\TEMP\Cookies\figekuxyw.ban

c:\documents and settings\TEMP\Cookies\ganebataf.db

c:\documents and settings\TEMP\Cookies\helybu._dl

c:\documents and settings\TEMP\Cookies\mime.db

c:\documents and settings\TEMP\Cookies\nupoxirax.com

c:\documents and settings\TEMP\Cookies\qedyhy.ban

c:\documents and settings\TEMP\Cookies\tigiwep._dl

c:\documents and settings\TEMP\Cookies\tysavu.scr

c:\documents and settings\TEMP\Cookies\upynewyjo.bin

c:\documents and settings\TEMP\Cookies\xajapew.scr

c:\documents and settings\TEMP\Cookies\ygasepa.pif

c:\documents and settings\TEMP\Desktop\AntivirusPro_2010.lnk

c:\documents and settings\TEMP\Local Settings\Application Data\guqywyf.ban

c:\documents and settings\TEMP\Local Settings\Application Data\umoviv.inf

c:\documents and settings\TEMP\Local Settings\Application Data\uvise.scr

c:\documents and settings\TEMP\Local Settings\Application Data\woweho.exe

c:\documents and settings\TEMP\Local Settings\Temporary Internet Files\wiwovo.pif

c:\documents and settings\TEMP\Local Settings\Temporary Internet Files\zocy.ban

c:\documents and settings\TEMP\Start Menu\Programs\AntivirusPro_2010

c:\documents and settings\TEMP\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk

c:\documents and settings\TEMP\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk

c:\program files\AntivirusPro_2010

c:\program files\AntivirusPro_2010\AntivirusPro_2010.cfg

c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe

c:\program files\Common Files\aned.sys

c:\program files\Common Files\esuleqi.reg

c:\program files\Common Files\hatimig.inf

c:\program files\Common Files\iboco.com

c:\program files\Common Files\iziq.com

c:\program files\Common Files\luco.com

c:\program files\Common Files\yqope.vbs

c:\program files\Protection System

c:\program files\Protection System\core.cga

c:\program files\Protection System\firewall.dll

c:\program files\Protection System\help.ico

c:\program files\Protection System\psystem.exe

c:\windows\betu.bin

c:\windows\bezexuz.ban

c:\windows\efehy.pif

c:\windows\Installer\1730f3.msp

c:\windows\Installer\1730f4.msp

c:\windows\Installer\4e0cc.msi

c:\windows\Installer\4e0cd.msp

c:\windows\Installer\4e0ce.msp

c:\windows\Installer\4e0cf.msp

c:\windows\Installer\4e0d0.msp

c:\windows\Installer\4e0d1.msp

c:\windows\Installer\4e0d2.msp

c:\windows\Installer\4e0d3.msp

c:\windows\Installer\4e0d4.msp

c:\windows\Installer\4e0d5.msp

c:\windows\kijebopu.scr

c:\windows\myqazijihu.bin

c:\windows\nezo.inf

c:\windows\ovecotada.bin

c:\windows\qahapac.reg

c:\windows\qakaz.vbs

c:\windows\selunu.inf

c:\windows\soxicyc.reg

c:\windows\system32\bisomasu.dll

c:\windows\system32\braviax.exe

c:\windows\system32\drivers\kbiwkmlkdqoown.sys

c:\windows\system32\drivers\kbiwkmrrdrsmej.sys

c:\windows\system32\iniasd.txt

c:\windows\system32\jisagade.dll

c:\windows\system32\kaju.pif

c:\windows\system32\kbiwkmbitwwwtw.dll

c:\windows\system32\kbiwkmdecbdwqe.dll

c:\windows\system32\kbiwkmeppxjtxo.dll

c:\windows\system32\kbiwkmfbmlirfv.dat

c:\windows\system32\kbiwkmfvdbarcc.dat

c:\windows\system32\kbiwkmkciybwuw.dll

c:\windows\system32\kbiwkmlrublxxh.dll

c:\windows\system32\kbiwkmvcrviqqt.dll

c:\windows\system32\mybabus.bat

c:\windows\system32\tizomahu.dll

c:\windows\system32\vbzlib1.dll

c:\windows\system32\wisdstr.exe

c:\windows\system32\wscsvc32.exe

c:\windows\system32\zehekilo.dll

c:\windows\ufyvycogo.bin

Infected copy of c:\windows\system32\drivers\beep.sys was found and disinfected

Restored copy from - c:\i386\BEEP.SYS

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected

Restored copy from - c:\windows\system32\dllcache\eventlog.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_kbiwkmpylwfaod

-------\Legacy_kbiwkmtepxgila

-------\Legacy_UACd.sys

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

-------\Service_kbiwkmpylwfaod

-------\Service_kbiwkmtepxgila

-------\Service_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-08-24 to 2009-09-24 )))))))))))))))))))))))))))))))

.

2009-09-24 01:31 . 2009-09-24 01:31 -------- d-----w- c:\windows\LastGood.Tmp

2009-09-24 01:11 . 2009-09-24 01:11 -------- d-----w- C:\found.000

2009-09-24 00:43 . 2009-09-24 00:43 -------- d-----w- c:\program files\Trend Micro

2009-09-23 20:56 . 2009-09-23 20:56 14885 ----a-w- c:\windows\dofamuti.com

2009-09-23 20:56 . 2009-09-23 20:56 13153 ----a-w- c:\windows\zebabemiku.com

2009-09-23 20:38 . 2009-09-23 20:38 15128 ----a-w- c:\documents and settings\TEMP\Local Settings\Application Data\qamic.dat

2009-09-22 20:46 . 2009-09-22 20:46 0 ----a-w- c:\documents and settings\TEMP\NTUSER.zip

2009-09-22 20:37 . 2009-09-22 20:37 185573 ----a-w- c:\documents and settings\Default User\NTUSER.zip

2009-09-22 18:53 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-22 18:53 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-21 20:33 . 2009-09-21 20:33 12328 ----a-w- c:\documents and settings\TEMP\Local Settings\Application Data\ylojerutet.dat

2009-09-21 18:01 . 2009-09-21 18:01 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-09-21 17:14 . 2009-09-21 17:14 -------- d-----w- c:\documents and settings\TEMP\Application Data\SUPERAntiSpyware.com

2009-09-21 17:13 . 2009-09-21 17:13 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-09-21 16:39 . 2009-09-22 20:10 -------- d-----w- C:\Malwarebytes' Anti-Malware

2009-09-20 19:42 . 2008-12-11 12:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2009-09-20 19:42 . 2009-08-19 15:01 86888 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2009-09-20 19:41 . 2009-09-21 22:41 -------- d-----w- c:\program files\Common Files\PC Tools

2009-09-20 19:40 . 2009-09-24 01:34 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-09-19 20:32 . 2009-09-20 03:32 -------- d--h--w- c:\windows\msdownld.tmp

2009-09-19 20:31 . 2009-09-22 22:14 -------- dc-h--w- c:\windows\ie8

2009-09-16 16:53 . 2009-09-16 16:53 -------- d-----w- c:\windows\system32\Adobe

2009-09-09 13:30 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll

2009-09-05 21:16 . 2009-09-05 21:16 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2009-09-02 20:59 . 2009-09-02 20:59 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2009-09-02 00:37 . 2009-09-02 00:37 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-09-02 00:32 . 2009-09-02 00:32 -------- d-sh--w- c:\documents and settings\TEMP\IECompatCache

2009-09-02 00:31 . 2009-09-02 00:31 -------- d-sh--w- c:\documents and settings\TEMP\PrivacIE

2009-09-02 00:28 . 2009-09-02 00:28 -------- d-sh--w- c:\documents and settings\TEMP\IETldCache

2009-09-02 00:23 . 2009-08-07 08:48 100352 ------w- c:\windows\system32\dllcache\iecompat.dll

2009-09-02 00:22 . 2009-07-03 17:09 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

2009-09-02 00:22 . 2009-07-03 17:09 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll

2009-08-28 13:41 . 2009-08-28 13:41 10510 ----a-w- c:\program files\Common Files\omyjev.dat

2009-08-28 00:30 . 2009-08-28 00:30 -------- d-----w- c:\documents and settings\TEMP\Application Data\Malwarebytes

2009-08-28 00:30 . 2009-08-28 00:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-08-28 00:30 . 2009-09-20 04:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-27 18:40 . 2008-04-14 00:12 32866 ----a-w- c:\windows\system32\dllcache\slrundll.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-23 20:56 . 2009-09-23 20:56 11781 ----a-w- c:\program files\Common Files\syvagoj._sy

2009-09-23 20:38 . 2009-09-23 20:38 18935 ----a-w- c:\program files\Common Files\qalawapo._sy

2009-09-23 20:38 . 2009-09-23 20:38 10445 ----a-w- c:\program files\Common Files\dimynugeqa.lib

2009-09-23 20:38 . 2009-09-23 20:38 10060 ----a-w- c:\program files\Common Files\zoco.db

2009-09-22 22:24 . 2005-06-16 13:48 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2009-09-22 19:37 . 2008-02-07 00:17 -------- d-----w- c:\program files\DVDFab Platinum 4

2009-09-22 19:37 . 2007-08-01 00:18 -------- d-----w- c:\documents and settings\TEMP\Application Data\Vso

2009-09-21 21:42 . 2005-02-18 18:24 -------- d-----w- c:\program files\Google

2009-09-21 04:54 . 2009-09-21 04:54 19724 ----a-w- c:\documents and settings\TEMP\Application Data\qenaco.dat

2009-09-21 04:54 . 2009-09-21 04:54 18525 ----a-w- c:\program files\Common Files\ekopimi.lib

2009-08-28 13:41 . 2009-08-28 13:41 12934 ----a-w- c:\program files\Common Files\eqecibemy.db

2009-08-28 13:41 . 2009-08-28 13:41 14315 ----a-w- c:\program files\Common Files\awes.lib

2009-08-25 04:31 . 2006-06-17 19:38 107936 ----a-w- c:\documents and settings\TEMP\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-21 16:09 . 2008-10-15 05:04 -------- d-----w- c:\program files\MSBuild

2009-08-21 16:08 . 2009-08-21 16:08 -------- d-----w- c:\program files\Reference Assemblies

2009-08-17 21:03 . 2005-01-10 20:33 -------- d-----w- c:\program files\Java

2009-08-17 03:58 . 2009-03-18 18:08 -------- d-----w- c:\documents and settings\TEMP\Application Data\mjusbsp

2009-08-14 10:58 . 2009-09-20 19:42 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat

2009-08-05 09:01 . 2004-08-04 11:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-01 22:16 . 2007-02-24 16:19 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-07-25 09:23 . 2009-03-05 20:43 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-07-17 19:01 . 2004-08-04 11:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 03:43 . 2004-08-04 11:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-03 17:09 . 2004-08-04 11:00 915456 ----a-w- c:\windows\system32\wininet.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"cdloader"="c:\documents and settings\TEMP\Application Data\mjusbsp\cdloader2.exe" [2009-08-01 50520]

"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2009-06-30 2836376]

"SUPERAntiSpyware"="G:\SUPERAntiSpyware.exe" [2009-09-15 1998576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-06-30 1388544]

"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]

"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-01-19 110592]

"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2006-01-19 11776]

"DLBXCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll" [2004-12-07 69632]

"dlbxmon.exe"="c:\program files\Dell Photo AIO Printer 962\dlbxmon.exe" [2005-01-18 425984]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-11-16 127035]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-12-14 282624]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-25 185896]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

c:\documents and settings\TEMP\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "G:\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 19:21 548352 ----a-w- G:\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Documents and Settings\\TEMP\\Application Data\\mjusbsp\\magicJack.exe"=

S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys --> c:\windows\system32\drivers\PCTCore.sys [?]

S1 SASDIFSV;SASDIFSV;G:\sasdifsv.sys [9/15/2009 11:42 AM 9968]

S1 SASKUTIL;SASKUTIL;G:\SASKUTIL.SYS [9/15/2009 11:42 AM 74480]

S3 MotDev;Motorola Inc. USB Device;c:\windows\SYSTEM32\DRIVERS\motodrv.sys [6/19/2008 12:16 AM 42112]

S3 SASENUM;SASENUM;G:\SASENUM.SYS [9/15/2009 11:42 AM 7408]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - BEEP

.

Contents of the 'Scheduled Tasks' folder

2005-01-18 c:\windows\Tasks\ISP signup reminder 1.job

- c:\windows\system32\OOBE\OOBEBALN.EXE [2004-08-04 00:12]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mStart Page = hxxp://www.google.com

mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000

Trusted Zone: musicmatch.com\online

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - hxxp://www.alwaysupdatednews.com/install/aun_0036.exe

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-PhotoShow Deluxe Media Manager - c:\progra~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe

HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

HKCU-Run-Protection System - c:\program files\Protection System\psystem.exe

HKLM-Run-MSKDetectorExe - c:\program files\McAfee\SpamKiller\MSKDetct.exe

HKLM-Run-!AVG Anti-Spyware - f:\avg anti-spyware 7.5\avgas.exe

HKLM-Run-Media Codec Update Service - f:\essentials codec pack\update.exe

HKU-Default-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

Notify-WgaLogon - (no file)

SafeBoot-AVG Anti-Spyware Driver

SafeBoot-mcmscsvc

SafeBoot-MCODS

AddRemove-Audacity_is1 - g:\audacity\unins000.exe

AddRemove-DVDFab Platinum_is1 - f:\dvdfab platinum 3\unins000.exe

AddRemove-Movkit Batch Video Converter_is1 - f:\movkit batch video converter\unins000.exe

AddRemove-VLC media player - f:\vlc\uninstall.exe

AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe

AddRemove-Windows Essentials Media Codec Pack - f:\essentials codec pack\uninst.exe

AddRemove-YouTubeGet_is1 - c:\youtubeget\unins000.exe

AddRemove-{347362FC-2826-4EDB-B1E3-FC55900CA632}_is1 - f:\hj-split\unins000.exe

AddRemove-{7A5AE924-83A4-47AB-BDB6-6BF534BC9E12}_is1 - g:\nidesoft video converter 2\unins000.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-23 21:34

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

DLBXCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16??????????????????????????????????????????????????????????????????????????????????????

?????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3564163255-4232285275-1735309245-1006\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\WPAEvents]

@Denied: (Full) (LocalSystem)

"OOBETimer"=hex:ff,d5,71,d6,8b,6a,8d,6f,d5,33,93,fd

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(756)

G:\SASWINLO.dll

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2644)

c:\windows\system32\WININET.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Java\jre6\bin\jqs.exe

c:\progra~1\MUSICM~1\MUSICM~3\MMDiag.exe

c:\program files\MUSICMATCH\Musicmatch Jukebox\mim.exe

c:\windows\SYSTEM32\dlbxcoms.exe

c:\windows\SYSTEM32\wscntfy.exe

c:\program files\Real\RealPlayer\realplay.exe

.

**************************************************************************

.

Completion time: 2009-09-24 21:39 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-24 01:39

Pre-Run: 8,191,905,792 bytes free

Post-Run: 8,209,207,296 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

362

And here is the malware log.

Malwarebytes' Anti-Malware 1.41

Database version: 2775

Windows 5.1.2600 Service Pack 3

9/23/2009 9:54:38 PM

mbam-log-2009-09-23 (21-54-24).txt

Scan type: Quick Scan

Objects scanned: 137948

Time elapsed: 11 minute(s), 9 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> No action taken.

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\All Users\Desktop\Protection System Support.lnk (Rogue.Link) -> No action taken.

C:\WINDOWS\SYSTEM32\DLLCACHE\beep.sys (Fake.Beep.sys) -> No action taken.

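The three logs above carry the indicators a responder would pull out by hand: Win32kDiag lists dozens of mount points under C:\WINDOWS that all resolve to the same non-volume target `\Device\__max++>\^`; ComboFix shows Security Center notifications silenced and the XP firewall turned off; and the deletion list is full of loose .exe/.com/.scr/.pif/.vbs files dropped straight into Cookies, Application Data and Documents. The script below is an added example (not part of vishthom's post, and not code from Win32kDiag, ComboFix or Malwarebytes) that runs those three checks over a constructed sample of log lines in the same shape. The benign junction `C:\Junction\Example -> \??\C:\Target` in the sample is made up as a control; the rest is adapted from the lines above.

```python
"""Triage helper for Win32kDiag / ComboFix style logs (added example; not from the
post and not code from Win32kDiag, ComboFix or Malwarebytes). It extracts:
  1. mount points whose destination is not a normal volume path,
  2. registry values that silence Security Center or turn the firewall off,
  3. executable/script files sitting directly in user-data folders."""
import re

# Constructed sample: lines adapted from the logs in the post, plus one benign
# junction (C:\Junction\Example -> \??\C:\Target) made up as a control.
SAMPLE_LOG = r"""
Found mount point : C:\WINDOWS\Cache\Cache
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Minidump\Minidump
Mount point destination : \Device\__max++>\^
Found mount point : C:\Junction\Example
Mount point destination : \??\C:\Target
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
c:\documents and settings\All Users\Application Data\icofumoqe.exe
c:\documents and settings\TEMP\Cookies\nupoxirax.com
c:\documents and settings\TEMP\Application Data\mjusbsp\cdloader2.exe
c:\windows\system32\drivers\mbam.sys
"""

MOUNT_RE = re.compile(r"^Found mount point : (?P<src>.+)$")
DEST_RE = re.compile(r"^Mount point destination : (?P<dst>.+)$")
VOLUME_PATH_RE = re.compile(r"^\\\?\?\\[A-Za-z]:\\")  # \??\C:\... is a normal junction target
REG_KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<dword>dword:)?(?P<val>[0-9a-fA-F]+)')
PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Value name -> setting that means alerts are silenced or protection is off.
WEAK_SETTINGS = {"UpdatesDisableNotify": 1, "FirewallDisableNotify": 1,
                 "AntiVirusDisableNotify": 1, "DisableMonitoring": 1, "EnableFirewall": 0}
EXEC_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".vbs", ".dll", ".sys"}
DATA_DIRS = {"cookies", "temporary internet files", "application data", "documents"}


def suspicious_mount_points(lines):
    """Pair each 'Found mount point' line with the destination line after it and
    keep pairs whose target is not \\??\\<drive>:\\... (a bare \\Device\\ name with
    no volume behind it is not something Windows sets up under C:\\WINDOWS)."""
    hits, src = [], None
    for line in lines:
        m = MOUNT_RE.match(line)
        if m:
            src = m.group("src")
            continue
        m = DEST_RE.match(line)
        if m and src is not None:
            if not VOLUME_PATH_RE.match(m.group("dst")):
                hits.append((src, m.group("dst")))
            src = None
    return hits


def weakened_security_settings(lines):
    """Return (key, value_name, value) for registry data that disables Security
    Center notifications or the XP firewall, as ComboFix and MBAM report above."""
    hits, key = [], None
    for line in lines:
        m = REG_KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = REG_VALUE_RE.match(line)
        if not m:
            continue
        value = int(m.group("val"), 16 if m.group("dword") else 10)
        if m.group("name") in WEAK_SETTINGS and value == WEAK_SETTINGS[m.group("name")]:
            hits.append((key, m.group("name"), value))
    return hits


def executables_in_data_dirs(lines):
    """Flag executable/script files whose parent folder is a data folder. Real
    software installs into its own subfolder (cdloader2.exe under mjusbsp\\ passes);
    loose executables dropped straight into Cookies or Application Data do not."""
    hits = []
    for line in lines:
        path = line.strip()
        if not PATH_RE.match(path):
            continue
        parts = path.lower().split("\\")
        name, parent = parts[-1], parts[-2]
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in EXEC_EXTS and parent in DATA_DIRS:
            hits.append(path)
    return hits


def triage(text):
    """Run all three checks over raw log text and return the findings."""
    lines = [l.strip() for l in text.splitlines()]
    return {"mount_points": suspicious_mount_points(lines),
            "weakened_settings": weakened_security_settings(lines),
            "data_dir_executables": executables_in_data_dirs(lines)}


if __name__ == "__main__":
    for section, findings in triage(SAMPLE_LOG).items():
        print(f"== {section} ({len(findings)})")
        for f in findings:
            print("  ", f)
```

The mount-point check deliberately flags on the shape of the destination rather than on the literal `__max++>` string, so it would also catch a different stealth target; the registry check only recognises the value names that actually appear in the logs above plus the two sibling Security Center notify flags.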

  • Root Admin

You didn't tell MBAM to remove it. You need to tell MBAM to remove it. Please follow the directions below.

STEP 01

Update and Scan with Malwarebytes' Anti-Malware

  • Start Malwarebytes' Anti-Malware (Vista users must right-click and choose Run as Administrator)
  • Please DO NOT run MBAM in Safe Mode unless requested to; you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware:
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new HijackThis log.

STEP 02

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  2. During the download, rename Combofix to Combo-Fix as follows:

    [screenshots in the original post: the Firefox download dialog and the rename step]

  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
  • Please do not attempt to re-connect your machine to the Internet until Combofix has completely finished.
  • If there is no Internet connection after running Combofix, then restart your computer to restore your connection.

-----------------------------------------------------------

  7. Double click on Combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

If this doesn't work either, try the same method as above, but rename Combofix.exe to iexplore.exe or winlogon.exe instead.

This is because it also happens in some cases that malware blocks EVERY process except what is in its own whitelist, and this whitelist also includes important system processes such as iexplore.exe, explorer.exe and winlogon.exe.

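The admin's first point is that every detection in the pasted MBAM log ends in "-> No action taken.", so nothing was actually removed. As an added example (not part of the reply above and not Malwarebytes' own code), the parser below reads a log in that format, cross-checks the summary counts against the per-item lines, and lists the detections that still need Remove Selected. The sample log is constructed in the shape of the MBAM 1.41 output above; the one item marked "Quarantined and deleted successfully" is made up to show the contrast.

```python
"""Check an MBAM 1.x log for detections that were never removed (added example,
not from the post and not Malwarebytes' code)."""
import re

# Constructed sample in the shape of the MBAM log pasted above; the Rogue.Link
# entry is invented as a removed item so both outcomes appear.
SAMPLE_MBAM_LOG = r"""
Malwarebytes' Anti-Malware 1.41
Database version: 2775
Scan type: Quick Scan
Memory Processes Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> No action taken.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
Files Infected:
C:\Documents and Settings\All Users\Desktop\Protection System Support.lnk (Rogue.Link) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DLLCACHE\beep.sys (Fake.Beep.sys) -> No action taken.
"""

# "Files Infected: 2" style summary lines (the bare "Files Infected:" headers have no count).
SUMMARY_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected): (?P<count>\d+)$")
# "<item> (<detection family>)" as it appears before the first " -> ".
FAMILY_RE = re.compile(r"^(?P<item>.+) \((?P<family>[^()]+)\)$")


def parse_mbam_log(text):
    """Return (reported_total, detections); detections are (item, family, action).
    Registry data items carry an extra 'Bad: (1) Good: (0) ->' segment, so the
    action is always the last ' -> ' segment of the line."""
    reported, detections = 0, []
    for raw in text.splitlines():
        line = raw.strip()
        m = SUMMARY_RE.match(line)
        if m:
            reported += int(m.group("count"))
            continue
        if " -> " not in line:
            continue
        parts = line.split(" -> ")
        m = FAMILY_RE.match(parts[0])
        if m:
            detections.append((m.group("item"), m.group("family"), parts[-1].rstrip(".")))
    return reported, detections


def untreated_detections(text):
    """Detections whose recorded action is 'No action taken': still present on disk
    or in the registry, exactly the state of every entry in the log above."""
    return [d for d in parse_mbam_log(text)[1] if d[2] == "No action taken"]


def log_is_consistent(text):
    """True when the summary counts add up to the number of per-item lines parsed."""
    reported, detections = parse_mbam_log(text)
    return reported == len(detections)


if __name__ == "__main__":
    print("summary matches items:", log_is_consistent(SAMPLE_MBAM_LOG))
    for item, family, _ in untreated_detections(SAMPLE_MBAM_LOG):
        print("still present:", family, "->", item)
```

Running this over a freshly posted log after the steps above should return an empty list; any entry it still prints was checked off or failed to quarantine and belongs in the next reply.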