AshleyH Posted October 5, 2009 ID:138348 Share Posted October 5, 2009 I booted my computer this morning only to find a very annoy trojan installed. Malware bytes had been deleted and I could not open most programs and ctrl alt delete would not function. I booted into safe mode and tried reinstalling Malwarebytes. It was still deleting the file. I changed the name of the install program and very quickly renamed mbam.exe. It ran through and deleted a few items and rebooted. My computer seems to be running fine but I can not reinstall Malwarebytes. I ran the changed name exe again and it found nothing but a security center notification thing. I have also installed and run Avira per the instructions.Malwarebytes' Anti-Malware 1.41Database version: 2775Windows 5.1.2600 Service Pack 310/5/2009 1:41:05 PMmbam-log-2009-10-05 (13-41-05).txtScan type: Full Scan (C:\|)Objects scanned: 178062Time elapsed: 25 minute(s), 10 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 1Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)********************************Logfile of Trend Micro HijackThis v2.0.2Scan saved at 1:42:37 PM, on 10/5/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16876)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\system32\hkcmd.exeC:\WINDOWS\system32\igfxpers.exeC:\Program Files\Analog Devices\Core\smax4pnp.exeC:\Program Files\PowerISO\PWRISOVM.EXEC:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exeC:\Program Files\iTunes\iTunesHelper.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeC:\Program Files\iPod\bin\iPodService.exeC:\Program Files\Avira\AntiVir Desktop\avguard.exeC:\Program Files\Avira\AntiVir Desktop\sched.exeC:\Program Files\Avira\AntiVir Desktop\avgnt.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localO2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dllO3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dllO4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exeO4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exeO4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXEO4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottimeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [0399020479] C:\Documents and Settings\Ashley\Application Data\0399020479\0399020479.exeO4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware1\mbam4f.exe" /runcleanupscriptO4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /minO4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silentO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.htmlO8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.htmlO8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1231256121171O17 - HKLM\System\CCS\Services\Tcpip\..\{2339E83C-604F-4D8A-A95A-DB7CB6EC748C}: NameServer = 66.255.85.8,66.255.85.9O20 - AppInit_DLLs: topowete.dll c:\windows\system32\gaganome.dllO21 - SSODL: lenitisuj - {56bc3655-b1ce-48a9-a45e-9bfb0a63ef29} - c:\windows\system32\gaganome.dll (file missing)O22 - SharedTaskScheduler: mujuzedij - {56bc3655-b1ce-48a9-a45e-9bfb0a63ef29} - c:\windows\system32\gaganome.dll (file missing)O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exeO23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exeO23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe--End of file - 6988 bytesThanks,Ash Link to post Share on other sites More sharing options...
kamaz75 Posted October 5, 2009 ID:138401 Share Posted October 5, 2009 I bumped into the same problem today. That stupid thing deletes mbam.exe on access. You need a copy of mbam.exe with a different name (eg. m.exe). Since mine was already deleted, I had to jump thru the hoops to snag a fresh copy of mbam.exe while Malwarebytes is installing (using a perl script). After getting a copy of mbam.exe with a different name, cleanup worked fine.for(; { if( -x 'mbam.exe' && !( -x 'm.exe' ) ) { `copy mbam.exe m.exe`; }} Link to post Share on other sites More sharing options...
AshleyH Posted October 6, 2009 Author ID:138742 Share Posted October 6, 2009 Just an update. Came into work and found that Avira had prevented some things from running.10/6/2009 8:39 [Guard] Malware found Virus or unwanted program 'TR/Vundo.Gen2 [trojan]' detected in file 'C:\WINDOWS\system32\malesiba.dll. Action performed: Move file to quarantine10/6/2009 8:39 [Guard] Malware found Virus or unwanted program 'TR/Vundo.Gen2 [trojan]' detected in file 'C:\WINDOWS\system32\malesiba.dll. Action performed: Move file to quarantine10/6/2009 8:39 [Guard] Malware found Virus or unwanted program 'TR/Vundo.Gen2 [trojan]' detected in file 'C:\WINDOWS\system32\yogeledo.dll. Action performed: Move file to quarantineRan Malwarebytes again:Malwarebytes' Anti-Malware 1.41Database version: 2775Windows 5.1.2600 Service Pack 310/6/2009 9:42:23 AMmbam-log-2009-10-06 (09-42-22).txtScan type: Quick ScanObjects scanned: 84631Time elapsed: 3 minute(s), 52 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 1Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected) Link to post Share on other sites More sharing options...
wongaaa Posted October 6, 2009 ID:138768 Share Posted October 6, 2009 I have the same problem, cannot find dll listed above. I reset the registry key. and the scan took longer but eventually quit and check the registry key again, it went back to (BAD) 1 on updatedisablenotify. Link to post Share on other sites More sharing options...
AshleyH Posted October 6, 2009 Author ID:138805 Share Posted October 6, 2009 Another update. Avira did it's daily scan and found more Vundo crap and I get the occasional web pop up still.Avira AntiVir PersonalReport file date: Tuesday, October 06, 2009 12:40Scanning for 1780400 virus strains and unwanted programs.Licensee : Avira AntiVir Personal - FREE AntivirusSerial number : 0000149996-ADJIE-0000001Platform : Windows XPWindows version : (Service Pack 3) [5.1.2600]Boot mode : Normally bootedUsername : SYSTEMComputer name : ASH01Version information:BUILD.DAT : 9.0.0.410 18074 Bytes 9/25/2009 11:56:00AVSCAN.EXE : 9.0.3.7 466689 Bytes 7/21/2009 18:36:14AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 15:58:24LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 16:35:49LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 15:58:52ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 17:30:36ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 6/24/2009 14:21:42ANTIVIR2.VDF : 7.1.6.50 4333568 Bytes 9/29/2009 16:10:13ANTIVIR3.VDF : 7.1.6.80 320512 Bytes 10/6/2009 16:33:23Engineversion : 8.2.1.33 AEVDF.DLL : 8.1.1.2 106867 Bytes 10/5/2009 16:20:45AESCRIPT.DLL : 8.1.2.35 483707 Bytes 10/5/2009 16:20:42AESCN.DLL : 8.1.2.5 127346 Bytes 10/5/2009 16:20:32AERDL.DLL : 8.1.3.2 479604 Bytes 10/5/2009 16:20:29AEPACK.DLL : 8.2.0.0 422261 Bytes 10/5/2009 16:20:20AEOFFICE.DLL : 8.1.0.38 196987 Bytes 7/23/2009 14:59:39AEHEUR.DLL : 8.1.0.166 2003319 Bytes 10/5/2009 16:20:07AEHELP.DLL : 8.1.7.0 237940 Bytes 10/5/2009 16:19:25AEGEN.DLL : 8.1.1.67 364916 Bytes 10/5/2009 16:19:20AEEMU.DLL : 8.1.1.0 393587 Bytes 10/5/2009 16:15:52AECORE.DLL : 8.1.8.1 184693 Bytes 10/5/2009 16:15:48AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 19:32:40AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 