
Can't install Mbam, firefox can't connect



Hi all... I have something called 'Registry Defender' that keeps popping up. I can't install Mbam, can't run Norton, automatic updates are turned off... etc. Here is my HJT log.

Thanks in advance for any help provided!!

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:49:06 AM, on 10/14/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16850)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\S24EvMon.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\ZCfgSvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\WINDOWS\System32\RegSrvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\System32\1XConfig.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE

C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.verizon.net/vznisp/portal/main.aspx

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R3 - URLSearchHook: (no name) - - (no file)

O2 - BHO: (no name) - {955efbf4-884f-4aea-9436-cefac07635b4} - silugihi.dll (file missing)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

O4 - HKLM\..\Run: [matideyap] Rundll32.exe "c:\windows\system32\zadiyoju.dll",a

O4 - HKLM\..\Run: [padivuvobi] Rundll32.exe "hevolofo.dll",s

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: officejet 6100.lnk = ?

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCYYYYYYYYUS

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommo...IOS/tgctlcm.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O20 - AppInit_DLLs: perutigu.dll

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

O24 - Desktop Component 0: (no name) - http://store.surfline.com/store/images/lg876739279.jpg

--

End of file - 8587 bytes


ComboFix 09-10-14.06 - Jeremy 10/14/2009 19:02.4.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.201 [GMT -7:00]

Running from: c:\documents and settings\Jeremy\Desktop\Combo-Fix.exe

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\begovatu.dll

c:\windows\system32\bokuwavi.dll

c:\windows\system32\delekuwu.dll

c:\windows\system32\jefaduku.dll

c:\windows\system32\lopibeki.dll

c:\windows\system32\pigopimu.dll

c:\windows\system32\ririzaki.dll

c:\windows\system32\tayijobu.dll

c:\windows\system32\yeruduki.dll

.

((((((((((((((((((((((((( Files Created from 2009-09-15 to 2009-10-15 )))))))))))))))))))))))))))))))

.

2009-10-14 13:48 . 2009-10-14 13:48 -------- d-----w- c:\program files\Trend Micro

2009-10-14 13:03 . 2009-10-14 13:03 51712 --sh--w- c:\windows\system32\himepuka.dll

2009-10-14 06:12 . 2009-10-14 06:12 -------- d-----w- c:\documents and settings\Jeremy\Local Settings\Application Data\Mozilla

2009-10-14 05:51 . 2004-08-04 07:56 50176 ----a-w- c:\windows\system32\proquota.exe

2009-10-14 05:51 . 2004-08-04 07:56 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe

2009-10-14 05:07 . 2009-10-14 05:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-10-14 04:50 . 2009-10-14 04:50 -------- d-----w- C:\Combo-Fix

2009-10-14 00:36 . 2006-10-05 02:42 2560 ------w- c:\windows\system32\drivers\cdralw2k.sys

2009-10-14 00:36 . 2006-10-05 02:42 2432 ------w- c:\windows\system32\drivers\cdr4_xp.sys

2009-10-14 00:35 . 2009-10-14 00:36 -------- d-----w- c:\program files\Picasa2

2009-10-14 00:31 . 2009-10-14 00:31 -------- d-----w- c:\program files\Western Digital

2009-10-14 00:31 . 2009-10-14 00:31 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield

2009-10-14 00:29 . 2009-10-14 00:29 -------- d-----w- c:\program files\Common Files\eSellerate

2009-10-14 00:28 . 2009-10-14 00:28 -------- d-----w- c:\documents and settings\Jeremy\Local Settings\Application Data\{4F717BFB-FF31-477F-85D1-7BABC44363EC}

2009-10-14 00:26 . 2009-10-14 00:29 -------- d-----w- c:\program files\Memeo

2009-10-14 00:26 . 2009-10-14 00:29 -------- d-s---w- c:\documents and settings\Jeremy\Local Settings\Application Data\Memeo

2009-10-14 00:26 . 2009-10-14 00:29 -------- d-s---w- c:\documents and settings\All Users\Application Data\Memeo

2009-10-14 00:25 . 2009-10-14 00:25 -------- d-----w- c:\documents and settings\Jeremy\Local Settings\Application Data\{73DF8C24-FEEC-41AF-B020-3FABC7890954}

2009-10-14 00:09 . 2009-10-14 00:09 -------- d-----w- c:\program files\Western Digital Technologies

2009-10-13 23:15 . 2009-10-13 23:15 -------- d-----w- C:\ProgramData

2009-10-13 23:15 . 2009-10-13 23:15 -------- d-----w- c:\program files\Angle Interactive

2009-10-13 21:01 . 2009-10-13 21:01 91648 --sh--w- c:\windows\system32\pimenuda.dll

2009-10-09 15:33 . 2009-10-09 15:33 172544 ----a-w- c:\windows\system32\tafiwizo.dll

2009-10-09 15:31 . 2009-10-09 15:31 17632 ----a-w- c:\windows\system32\suxalawi.dat

2009-10-09 15:31 . 2009-10-09 15:31 19674 ----a-w- c:\windows\cyzisor.dat

2009-10-09 15:31 . 2009-10-09 15:31 15224 ----a-w- c:\windows\system32\xaniguf.dat

2009-10-09 03:26 . 2009-10-09 03:26 -------- d-----w- c:\program files\CS

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-14 12:54 . 2009-10-14 12:54 1113885 ---ha-w- c:\windows\system32\BITC.tmp

2009-10-14 04:48 . 2009-10-14 04:42 79632 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-10-14 04:37 . 2004-08-24 02:52 79632 -c--a-w- c:\documents and settings\Jeremy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-10-14 01:56 . 2006-11-14 03:07 -------- d-----w- c:\program files\Google

2009-10-14 00:31 . 2004-08-10 13:24 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-10-13 22:38 . 2004-07-03 13:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-10-13 22:30 . 2004-08-31 03:38 -------- d-----w- c:\program files\Common Files\Roxio Shared

2009-10-07 02:20 . 2004-08-10 13:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2009-09-09 16:42 . 2009-09-09 16:42 -------- d-----w- c:\program files\Dell 720

2009-09-02 17:22 . 2009-04-26 06:57 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)

2009-09-02 17:20 . 2009-04-26 06:57 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)

2009-09-02 17:20 . 2009-04-26 06:57 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)

2009-09-02 17:12 . 2004-07-03 13:10 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-08-23 00:24 . 2004-08-31 04:53 -------- d-----w- c:\program files\DiMAGE Viewer

2009-07-24 23:28 . 2009-07-24 23:27 705 ----a-w- C:\bdluh.exe

2009-07-24 23:27 . 2009-07-24 23:27 215378 ----a-w- C:\mjxrscq.exe

2003-08-27 21:19 . 2004-08-31 03:58 36963 -c--a-r- c:\program files\Common Files\SM1updtr.dll

2009-07-08 23:10 . 2009-07-08 23:10 169472 --sha-w- c:\windows\SYSTEM32\bizivata.dll

2009-07-08 23:11 . 2009-07-08 23:11 1011755 --sha-w- c:\windows\SYSTEM32\nosamoti.exe

2009-07-14 13:03 . 2009-07-14 13:03 51712 --sha-w- c:\windows\SYSTEM32\silugihi.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-10-14_05.56.45 )))))))))))))))))))))))))))))))))))))))))

.

+ 2002-09-03 07:08 . 2009-10-14 13:02 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT

- 2002-09-03 07:08 . 2009-10-14 05:12 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{955efbf4-884f-4aea-9436-cefac07635b4}]

2009-07-14 13:03 51712 --sha-w- c:\windows\SYSTEM32\silugihi.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2009-10-14 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-29 107112]

"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2006-09-06 26248]

"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-30 583048]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-21 213936]

"matideyap"="c:\windows\system32\tayijobu.dll" [bU]

"ATIModeChange"="Ati2mdxx.exe" - c:\windows\SYSTEM32\Ati2mdxx.exe [2001-09-04 28672]

"padivuvobi"="hevolofo.dll" [bU]

c:\documents and settings\Michelle\Start Menu\Programs\Startup\

mhbupd32.exe [2004-8-4 29184]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2002-6-27 323646]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

officejet 6100.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2002-6-27 147456]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]

2004-01-13 20:17 110592 ----a-w- c:\windows\SYSTEM32\LgNotify.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Jeremy^Start Menu^Programs^Startup^Memeo AutoBackup Launcher.lnk]

path=c:\documents and settings\Jeremy\Start Menu\Programs\Startup\Memeo AutoBackup Launcher.lnk

backup=c:\windows\pss\Memeo AutoBackup Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jeremy^Start Menu^Programs^Startup^Memeo AutoSync Launcher.lnk]

path=c:\documents and settings\Jeremy\Start Menu\Programs\Startup\Memeo AutoSync Launcher.lnk

backup=c:\windows\pss\Memeo AutoSync Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jeremy^Start Menu^Programs^Startup^RD2010.lnk]

path=c:\documents and settings\Jeremy\Start Menu\Programs\Startup\RD2010.lnk

backup=c:\windows\pss\RD2010.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Nevo\\NevoMedia Server\\NevoMediaServer.exe"=

"c:\\Program Files\\Nevo\\NevoMedia Player\\NevoMediaPlayer.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/25/2009 4:30 PM 101936]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

.

Contents of the 'Scheduled Tasks' folder

2009-09-29 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 22:57]

2005-09-27 c:\windows\Tasks\FRU Task 2002-06-27 08:46ewlett-Packard2002-06-27 08:46p psc 2200 seriesF56855811176EC24C9B302F94878AD886AF77CFF111767218.job

- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-06-27 09:46]

2004-08-24 c:\windows\Tasks\ISP signup reminder 1.job

- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 07:56]

2009-07-18 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Jeremy.job

- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2006-09-07 06:38]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://start.verizon.net/vznisp/portal/main.aspx

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mStart Page = hxxp://www.google.com

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCYYYYYYYYUS

FF - ProfilePath - c:\documents and settings\Jeremy\Application Data\Mozilla\Firefox\Profiles\7gj66b6m.default\

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

.

- - - - ORPHANS REMOVED - - - -

SharedTaskScheduler-{3b1a5fb3-0bbb-416b-ab17-2608b0e0cc53} - c:\windows\system32\tayijobu.dll

SSODL-jetafijar-{3b1a5fb3-0bbb-416b-ab17-2608b0e0cc53} - c:\windows\system32\tayijobu.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-14 19:43

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(820)

c:\windows\system32\Ati2evxx.dll

c:\windows\System32\LgNotify.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\SYSTEM32\ati2evxx.exe

c:\windows\SYSTEM32\S24EvMon.exe

c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE

c:\windows\SYSTEM32\LEXBCES.EXE

c:\windows\SYSTEM32\LEXPPS.EXE

c:\windows\SYSTEM32\scardsvr.exe

c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe

c:\windows\SYSTEM32\RegSrvc.exe

c:\windows\SYSTEM32\wdfmgr.exe

c:\program files\Canon\CAL\CALMAIN.exe

c:\windows\SYSTEM32\ZCfgSvc.exe

c:\windows\SYSTEM32\ati2evxx.exe

c:\windows\SYSTEM32\1XConfig.exe

.

**************************************************************************

.

Completion time: 2009-10-15 19:49 - machine was rebooted

ComboFix-quarantined-files.txt 2009-10-15 02:49

ComboFix2.txt 2009-10-14 13:41

ComboFix3.txt 2009-10-14 06:48

ComboFix4.txt 2009-10-14 06:02

Pre-Run: 17,925,386,240 bytes free

Post-Run: 18,138,005,504 bytes free

202 --- E O F --- 2009-07-15 16:01

Thanks!

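The HijackThis and ComboFix logs posted above contain the indicators a log reviewer keys on: an unnamed BHO whose DLL is missing, Run entries that launch Rundll32.exe on DLLs with random-looking names, an AppInit_DLLs entry, and Security Center / firewall monitoring switched off. The following triage script is an added example (not part of the original thread or any Malwarebytes tool); the "random-looking name" test is a heuristic chosen here, and the sample lines are a constructed subset of the logs above.

```python
"""Triage helpers for the HijackThis and ComboFix logs posted above.

Added example, not part of the original thread. It flags:
  - O2 BHO entries with no name whose DLL is missing
  - O4 Run entries that launch Rundll32.exe on a random-looking DLL name
  - O20 AppInit_DLLs entries (the DLL is injected into every process that
    loads user32.dll)
  - Security Center monitoring and the Windows Firewall switched off in the
    ComboFix "Reg Loading Points" section
The "random-looking" test (8 lowercase letters alternating consonant/vowel,
matching names such as silugihi.dll and zadiyoju.dll) is a heuristic chosen
for this example, not a rule from any tool.
"""
import re

# Constructed sample: a subset of the HJT log lines posted above, with two
# benign entries (ccApp, ctfmon) to show that they are not flagged.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {955efbf4-884f-4aea-9436-cefac07635b4} - silugihi.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [matideyap] Rundll32.exe "c:\windows\system32\zadiyoju.dll",a
O4 - HKLM\..\Run: [padivuvobi] Rundll32.exe "hevolofo.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: perutigu.dll
"""

# Constructed sample: registry lines from the ComboFix log posted above.
SAMPLE_COMBOFIX_REG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

CV_NAME = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}$")
RUNDLL = re.compile(r'rundll32\.exe\s+"?([^",]+)"?', re.IGNORECASE)


def basename(path: str) -> str:
    """Last path component, tolerating quotes and either slash style."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1]


def looks_random(filename: str) -> bool:
    """Heuristic: 8-letter consonant/vowel stem such as silugihi or zadiyoju."""
    stem = basename(filename).lower().rsplit(".", 1)[0]
    return CV_NAME.match(stem) is not None


def triage_hjt(log_text: str) -> list:
    """Return (reason, line) pairs for HJT entries worth a closer look."""
    findings = []
    for line in log_text.strip().splitlines():
        line = line.strip()
        if line.startswith("O2 - BHO: (no name)") and "(file missing)" in line:
            findings.append(("unnamed BHO, DLL missing", line))
        elif line.startswith("O4 - "):
            m = RUNDLL.search(line)
            # A bare name such as hevolofo.dll is resolved by DLL search order,
            # so there is no fixed path to inspect; judge it by name shape.
            if m and looks_random(m.group(1)):
                findings.append(("Rundll32 autorun of random-looking DLL", line))
        elif line.startswith("O20 - AppInit_DLLs:") and line.split(":", 1)[1].strip():
            findings.append(("AppInit_DLLs set", line))
    return findings


def security_switches_off(reg_text: str) -> list:
    """Return registry keys under which monitoring or the firewall is off."""
    off, key = [], None
    for line in reg_text.strip().splitlines():
        line = line.strip()
        if line.startswith("["):
            key = line.strip("[]")
        elif line.startswith('"DisableMonitoring"=dword:'):
            if int(line.split("dword:", 1)[1], 16) == 1:
                off.append(key)
        elif line.startswith('"EnableFirewall"='):
            if line.split("=", 1)[1].split()[0] == "0":
                off.append(key)
    return off


if __name__ == "__main__":
    for reason, line in triage_hjt(SAMPLE_HJT):
        print(f"[{reason}] {line}")
    for key in security_switches_off(SAMPLE_COMBOFIX_REG):
        print(f"[protection disabled] {key}")
```

Run against a full log, the name heuristic will also flag any legitimate 8-letter consonant/vowel filename, so treat its output as a review list rather than a verdict.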

  • Staff
AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

This may cause problems. Make sure it's disabled before the next run.

---------------

Open NOTEPAD and copy/paste the text in the quotebox below into it:

http://www.malwarebytes.org/forums/index.php?showtopic=27790&st=0entry143395
COLLECT::
c:\windows\system32\himepuka.dll
c:\windows\system32\pimenuda.dll
c:\windows\system32\tafiwizo.dll
c:\documents and settings\Michelle\Start Menu\Programs\Startup\mhbupd32.exe
C:\bdluh.exe
C:\mjxrscq.exe
c:\windows\SYSTEM32\bizivata.dll
c:\windows\SYSTEM32\nosamoti.exe
c:\windows\SYSTEM32\silugihi.dll
FILE::
c:\windows\system32\suxalawi.dat
c:\windows\cyzisor.dat
c:\windows\system32\BITC.tmp
c:\windows\system32\xaniguf.dat
FOLDER::
C:\Program Files\CS
REGISTRY::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{955efbf4-884f-4aea-9436-cefac07635b4}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"matideyap"=-
"padivuvobi"=-

Save this as "CFScript"

[Image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Additionally, ComboFix will generate a zipped file at C:\Qoobox\Quarantine\[4]Submit@Date_Time.zip

Before proceeding to the next step, please submit this file to http://www.bleepingcomputer.com/submit-malware.php?channel=4

---------------

ESET Online Scanner

  • Please go to the following link ESET Online Scanner Link
  • Tick the box YES, I accept the Terms Of Use
  • Click the Start button
  • Now click the Install button
  • Click Start
    The scanner engine will initialise and update
  • Do Not tick the box Remove found threats
  • Click the Scan button
    The scan will now run, please be patient
  • When the scan finishes click the Details tab
  • Copy and paste the contents of the C:\Program Files\EsetOnlineScanner\log.txt back here.

---------------

Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Vista users: right-click the Internet Explorer shortcut and choose Run As Administrator.

**Note**

To optimize scanning time and produce a more sensible report for review:

  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.

  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

---------------

In your next post, please include fresh logs from:

  1. Online scan
  2. ComboFix's log

Please provide details of any problems you encountered whilst performing the above steps, and update us on how the computer behaves now.


I'm having trouble disabling Norton. It is not in the system tray, and when I open the program it goes directly into a scan, with no options to enable/disable anything. I followed the link you provided (thanks!), and have had no success. Is my next step to uninstall? I was going to do that, but could only start in safe mode, in which the Norton uninstaller will not run.


Thanks, it looks as though the installer you recommended is working in safe mode. I cannot, however, run the computer in normal mode. The popups have disabled pretty much anything from running. I can't move programs (such as ComboFix) from my thumbdrive to the desktop. Should I attempt to rename the file and run it, or just run it in safe mode?


Sorry, I should have explained further... In normal mode, the desktop is now blank, no background pic, no icons, and when I try to open Task Manager, run msconfig or the Norton remover (which just finished in safe mode) the attempt is stopped and nothing happens, just more popups. I'll try it in safe mode. Again, thanks so much for your time!


So I ran CF without dropping CFScript onto it first. Not sure if you need this log, too, but here it is:

http://www.malwarebytes.org/forums/index.p...mp;#entry143395

COLLECT::

c:\windows\system32\himepuka.dll

c:\windows\system32\pimenuda.dll

c:\windows\system32\tafiwizo.dll

c:\documents and settings\Michelle\Start Menu\Programs\Startup\mhbupd32.exe

C:\bdluh.exe

C:\mjxrscq.exe

c:\windows\SYSTEM32\bizivata.dll

c:\windows\SYSTEM32\nosamoti.exe

c:\windows\SYSTEM32\silugihi.dll

FILE::

c:\windows\system32\suxalawi.dat

c:\windows\cyzisor.dat

c:\windows\system32\BITC.tmp

c:\windows\system32\xaniguf.dat

FOLDER::

C:\Program Files\CS

REGISTRY::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{955efbf4-884f-4aea-9436-cefac07635b4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"matideyap"=-

"padivuvobi"=-


Here is the CF log after dropping CFScript into CF:

ComboFix 09-10-16.02 - Jeremy 10/16/2009 14:27.6.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.260 [GMT -7:00]

Running from: c:\documents and settings\Jeremy\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\Jeremy\Desktop\CFScript.txt

* Created a new restore point

FILE ::

"c:\windows\cyzisor.dat"

"c:\windows\system32\BITC.tmp"

"c:\windows\system32\suxalawi.dat"

"c:\windows\system32\xaniguf.dat"

file zipped: C:\bdluh.exe

file zipped: C:\mjxrscq.exe

file zipped: c:\windows\system32\pimenuda.dll

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\bdluh.exe

C:\mjxrscq.exe

c:\program files\CS

c:\windows\cyzisor.dat

c:\windows\system32\BITC.tmp

c:\windows\system32\pimenuda.dll

c:\windows\system32\suxalawi.dat

c:\windows\system32\xaniguf.dat

.

((((((((((((((((((((((((( Files Created from 2009-09-16 to 2009-10-16 )))))))))))))))))))))))))))))))

.

2009-10-16 21:24 . 2009-10-16 21:24 -------- d-----w- c:\windows\LastGood

2009-10-14 13:48 . 2009-10-14 13:48 -------- d-----w- c:\program files\Trend Micro

2009-10-14 06:12 . 2009-10-14 06:12 -------- d-----w- c:\documents and settings\Jeremy\Local Settings\Application Data\Mozilla

2009-10-14 05:51 . 2004-08-04 07:56 50176 ----a-w- c:\windows\system32\proquota.exe

2009-10-14 05:51 . 2004-08-04 07:56 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe

2009-10-14 05:07 . 2009-10-14 05:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-10-14 04:50 . 2009-10-14 04:50 -------- d-----w- C:\Combo-Fix

2009-10-14 00:36 . 2006-10-05 02:42 2560 ------w- c:\windows\system32\drivers\cdralw2k.sys

2009-10-14 00:36 . 2006-10-05 02:42 2432 ------w- c:\windows\system32\drivers\cdr4_xp.sys

2009-10-14 00:35 . 2009-10-14 00:36 -------- d-----w- c:\program files\Picasa2

2009-10-14 00:31 . 2009-10-14 00:31 -------- d-----w- c:\program files\Western Digital

2009-10-14 00:31 . 2009-10-14 00:31 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield

2009-10-14 00:29 . 2009-10-14 00:29 -------- d-----w- c:\program files\Common Files\eSellerate

2009-10-14 00:28 . 2009-10-14 00:28 -------- d-----w- c:\documents and settings\Jeremy\Local Settings\Application Data\{4F717BFB-FF31-477F-85D1-7BABC44363EC}

2009-10-14 00:26 . 2009-10-14 00:29 -------- d-----w- c:\program files\Memeo

2009-10-14 00:26 . 2009-10-14 00:29 -------- d-s---w- c:\documents and settings\Jeremy\Local Settings\Application Data\Memeo

2009-10-14 00:26 . 2009-10-14 00:29 -------- d-s---w- c:\documents and settings\All Users\Application Data\Memeo

2009-10-14 00:25 . 2009-10-14 00:25 -------- d-----w- c:\documents and settings\Jeremy\Local Settings\Application Data\{73DF8C24-FEEC-41AF-B020-3FABC7890954}

2009-10-14 00:09 . 2009-10-14 00:09 -------- d-----w- c:\program files\Western Digital Technologies

2009-10-13 23:15 . 2009-10-13 23:15 -------- d-----w- C:\ProgramData

2009-10-13 23:15 . 2009-10-13 23:15 -------- d-----w- c:\program files\Angle Interactive

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-16 20:58 . 2004-08-10 13:35 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-10-16 20:56 . 2004-08-10 13:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2009-10-14 04:48 . 2009-10-14 04:42 79632 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-10-14 04:37 . 2004-08-24 02:52 79632 -c--a-w- c:\documents and settings\Jeremy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-10-14 01:56 . 2006-11-14 03:07 -------- d-----w- c:\program files\Google

2009-10-14 00:31 . 2004-08-10 13:24 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-10-13 22:38 . 2004-07-03 13:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-10-13 22:30 . 2004-08-31 03:38 -------- d-----w- c:\program files\Common Files\Roxio Shared

2009-09-09 16:42 . 2009-09-09 16:42 -------- d-----w- c:\program files\Dell 720

2009-09-02 17:22 . 2009-04-26 06:57 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)

2009-09-02 17:20 . 2009-04-26 06:57 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)

2009-09-02 17:20 . 2009-04-26 06:57 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)

2009-09-02 17:12 . 2004-07-03 13:10 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-08-23 00:24 . 2004-08-31 04:53 -------- d-----w- c:\program files\DiMAGE Viewer

2003-08-27 21:19 . 2004-08-31 03:58 36963 -c--a-r- c:\program files\Common Files\SM1updtr.dll

2009-07-15 20:50 . 2009-07-15 20:50 1115040 --sha-w- c:\windows\SYSTEM32\kewowupa.exe

.

((((((((((((((((((((((((((((( SnapShot@2009-10-14_05.56.45 )))))))))))))))))))))))))))))))))))))))))

.

+ 2002-09-03 07:08 . 2009-10-14 13:02 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT

- 2002-09-03 07:08 . 2009-10-14 05:12 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2009-10-14 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-21 213936]

"ATIModeChange"="Ati2mdxx.exe" - c:\windows\SYSTEM32\Ati2mdxx.exe [2001-09-04 28672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2002-6-27 323646]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

officejet 6100.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2002-6-27 147456]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]

2004-01-13 20:17 110592 ----a-w- c:\windows\SYSTEM32\LgNotify.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Jeremy^Start Menu^Programs^Startup^Memeo AutoBackup Launcher.lnk]

path=c:\documents and settings\Jeremy\Start Menu\Programs\Startup\Memeo AutoBackup Launcher.lnk

backup=c:\windows\pss\Memeo AutoBackup Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jeremy^Start Menu^Programs^Startup^Memeo AutoSync Launcher.lnk]

path=c:\documents and settings\Jeremy\Start Menu\Programs\Startup\Memeo AutoSync Launcher.lnk

backup=c:\windows\pss\Memeo AutoSync Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jeremy^Start Menu^Programs^Startup^RD2010.lnk]

path=c:\documents and settings\Jeremy\Start Menu\Programs\Startup\RD2010.lnk

backup=c:\windows\pss\RD2010.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Nevo\\NevoMedia Server\\NevoMediaServer.exe"=

"c:\\Program Files\\Nevo\\NevoMedia Player\\NevoMediaPlayer.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

S4 AutoSyncService;Memeo AutoSync ;c:\program files\Memeo\AutoSync\MemeoService.exe [7/6/2007 5:28 PM 31768]

.

Contents of the 'Scheduled Tasks' folder

2009-09-29 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 22:57]

2005-09-27 c:\windows\Tasks\FRU Task 2002-06-27 08:46ewlett-Packard2002-06-27 08:46p psc 2200 seriesF56855811176EC24C9B302F94878AD886AF77CFF111767218.job

- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-06-27 09:46]

2004-08-24 c:\windows\Tasks\ISP signup reminder 1.job

- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 07:56]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://start.verizon.net/vznisp/portal/main.aspx

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mStart Page = hxxp://www.google.com

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCYYYYYYYYUS

FF - ProfilePath - c:\documents and settings\Jeremy\Application Data\Mozilla\Firefox\Profiles\7gj66b6m.default\

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-49438230 - c:\docume~1\ALLUSE~1\APPLIC~1\49438230\49438230.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-16 14:35

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(812)

c:\windows\system32\Ati2evxx.dll

c:\windows\System32\LgNotify.dll

.

Completion time: 2009-10-16 14:38

ComboFix-quarantined-files.txt 2009-10-16 21:38

ComboFix2.txt 2009-10-16 21:21

ComboFix3.txt 2009-10-15 02:49

ComboFix4.txt 2009-10-14 13:41

ComboFix5.txt 2009-10-16 21:25

Pre-Run: 19,712,503,808 bytes free

Post-Run: 19,677,130,752 bytes free

168 --- E O F --- 2009-07-15 16:01

Upload was successful


ESET online scanner log:

C:\Qoobox\Quarantine\[4]-Submit_2009-10-16_14.27.36.zip multiple threats

C:\Qoobox\Quarantine\C\bdluh.exe.vir Win32/Small.NEK trojan

C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\49438230\49438230.exe.vir a variant of Win32/Kryptik.AVG trojan

C:\Qoobox\Quarantine\C\Documents and Settings\Michelle\Application Data\lizkavd.exe.vir a variant of Win32/Kryptik.ATV trojan

C:\Qoobox\Quarantine\C\Documents and Settings\Michelle\Application Data\seres.exe.vir a variant of Win32/Kryptik.ASA trojan

C:\Qoobox\Quarantine\C\Documents and Settings\Michelle\Application Data\svcst.exe.vir a variant of Win32/Kryptik.ASA trojan

C:\Qoobox\Quarantine\C\Documents and Settings\Michelle\Start Menu\Programs\Startup\mhbupd32.exe.vir Win32/TrojanDownloader.Bredolab.AA trojan

C:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe.vir a variant of Win32/Kryptik.ATV trojan

C:\Qoobox\Quarantine\C\Program Files\Shared\lib.dll.vir a variant of Win32/BHO.NMM trojan

C:\Qoobox\Quarantine\C\Program Files\Shared\_lib.dll.vir a variant of Win32/BHO.NMM trojan

C:\Qoobox\Quarantine\C\WINDOWS\mark_32.dll.vir Win32/TrojanDownloader.Agent.PGX trojan

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\apubxncd.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\BITC.tmp.vir a variant of Win32/Kryptik.AVG trojan

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\bizivata.dll.vir a variant of Win32/Kryptik.AVG trojan

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\bnksblcn.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\bokuwavi.dll.vir Win32/KillAV.NFO trojan

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\ccixmmyg.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\cqbcutjx.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\crpxplyb.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\delekuwu.dll.vir a variant of Win32/Adware.SuperJuan.F application

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\dsnowsxn.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\hevolofo.dll.vir a variant of Win32/Adware.SuperJuan.H application

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\himepuka.dll.vir a variant of Win32/Adware.SuperJuan.H application

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\iemmvkov.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\jehsqlav.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\kejefuru.dll.vir a variant of Win32/Kryptik.AVG trojan

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\lopibeki.dll.vir Win32/KillAV.NFO trojan

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\nkvivpsb.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\nonomaso.dll.vir a variant of Win32/KillAV.NFZ trojan

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\nosamoti.exe.vir a variant of Win32/Kryptik.ATL trojan

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\npafxpxp.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\perutigu.dll.vir a variant of Win32/Adware.SuperJuan.H application

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\pigopimu.dll.vir a variant of Win32/KillAV.NFZ trojan

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\qpoqr.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\qpoqr.ini2.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\rutobuki.exe.vir a variant of Win32/Kryptik.AVG trojan

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\silugihi.dll.vir a variant of Win32/Adware.SuperJuan.H application

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\sxtkdgpl.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\tafiwizo.dll.vir a variant of Win32/Kryptik.AVG trojan

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\tijmijaj.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\tknbfxwe.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\tnoclvdw.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\vjjwvrwi.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\wkcfggvo.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\wnwelvme.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\woigcmio.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\zadiyoju.dll.vir a variant of Win32/Kryptik.AVG trojan

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\_sdra64_.exe.zip Win32/Spy.Zbot.UN trojan

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\~.exe.vir a variant of Win32/Kryptik.ASY trojan

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\WBEM\proquota.exe.vir a variant of Win32/Kryptik.ABM trojan

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP565\A0201704.sys Win32/Rustock trojan

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP581\A0213052.exe a variant of Win32/Kryptik.AHY trojan

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP589\A0220171.dll a variant of Win32/BHO.NMM trojan

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP593\A0221188.exe Win32/TrojanDownloader.Bredolab.AA trojan

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP597\A0227243.exe Win32/Spy.Zbot.UN trojan

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP599\A0228263.exe Win32/Spy.Zbot.UN trojan

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP599\A0229276.exe a variant of Win32/Kryptik.AHY trojan

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP600\A0230282.exe a variant of Win32/Kryptik.ASA trojan

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP600\A0230291.exe a variant of Win32/Kryptik.ASA trojan

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP600\A0230299.exe a variant of Win32/Kryptik.ASA trojan

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP600\A0231298.exe a variant of Win32/Kryptik.ASA trojan

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP600\A0231301.exe a variant of Win32/Kryptik.ASA trojan

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP600\A0231314.exe a variant of Win32/Kryptik.ASA trojan

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP600\A0231324.dll Win32/Adware.Virtumonde.NFU application

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP600\A0231333.exe a variant of Win32/Kryptik.ASA trojan

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232214.exe a variant of Win32/Kryptik.ATV trojan

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232216.exe a variant of Win32/Kryptik.ASA trojan

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232217.exe a variant of Win32/Kryptik.ASA trojan

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232225.exe a variant of Win32/Kryptik.ATV trojan

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232227.dll a variant of Win32/BHO.NMM trojan

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232228.dll a variant of Win32/BHO.NMM trojan

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232233.exe a variant of Win32/Kryptik.ASY trojan

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232234.ini Win32/Adware.Virtumonde.NEO application

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232235.ini Win32/Adware.Virtumonde.NEO application

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232236.ini Win32/Adware.Virtumonde.NEO application

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232237.ini Win32/Adware.Virtumonde.NEO application

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232238.ini Win32/Adware.Virtumonde.NEO application

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232242.ini Win32/Adware.Virtumonde.NEO application

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232243.ini Win32/Adware.Virtumonde.NEO application

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232244.ini Win32/Adware.Virtumonde.NEO application

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232245.dll a variant of Win32/Kryptik.AVG trojan

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232248.ini Win32/Adware.Virtumonde.NEO application

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232249.ini Win32/Adware.Virtumonde.NEO application

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232250.ini Win32/Adware.Virtumonde.NEO application

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232251.ini Win32/Adware.Virtumonde.NEO application

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232252.ini Win32/Adware.Virtumonde.NEO application

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232253.ini Win32/Adware.Virtumonde.NEO application

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232254.ini Win32/Adware.Virtumonde.NEO application

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232255.ini Win32/Adware.Virtumonde.NEO application

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232256.exe a variant of Win32/Kryptik.ABM trojan

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232257.ini Win32/Adware.Virtumonde.NEO application

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232258.ini Win32/Adware.Virtumonde.NEO application

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232259.ini Win32/Adware.Virtumonde.NEO application

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232382.dll Win32/TrojanDownloader.Agent.PGX trojan

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0232595.dll Win32/KillAV.NFO trojan

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0232596.dll a variant of Win32/Adware.SuperJuan.F application

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0232598.dll Win32/KillAV.NFO trojan

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0236365.exe a variant of Win32/Kryptik.AVG trojan

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0236368.exe Win32/TrojanDownloader.Bredolab.AA trojan

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0236369.dll a variant of Win32/Kryptik.AVG trojan

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0236370.dll a variant of Win32/Adware.SuperJuan.H application

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0236372.dll a variant of Win32/KillAV.NFZ trojan

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0236373.exe a variant of Win32/Kryptik.ATL trojan

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0236374.exe a variant of Win32/Kryptik.AVG trojan

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0236375.dll a variant of Win32/Adware.SuperJuan.H application

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0236376.dll a variant of Win32/Kryptik.AVG trojan

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP606\A0236538.exe Win32/Small.NEK trojan

C:\WINDOWS\SYSTEM32\kewowupa.exe a variant of Win32/Kryptik.AVG trojan


Looks like the Kaspersky scan is not available right now:

Coming soon:

A new, improved version of the

Kaspersky Online Scanner

The current Kaspersky Online Scanner is unavailable - we apologize for the inconvenience

The computer seems to be running much better now. I am able to use Firefox, and I was able to install and update Malwarebytes. I do, however, still have a listing for Registry Defender under Start > All Programs.

Thanks so much for your help to this point! Any further thoughts?


  • Staff

ESET alone will do just fine.

Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

@echo off
rem Remove any log left over from a previous run
if exist "%temp%\log.txt" del "%temp%\log.txt"

rem Delete the remaining malware file; record it in the log if it survives
for %%g in (
C:\WINDOWS\SYSTEM32\kewowupa.exe
) do (
del /a/f/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
rem Remove the leftover quarantine/backup folders; record any that survive
for %%g in (
"%systemdrive%\VundoFix Backups"
%systemdrive%\Qoobox
) do (
rd /s/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
rem Show the log if anything could not be removed, otherwise report success
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!
pause
rem The batch file removes itself once it has run
del %0

Save this as fix.bat. Choose "Save as type: All Files".


Double click on fix.bat & allow it to run

Post back to tell me what it says


  • Staff

Of the stuff found,

C:\QooBox is ComboFix's quarantine folder. We'll take care of it when we uninstall ComboFix.

C:\System Volume Information\ is where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore. Nevertheless, we shall be resetting/clearing the cache in a little while.

----------------------

Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

  1. Uninstall ComboFix ... do not skip this step
    This process will perform some post cleanup measures.
    Do this by going to Start > Run & typing in ComboFix /U
  2. ANTIVIRUS SOFTWARE
    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  3. http://www.windowsupdate.com - Microsoft Windows Update
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  4. http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
  5. http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
  6. http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.
    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.
    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://www.spywareinfoforum.com/index.php?showtopic=60955

After doing all these, your system will be optimised against future threats.

Have a safe & happy computing day.

Kindly respond to this thread once more so we can mark this thread as resolved.
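The helper's triage of the ESET log above (hits under ComboFix's quarantine and under System Restore's cache are inert copies; a hit on a live path is still an active infection that needs removing) can be automated. This is an added example for this thread, not the helper's or ESET's own tooling; it assumes the plain "path detection" line format shown in the ESET Online Scanner log and uses a few lines copied from that log as constructed input.

```python
import re

# Constructed sample: five lines copied from the ESET log in this thread,
# covering each of the locations the helper distinguishes.
SAMPLE_LOG = r"""
C:\Qoobox\Quarantine\C\bdluh.exe.vir Win32/Small.NEK trojan
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\_sdra64_.exe.zip Win32/Spy.Zbot.UN trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP565\A0201704.sys Win32/Rustock trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP606\A0236538.exe Win32/Small.NEK trojan
C:\WINDOWS\SYSTEM32\kewowupa.exe a variant of Win32/Kryptik.AVG trojan
"""

# An ESET line is "<path> <detection>". Paths may contain spaces, so the
# path is matched lazily and the detection is anchored to the end of the
# line: "[a variant of ]<family> trojan|application" or "multiple threats".
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<detection>(?:a variant of )?\S+ (?:trojan|application)|multiple threats)$"
)

# ComboFix's quarantine folder: removed when ComboFix is uninstalled.
QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"
# System Restore's cache: inert unless a manual restore is performed, and
# cleared when the restore points are reset.
RESTORE_MARKER = "\\system volume information\\_restore"


def classify(path: str) -> str:
    """Bucket a detection by where the file lives (paths compared case-insensitively)."""
    p = path.lower()
    if p.startswith(QUARANTINE_PREFIX):
        return "quarantined"
    if RESTORE_MARKER in p:
        return "restore_point"
    return "live"


def parse_line(line: str):
    """Split one ESET log line into (path, detection); None if it is not a hit line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("path"), m.group("detection")


def triage(log_text: str) -> dict:
    """Group every hit in an ESET log by bucket; only 'live' hits still need action."""
    buckets = {"quarantined": [], "restore_point": [], "live": []}
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue  # blank line or header text such as "ESET online scanner log:"
        path, detection = parsed
        buckets[classify(path)].append((path, detection))
    return buckets


def live_paths(log_text: str) -> list:
    """Paths of hits outside quarantine and the restore cache: the real to-do list."""
    return [path for path, _ in triage(log_text)["live"]]


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for bucket, hits in result.items():
        print(f"{bucket}: {len(hits)} hit(s)")
    for path, detection in result["live"]:
        print(f"  still active: {path}  ({detection})")
```

On the sample the only live hit is c:\windows\SYSTEM32\kewowupa.exe, which is the file the fix.bat above deletes and which the ComboFix Find3M report lists with system/hidden attributes.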


This topic is now closed to further replies.