
Mbam.exe instantly deleted on install



I booted my computer this morning only to find a very annoying trojan installed. Malwarebytes had been deleted and I could not open most programs, and Ctrl+Alt+Delete would not function. I booted into safe mode and tried reinstalling Malwarebytes. It was still deleting the file. I changed the name of the install program and very quickly renamed mbam.exe. It ran through and deleted a few items and rebooted. My computer seems to be running fine, but I cannot reinstall Malwarebytes. I ran the renamed exe again and it found nothing but a Security Center notification thing. I have also installed and run Avira per the instructions.

Malwarebytes' Anti-Malware 1.41

Database version: 2775

Windows 5.1.2600 Service Pack 3

10/5/2009 1:41:05 PM

mbam-log-2009-10-05 (13-41-05).txt

Scan type: Full Scan (C:\|)

Objects scanned: 178062

Time elapsed: 25 minute(s), 10 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

********************************

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:42:37 PM, on 10/5/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\PowerISO\PWRISOVM.EXE

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE

O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [0399020479] C:\Documents and Settings\Ashley\Application Data\0399020479\0399020479.exe

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware1\mbam4f.exe" /runcleanupscript

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1231256121171

O17 - HKLM\System\CCS\Services\Tcpip\..\{2339E83C-604F-4D8A-A95A-DB7CB6EC748C}: NameServer = 66.255.85.8,66.255.85.9

O20 - AppInit_DLLs: topowete.dll c:\windows\system32\gaganome.dll

O21 - SSODL: lenitisuj - {56bc3655-b1ce-48a9-a45e-9bfb0a63ef29} - c:\windows\system32\gaganome.dll (file missing)

O22 - SharedTaskScheduler: mujuzedij - {56bc3655-b1ce-48a9-a45e-9bfb0a63ef29} - c:\windows\system32\gaganome.dll (file missing)

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--

End of file - 6988 bytes

Thanks,

Ash

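The HijackThis log above mixes the Vundo loader entries (O20 AppInit_DLLs, O21 SSODL, O22 SharedTaskScheduler, the numeric O4 Run entry) in with ordinary vendor entries. As an added example that is not part of this thread, the Python script below runs a simple triage over a handful of lines copied from that log: it flags the loader sections, any entry whose file is reported missing, and module names that match the pattern the malware in this thread uses (eight letters strictly alternating consonant and vowel, or an all-digit directory name). Treating those name patterns as suspicious is an assumption made for this example, not a vendor signature, and AppInit_DLLs being empty on a clean install is the baseline the check assumes.

```python
import re

# Lines copied from the HijackThis log posted in this thread; malware entries sit
# next to ordinary vendor entries, which is exactly what a triage pass has to separate.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [0399020479] C:\Documents and Settings\Ashley\Application Data\0399020479\0399020479.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O20 - AppInit_DLLs: topowete.dll c:\windows\system32\gaganome.dll
O21 - SSODL: lenitisuj - {56bc3655-b1ce-48a9-a45e-9bfb0a63ef29} - c:\windows\system32\gaganome.dll (file missing)
O22 - SharedTaskScheduler: mujuzedij - {56bc3655-b1ce-48a9-a45e-9bfb0a63ef29} - c:\windows\system32\gaganome.dll (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Heuristic assumption for this example: the DLL/EXE names in this thread's logs
# (topowete, gaganome, vopezuyu, gomuzidi, ...) are eight letters that strictly
# alternate consonant/vowel, and the rogue dropper directories are 8-10 digit numbers.
CV_NAME = re.compile(r'^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}$')
DIGIT_NAME = re.compile(r'^\d{8,10}$')

# Pulls "stem.ext" out of a bare module name or a full path (paths with spaces
# still yield the final file name because the optional drive prefix fails to match).
MODULE_RE = re.compile(r'(?i)(?:[a-z]:\\[^\s"]*?\\)?([a-z0-9_]+)\.(dll|exe)\b')

# AppInit_DLLs is mapped into every process that loads user32.dll; SSODL and
# SharedTaskScheduler entries are loaded by explorer.exe at logon. On a clean XP
# install AppInit_DLLs is empty, so anything there deserves a look.
LOADER_SECTIONS = {
    'O20': 'AppInit_DLLs',
    'O21': 'ShellServiceObjectDelayLoad',
    'O22': 'SharedTaskScheduler',
}


def looks_generated(stem: str) -> bool:
    """True when a file or directory name matches the generated-name patterns above."""
    s = stem.lower()
    return bool(CV_NAME.match(s) or DIGIT_NAME.match(s))


def triage(log_text: str) -> list:
    """Return one dict per suspicious HijackThis line: section, the line, and why."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line.split(' - ', 1)[0]
        reasons = []
        if section in LOADER_SECTIONS:
            reasons.append(f'{LOADER_SECTIONS[section]} entry (a loader key abused by Vundo)')
        if '(file missing)' in line:
            reasons.append('referenced file is missing (deleted or renamed, but still registered)')
        for stem, ext in MODULE_RE.findall(line):
            if looks_generated(stem):
                reasons.append(f'generated-looking name {stem}.{ext.lower()}')
        if reasons:
            findings.append({'section': section, 'line': line, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for finding in triage(SAMPLE_HJT_LOG):
        print(finding['section'], '|', finding['line'])
        for reason in finding['reasons']:
            print('    -', reason)
```

Run against the sample it reports the numeric O4 entry and the three O20/O21/O22 lines and stays quiet on the Intel, Avira and Bonjour entries. The "(file missing)" case matters here: the DLL on disk was already quarantined by Avira, but the registry still points at it, which is why HijackThis keeps listing it after each cleanup.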

I bumped into the same problem today. That stupid thing deletes mbam.exe on access. You need a copy of mbam.exe with a different name (e.g. m.exe). Since mine was already deleted, I had to jump through the hoops to snag a fresh copy of mbam.exe while Malwarebytes was installing (using a Perl script). After getting a copy of mbam.exe with a different name, cleanup worked fine.

#!/usr/bin/perl
use strict;
use warnings;
use File::Copy qw(copy);

# Run this from the Malwarebytes install directory while the installer is going.
# It spins as fast as possible so it catches mbam.exe in the short window between
# the installer writing it and the malware deleting it, and copies it to m.exe.
for (;;) {
    if (-x 'mbam.exe' && !(-x 'm.exe')) {
        copy('mbam.exe', 'm.exe') or warn "copy failed: $!\n";
    }
}


Just an update. Came into work and found that Avira had prevented some things from running.

10/6/2009 8:39 [Guard] Malware found

Virus or unwanted program 'TR/Vundo.Gen2 [trojan]'

detected in file 'C:\WINDOWS\system32\malesiba.dll.

Action performed: Move file to quarantine

10/6/2009 8:39 [Guard] Malware found

Virus or unwanted program 'TR/Vundo.Gen2 [trojan]'

detected in file 'C:\WINDOWS\system32\malesiba.dll.

Action performed: Move file to quarantine

10/6/2009 8:39 [Guard] Malware found

Virus or unwanted program 'TR/Vundo.Gen2 [trojan]'

detected in file 'C:\WINDOWS\system32\yogeledo.dll.

Action performed: Move file to quarantine

Ran Malwarebytes again:

Malwarebytes' Anti-Malware 1.41

Database version: 2775

Windows 5.1.2600 Service Pack 3

10/6/2009 9:42:23 AM

mbam-log-2009-10-06 (09-42-22).txt

Scan type: Quick Scan

Objects scanned: 84631

Time elapsed: 3 minute(s), 52 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Another update. Avira did its daily scan and found more Vundo crap, and I still get the occasional web pop-up.

Avira AntiVir Personal

Report file date: Tuesday, October 06, 2009 12:40

Scanning for 1780400 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows XP

Windows version : (Service Pack 3) [5.1.2600]

Boot mode : Normally booted

Username : SYSTEM

Computer name : ASH01

Version information:

BUILD.DAT : 9.0.0.410 18074 Bytes 9/25/2009 11:56:00

AVSCAN.EXE : 9.0.3.7 466689 Bytes 7/21/2009 18:36:14

AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 15:58:24

LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 16:35:49

LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 15:58:52

ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 17:30:36

ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 6/24/2009 14:21:42

ANTIVIR2.VDF : 7.1.6.50 4333568 Bytes 9/29/2009 16:10:13

ANTIVIR3.VDF : 7.1.6.80 320512 Bytes 10/6/2009 16:33:23

Engineversion : 8.2.1.33

AEVDF.DLL : 8.1.1.2 106867 Bytes 10/5/2009 16:20:45

AESCRIPT.DLL : 8.1.2.35 483707 Bytes 10/5/2009 16:20:42

AESCN.DLL : 8.1.2.5 127346 Bytes 10/5/2009 16:20:32

AERDL.DLL : 8.1.3.2 479604 Bytes 10/5/2009 16:20:29

AEPACK.DLL : 8.2.0.0 422261 Bytes 10/5/2009 16:20:20

AEOFFICE.DLL : 8.1.0.38 196987 Bytes 7/23/2009 14:59:39

AEHEUR.DLL : 8.1.0.166 2003319 Bytes 10/5/2009 16:20:07

AEHELP.DLL : 8.1.7.0 237940 Bytes 10/5/2009 16:19:25

AEGEN.DLL : 8.1.1.67 364916 Bytes 10/5/2009 16:19:20

AEEMU.DLL : 8.1.1.0 393587 Bytes 10/5/2009 16:15:52

AECORE.DLL : 8.1.8.1 184693 Bytes 10/5/2009 16:15:48

AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 19:32:40

AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 13:47:59

AVPREF.DLL : 9.0.3.0 44289 Bytes 10/6/2009 16:37:40

AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 19:34:28

AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 15:32:09

AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 20:05:41

AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 15:37:08

SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 20:03:49

SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 13:21:33

NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 15:32:10

RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 20:39:58

RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 15:19:48

Configuration settings for the scan:

Jobname.............................: Local Hard Disks

Configuration file..................: C:\Program Files\Avira\AntiVir Desktop\alldiscs.avp

Logging.............................: low

Primary action......................: interactive

Secondary action....................: ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Boot sectors........................: C:,

Process scan........................: on

Scan registry.......................: on

Search for rootkits.................: on

Integrity checking of system files..: off

Scan all files......................: All files

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: medium

Start of the scan: Tuesday, October 06, 2009 12:40

Starting search for hidden objects.

'36076' objects were checked, '0' hidden objects were found.

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'avnotify.exe' - '1' Module(s) have been scanned

Scan process 'TweetDeck.exe' - '1' Module(s) have been scanned

Scan process 'R8win.exe' - '1' Module(s) have been scanned

Scan process 'R8win.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'alg.exe' - '1' Module(s) have been scanned

Scan process 'iPodService.exe' - '1' Module(s) have been scanned

Scan process 'FNPLicensingService.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned

Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'ctfmon.exe' - '1' Module(s) have been scanned

Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned

Scan process 'acrotray.exe' - '1' Module(s) have been scanned

Scan process 'PWRISOVM.EXE' - '1' Module(s) have been scanned

Scan process 'smax4pnp.exe' - '1' Module(s) have been scanned

Scan process 'igfxpers.exe' - '1' Module(s) have been scanned

Scan process 'hkcmd.exe' - '1' Module(s) have been scanned

Scan process 'spoolsv.exe' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

34 processes with 34 modules were scanned

Starting master boot sector scan:

Master boot sector HD0

[INFO] No virus was found!

Master boot sector HD1

[INFO] No virus was found!

Start scanning boot sectors:

Boot sector 'C:\'

[INFO] No virus was found!

Starting to scan executable files (registry).

The registry was scanned ( '55' files ).

Starting the file scan:

Begin scan in 'C:\'

C:\pagefile.sys

[WARNING] The file could not be opened!

[NOTE] This file is a Windows system file.

[NOTE] This file cannot be opened for scanning.

C:\System Volume Information\_restore{5F15AB98-1A68-4626-9537-B84F00E86DC3}\RP281\A0022205.exe

[DETECTION] Is the TR/FraudPack.vdt Trojan

C:\System Volume Information\_restore{5F15AB98-1A68-4626-9537-B84F00E86DC3}\RP282\A0022253.dll

[DETECTION] Is the TR/Vundo.Gen2 Trojan

C:\System Volume Information\_restore{5F15AB98-1A68-4626-9537-B84F00E86DC3}\RP282\A0022254.dll

[DETECTION] Is the TR/Vundo.Gen2 Trojan

C:\WINDOWS\system32\nelovigu.exe

[DETECTION] Is the TR/FraudPack.vdt Trojan

C:\WINDOWS\system32\pihemova.exe

[DETECTION] Is the TR/FraudPack.vdt Trojan

Beginning disinfection:

C:\System Volume Information\_restore{5F15AB98-1A68-4626-9537-B84F00E86DC3}\RP281\A0022205.exe

[DETECTION] Is the TR/FraudPack.vdt Trojan

[NOTE] The file was moved to '4afb7e07.qua'!

C:\System Volume Information\_restore{5F15AB98-1A68-4626-9537-B84F00E86DC3}\RP282\A0022253.dll

[DETECTION] Is the TR/Vundo.Gen2 Trojan

[NOTE] The file was moved to '4b4ca968.qua'!

C:\System Volume Information\_restore{5F15AB98-1A68-4626-9537-B84F00E86DC3}\RP282\A0022254.dll

[DETECTION] Is the TR/Vundo.Gen2 Trojan

[NOTE] The file was moved to '4b4298f8.qua'!

C:\WINDOWS\system32\nelovigu.exe

[DETECTION] Is the TR/FraudPack.vdt Trojan

[NOTE] The file was moved to '4b377e3c.qua'!

C:\WINDOWS\system32\pihemova.exe

[DETECTION] Is the TR/FraudPack.vdt Trojan

[NOTE] The file was moved to '4b337e40.qua'!

End of the scan: Tuesday, October 06, 2009 13:26

Used time: 24:47 Minute(s)

The scan has been done completely.

9286 Scanned directories

275915 Files were scanned

5 Viruses and/or unwanted programs were found

0 Files were classified as suspicious

0 files were deleted

0 Viruses and unwanted programs were repaired

5 Files were moved to quarantine

0 Files were renamed

1 Files cannot be scanned

275909 Files not concerned

1480 Archives were scanned

1 Warnings

6 Notes

36076 Objects were scanned with rootkit scan

0 Hidden objects were found


Update. Ran another scan at lunch and lots of stuff still popping up.

Malwarebytes' Anti-Malware 1.41

Database version: 2921

Windows 5.1.2600 Service Pack 3

10/7/2009 2:04:42 PM

mbam-log-2009-10-07 (14-04-42).txt

Scan type: Quick Scan

Objects scanned: 88378

Time elapsed: 7 minute(s), 3 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 1

Registry Values Infected: 3

Registry Data Items Infected: 3

Folders Infected: 1

Files Infected: 8

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\vopezuyu.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{707b6433-f96d-4f35-8cfe-98d2f159c710} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeherasol (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{707b6433-f96d-4f35-8cfe-98d2f159c710} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\balegapuz (Trojan.Vundo.H) -> Delete on reboot.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\vopezuyu.dll -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\vopezuyu.dll -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

C:\Documents and Settings\All Users\Application Data\84171728 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:

c:\WINDOWS\system32\vopezuyu.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\wikugayi.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\topowete.dll.tmp (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\jiyotaro.dll.tmp (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\kuhahavo.exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\84171728\84171728.bat (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\84171728\84171728.exe (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\jivabefu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

*****

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:07:59 PM, on 10/7/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Program Files\PowerISO\PWRISOVM.EXE

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE

O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware1\mbam4f.exe" /runcleanupscript

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1231256121171

O17 - HKLM\System\CCS\Services\Tcpip\..\{2339E83C-604F-4D8A-A95A-DB7CB6EC748C}: NameServer = 66.255.85.8,66.255.85.9

O20 - AppInit_DLLs: c:\windows\system32\gaganome.dll fijeriki.dll

O21 - SSODL: lenitisuj - {56bc3655-b1ce-48a9-a45e-9bfb0a63ef29} - c:\windows\system32\gaganome.dll (file missing)

O22 - SharedTaskScheduler: mujuzedij - {56bc3655-b1ce-48a9-a45e-9bfb0a63ef29} - c:\windows\system32\gaganome.dll (file missing)

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--

End of file - 6119 bytes


I just don't know what to do. The instructions say to wait and not install anything else, but this thing is eating up my computer. I'll scan and find 13 infected items and fix them. The next couple of scans are clear, but they pop right back up. I still can't install mbam.exe normally. Thankfully I was able to catch an mbam.exe quickly enough one time to change the name, so I can at least run the program.

My most current scans:

Malwarebytes' Anti-Malware 1.41

Database version: 2775

Windows 5.1.2600 Service Pack 3

10/9/2009 8:32:50 AM

mbam-log-2009-10-09 (08-32-50).txt

Scan type: Quick Scan

Objects scanned: 85105

Time elapsed: 4 minute(s), 57 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 1

Registry Values Infected: 4

Registry Data Items Infected: 2

Folders Infected: 1

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

c:\WINDOWS\system32\gomuzidi.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{7a99f983-a2f2-4a83-a784-e94899697a37} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeherasol (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\07918631 (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{7a99f983-a2f2-4a83-a784-e94899697a37} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\tubuworoy (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\gomuzidi.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\gomuzidi.dll -> Quarantined and deleted successfully.

Folders Infected:

C:\Documents and Settings\All Users\Application Data\07918631 (Rogue.Multiple) -> Delete on reboot.

Files Infected:

c:\WINDOWS\system32\gomuzidi.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\Documents and Settings\All Users\Application Data\07918631\07918631.exe (Trojan.FakeAlert.H) -> Delete on reboot.

C:\WINDOWS\system32\dogejuhu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

*****

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:34:10 AM, on 10/9/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Program Files\PowerISO\PWRISOVM.EXE

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE

O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware1\mbam4f.exe" /runcleanupscript

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1231256121171

O17 - HKLM\System\CCS\Services\Tcpip\..\{2339E83C-604F-4D8A-A95A-DB7CB6EC748C}: NameServer = 66.255.85.8,66.255.85.9

O20 - AppInit_DLLs: c:\windows\system32\gaganome.dll fijeriki.dll

O21 - SSODL: lenitisuj - {56bc3655-b1ce-48a9-a45e-9bfb0a63ef29} - c:\windows\system32\gaganome.dll (file missing)

O22 - SharedTaskScheduler: mujuzedij - {56bc3655-b1ce-48a9-a45e-9bfb0a63ef29} - c:\windows\system32\gaganome.dll (file missing)

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--

End of file - 6033 bytes

Thanks,

Ash


Please help!!

It's been a week since I put up this topic and my computer is still a mess. Friday I ran Malwarebytes 3 times on full scan (still from the name-altered exe) and it found zero items. I came into work this morning, turned on my computer, and it had been infected again. Ran mbam and it found 25 different things. Once my computer restarted I was able to update mbam and ran it again. 16 items found this time.

Malwarebytes' Anti-Malware 1.41

Database version: 2945

Windows 5.1.2600 Service Pack 3

10/12/2009 8:57:28 AM

mbam-log-2009-10-12 (08-57-28).txt

Scan type: Quick Scan

Objects scanned: 88760

Time elapsed: 3 minute(s), 50 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 1

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 12

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_USERS\.DEFAULT\SOFTWARE\Windows Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Windows Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeherasol (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (C:\WINDOWS\system32\pump.exe "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\pananini.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\fihanuna.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\pump.exe (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\rijilutu.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\duyojaye.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\jogejase.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\yakiyetu.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\kuronuju.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\nuar.old (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\skynet.dat (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\wf3.dat (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\wf4.dat (Malware.Trace) -> Quarantined and deleted successfully.

****

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:59:14 AM, on 10/12/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Program Files\PowerISO\PWRISOVM.EXE

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE

O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware1\mbam4f.exe" /runcleanupscript

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1231256121171

O17 - HKLM\System\CCS\Services\Tcpip\..\{2339E83C-604F-4D8A-A95A-DB7CB6EC748C}: NameServer = 66.255.85.8,66.255.85.9

O20 - AppInit_DLLs: c:\windows\system32\gaganome.dll wayolelu.dll c:\windows\system32\riropefu.dll

O21 - SSODL: lenitisuj - {56bc3655-b1ce-48a9-a45e-9bfb0a63ef29} - c:\windows\system32\gaganome.dll (file missing)

O21 - SSODL: legalemin - {404beca4-5746-47c4-8f6f-793e2968d394} - c:\windows\system32\riropefu.dll (file missing)

O22 - SharedTaskScheduler: mujuzedij - {56bc3655-b1ce-48a9-a45e-9bfb0a63ef29} - c:\windows\system32\gaganome.dll (file missing)

O22 - SharedTaskScheduler: mujuzedij - {404beca4-5746-47c4-8f6f-793e2968d394} - c:\windows\system32\riropefu.dll (file missing)

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--

End of file - 6310 bytes

Ashley


Welcome to Malwarebytes!!!!! :)

Download Combofix from this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double-click on combofix.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note:

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


I ran ComboFix and it deleted several things, but I was unable to get on the internet afterward. Somehow it made my ethernet card stop working. In order to get my computer to work correctly I had to use a System Restore point. Repeat 3 times. Did I do something wrong?


OK, I ran ComboFix again. It seems to fix things, as I can install mbam.exe again, but I cannot get on the internet. I tried to repair the Local Area Connection but it failed because it said it could not find the TCP/IP information. I had assumed ComboFix was accidentally deleting the driver to my Ethernet card, so when I went into the Device Manager I found two items had popped up under network adapters.

See attached picture.

It said something had changed in the registry, not allowing them to run. Sadly I know very little about computers, so I wasn't able to fix the internet issue. I had to use a System Restore again to fix it.

Here is the Combo log even though it has now been changed back.

ComboFix 09-10-12.03 - Ashley 10/13/2009 9:15.1.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.1096 [GMT -4:00]

Running from: c:\documents and settings\Ashley\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\bezuziso.dll

c:\windows\system32\buhepine.dll

c:\windows\system32\drivers\ndisrd.sys

c:\windows\system32\lasobemo.dll

c:\windows\system32\lidegifu.dll

c:\windows\system32\movisebo.dll

c:\windows\system32\nokihino.dll

c:\windows\system32\schtml

c:\windows\system32\sivepena.dll

c:\windows\system32\tenogapa.dll

c:\windows\system32\venabiki.dll

c:\windows\system32\yaponema.dll

c:\windows\system32\zafufovi.dll

c:\windows\system32\zamogudi.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_ANTIPOL

-------\Service_ndisrd

((((((((((((((((((((((((( Files Created from 2009-09-13 to 2009-10-13 )))))))))))))))))))))))))))))))

.

2009-10-12 16:45 . 2009-10-12 16:45 -------- d-----w- c:\windows\system32\wbem\Repository

2009-10-12 16:45 . 2009-10-12 16:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-10-12 16:44 . 2009-10-12 16:44 -------- d-----w- c:\program files\Avira

2009-10-12 16:42 . 2009-10-12 16:44 -------- d-----w- c:\program files\Avira(2)

2009-10-12 16:42 . 2009-10-12 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira(2)

2009-10-12 16:26 . 2009-10-12 16:45 -------- d-----w- C:\cmdcons(2)

2009-10-12 16:25 . 2009-10-12 16:45 -------- d-----w- C:\Qoobox(2)

2009-10-12 15:41 . 2009-10-12 16:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware(2)

2009-10-12 15:33 . 2009-10-12 16:45 -------- d-----w- C:\RECYCLER(2)

2009-10-08 14:07 . 2009-10-08 14:07 -------- d-----w- c:\program files\Google

2009-10-06 14:23 . 2009-10-06 14:23 -------- d-----w- c:\program files\TweetDeck

2009-10-05 17:42 . 2009-10-05 17:42 -------- d-----w- c:\program files\Trend Micro

2009-10-05 16:00 . 2009-07-28 20:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-10-05 14:34 . 2009-10-05 14:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware1

2009-09-30 13:58 . 2009-09-30 13:58 -------- d-----w- c:\program files\Microsoft Silverlight

2009-09-23 14:14 . 2009-09-23 14:15 -------- d-----w- c:\documents and settings\Ashley\Application Data\wootalyzer

2009-09-23 14:13 . 2009-09-23 14:13 -------- d-----w- c:\program files\Wootalyzer

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-13 13:11 . 2009-01-06 16:23 -------- d-----w- c:\program files\Mozilla Thunderbird

2009-10-06 14:34 . 2009-04-20 13:12 -------- d-----w- c:\program files\Common Files\Adobe AIR

2009-09-18 10:21 . 2009-01-07 08:09 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet

2009-09-10 18:54 . 2009-07-23 13:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-10 18:53 . 2009-07-23 13:28 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-05 09:01 . 2004-08-12 13:23 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-17 19:01 . 2004-08-12 13:17 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-06 13:51 . 2009-07-06 13:51 52224 --sha-w- c:\windows\system32\bazisomi.dll.tmp

2009-07-12 00:27 . 2009-07-12 00:27 87552 --sha-w- c:\windows\system32\bumobova.dll

2009-07-06 13:50 . 2009-07-06 13:50 52224 --sha-w- c:\windows\system32\dafamupu.dll

2009-07-07 01:51 . 2009-07-07 01:51 51200 --sha-w- c:\windows\system32\fijeriki.dll.tmp

2009-07-06 13:51 . 2009-07-06 13:51 52224 --sha-w- c:\windows\system32\gibavufe.dll.tmp

2009-07-07 01:50 . 2009-07-07 01:50 51200 --sha-w- c:\windows\system32\jehavomu.dll

2009-07-10 00:26 . 2009-07-10 00:26 88576 --sha-w- c:\windows\system32\kiyoheze.dll

2009-07-06 13:51 . 2009-07-06 13:51 52224 --sha-w- c:\windows\system32\mezatapu.dll.tmp

2009-07-07 01:51 . 2009-07-07 01:51 51200 --sha-w- c:\windows\system32\niwalezu.dll.tmp

2009-07-10 12:26 . 2009-07-10 12:26 88576 --sha-w- c:\windows\system32\nomukipo.dll

2009-07-10 00:26 . 2009-07-10 00:26 51200 --sha-w- c:\windows\system32\pepunelo.dll

2009-07-11 12:26 . 2009-07-11 12:26 88064 --sha-w- c:\windows\system32\pitizudi.dll

2009-07-13 12:41 . 2009-07-13 12:41 51200 --sha-w- c:\windows\system32\seduvumo.dll

2009-07-11 00:26 . 2009-07-11 00:26 87552 --sha-w- c:\windows\system32\wawumive.dll

2009-07-06 13:50 . 2009-07-06 13:50 89088 --sha-w- c:\windows\system32\wojifoge.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-08-07 200704]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware1\mbam4f.exe" [2009-09-10 1312080]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=

S2 srenum;srenum;c:\windows\system32\DRIVERS\srenum.sys --> c:\windows\system32\DRIVERS\srenum.sys [?]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

TCP: {2339E83C-604F-4D8A-A95A-DB7CB6EC748C} = 66.255.85.8,66.255.85.9

FF - ProfilePath - c:\documents and settings\Ashley\Application Data\Mozilla\Firefox\Profiles\rm4uh50g.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en#restore

FF - plugin: c:\documents and settings\Ashley\Application Data\Move Networks\plugins\npqmp071500000347.dll

FF - plugin: c:\documents and settings\Ashley\Application Data\Move Networks\plugins\npqmp071503000010.dll

.

- - - - ORPHANS REMOVED - - - -

BHO-{e6caadf0-fd5c-434c-9314-201e440443da} - satukivu.dll

HKLM-Run-bitisurida - zuvararo.dll

SharedTaskScheduler-{56bc3655-b1ce-48a9-a45e-9bfb0a63ef29} - c:\windows\system32\gaganome.dll

SharedTaskScheduler-{404beca4-5746-47c4-8f6f-793e2968d394} - c:\windows\system32\riropefu.dll

SSODL-lenitisuj-{56bc3655-b1ce-48a9-a45e-9bfb0a63ef29} - c:\windows\system32\gaganome.dll

SSODL-legalemin-{404beca4-5746-47c4-8f6f-793e2968d394} - c:\windows\system32\riropefu.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-13 09:20

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4028)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\wscntfy.exe

c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

.

**************************************************************************

.

Completion time: 2009-10-13 9:22 - machine was rebooted

ComboFix-quarantined-files.txt 2009-10-13 13:22

ComboFix2.txt 2009-10-12 16:34

Pre-Run: 61,714,505,728 bytes free

Post-Run: 61,669,756,928 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

162 --- E O F --- 2009-09-10 07:01

devicemanager.bmp


1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\bazisomi.dll.tmp
c:\windows\system32\bumobova.dll
c:\windows\system32\dafamupu.dll
c:\windows\system32\fijeriki.dll.tmp
c:\windows\system32\gibavufe.dll.tmp
c:\windows\system32\jehavomu.dll
c:\windows\system32\kiyoheze.dll
c:\windows\system32\mezatapu.dll.tmp
c:\windows\system32\niwalezu.dll.tmp
c:\windows\system32\nomukipo.dll
c:\windows\system32\pepunelo.dll
c:\windows\system32\pitizudi.dll
c:\windows\system32\seduvumo.dll
c:\windows\system32\wawumive.dll
c:\windows\system32\wojifoge.dll
c:\windows\system32\DRIVERS\srenum.sys
Driver::
srenum

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.

==============================

Open Device Manager again.

Right-click on the yellow exclamation mark.

Click on Uninstall.

Make sure you repeat for the other one too.

Reboot your computer.

Let me know if you can get online or not. Thanks.

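The selection above (hidden+system eight-letter DLLs from the Find3M report, the unverifiable srenum driver, and loading points with no date and size) can be made mechanically. Added example, not ComboFix's or the helper's own code: a Python triage script over constructed log lines in the formats shown in the thread; the heuristics are assumptions for illustration, and the emitted CFScript uses the File::/Driver:: layout posted above.

```python
"""Triage a ComboFix log and draft a CFScript (added example, assumptions labelled).

Heuristics (assumed for illustration, not ComboFix's own logic):
  1. Find3M lines whose attribute column carries 's' and 'h' (system+hidden)
     and whose name is eight lowercase letters with .dll or .dll.tmp, as the
     Vundo files in this thread are.
  2. Service lines ComboFix could not verify, marked "[?]".
  3. Reg Loading Points entries whose trailing bracket is not a date + size
     (legitimate entries in the log carry e.g. "[2005-10-14 94208]").
"""
import re
from dataclasses import dataclass, field

# Find3M line: "<mtime> . <ctime> <size|-------> <attrs> <path>"
FIND3M_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(?P<size>\d+|-+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+?)\s*$", re.I)
# Eight-letter random DLL name directly under system32 (.dll or .dll.tmp)
RANDOM_DLL_RE = re.compile(r"\\system32\\[a-z]{8}\.dll(\.tmp)?$", re.I)
# Service line: "S2 name;display;path --> path [?]"
SERVICE_RE = re.compile(r"^S\d\s+(?P<name>[^;]+);[^;]*;(?P<path>\S+).*\[\?\]\s*$", re.I)
# Any loading-point entry ending in a bracketed marker
REG_RE = re.compile(r"^(?P<entry>.+?)\s+\[(?P<marker>[^\]]*)\]\s*$")
DATE_SIZE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d+$")


@dataclass
class Findings:
    files: list = field(default_factory=list)       # paths for the File:: section
    drivers: list = field(default_factory=list)     # names for the Driver:: section
    reg_values: list = field(default_factory=list)  # suspicious loading points


def triage(log_text):
    """Walk the log line by line and apply the three heuristics."""
    f = Findings()
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):   # skip blanks and [HKEY_...] headers
            continue
        m = FIND3M_RE.match(line)
        if m:
            attrs = m.group("attrs").lower()
            if "s" in attrs and "h" in attrs and RANDOM_DLL_RE.search(m.group("path")):
                f.files.append(m.group("path"))
            continue
        m = SERVICE_RE.match(line)
        if m:
            f.drivers.append(m.group("name"))
            f.files.append(m.group("path"))
            continue
        m = REG_RE.match(line)
        if m and not DATE_SIZE_RE.match(m.group("marker")):
            f.reg_values.append(m.group("entry"))
    return f


def build_cfscript(findings):
    """Render the File::/Driver:: script in the layout used in the thread."""
    lines = ["File::"] + findings.files
    if findings.drivers:
        lines += ["Driver::"] + findings.drivers
    return "\n".join(lines) + "\n"


# Constructed sample: a handful of lines in the formats seen in the logs above.
SAMPLE_LOG = r"""
2009-09-10 18:53 . 2009-07-23 13:28 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-05 09:01 . 2004-08-12 13:23 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-06 13:51 . 2009-07-06 13:51 52224 --sha-w- c:\windows\system32\bazisomi.dll.tmp
2009-07-12 00:27 . 2009-07-12 00:27 87552 --sha-w- c:\windows\system32\bumobova.dll
2009-10-12 16:45 . 2009-10-12 16:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"bitisurida"="wayolelu.dll" [bU]
"{56bc3655-b1ce-48a9-a45e-9bfb0a63ef29}"= "c:\windows\system32\gaganome.dll" [bU]
S2 srenum;srenum;c:\windows\system32\DRIVERS\srenum.sys --> c:\windows\system32\DRIVERS\srenum.sys [?]
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    print("Suspicious loading points:")
    for entry in found.reg_values:
        print("  " + entry)
    print(build_cfscript(found))
```

Note that mswebdvd.dll is also eight letters but is not flagged: the attribute check (system+hidden) is what separates it from the Vundo files.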

First, when my computer rebooted after ComboFix did its thing, a RUNDLL error popped up.

post-21495-1255459545_thumb.jpg

Second, when I went to uninstall the items in Device Manager, it would not let me.

post-21495-1255459553_thumb.jpg

I did everything you said but was not able to get on the internet and had to use System Restore. Here is the log, but just remember I did a restore. I do not have access to another computer here at work and I need internet access to access the server. For future knowledge, is there something else I could do besides a restore?

ComboFix 09-10-13.01 - Ashley 10/13/2009 14:08.1.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.1123 [GMT -4:00]

Running from: c:\documents and settings\Ashley\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Ashley\Desktop\CFScript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::

"c:\windows\system32\bazisomi.dll.tmp"

"c:\windows\system32\bumobova.dll"

"c:\windows\system32\dafamupu.dll"

"c:\windows\system32\DRIVERS\srenum.sys"

"c:\windows\system32\fijeriki.dll.tmp"

"c:\windows\system32\gibavufe.dll.tmp"

"c:\windows\system32\jehavomu.dll"

"c:\windows\system32\kiyoheze.dll"

"c:\windows\system32\mezatapu.dll.tmp"

"c:\windows\system32\niwalezu.dll.tmp"

"c:\windows\system32\nomukipo.dll"

"c:\windows\system32\pepunelo.dll"

"c:\windows\system32\pitizudi.dll"

"c:\windows\system32\seduvumo.dll"

"c:\windows\system32\wawumive.dll"

"c:\windows\system32\wojifoge.dll"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\bazisomi.dll.tmp

c:\windows\system32\bumobova.dll

c:\windows\system32\dafamupu.dll

c:\windows\system32\drivers\ndisrd.sys

c:\windows\system32\fijeriki.dll.tmp

c:\windows\system32\gibavufe.dll.tmp

c:\windows\system32\jehavomu.dll

c:\windows\system32\kiyoheze.dll

c:\windows\system32\mezatapu.dll.tmp

c:\windows\system32\niwalezu.dll.tmp

c:\windows\system32\nomukipo.dll

c:\windows\system32\pepunelo.dll

c:\windows\system32\pitizudi.dll

c:\windows\system32\schtml

c:\windows\system32\tarokuwe.dll

c:\windows\system32\wawumive.dll

c:\windows\system32\wayolelu.dll

c:\windows\system32\wojifoge.dll

c:\windows\system32\yaponema.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_ANTIPOL

-------\Legacy_SRENUM

-------\Service_ndisrd

-------\Service_srenum

((((((((((((((((((((((((( Files Created from 2009-09-13 to 2009-10-13 )))))))))))))))))))))))))))))))

.

2009-10-13 15:34 . 2009-10-13 15:34 -------- d-----w- c:\windows\LastGood.Tmp

2009-10-13 15:34 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-10-13 15:34 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2009-10-13 15:34 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2009-10-13 15:34 . 2009-10-13 15:34 -------- d-----w- c:\program files\Avira

2009-10-13 15:34 . 2009-10-13 15:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2009-10-13 13:34 . 2009-10-13 13:34 -------- d-----w- c:\windows\system32\wbem\Repository

2009-10-12 16:45 . 2009-10-12 16:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-10-12 16:42 . 2009-10-12 16:44 -------- d-----w- c:\program files\Avira(2)

2009-10-12 16:42 . 2009-10-12 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira(2)

2009-10-12 16:26 . 2009-10-12 16:45 -------- d-----w- C:\cmdcons(2)

2009-10-12 16:25 . 2009-10-12 16:45 -------- d-----w- C:\Qoobox(2)

2009-10-12 15:41 . 2009-10-12 16:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware(2)

2009-10-12 15:33 . 2009-10-12 16:45 -------- d-----w- C:\RECYCLER(2)

2009-10-08 14:07 . 2009-10-08 14:07 -------- d-----w- c:\program files\Google

2009-10-06 14:23 . 2009-10-06 14:23 -------- d-----w- c:\program files\TweetDeck

2009-10-05 17:42 . 2009-10-05 17:42 -------- d-----w- c:\program files\Trend Micro

2009-10-05 16:00 . 2009-07-28 20:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-10-05 14:34 . 2009-10-05 14:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware1

2009-09-30 13:58 . 2009-09-30 13:58 -------- d-----w- c:\program files\Microsoft Silverlight

2009-09-23 14:14 . 2009-09-23 14:15 -------- d-----w- c:\documents and settings\Ashley\Application Data\wootalyzer

2009-09-23 14:13 . 2009-09-23 14:13 -------- d-----w- c:\program files\Wootalyzer

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-13 13:11 . 2009-01-06 16:23 -------- d-----w- c:\program files\Mozilla Thunderbird

2009-10-06 14:34 . 2009-04-20 13:12 -------- d-----w- c:\program files\Common Files\Adobe AIR

2009-09-18 10:21 . 2009-01-07 08:09 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet

2009-09-10 18:54 . 2009-07-23 13:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-10 18:53 . 2009-07-23 13:28 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-05 09:01 . 2004-08-12 13:23 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-17 19:01 . 2004-08-12 13:17 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-10 12:26 . 2009-07-10 12:26 37376 --sha-w- c:\windows\system32\buhepine.dll

2009-07-07 01:50 . 2009-07-07 01:50 38400 --sha-w- c:\windows\system32\lidegifu.dll

2009-07-12 12:27 . 2009-07-12 12:27 38400 --sha-w- c:\windows\system32\movisebo.dll

2009-07-10 00:26 . 2009-07-10 00:26 37376 --sha-w- c:\windows\system32\nokihino.dll

2009-07-07 13:51 . 2009-07-07 13:51 38400 --sha-w- c:\windows\system32\sivepena.dll

2009-07-06 13:50 . 2009-07-06 13:50 38400 --sha-w- c:\windows\system32\venabiki.dll

2009-07-11 12:26 . 2009-07-11 12:26 37888 --sha-w- c:\windows\system32\zamogudi.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e6caadf0-fd5c-434c-9314-201e440443da}]

satukivu.dll [bU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-08-07 200704]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware1\mbam4f.exe" [2009-09-10 1312080]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"bitisurida"="wayolelu.dll" [bU]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]

"{56bc3655-b1ce-48a9-a45e-9bfb0a63ef29}"= "c:\windows\system32\gaganome.dll" [bU]

"{404beca4-5746-47c4-8f6f-793e2968d394}"= "c:\windows\system32\riropefu.dll" [bU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"lenitisuj"= {56bc3655-b1ce-48a9-a45e-9bfb0a63ef29} - c:\windows\system32\gaganome.dll [bU]

"legalemin"= {404beca4-5746-47c4-8f6f-793e2968d394} - c:\windows\system32\riropefu.dll [bU]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=

"c:\\Program Files\\Avira\\AntiVir Desktop\\avguard.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/13/2009 11:34 AM 108289]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - AVGIO

*NewlyCreated* - AVIPBB

*NewlyCreated* - SSMDRV

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

TCP: {2339E83C-604F-4D8A-A95A-DB7CB6EC748C} = 66.255.85.8,66.255.85.9

FF - ProfilePath - c:\documents and settings\Ashley\Application Data\Mozilla\Firefox\Profiles\rm4uh50g.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en#restore

FF - plugin: c:\documents and settings\Ashley\Application Data\Move Networks\plugins\npqmp071500000347.dll

FF - plugin: c:\documents and settings\Ashley\Application Data\Move Networks\plugins\npqmp071503000010.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-13 14:12

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3704)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-10-13 14:15 - machine was rebooted

ComboFix-quarantined-files.txt 2009-10-13 18:15

ComboFix2.txt 2009-10-13 13:22

ComboFix3.txt 2009-10-12 16:34

Pre-Run: 61,452,976,128 bytes free

Post-Run: 61,425,258,496 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

195 --- E O F --- 2009-09-10 07:01


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\buhepine.dll
c:\windows\system32\lidegifu.dll
c:\windows\system32\movisebo.dll
c:\windows\system32\nokihino.dll
c:\windows\system32\sivepena.dll
c:\windows\system32\venabiki.dll
c:\windows\system32\zamogudi.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e6caadf0-fd5c-434c-9314-201e440443da}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"bitisurida"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{56bc3655-b1ce-48a9-a45e-9bfb0a63ef29}"=-
"{404beca4-5746-47c4-8f6f-793e2968d394}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"lenitisuj"=-
"legalemin"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"=""

Save this as CFScript.txt, in the same location as ComboFix.exe

[Image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript.txt into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

===========================================

Please open MBAM, update to the latest definitions, and run a Quick Scan. Please post the MBAM log and the ComboFix log in your next reply. Thanks

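The File:: and Registry:: lists in the script above were read straight off the ComboFix log: the File:: entries are the system32 DLLs the Find3M report shows with hidden+system attributes (`--sha-w-`), and the Registry:: entries are the loading points that ComboFix annotated `[bU]` instead of a `[date size]` stamp. The following Python is an added triage example (my own code, not ComboFix's and not the helper's) that applies those two observations to a constructed excerpt modelled on the log lines in this thread and lays the result out in CFScript form for review. The section headers, the `[bU]` marker and the line formats come from the log; the eight-letter-DLL-name heuristic is my assumption, chosen because every DLL flagged in this log fits it, and it would need tuning for other logs.

```python
# Triage of a ComboFix-style log excerpt (added example; not ComboFix's or the helper's code).
# Assumed line formats, copied from the log posted in this thread:
#   file lines:      <date> . <date> <size or --------> <attrs> <path>
#   loading points:  REGEDIT4 key headers, then  "name"="data" [YYYY-MM-DD size]  or  "name"="data" [bU]
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the log above; not a complete ComboFix log.
SAMPLE_LOG = r"""
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2009-09-10 18:53 . 2009-07-23 13:28 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-17 19:01 . 2004-08-12 13:17 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-10 12:26 . 2009-07-10 12:26 37376 --sha-w- c:\windows\system32\buhepine.dll
2009-07-07 01:50 . 2009-07-07 01:50 38400 --sha-w- c:\windows\system32\lidegifu.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e6caadf0-fd5c-434c-9314-201e440443da}]
satukivu.dll [bU]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"bitisurida"="wayolelu.dll" [bU]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"lenitisuj"= {56bc3655-b1ce-48a9-a45e-9bfb0a63ef29} - c:\windows\system32\gaganome.dll [bU]
------- Supplementary Scan -------
"""

FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
                     r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$")
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*?)\s*\[(?P<stamp>[^\]]*)\]$')
BARE_RE = re.compile(r"^(?P<data>\S+) \[(?P<stamp>[^\]]*)\]$")   # e.g. the BHO line
STAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d+$")                # "[2009-03-02 209153]"
EIGHT_LETTER_DLL = re.compile(r"^[a-z]{8}\.dll$")  # assumed heuristic: every flagged DLL in this log fits it


@dataclass
class Finding:
    kind: str    # "file" or "registry"
    key: str     # registry key ("" for file findings)
    item: str    # file path, or value name ("" when the whole key is flagged)
    reason: str


def triage(log_text: str) -> list:
    """Walk the log section by section and collect entries worth a closer look."""
    findings, section, key = [], None, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if "Find3M Report" in line or "Files Created" in line:
            section = "files"
            continue
        if "Reg Loading Points" in line:
            section = "registry"
            continue
        if line.startswith("-------") or line.startswith("***"):
            section = None          # the next divider ends the section
            continue
        if section == "files":
            m = FILE_RE.match(line)
            if not m:
                continue
            attrs, path = m["attrs"], m["path"]
            name = path.rsplit("\\", 1)[-1].lower()
            # hidden (h) + system (s) attributes on an eight-letter DLL under system32
            if ("s" in attrs and "h" in attrs and "\\system32\\" in path.lower()
                    and EIGHT_LETTER_DLL.match(name)):
                findings.append(Finding("file", "", path, f"hidden+system ({attrs}) eight-letter DLL"))
        elif section == "registry":
            km = KEY_RE.match(line)
            if km:
                key = km["key"]
                continue
            vm = VALUE_RE.match(line) or BARE_RE.match(line)
            if vm is None or key is None or STAMP_RE.match(vm["stamp"]):
                continue            # not a loading point, or it carries a normal [date size] stamp
            name = vm.groupdict().get("name", "")
            findings.append(Finding("registry", key, name,
                                    f"{vm['data']} annotated [{vm['stamp']}] instead of [date size]"))
    return findings


def render_cfscript(findings: list) -> str:
    """Lay the findings out in the File::/Registry:: form the helper's script uses."""
    out = ["File::"] + [f.item for f in findings if f.kind == "file"] + ["Registry::"]
    current = None
    for f in findings:
        if f.kind != "registry":
            continue
        if f.item == "":                    # whole key flagged (the BHO entry)
            out.append(f"[-{f.key}]")
            current = None
        else:
            if f.key != current:
                out.append(f"[{f.key}]")
                current = f.key
            out.append(f'"{f.item}"=-')
    return "\n".join(out)
```

Running `render_cfscript(triage(SAMPLE_LOG))` on the constructed excerpt reproduces the two `--sha-w-` DLLs under `File::`, the `[-...]` deletion of the BHO key, and the `"bitisurida"=-` and `"lenitisuj"=-` value removals, while `avgnt`, `atl.dll` and `mbam.sys` are left alone because they carry a normal stamp or normal attributes. The output is meant for a human to review against the full log before anything is acted on; the attribute and stamp checks are cheap signals, not proof.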

Did as instructed and the internet did not work after the fix. Same reason as before: 2 yellow exclamation points in the Device Manager that won't uninstall. Had to use System Restore.

ComboFix 09-10-13.03 - Ashley 10/14/2009 9:00.1.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.1176 [GMT -4:00]

Running from: c:\documents and settings\Ashley\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Ashley\Desktop\CFScript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::

"c:\windows\system32\buhepine.dll"

"c:\windows\system32\lidegifu.dll"

"c:\windows\system32\movisebo.dll"

"c:\windows\system32\nokihino.dll"

"c:\windows\system32\sivepena.dll"

"c:\windows\system32\venabiki.dll"

"c:\windows\system32\zamogudi.dll"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\buhepine.dll

c:\windows\system32\drivers\ndisrd.sys

c:\windows\system32\kekasika.dll

c:\windows\system32\lidegifu.dll

c:\windows\system32\movisebo.dll

c:\windows\system32\nokihino.dll

c:\windows\system32\schtml

c:\windows\system32\sivepena.dll

c:\windows\system32\tarokuwe.dll

c:\windows\system32\venabiki.dll

c:\windows\system32\yaponema.dll

c:\windows\system32\zamogudi.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_ANTIPOL

-------\Service_ndisrd

((((((((((((((((((((((((( Files Created from 2009-09-14 to 2009-10-14 )))))))))))))))))))))))))))))))

.

2009-10-13 18:34 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-10-13 18:34 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2009-10-13 18:34 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2009-10-13 18:32 . 2009-10-13 18:32 -------- d-----w- c:\windows\system32\wbem\Repository

2009-10-13 18:24 . 2009-10-13 18:32 -------- d-----w- C:\RECYCLER(3)

2009-10-13 18:07 . 2009-10-13 18:32 -------- d-----w- C:\cmdcons(3)

2009-10-13 15:34 . 2009-10-13 15:34 -------- d-----w- c:\program files\Avira

2009-10-13 15:34 . 2009-10-13 15:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2009-10-12 16:45 . 2009-10-12 16:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-10-12 16:42 . 2009-10-12 16:44 -------- d-----w- c:\program files\Avira(2)

2009-10-12 16:42 . 2009-10-12 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira(2)

2009-10-12 16:26 . 2009-10-12 16:45 -------- d-----w- C:\cmdcons(2)

2009-10-12 16:25 . 2009-10-12 16:45 -------- d-----w- C:\Qoobox(2)

2009-10-12 15:41 . 2009-10-12 16:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware(2)

2009-10-12 15:33 . 2009-10-12 16:45 -------- d-----w- C:\RECYCLER(2)

2009-10-08 14:07 . 2009-10-08 14:07 -------- d-----w- c:\program files\Google

2009-10-06 14:23 . 2009-10-06 14:23 -------- d-----w- c:\program files\TweetDeck

2009-10-05 17:42 . 2009-10-05 17:42 -------- d-----w- c:\program files\Trend Micro

2009-10-05 16:00 . 2009-07-28 20:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-10-05 14:34 . 2009-10-05 14:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware1

2009-09-30 13:58 . 2009-09-30 13:58 -------- d-----w- c:\program files\Microsoft Silverlight

2009-09-23 14:14 . 2009-09-23 14:15 -------- d-----w- c:\documents and settings\Ashley\Application Data\wootalyzer

2009-09-23 14:13 . 2009-09-23 14:13 -------- d-----w- c:\program files\Wootalyzer

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-13 13:11 . 2009-01-06 16:23 -------- d-----w- c:\program files\Mozilla Thunderbird

2009-10-06 14:34 . 2009-04-20 13:12 -------- d-----w- c:\program files\Common Files\Adobe AIR

2009-09-18 10:21 . 2009-01-07 08:09 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet

2009-09-10 18:54 . 2009-07-23 13:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-10 18:53 . 2009-07-23 13:28 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-05 09:01 . 2004-08-12 13:23 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-17 19:01 . 2004-08-12 13:17 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-12 00:27 . 2009-07-12 00:27 87552 --sha-w- c:\windows\system32\bumobova.dll

2009-07-06 13:50 . 2009-07-06 13:50 52224 --sha-w- c:\windows\system32\dafamupu.dll

2009-07-07 01:50 . 2009-07-07 01:50 51200 --sha-w- c:\windows\system32\jehavomu.dll

2009-07-10 00:26 . 2009-07-10 00:26 88576 --sha-w- c:\windows\system32\kiyoheze.dll

2009-07-10 12:26 . 2009-07-10 12:26 88576 --sha-w- c:\windows\system32\nomukipo.dll

2009-07-10 00:26 . 2009-07-10 00:26 51200 --sha-w- c:\windows\system32\pepunelo.dll

2009-07-11 12:26 . 2009-07-11 12:26 88064 --sha-w- c:\windows\system32\pitizudi.dll

2009-07-14 12:37 . 2009-07-14 12:37 52224 --sha-w- c:\windows\system32\rurirovi.dll

2009-07-11 00:26 . 2009-07-11 00:26 38400 --sha-w- c:\windows\system32\tenogapa.dll

2009-07-11 00:26 . 2009-07-11 00:26 87552 --sha-w- c:\windows\system32\wawumive.dll

2009-07-06 13:50 . 2009-07-06 13:50 89088 --sha-w- c:\windows\system32\wojifoge.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-08-07 200704]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware1\mbam4f.exe" [2009-09-10 1312080]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=

"c:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/13/2009 2:34 PM 108289]

S2 srenum;srenum;c:\windows\system32\DRIVERS\srenum.sys --> c:\windows\system32\DRIVERS\srenum.sys [?]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

TCP: {2339E83C-604F-4D8A-A95A-DB7CB6EC748C} = 66.255.85.8,66.255.85.9

FF - ProfilePath - c:\documents and settings\Ashley\Application Data\Mozilla\Firefox\Profiles\rm4uh50g.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en#restore

FF - plugin: c:\documents and settings\Ashley\Application Data\Move Networks\plugins\npqmp071500000347.dll

FF - plugin: c:\documents and settings\Ashley\Application Data\Move Networks\plugins\npqmp071503000010.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-14 09:04

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3868)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-10-14 9:07 - machine was rebooted

ComboFix-quarantined-files.txt 2009-10-14 13:07

ComboFix2.txt 2009-10-13 18:15

ComboFix3.txt 2009-10-13 13:22

ComboFix4.txt 2009-10-12 16:34

Pre-Run: 61,261,819,904 bytes free

Post-Run: 61,205,004,288 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

169 --- E O F --- 2009-09-10 07:01

****

Malwarebytes' Anti-Malware 1.41

Database version: 2954

Windows 5.1.2600 Service Pack 3

10/14/2009 9:14:09 AM

mbam-log-2009-10-14 (09-14-09).txt

Scan type: Quick Scan

Objects scanned: 86455

Time elapsed: 2 minute(s), 18 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Something else is going to re-infect you. Let's try an ARK scan.

I need you to unplug the computer from the internet until I say otherwise. Thanks

Download GMER Antirootkit Here, click on Download EXE and save to your Desktop

  • Disconnect from the internet and disable all active protection so your security program drivers will not conflict with GMER's driver.
  • Double-click Gmer.exe to run the program.
  • When the program opens, click the "Rootkit" tab.
  • On the right side, check all the items to be scanned, but leave "Show All" unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button.
  • When the scan is finished, click Copy to save the scan log to the Windows clipboard.
  • Open Notepad or a similar text editor.
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl V.
  • Save the GMER scan log and post it in your next reply.
  • Close GMER.
  • Open a command prompt (Start | Run | type cmd and hit Enter).
    • Type or paste the following to unload the GMER driver:
    • net stop gmer
    • Hit Enter.
    • Exit the command prompt.
  • Re-enable all active protection.


  • 3 months later...

Greetings everyone...

What follows is not an entire fix for the problem; however, it appears to be a piece of the puzzle.

This machine I have been working on is VERY BADLY INFECTED with multiple things, including VUNDO, and the Malwarebytes deletion problem being discussed here as well. I found a procedure for killing the mbam.exe deletion problem to the point of getting a copy to install, then run to clean out the junk.

Additional symptoms on this system: Task Manager was disabled, desktop was not coming up, etc. Used a WinXP CD to do an in-place re-installation of the OS to get the desktop to come up. Used regedit to clean up the registry of Task Manager disables. Anyhow, the next operation was to install Malwarebytes. Installation goes fine, then error as mbam.exe is deleted. Here's what I did to get it back.

Boot into Safe Mode.

Start -> Run, type msconfig and hit the ENTER key.

Select Diagnostic mode (which should disable everything, but will reveal the heart of the re-infection mechanism).

Click Apply and allow restart.

On boot, you will see the msconfig window showing you're started up in a non-standard setup. You will notice "Custom" is selected instead of Diagnostic mode.

Ignore that fact for the moment. Click the Startup tab; you will find an entry that in my case was lajerode.dll, and changes constantly. It will be the only selected function. Write down the name of the DLL entry and path, and any others you happen to notice that you know should not be there. (I know this is very vague, and if you don't understand what I'm saying, do not try this.)

After writing down the useless DLLs to be deleted, shut down the computer (complete power-down shutdown to ensure killing of any in-memory virus remnants).

I next used an Ubuntu 9.10 CD to boot up and get access to the filesystem. (Better to not be a Windows OS, to minimize the virus components activating.)

Navigate to the programs you wrote down in the previous step, and delete the DLL files you had on your list.

Reboot the system into regular Windows mode. Upon reaching the desktop, run mbam-setup.exe to install Malwarebytes. Do not click anything yet. Now start two more mbam-setup windows. You will install each one in a different folder, for example c:\program files\malware for one, then c:\program files\malware2 for another, etc. Progress each setup to the last step before it actually starts copying files. Once all 3 or 4 are ready, initiate the install on each one as quickly as possible. This will slow down and confuse any existing deleters into missing one of the installs; attempt an update and run a quick scan. In my case I had 4 successful installations, and started a scan with each one, deleting whatever I found. My last one didn't find anything. Allowed it to shut down the computer to power down one more time.

Hope this is not too confusing. So far, I have rebooted and it appears to have been eradicated. I will post again if it's not the case. Hope this helps someone.

L8

The Gray Wizard

(aka: Matt)