13:47:59AVPREF.DLL : 9.0.3.0 44289 Bytes 10/6/2009 16:37:40AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 19:34:28AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 15:32:09AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 20:05:41AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 15:37:08SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 20:03:49SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 13:21:33NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 15:32:10RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 20:39:58RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 15:19:48Configuration settings for the scan:Jobname.............................: Local Hard DisksConfiguration file..................: C:\Program Files\Avira\AntiVir Desktop\alldiscs.avpLogging.............................: lowPrimary action......................: interactiveSecondary action....................: ignoreScan master boot sector.............: onScan boot sector....................: onBoot sectors........................: C:, Process scan........................: onScan registry.......................: onSearch for rootkits.................: onIntegrity checking of system files..: offScan all files......................: All filesScan archives.......................: onRecursion depth.....................: 20Smart extensions....................: onMacro heuristic.....................: onFile heuristic......................: mediumStart of the scan: Tuesday, October 06, 2009 12:40Starting search for hidden objects.'36076' objects were checked, '0' hidden objects were found.The scan of running processes will be startedScan process 'avscan.exe' - '1' Module(s) have been scannedScan process 'avguard.exe' - '1' Module(s) have been scannedScan process 'avnotify.exe' - '1' Module(s) have been scannedScan process 'TweetDeck.exe' - '1' Module(s) have been scannedScan process 'R8win.exe' - '1' Module(s) have been scannedScan process 'R8win.exe' - '1' Module(s) have been scannedScan process 'avgnt.exe' - '1' Module(s) have been scannedScan process 'sched.exe' - '1' Module(s) have been scannedScan process 'alg.exe' - '1' Module(s) have been scannedScan process 'iPodService.exe' - '1' Module(s) have been scannedScan process 'FNPLicensingService.exe' - '1' Module(s) have been scannedScan process 'svchost.exe' - '1' Module(s) have been scannedScan process 'mDNSResponder.exe' - '1' Module(s) have been scannedScan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scannedScan process 'svchost.exe' - '1' Module(s) have been scannedScan process 'ctfmon.exe' - '1' Module(s) have been scannedScan process 'iTunesHelper.exe' - '1' Module(s) have been scannedScan process 'acrotray.exe' - '1' Module(s) have been scannedScan process 'PWRISOVM.EXE' - '1' Module(s) have been scannedScan process 'smax4pnp.exe' - '1' Module(s) have been scannedScan process 'igfxpers.exe' - '1' Module(s) have been scannedScan process 'hkcmd.exe' - '1' Module(s) have been scannedScan process 'spoolsv.exe' - '1' Module(s) have been scannedScan process 'explorer.exe' - '1' Module(s) have been scannedScan process 'svchost.exe' - '1' Module(s) have been scannedScan process 'svchost.exe' - '1' Module(s) have been scannedScan process 'svchost.exe' - '1' Module(s) have been scannedScan process 'svchost.exe' - '1' Module(s) have been scannedScan process 'svchost.exe' - '1' Module(s) have been scannedScan process 'lsass.exe' - '1' Module(s) have been scannedScan process 'services.exe' - '1' Module(s) have been scannedScan process 'winlogon.exe' - '1' Module(s) have been scannedScan process 'csrss.exe' - '1' Module(s) have been scannedScan process 'smss.exe' - '1' Module(s) have been scanned34 processes with 34 modules were scannedStarting master boot sector scan:Master boot sector HD0 [iNFO] No virus was found!Master boot sector HD1 [iNFO] No virus was found!Start scanning boot sectors:Boot sector 'C:\' [iNFO] No virus was found!Starting to scan executable files (registry).The registry was scanned ( '55' files ).Starting the file scan:Begin scan in 'C:\'C:\pagefile.sys [WARNING] The file could not be opened! [NOTE] This file is a Windows system file. [NOTE] This file cannot be opened for scanning.C:\System Volume Information\_restore{5F15AB98-1A68-4626-9537-B84F00E86DC3}\RP281\A0022205.exe [DETECTION] Is the TR/FraudPack.vdt TrojanC:\System Volume Information\_restore{5F15AB98-1A68-4626-9537-B84F00E86DC3}\RP282\A0022253.dll [DETECTION] Is the TR/Vundo.Gen2 TrojanC:\System Volume Information\_restore{5F15AB98-1A68-4626-9537-B84F00E86DC3}\RP282\A0022254.dll [DETECTION] Is the TR/Vundo.Gen2 TrojanC:\WINDOWS\system32\nelovigu.exe [DETECTION] Is the TR/FraudPack.vdt TrojanC:\WINDOWS\system32\pihemova.exe [DETECTION] Is the TR/FraudPack.vdt TrojanBeginning disinfection:C:\System Volume Information\_restore{5F15AB98-1A68-4626-9537-B84F00E86DC3}\RP281\A0022205.exe [DETECTION] Is the TR/FraudPack.vdt Trojan [NOTE] The file was moved to '4afb7e07.qua'!C:\System Volume Information\_restore{5F15AB98-1A68-4626-9537-B84F00E86DC3}\RP282\A0022253.dll [DETECTION] Is the TR/Vundo.Gen2 Trojan [NOTE] The file was moved to '4b4ca968.qua'!C:\System Volume Information\_restore{5F15AB98-1A68-4626-9537-B84F00E86DC3}\RP282\A0022254.dll [DETECTION] Is the TR/Vundo.Gen2 Trojan [NOTE] The file was moved to '4b4298f8.qua'!C:\WINDOWS\system32\nelovigu.exe [DETECTION] Is the TR/FraudPack.vdt Trojan [NOTE] The file was moved to '4b377e3c.qua'!C:\WINDOWS\system32\pihemova.exe [DETECTION] Is the TR/FraudPack.vdt Trojan [NOTE] The file was moved to '4b337e40.qua'!End of the scan: Tuesday, October 06, 2009 13:26Used time: 24:47 Minute(s)The scan has been done completely. 9286 Scanned directories 275915 Files were scanned 5 Viruses and/or unwanted programs were found 0 Files were classified as suspicious 0 files were deleted 0 Viruses and unwanted programs were repaired 5 Files were moved to quarantine 0 Files were renamed 1 Files cannot be scanned 275909 Files not concerned 1480 Archives were scanned 1 Warnings 6 Notes 36076 Objects were scanned with rootkit scan 0 Hidden objects were found Link to post Share on other sites More sharing options...
AshleyH Posted October 7, 2009 Author ID:139220 Share Posted October 7, 2009 Update. Whenever Firefox is open I am starting to get more and more pops and hijacking tabs. Malwarebytes and Avira are coming up clean. I checked and there are no weird Firefox addons installed. Link to post Share on other sites More sharing options...
AshleyH Posted October 7, 2009 Author ID:139222 Share Posted October 7, 2009 Just had another pop up and it is using Internet Explorer to display them. Link to post Share on other sites More sharing options...
AshleyH Posted October 7, 2009 Author ID:139295 Share Posted October 7, 2009 Update. Stupid taskkill.exe is slowing down my computer. I run scan after scan and it isn't fixing it. Link to post Share on other sites More sharing options...
AshleyH Posted October 7, 2009 Author ID:139304 Share Posted October 7, 2009 Ignore the pop up post. Found out it is Avira doing them. Deleting Avira now. Link to post Share on other sites More sharing options...
AshleyH Posted October 7, 2009 Author ID:139352 Share Posted October 7, 2009 Update. Ran another scan at lunch and lots of stuff still popping up.Malwarebytes' Anti-Malware 1.41Database version: 2921Windows 5.1.2600 Service Pack 310/7/2009 2:04:42 PMmbam-log-2009-10-07 (14-04-42).txtScan type: Quick ScanObjects scanned: 88378Time elapsed: 7 minute(s), 3 second(s)Memory Processes Infected: 0Memory Modules Infected: 1Registry Keys Infected: 1Registry Values Infected: 3Registry Data Items Infected: 3Folders Infected: 1Files Infected: 8Memory Processes Infected:(No malicious items detected)Memory Modules Infected:C:\WINDOWS\system32\vopezuyu.dll (Trojan.Vundo.H) -> Delete on reboot.Registry Keys Infected:HKEY_CLASSES_ROOT\CLSID\{707b6433-f96d-4f35-8cfe-98d2f159c710} (Trojan.Vundo.H) -> Delete on reboot.Registry Values Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeherasol (Trojan.Vundo.H) -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{707b6433-f96d-4f35-8cfe-98d2f159c710} (Trojan.Vundo.H) -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\balegapuz (Trojan.Vundo.H) -> Delete on reboot.Registry Data Items Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\vopezuyu.dll -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\vopezuyu.dll -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.Folders Infected:C:\Documents and Settings\All Users\Application Data\84171728 (Rogue.Multiple) -> Quarantined and deleted successfully.Files Infected:c:\WINDOWS\system32\vopezuyu.dll (Trojan.Vundo.H) -> Delete on reboot.C:\WINDOWS\system32\wikugayi.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.C:\WINDOWS\system32\topowete.dll.tmp (Trojan.Vundo) -> Delete on reboot.C:\WINDOWS\system32\jiyotaro.dll.tmp (Trojan.Vundo) -> Delete on reboot.C:\WINDOWS\system32\kuhahavo.exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.C:\Documents and Settings\All Users\Application Data\84171728\84171728.bat (Rogue.Multiple) -> Quarantined and deleted successfully.C:\Documents and Settings\All Users\Application Data\84171728\84171728.exe (Rogue.Multiple) -> Quarantined and deleted successfully.C:\WINDOWS\system32\jivabefu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.*****Logfile of Trend Micro HijackThis v2.0.2Scan saved at 2:07:59 PM, on 10/7/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16876)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\system32\hkcmd.exeC:\WINDOWS\system32\igfxpers.exeC:\Program Files\Analog Devices\Core\smax4pnp.exeC:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exeC:\Program Files\PowerISO\PWRISOVM.EXEC:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localO2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dllO3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dllO4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exeO4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exeO4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXEO4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware1\mbam4f.exe" /runcleanupscriptO4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /autoO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.htmlO8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.htmlO8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1231256121171O17 - HKLM\System\CCS\Services\Tcpip\..\{2339E83C-604F-4D8A-A95A-DB7CB6EC748C}: NameServer = 66.255.85.8,66.255.85.9O20 - AppInit_DLLs: c:\windows\system32\gaganome.dll fijeriki.dll O21 - SSODL: lenitisuj - {56bc3655-b1ce-48a9-a45e-9bfb0a63ef29} - c:\windows\system32\gaganome.dll (file missing)O22 - SharedTaskScheduler: mujuzedij - {56bc3655-b1ce-48a9-a45e-9bfb0a63ef29} - c:\windows\system32\gaganome.dll (file missing)O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe--End of file - 6119 bytes Link to post Share on other sites More sharing options...
AshleyH Posted October 9, 2009 Author ID:140320 Share Posted October 9, 2009 I just don't know what to do. The instructions say to wait and not install anything else but this thing is eating up my computer. I'll scan and find 13 infected items and fix them. The next couple of scans are clear but they will pop right back up. I still can't install mbam.exe regularly. Thankfully I was able to catch a mbam.exe quick enough one time to change the name so I can run the program at least.My most current scans:Malwarebytes' Anti-Malware 1.41Database version: 2775Windows 5.1.2600 Service Pack 310/9/2009 8:32:50 AMmbam-log-2009-10-09 (08-32-50).txtScan type: Quick ScanObjects scanned: 85105Time elapsed: 4 minute(s), 57 second(s)Memory Processes Infected: 0Memory Modules Infected: 1Registry Keys Infected: 1Registry Values Infected: 4Registry Data Items Infected: 2Folders Infected: 1Files Infected: 3Memory Processes Infected:(No malicious items detected)Memory Modules Infected:c:\WINDOWS\system32\gomuzidi.dll (Trojan.Vundo.H) -> Delete on reboot.Registry Keys Infected:HKEY_CLASSES_ROOT\CLSID\{7a99f983-a2f2-4a83-a784-e94899697a37} (Trojan.Vundo.H) -> Quarantined and deleted successfully.Registry Values Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeherasol (Trojan.Vundo.H) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\07918631 (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{7a99f983-a2f2-4a83-a784-e94899697a37} (Trojan.Vundo.H) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\tubuworoy (Trojan.Vundo.H) -> Quarantined and deleted successfully.Registry Data Items Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\gomuzidi.dll -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\gomuzidi.dll -> Quarantined and deleted successfully.Folders Infected:C:\Documents and Settings\All Users\Application Data\07918631 (Rogue.Multiple) -> Delete on reboot.Files Infected:c:\WINDOWS\system32\gomuzidi.dll (Trojan.Vundo.H) -> Delete on reboot.C:\Documents and Settings\All Users\Application Data\07918631\07918631.exe (Trojan.FakeAlert.H) -> Delete on reboot.C:\WINDOWS\system32\dogejuhu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.*****Logfile of Trend Micro HijackThis v2.0.2Scan saved at 8:34:10 AM, on 10/9/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16876)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\system32\hkcmd.exeC:\WINDOWS\system32\igfxpers.exeC:\Program Files\Analog Devices\Core\smax4pnp.exeC:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exeC:\Program Files\PowerISO\PWRISOVM.EXEC:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localO2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dllO3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dllO4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exeO4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exeO4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXEO4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware1\mbam4f.exe" /runcleanupscriptO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.htmlO8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.htmlO8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1231256121171O17 - HKLM\System\CCS\Services\Tcpip\..\{2339E83C-604F-4D8A-A95A-DB7CB6EC748C}: NameServer = 66.255.85.8,66.255.85.9O20 - AppInit_DLLs: c:\windows\system32\gaganome.dll fijeriki.dll O21 - SSODL: lenitisuj - {56bc3655-b1ce-48a9-a45e-9bfb0a63ef29} - c:\windows\system32\gaganome.dll (file missing)O22 - SharedTaskScheduler: mujuzedij - {56bc3655-b1ce-48a9-a45e-9bfb0a63ef29} - c:\windows\system32\gaganome.dll (file missing)O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe--End of file - 6033 bytesThanks,Ash Link to post Share on other sites More sharing options...
AshleyH Posted October 12, 2009 Author ID:141854 Share Posted October 12, 2009 Please help!!It's been a week from when I put up this topic and my computer is still a mess. Friday I ran Malwarebytes 3 times on full scan (still from the name altered exe) and it found zero items. I come into work this morning, turn on my computer, and it has been infected again. Ran mbam and it found 25 different things. Once my computer restarted I was able to update mbam and ran it again. 16 items found this time.Malwarebytes' Anti-Malware 1.41Database version: 2945Windows 5.1.2600 Service Pack 310/12/2009 8:57:28 AMmbam-log-2009-10-12 (08-57-28).txtScan type: Quick ScanObjects scanned: 88760Time elapsed: 3 minute(s), 50 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 2Registry Values Infected: 1Registry Data Items Infected: 1Folders Infected: 0Files Infected: 12Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_USERS\.DEFAULT\SOFTWARE\Windows Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.HKEY_USERS\S-1-5-18\SOFTWARE\Windows Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.Registry Values Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeherasol (Trojan.Vundo.H) -> Quarantined and deleted successfully.Registry Data Items Infected:HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (C:\WINDOWS\system32\pump.exe "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.Folders Infected:(No malicious items detected)Files Infected:C:\WINDOWS\system32\pananini.exe (Trojan.Dropper) -> Quarantined and deleted successfully.C:\WINDOWS\system32\fihanuna.exe (Trojan.Dropper) -> Quarantined and deleted successfully.C:\WINDOWS\system32\pump.exe (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.C:\WINDOWS\system32\rijilutu.exe (Trojan.Dropper) -> Quarantined and deleted successfully.C:\WINDOWS\system32\duyojaye.exe (Trojan.Dropper) -> Quarantined and deleted successfully.C:\WINDOWS\system32\jogejase.exe (Trojan.Dropper) -> Quarantined and deleted successfully.C:\WINDOWS\system32\yakiyetu.exe (Trojan.Dropper) -> Quarantined and deleted successfully.C:\WINDOWS\system32\kuronuju.exe (Trojan.Dropper) -> Quarantined and deleted successfully.C:\WINDOWS\system32\nuar.old (Malware.Trace) -> Quarantined and deleted successfully.C:\WINDOWS\system32\skynet.dat (Malware.Trace) -> Quarantined and deleted successfully.C:\WINDOWS\wf3.dat (Malware.Trace) -> Quarantined and deleted successfully.C:\WINDOWS\wf4.dat (Malware.Trace) -> Quarantined and deleted successfully.****Logfile of Trend Micro HijackThis v2.0.2Scan saved at 8:59:14 AM, on 10/12/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16876)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\system32\hkcmd.exeC:\WINDOWS\system32\igfxpers.exeC:\Program Files\Analog Devices\Core\smax4pnp.exeC:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exeC:\Program Files\PowerISO\PWRISOVM.EXEC:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localO2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dllO3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dllO4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exeO4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exeO4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXEO4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware1\mbam4f.exe" /runcleanupscriptO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.htmlO8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.htmlO8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1231256121171O17 - HKLM\System\CCS\Services\Tcpip\..\{2339E83C-604F-4D8A-A95A-DB7CB6EC748C}: NameServer = 66.255.85.8,66.255.85.9O20 - AppInit_DLLs: c:\windows\system32\gaganome.dll wayolelu.dll c:\windows\system32\riropefu.dllO21 - SSODL: lenitisuj - {56bc3655-b1ce-48a9-a45e-9bfb0a63ef29} - c:\windows\system32\gaganome.dll (file missing)O21 - SSODL: legalemin - {404beca4-5746-47c4-8f6f-793e2968d394} - c:\windows\system32\riropefu.dll (file missing)O22 - SharedTaskScheduler: mujuzedij - {56bc3655-b1ce-48a9-a45e-9bfb0a63ef29} - c:\windows\system32\gaganome.dll (file missing)O22 - SharedTaskScheduler: mujuzedij - {404beca4-5746-47c4-8f6f-793e2968d394} - c:\windows\system32\riropefu.dll (file missing)O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe--End of file - 6310 bytesAshley Link to post Share on other sites More sharing options...
sjpritch25 Posted October 12, 2009 ID:141941 Share Posted October 12, 2009 Welcome to Malwarebytes!!!!! Download Combofix from this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix**Note: It is important that it is saved directly to your desktop**--------------------------------------------------------------------1. Close any open browsers.2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.--------------------------------------------------------------------Double click on combofix.exe & follow the prompts. When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.Note:Do not mouseclick combofix's window while it's running. That may cause it to stall Link to post Share on other sites More sharing options...
AshleyH Posted October 13, 2009 Author ID:142437 Share Posted October 13, 2009 I ran ComboFix and it deleted several things but I was unable to get on the internet afterward. Some how it made my ethernet card stop working. In order to get my computer to work correctly I had to use a System Restore point. Repeat 3 times. Did I do something wrong? Link to post Share on other sites More sharing options...
AshleyH Posted October 13, 2009 Author ID:142459 Share Posted October 13, 2009 Ok I ran ComboFix again. It seems to fix things as I can install mbam.exe again but I cannot get on the internet. I tried to Repair the Local Area Connection but it failed because it said it could not find the TCP/IP information. I had assumed ComboFix was accidentally deleting the driver to my Ethernet card so when I went into the Device Manager I found two items had popped up under network adapters. See attached picture.It said something had changed in the registry not allowing them to run. Sadly I know very little about computers so I wasn't able to fix the internet issue. I had to use a System Restore again to fix it.Here is the Combo log even though it has now been changed back.ComboFix 09-10-12.03 - Ashley 10/13/2009 9:15.1.1 - NTFSx86Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.1096 [GMT -4:00]Running from: c:\documents and settings\Ashley\Desktop\ComboFix.exe.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).c:\windows\system32\bezuziso.dllc:\windows\system32\buhepine.dllc:\windows\system32\drivers\ndisrd.sysc:\windows\system32\lasobemo.dllc:\windows\system32\lidegifu.dllc:\windows\system32\movisebo.dllc:\windows\system32\nokihino.dllc:\windows\system32\schtmlc:\windows\system32\sivepena.dllc:\windows\system32\tenogapa.dllc:\windows\system32\venabiki.dllc:\windows\system32\yaponema.dllc:\windows\system32\zafufovi.dllc:\windows\system32\zamogudi.dll.((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))).-------\Legacy_ANTIPOL-------\Service_ndisrd((((((((((((((((((((((((( Files Created from 2009-09-13 to 2009-10-13 ))))))))))))))))))))))))))))))).2009-10-12 16:45 . 2009-10-12 16:45 -------- d-----w- c:\windows\system32\wbem\Repository2009-10-12 16:45 . 2009-10-12 16:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2009-10-12 16:44 . 2009-10-12 16:44 -------- d-----w- c:\program files\Avira2009-10-12 16:42 . 2009-10-12 16:44 -------- d-----w- c:\program files\Avira(2)2009-10-12 16:42 . 2009-10-12 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira(2)2009-10-12 16:26 . 2009-10-12 16:45 -------- d-----w- C:\cmdcons(2)2009-10-12 16:25 . 2009-10-12 16:45 -------- d-----w- C:\Qoobox(2)2009-10-12 15:41 . 2009-10-12 16:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware(2)2009-10-12 15:33 . 2009-10-12 16:45 -------- d-----w- C:\RECYCLER(2)2009-10-08 14:07 . 2009-10-08 14:07 -------- d-----w- c:\program files\Google2009-10-06 14:23 . 2009-10-06 14:23 -------- d-----w- c:\program files\TweetDeck2009-10-05 17:42 . 2009-10-05 17:42 -------- d-----w- c:\program files\Trend Micro2009-10-05 16:00 . 2009-07-28 20:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys2009-10-05 14:34 . 2009-10-05 14:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware12009-09-30 13:58 . 2009-09-30 13:58 -------- d-----w- c:\program files\Microsoft Silverlight2009-09-23 14:14 . 2009-09-23 14:15 -------- d-----w- c:\documents and settings\Ashley\Application Data\wootalyzer2009-09-23 14:13 . 2009-09-23 14:13 -------- d-----w- c:\program files\Wootalyzer.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2009-10-13 13:11 . 2009-01-06 16:23 -------- d-----w- c:\program files\Mozilla Thunderbird2009-10-06 14:34 . 2009-04-20 13:12 -------- d-----w- c:\program files\Common Files\Adobe AIR2009-09-18 10:21 . 2009-01-07 08:09 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet2009-09-10 18:54 . 2009-07-23 13:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2009-09-10 18:53 . 2009-07-23 13:28 19160 ----a-w- c:\windows\system32\drivers\mbam.sys2009-08-05 09:01 . 2004-08-12 13:23 204800 ----a-w- c:\windows\system32\mswebdvd.dll2009-07-17 19:01 . 2004-08-12 13:17 58880 ----a-w- c:\windows\system32\atl.dll2009-07-06 13:51 . 2009-07-06 13:51 52224 --sha-w- c:\windows\system32\bazisomi.dll.tmp2009-07-12 00:27 . 2009-07-12 00:27 87552 --sha-w- c:\windows\system32\bumobova.dll2009-07-06 13:50 . 2009-07-06 13:50 52224 --sha-w- c:\windows\system32\dafamupu.dll2009-07-07 01:51 . 2009-07-07 01:51 51200 --sha-w- c:\windows\system32\fijeriki.dll.tmp2009-07-06 13:51 . 2009-07-06 13:51 52224 --sha-w- c:\windows\system32\gibavufe.dll.tmp2009-07-07 01:50 . 2009-07-07 01:50 51200 --sha-w- c:\windows\system32\jehavomu.dll2009-07-10 00:26 . 2009-07-10 00:26 88576 --sha-w- c:\windows\system32\kiyoheze.dll2009-07-06 13:51 . 2009-07-06 13:51 52224 --sha-w- c:\windows\system32\mezatapu.dll.tmp2009-07-07 01:51 . 2009-07-07 01:51 51200 --sha-w- c:\windows\system32\niwalezu.dll.tmp2009-07-10 12:26 . 2009-07-10 12:26 88576 --sha-w- c:\windows\system32\nomukipo.dll2009-07-10 00:26 . 2009-07-10 00:26 51200 --sha-w- c:\windows\system32\pepunelo.dll2009-07-11 12:26 . 2009-07-11 12:26 88064 --sha-w- c:\windows\system32\pitizudi.dll2009-07-13 12:41 . 2009-07-13 12:41 51200 --sha-w- c:\windows\system32\seduvumo.dll2009-07-11 00:26 . 2009-07-11 00:26 87552 --sha-w- c:\windows\system32\wawumive.dll2009-07-06 13:50 . 2009-07-06 13:50 89088 --sha-w- c:\windows\system32\wojifoge.dll.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-08-07 200704]"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware1\mbam4f.exe" [2009-09-10 1312080][HKEY_LOCAL_MACHINE\software\microsoft\security center]"UpdatesDisableNotify"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="c:\\Program Files\\uTorrent\\uTorrent.exe"="c:\\Program Files\\Bonjour\\mDNSResponder.exe"="c:\\Program Files\\iTunes\\iTunes.exe"="c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=S2 srenum;srenum;c:\windows\system32\DRIVERS\srenum.sys --> c:\windows\system32\DRIVERS\srenum.sys [?]..------- Supplementary Scan -------.uInternet Settings,ProxyOverride = *.localIE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlIE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlIE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlIE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.htmlIE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.htmlIE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlIE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlIE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlTCP: {2339E83C-604F-4D8A-A95A-DB7CB6EC748C} = 66.255.85.8,66.255.85.9FF - ProfilePath - c:\documents and settings\Ashley\Application Data\Mozilla\Firefox\Profiles\rm4uh50g.default\FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en#restoreFF - plugin: c:\documents and settings\Ashley\Application Data\Move Networks\plugins\npqmp071500000347.dllFF - plugin: c:\documents and settings\Ashley\Application Data\Move Networks\plugins\npqmp071503000010.dll.- - - - ORPHANS REMOVED - - - -BHO-{e6caadf0-fd5c-434c-9314-201e440443da} - satukivu.dllHKLM-Run-bitisurida - zuvararo.dllSharedTaskScheduler-{56bc3655-b1ce-48a9-a45e-9bfb0a63ef29} - c:\windows\system32\gaganome.dllSharedTaskScheduler-{404beca4-5746-47c4-8f6f-793e2968d394} - c:\windows\system32\riropefu.dllSSODL-lenitisuj-{56bc3655-b1ce-48a9-a45e-9bfb0a63ef29} - c:\windows\system32\gaganome.dllSSODL-legalemin-{404beca4-5746-47c4-8f6f-793e2968d394} - c:\windows\system32\riropefu.dll**************************************************************************catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2009-10-13 09:20Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************.--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'explorer.exe'(4028)c:\windows\system32\WININET.dllc:\windows\system32\ieframe.dllc:\windows\system32\WPDShServiceObj.dllc:\windows\system32\PortableDeviceTypes.dllc:\windows\system32\PortableDeviceApi.dll.------------------------ Other Running Processes ------------------------.c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exec:\program files\Bonjour\mDNSResponder.exec:\windows\system32\wscntfy.exec:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe.**************************************************************************.Completion time: 2009-10-13 9:22 - machine was rebootedComboFix-quarantined-files.txt 2009-10-13 13:22ComboFix2.txt 2009-10-12 16:34Pre-Run: 61,714,505,728 bytes freePost-Run: 61,669,756,928 bytes freeWindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe[boot loader]timeout=2default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS[operating systems]c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdconsmulti(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect162 --- E O F --- 2009-09-10 07:01devicemanager.bmp Link to post Share on other sites More sharing options...
sjpritch25 Posted October 13, 2009 ID:142523 Share Posted October 13, 2009 1. Close any open browsers.2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.3. Open notepad and copy/paste the text in the quotebox below into it:File::c:\windows\system32\bazisomi.dll.tmpc:\windows\system32\bumobova.dllc:\windows\system32\dafamupu.dllc:\windows\system32\fijeriki.dll.tmpc:\windows\system32\gibavufe.dll.tmpc:\windows\system32\jehavomu.dllc:\windows\system32\kiyoheze.dllc:\windows\system32\mezatapu.dll.tmpc:\windows\system32\niwalezu.dll.tmpc:\windows\system32\nomukipo.dllc:\windows\system32\pepunelo.dllc:\windows\system32\pitizudi.dllc:\windows\system32\seduvumo.dllc:\windows\system32\wawumive.dllc:\windows\system32\wojifoge.dllc:\windows\system32\DRIVERS\srenum.sysDriver::srenumSave this as CFScript.txt, in the same location as ComboFix.exeRefering to the picture above, drag CFScript into ComboFix.exeWhen finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.==============================Open device Manager againright-click on the yellow exclamation markClick on Uninstall. Make sure you repeat for the other one too. Reboot your Computer. Let me know if you can get online or not. Thanks Link to post Share on other sites More sharing options...
AshleyH Posted October 13, 2009 Author ID:142554 Share Posted October 13, 2009 First when my computer rebooted after ComboFix did its thing a RUNDLL error popped up. Second when I went to uninstall the items in Device Manager it would not let me.I did everything you said but was not able to get on the internet and had to use system restore. Here is the log but just remember I did a restore. I do not have access to another computer here at work and I need internet access to access the server. For future knowledge is there something else I could do besides a restore?ComboFix 09-10-13.01 - Ashley 10/13/2009 14:08.1.1 - NTFSx86Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.1123 [GMT -4:00]Running from: c:\documents and settings\Ashley\Desktop\ComboFix.exeCommand switches used :: c:\documents and settings\Ashley\Desktop\CFScript.txtAV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}FILE ::"c:\windows\system32\bazisomi.dll.tmp""c:\windows\system32\bumobova.dll""c:\windows\system32\dafamupu.dll""c:\windows\system32\DRIVERS\srenum.sys""c:\windows\system32\fijeriki.dll.tmp""c:\windows\system32\gibavufe.dll.tmp""c:\windows\system32\jehavomu.dll""c:\windows\system32\kiyoheze.dll""c:\windows\system32\mezatapu.dll.tmp""c:\windows\system32\niwalezu.dll.tmp""c:\windows\system32\nomukipo.dll""c:\windows\system32\pepunelo.dll""c:\windows\system32\pitizudi.dll""c:\windows\system32\seduvumo.dll""c:\windows\system32\wawumive.dll""c:\windows\system32\wojifoge.dll".((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).c:\windows\system32\bazisomi.dll.tmpc:\windows\system32\bumobova.dllc:\windows\system32\dafamupu.dllc:\windows\system32\drivers\ndisrd.sysc:\windows\system32\fijeriki.dll.tmpc:\windows\system32\gibavufe.dll.tmpc:\windows\system32\jehavomu.dllc:\windows\system32\kiyoheze.dllc:\windows\system32\mezatapu.dll.tmpc:\windows\system32\niwalezu.dll.tmpc:\windows\system32\nomukipo.dllc:\windows\system32\pepunelo.dllc:\windows\system32\pitizudi.dllc:\windows\system32\schtmlc:\windows\system32\tarokuwe.dllc:\windows\system32\wawumive.dllc:\windows\system32\wayolelu.dllc:\windows\system32\wojifoge.dllc:\windows\system32\yaponema.dll.((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))).-------\Legacy_ANTIPOL-------\Legacy_SRENUM-------\Service_ndisrd-------\Service_srenum((((((((((((((((((((((((( Files Created from 2009-09-13 to 2009-10-13 ))))))))))))))))))))))))))))))).2009-10-13 15:34 . 2009-10-13 15:34 -------- d-----w- c:\windows\LastGood.Tmp2009-10-13 15:34 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys2009-10-13 15:34 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys2009-10-13 15:34 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys2009-10-13 15:34 . 2009-10-13 15:34 -------- d-----w- c:\program files\Avira2009-10-13 15:34 . 2009-10-13 15:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira2009-10-13 13:34 . 2009-10-13 13:34 -------- d-----w- c:\windows\system32\wbem\Repository2009-10-12 16:45 . 2009-10-12 16:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2009-10-12 16:42 . 2009-10-12 16:44 -------- d-----w- c:\program files\Avira(2)2009-10-12 16:42 . 2009-10-12 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira(2)2009-10-12 16:26 . 2009-10-12 16:45 -------- d-----w- C:\cmdcons(2)2009-10-12 16:25 . 2009-10-12 16:45 -------- d-----w- C:\Qoobox(2)2009-10-12 15:41 . 2009-10-12 16:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware(2)2009-10-12 15:33 . 2009-10-12 16:45 -------- d-----w- C:\RECYCLER(2)2009-10-08 14:07 . 2009-10-08 14:07 -------- d-----w- c:\program files\Google2009-10-06 14:23 . 2009-10-06 14:23 -------- d-----w- c:\program files\TweetDeck2009-10-05 17:42 . 2009-10-05 17:42 -------- d-----w- c:\program files\Trend Micro2009-10-05 16:00 . 2009-07-28 20:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys2009-10-05 14:34 . 2009-10-05 14:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware12009-09-30 13:58 . 2009-09-30 13:58 -------- d-----w- c:\program files\Microsoft Silverlight2009-09-23 14:14 . 2009-09-23 14:15 -------- d-----w- c:\documents and settings\Ashley\Application Data\wootalyzer2009-09-23 14:13 . 2009-09-23 14:13 -------- d-----w- c:\program files\Wootalyzer.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2009-10-13 13:11 . 2009-01-06 16:23 -------- d-----w- c:\program files\Mozilla Thunderbird2009-10-06 14:34 . 2009-04-20 13:12 -------- d-----w- c:\program files\Common Files\Adobe AIR2009-09-18 10:21 . 2009-01-07 08:09 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet2009-09-10 18:54 . 2009-07-23 13:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2009-09-10 18:53 . 2009-07-23 13:28 19160 ----a-w- c:\windows\system32\drivers\mbam.sys2009-08-05 09:01 . 2004-08-12 13:23 204800 ----a-w- c:\windows\system32\mswebdvd.dll2009-07-17 19:01 . 2004-08-12 13:17 58880 ----a-w- c:\windows\system32\atl.dll2009-07-10 12:26 . 2009-07-10 12:26 37376 --sha-w- c:\windows\system32\buhepine.dll2009-07-07 01:50 . 2009-07-07 01:50 38400 --sha-w- c:\windows\system32\lidegifu.dll2009-07-12 12:27 . 2009-07-12 12:27 38400 --sha-w- c:\windows\system32\movisebo.dll2009-07-10 00:26 . 2009-07-10 00:26 37376 --sha-w- c:\windows\system32\nokihino.dll2009-07-07 13:51 . 2009-07-07 13:51 38400 --sha-w- c:\windows\system32\sivepena.dll2009-07-06 13:50 . 2009-07-06 13:50 38400 --sha-w- c:\windows\system32\venabiki.dll2009-07-11 12:26 . 2009-07-11 12:26 37888 --sha-w- c:\windows\system32\zamogudi.dll.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e6caadf0-fd5c-434c-9314-201e440443da}]satukivu.dll [bU][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-08-07 200704]"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware1\mbam4f.exe" [2009-09-10 1312080]"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]"bitisurida"="wayolelu.dll" [bU][hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]"{56bc3655-b1ce-48a9-a45e-9bfb0a63ef29}"= "c:\windows\system32\gaganome.dll" [bU]"{404beca4-5746-47c4-8f6f-793e2968d394}"= "c:\windows\system32\riropefu.dll" [bU][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]"lenitisuj"= {56bc3655-b1ce-48a9-a45e-9bfb0a63ef29} - c:\windows\system32\gaganome.dll [bU]"legalemin"= {404beca4-5746-47c4-8f6f-793e2968d394} - c:\windows\system32\riropefu.dll [bU][HKEY_LOCAL_MACHINE\software\microsoft\security center]"UpdatesDisableNotify"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="c:\\Program Files\\uTorrent\\uTorrent.exe"="c:\\Program Files\\Bonjour\\mDNSResponder.exe"="c:\\Program Files\\iTunes\\iTunes.exe"="c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"="c:\\Program Files\\Avira\\AntiVir Desktop\\avguard.exe"=R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/13/2009 11:34 AM 108289]--- Other Services/Drivers In Memory ---*NewlyCreated* - AVGIO*NewlyCreated* - AVIPBB*NewlyCreated* - SSMDRV..------- Supplementary Scan -------.uInternet Settings,ProxyOverride = *.localIE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlIE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlIE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlIE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.htmlIE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.htmlIE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlIE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlIE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlTCP: {2339E83C-604F-4D8A-A95A-DB7CB6EC748C} = 66.255.85.8,66.255.85.9FF - ProfilePath - c:\documents and settings\Ashley\Application Data\Mozilla\Firefox\Profiles\rm4uh50g.default\FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en#restoreFF - plugin: c:\documents and settings\Ashley\Application Data\Move Networks\plugins\npqmp071500000347.dllFF - plugin: c:\documents and settings\Ashley\Application Data\Move Networks\plugins\npqmp071503000010.dll.**************************************************************************catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2009-10-13 14:12Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************.--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'explorer.exe'(3704)c:\windows\system32\WININET.dllc:\windows\system32\ieframe.dllc:\windows\system32\WPDShServiceObj.dllc:\windows\system32\PortableDeviceTypes.dllc:\windows\system32\PortableDeviceApi.dll.------------------------ Other Running Processes ------------------------.c:\program files\Avira\AntiVir Desktop\avguard.exec:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exec:\program files\Bonjour\mDNSResponder.exec:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exec:\windows\system32\wscntfy.exe.**************************************************************************.Completion time: 2009-10-13 14:15 - machine was rebootedComboFix-quarantined-files.txt 2009-10-13 18:15ComboFix2.txt 2009-10-13 13:22ComboFix3.txt 2009-10-12 16:34Pre-Run: 61,452,976,128 bytes freePost-Run: 61,425,258,496 bytes freeWindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe[boot loader]timeout=2default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS[operating systems]c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdconsmulti(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect195 --- E O F --- 2009-09-10 07:01 Link to post Share on other sites More sharing options...
sjpritch25 Posted October 14, 2009 ID:142647 Share Posted October 14, 2009 1. Close any open browsers.2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.3. Open notepad and copy/paste the text in the quotebox below into it:File::c:\windows\system32\buhepine.dllc:\windows\system32\lidegifu.dllc:\windows\system32\movisebo.dllc:\windows\system32\nokihino.dllc:\windows\system32\sivepena.dllc:\windows\system32\venabiki.dllc:\windows\system32\zamogudi.dllRegistry::[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e6caadf0-fd5c-434c-9314-201e440443da}][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"bitisurida"=-[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]"{56bc3655-b1ce-48a9-a45e-9bfb0a63ef29}"=-"{404beca4-5746-47c4-8f6f-793e2968d394}"=-[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]"lenitisuj"=-"legalemin"=-[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]"appinit_dlls"=""Save this as CFScript.txt, in the same location as ComboFix.exeRefering to the picture above, drag CFScript into ComboFix.exeWhen finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.===========================================Please open MBAM, update to the latest def's, run a Quick Scan. Please post the mbam log and ComboFix log in your next reply. Thanks Link to post Share on other sites More sharing options...
AshleyH Posted October 14, 2009 Author ID:142959 Share Posted October 14, 2009 Did as instructed and internet did not work after fix. Same reason as before, 2 yellow exclamation points in the device manager that won't uninstall. Had to use system restore.ComboFix 09-10-13.03 - Ashley 10/14/2009 9:00.1.1 - NTFSx86Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.1176 [GMT -4:00]Running from: c:\documents and settings\Ashley\Desktop\ComboFix.exeCommand switches used :: c:\documents and settings\Ashley\Desktop\CFScript.txtAV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}FILE ::"c:\windows\system32\buhepine.dll""c:\windows\system32\lidegifu.dll""c:\windows\system32\movisebo.dll""c:\windows\system32\nokihino.dll""c:\windows\system32\sivepena.dll""c:\windows\system32\venabiki.dll""c:\windows\system32\zamogudi.dll".((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).c:\windows\system32\buhepine.dllc:\windows\system32\drivers\ndisrd.sysc:\windows\system32\kekasika.dllc:\windows\system32\lidegifu.dllc:\windows\system32\movisebo.dllc:\windows\system32\nokihino.dllc:\windows\system32\schtmlc:\windows\system32\sivepena.dllc:\windows\system32\tarokuwe.dllc:\windows\system32\venabiki.dllc:\windows\system32\yaponema.dllc:\windows\system32\zamogudi.dll.((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))).-------\Legacy_ANTIPOL-------\Service_ndisrd((((((((((((((((((((((((( Files Created from 2009-09-14 to 2009-10-14 ))))))))))))))))))))))))))))))).2009-10-13 18:34 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys2009-10-13 18:34 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys2009-10-13 18:34 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys2009-10-13 18:32 . 2009-10-13 18:32 -------- d-----w- c:\windows\system32\wbem\Repository2009-10-13 18:24 . 2009-10-13 18:32 -------- d-----w- C:\RECYCLER(3)2009-10-13 18:07 . 2009-10-13 18:32 -------- d-----w- C:\cmdcons(3)2009-10-13 15:34 . 2009-10-13 15:34 -------- d-----w- c:\program files\Avira2009-10-13 15:34 . 2009-10-13 15:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira2009-10-12 16:45 . 2009-10-12 16:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2009-10-12 16:42 . 2009-10-12 16:44 -------- d-----w- c:\program files\Avira(2)2009-10-12 16:42 . 2009-10-12 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira(2)2009-10-12 16:26 . 2009-10-12 16:45 -------- d-----w- C:\cmdcons(2)2009-10-12 16:25 . 2009-10-12 16:45 -------- d-----w- C:\Qoobox(2)2009-10-12 15:41 . 2009-10-12 16:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware(2)2009-10-12 15:33 . 2009-10-12 16:45 -------- d-----w- C:\RECYCLER(2)2009-10-08 14:07 . 2009-10-08 14:07 -------- d-----w- c:\program files\Google2009-10-06 14:23 . 2009-10-06 14:23 -------- d-----w- c:\program files\TweetDeck2009-10-05 17:42 . 2009-10-05 17:42 -------- d-----w- c:\program files\Trend Micro2009-10-05 16:00 . 2009-07-28 20:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys2009-10-05 14:34 . 2009-10-05 14:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware12009-09-30 13:58 . 2009-09-30 13:58 -------- d-----w- c:\program files\Microsoft Silverlight2009-09-23 14:14 . 2009-09-23 14:15 -------- d-----w- c:\documents and settings\Ashley\Application Data\wootalyzer2009-09-23 14:13 . 2009-09-23 14:13 -------- d-----w- c:\program files\Wootalyzer.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2009-10-13 13:11 . 2009-01-06 16:23 -------- d-----w- c:\program files\Mozilla Thunderbird2009-10-06 14:34 . 2009-04-20 13:12 -------- d-----w- c:\program files\Common Files\Adobe AIR2009-09-18 10:21 . 2009-01-07 08:09 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet2009-09-10 18:54 . 2009-07-23 13:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2009-09-10 18:53 . 2009-07-23 13:28 19160 ----a-w- c:\windows\system32\drivers\mbam.sys2009-08-05 09:01 . 2004-08-12 13:23 204800 ----a-w- c:\windows\system32\mswebdvd.dll2009-07-17 19:01 . 2004-08-12 13:17 58880 ----a-w- c:\windows\system32\atl.dll2009-07-12 00:27 . 2009-07-12 00:27 87552 --sha-w- c:\windows\system32\bumobova.dll2009-07-06 13:50 . 2009-07-06 13:50 52224 --sha-w- c:\windows\system32\dafamupu.dll2009-07-07 01:50 . 2009-07-07 01:50 51200 --sha-w- c:\windows\system32\jehavomu.dll2009-07-10 00:26 . 2009-07-10 00:26 88576 --sha-w- c:\windows\system32\kiyoheze.dll2009-07-10 12:26 . 2009-07-10 12:26 88576 --sha-w- c:\windows\system32\nomukipo.dll2009-07-10 00:26 . 2009-07-10 00:26 51200 --sha-w- c:\windows\system32\pepunelo.dll2009-07-11 12:26 . 2009-07-11 12:26 88064 --sha-w- c:\windows\system32\pitizudi.dll2009-07-14 12:37 . 2009-07-14 12:37 52224 --sha-w- c:\windows\system32\rurirovi.dll2009-07-11 00:26 . 2009-07-11 00:26 38400 --sha-w- c:\windows\system32\tenogapa.dll2009-07-11 00:26 . 2009-07-11 00:26 87552 --sha-w- c:\windows\system32\wawumive.dll2009-07-06 13:50 . 2009-07-06 13:50 89088 --sha-w- c:\windows\system32\wojifoge.dll.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-08-07 200704]"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware1\mbam4f.exe" [2009-09-10 1312080]"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153][HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="c:\\Program Files\\uTorrent\\uTorrent.exe"="c:\\Program Files\\Bonjour\\mDNSResponder.exe"="c:\\Program Files\\iTunes\\iTunes.exe"="c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"="c:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"=R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/13/2009 2:34 PM 108289]S2 srenum;srenum;c:\windows\system32\DRIVERS\srenum.sys --> c:\windows\system32\DRIVERS\srenum.sys [?]..------- Supplementary Scan -------.uInternet Settings,ProxyOverride = *.localIE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlIE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlIE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlIE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.htmlIE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.htmlIE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlIE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlIE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlTCP: {2339E83C-604F-4D8A-A95A-DB7CB6EC748C} = 66.255.85.8,66.255.85.9FF - ProfilePath - c:\documents and settings\Ashley\Application Data\Mozilla\Firefox\Profiles\rm4uh50g.default\FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en#restoreFF - plugin: c:\documents and settings\Ashley\Application Data\Move Networks\plugins\npqmp071500000347.dllFF - plugin: c:\documents and settings\Ashley\Application Data\Move Networks\plugins\npqmp071503000010.dll.**************************************************************************catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2009-10-14 09:04Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************.--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'explorer.exe'(3868)c:\windows\system32\WININET.dllc:\windows\system32\ieframe.dllc:\windows\system32\WPDShServiceObj.dllc:\windows\system32\PortableDeviceTypes.dllc:\windows\system32\PortableDeviceApi.dll.------------------------ Other Running Processes ------------------------.c:\program files\Avira\AntiVir Desktop\avguard.exec:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exec:\program files\Bonjour\mDNSResponder.exec:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exec:\windows\system32\wscntfy.exe.**************************************************************************.Completion time: 2009-10-14 9:07 - machine was rebootedComboFix-quarantined-files.txt 2009-10-14 13:07ComboFix2.txt 2009-10-13 18:15ComboFix3.txt 2009-10-13 13:22ComboFix4.txt 2009-10-12 16:34Pre-Run: 61,261,819,904 bytes freePost-Run: 61,205,004,288 bytes freeWindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe[boot loader]timeout=2default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS[operating systems]c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdconsmulti(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect169 --- E O F --- 2009-09-10 07:01****Malwarebytes' Anti-Malware 1.41Database version: 2954Windows 5.1.2600 Service Pack 310/14/2009 9:14:09 AMmbam-log-2009-10-14 (09-14-09).txtScan type: Quick ScanObjects scanned: 86455Time elapsed: 2 minute(s), 18 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected) Link to post Share on other sites More sharing options...
sjpritch25 Posted October 14, 2009 ID:143042 Share Posted October 14, 2009 Something else is going to to re-infect you. Let try an ark scan. I need you to unplug the computer from the internet, until i say otherwise. ThanksDownload GMER Antirootkit Here, click on Download EXE and save to your DesktopDisconnect from the internet and disable all active protection so your security program drivers will not conflict with gmer's driver Double-click Gmer.exe to run the program. When the program opens, click the "Rootkit" Tab On the right-side, check all the items to be scanned, but leave "Show All" unchecked Select all drives that are connected to your system to be scanned Click the Scan button When the scan is finished, click Copy to save the scan log to the Windows clipboard Open Notepad or a similar text editor Paste the clipboard contents into a text file by clicking Edit | Paste or Ctl V Save the gmer scan log and post it in your next reply. Close Gmer Open a command prompt (Start | run |type cmd and hit Enter) Type or paste the following to unload the gmer driver: net stop gmer Hit Enter Exit the command prompt. [*]Re-enable all active protection. Link to post Share on other sites More sharing options...
AshleyH Posted October 20, 2009 Author ID:145911 Share Posted October 20, 2009 I have not forgotten or given up on this. I'm trying to get another computer to work on so that I can unhook this one from the net. All of my work is done off of a company server. Should have it by tomorrow. Link to post Share on other sites More sharing options...
sjpritch25 Posted October 21, 2009 ID:146283 Share Posted October 21, 2009 k Link to post Share on other sites More sharing options...
Michael Ortega Posted October 27, 2009 ID:149548 Share Posted October 27, 2009 Interestingly enough, I had this problem with several different variants of bugs - most of which seem to be Rootkits. The latest one appears to have hidden itself inside of the "LogMeIn" client. I have (2) active running "LogMeIn" processes. I'm in the middle of a GMER scan right now. I'll let you know what becomes of it. Link to post Share on other sites More sharing options...
nmgraywiz Posted February 1, 2010 ID:192503 Share Posted February 1, 2010 Greetings everyone... What follows is not an entire fix for the problem, however it appears to be a piece of the puzzle.. This machine I have been working on is VERY BADLY INECTED with multiple things.. including VUNDO, and the malwarebyte deletion problem being discussed here as well.. I found a procedure for killing the mbam.exe deletion problem to the point of getting a copy to install then run to clean out the junk.. Additional symptoms on this system. taskmanager was disabled., desktop was not coming up etc. used winxp cd to do an in place re-installion of the OS to get the desktop to come up. used regedit to clean up registry of task manager disables. Anyhow.. next opteration was to install malwarebytes.. installation goes find, then error as mbam.exe is deleted... Here's what I did to get it back.Boot into Safe mode, Start -> Run, type msconfig and hit ENTER key.select Diagnostic mode (which should disable everything... but will reveal the heart of re-infection mechanism)click apply and allow restart.On boot, you will the the msconfig window showing you're started up in a non standard setup. You will notice "custom" is selected instead of Diagnostic mode. ignore that fact for the moment. Click the Startup Tab you will find an entry that in my case was lajerode.dll, and changes constantly. it will be the only selected function. write down the name of the dll entry andn path. and any others you happen to notice that you know should not be there. (I know this is very vague, and if you don't understand what I'm saying, do not try this)After writing the useless dll's to be deleted. shutdown the computer (complete powerdown shutdown to insure killing of any in memory virus remnats.)I next used an UMBUTU 9.10 CD to boot up and get access to the filesystem. (better to not be a windows OS to minimize the virus components activating) navigate to the programs you wrote down in previous step, and delete the dll files you had on your list.reboot the system into regular Windows mode.. upon reaching the desktop run the mbam-setup.exe to install malwarebytes. do not click anything yet. Now start two more mbam-setup windows. you will install each one in a different folder. for example c:\program files\malware for one, then c:\program fiiles\malware2 for another etc... progress each setup to last step before it actually starts copying files. once all 3 or 4 are ready. initial the install one each one as quick as possible. this will slow down and confuse any existing deleters from missing one of the installs, attempt an update and run a quick scan.. in my case I had 4 successfull installations, and started a scan with each one, deleting what ever I found. my last one didn't find anything... allowed it to shutdown the computer to powerdown one more time.Hope this is not too confusing. so far, I have re-booted and it appers to have been eradicated. I will post again if it's not the case.. hope this helps someone..L8The Gray Wizard(aka: Matt) Link to post Share on other sites More sharing options...
Recommended Posts