Having trouble

cantstopfishing · October 30, 2009

Hello.

It seems I have a smart malware program running that will not allow malwarebytes to run or be re-installed.

Per the administrators suggestion I have run hijack this and here is the log:

Logfile of HijackThis v1.99.1

Scan saved at 7:50:55 AM, on 10/30/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\PROGRA~1\Iomega\System32\AppServices.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\DOCUME~1\ALLUSE~1\APPLIC~1\42709325\42709325.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ALCXMNTR.EXE

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Outlook Express\msimn.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: (no name) - {06f7df88-1ba3-4372-ac32-d0f3138b2fdc} - polekove.dll (file missing)

O2 - BHO: IEPlugin Class - {11222041-111B-46E3-BD29-EFB2449479B1} - C:\PROGRA~1\ArcSoft\MEDIAC~1\INTERN~1\ARCURL~1.DLL

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll

O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll

O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)

O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [73413119] C:\DOCUME~1\ALLUSE~1\APPLIC~1\73413119\73413119.exe

O4 - HKLM\..\Run: [42709325] C:\DOCUME~1\ALLUSE~1\APPLIC~1\42709325\42709325.exe

O4 - HKLM\..\Run: [lomafawipi] Rundll32.exe "tonepopo.dll",s

O4 - HKLM\..\Run: [sawodafik] Rundll32.exe "c:\windows\system32\nowikuje.dll",a

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International

O15 - Trusted Zone: http://*.usearchtv.com

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.charter.com/sdccommon/download/tgctlcm.cab

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDT/ie/bridge-c18.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo2.walgreens.com/WalgreensActivia.cab

O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1144238640765

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab

O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: c:\windows\system32\yezumoyu.dll dijineho.dll c:\windows\system32\subapade.dll c:\windows\system32\nowikuje.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O21 - SSODL: welojotam - {8e83ad35-3bb2-41ee-985b-739b7f4a0689} - c:\windows\system32\nowikuje.dll

O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

O23 - Service: Alerter AlerterAlerterAlerterALG (AlerterAlerterAlerterALG) - Unknown owner - C:\WINDOWS\system32\d.exe (file missing)

O23 - Service: Alerter AlerterAlerterALG (AlerterAlerterALG) - Unknown owner - C:\WINDOWS\system32\d.exe (file missing)

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe" /svc (file missing)

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)

O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

melboy · October 31, 2009

Hi and welcome to the Malwarebytes forums. <_<

I'm melboy and I am going to try to help you with your problem. Please take note of the following:

I will be working on your Malware issues this may or may not solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for this issue on this machine.
If you don't know or understand something, please don't hesitate to ask.
Please DO NOT run any other tools or scans whilst I am helping you.
It is important that you reply to this thread. Do not start a new topic.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Absence of symptoms does not mean that everything is clear.

No Reply Within 3 Days Will Result In Your Topic Being Closed!! If you need more time, please inform me.

Uninstall list

Please post an Uninstall list.

Open HijackThis.
Click on the Open the Misc Tools section button.
Look under System tools.
Click on the Open Uninstall Manager... button.
Click on the Save list... button.
It will prompt you to save. Save this log in a convenient location, such as your Desktop By default it's named uninstall_list.txt.
Notepad will open. Please post this log in your next reply.

In your next reply.

1. Uninstall list.

cantstopfishing · October 31, 2009

Hi and welcome to the Malwarebytes forums.
I'm melboy and I am going to try to help you with your problem. Please take note of the following:
I will be working on your Malware issues this may or may not solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for this issue on this machine.
If you don't know or understand something, please don't hesitate to ask.
Please DO NOT run any other tools or scans whilst I am helping you.
It is important that you reply to this thread. Do not start a new topic.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Absence of symptoms does not mean that everything is clear.
No Reply Within 3 Days Will Result In Your Topic Being Closed!! If you need more time, please inform me.
Uninstall list
Please post an Uninstall list.
Open HijackThis.
Click on the Open the Misc Tools section button.
Look under System tools.
Click on the Open Uninstall Manager... button.
Click on the Save list... button.
It will prompt you to save. Save this log in a convenient location, such as your Desktop By default it's named uninstall_list.txt.
Notepad will open. Please post this log in your next reply.
In your next reply.
1. Uninstall list.

Thanks Melboy.

Here is the uninstall list.

7-Zip 4.57

Adobe Acrobat Reader 3.01

Adobe Flash Player 10 ActiveX

Adobe Reader 7.0.9

AT&T Labs' Natural Voices Desktop 1.2.1

AVG Free 8.5

Bonjour Core for Windows

Bounce from Hewlett-Packard Desktops (remove only)

Cakewalk Audio Finder Tool

Cakewalk Music Creator 2003

Cakewalk Pyro 1.5

Charter Pipeline

melboy · November 1, 2009

Hi

Unfortunately your computer has multiple infections, including a backdoor. A backdoor gives intruders complete control of your computer, logs your keystrokes, steal personal information, etc.

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

I can attempt to clean this machine but I can't guarantee that it will be at all secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.

cantstopfishing · November 2, 2009

Let's try to clean this machine.

Thanks.

melboy · November 2, 2009

Hi

I would strongly impress upon you what I previously said that if you do any banking or other financial transactions on the PC, a reformat and reinstall of the OS would definately be advised.

I can't guarantee that the PC will be at all secure afterwards.

=====================================================================

ComboFix (by sUBs)

Download Combofix from any of the links below but rename it to melboy1.exe before saving it to your desktop.

Link 1

Link 2

Now STOP your security programs (Antivirus/Antispyware Guards) as they could easily interfere with ComboFix.
How to Temporarily Disable your Anti-virus
AVG 8.5
- Please open the AVG 8.5 Control Center, by right clicking on the AVG icon on task bar.
- Click on Open AVG Interface.
- Double click on Resident Shield
- Deselect the option to "Enable Resident Shield."
- Save changes, and exit the application.
- To re-enable AVG 8.5, please select "Enable Resident Shield" again.
[*]Double click the renamed ComboFix.exe & follow the prompts.
[*]When finished, it will produce a report for you.
[*]Please post the C:\ComboFix.txt so we can continue cleaning the system.

Re-enable all the programs that were disabled during the running of ComboFix

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.

This tool is not a toy and not for everyday use.

ComboFix SHOULD NOT be used unless requested by a forum helper

cantstopfishing · November 2, 2009

Thank you. Here is the combofix log file.

ComboFix 09-11-01.04 - Owner 11/02/2009 11:30.1.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.703.324 [GMT -6:00]

Running from: c:\documents and settings\Owner\Desktop\melboy1.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\tejanizyx.inf

c:\documents and settings\All Users\Documents\ehudyqy.inf

c:\documents and settings\All Users\documents\setup.exe

c:\documents and settings\All Users\Documents\ufupo.bat

c:\documents and settings\Owner\Application Data\xunawynu.bat

c:\documents and settings\Sarah\Application Data\iniasd.txt

c:\documents and settings\Sarah\Desktop\Security Tool.lnk

c:\documents and settings\Sarah\Start Menu\Programs\Security Tool.lnk

c:\program files\WinPCap

c:\program files\WinPCap\rpcapd.exe

c:\windows\COUPON~1.OCX

c:\windows\CouponPrinter.ocx

c:\windows\Fonts\acrsec.fon

c:\windows\patch.exe

c:\windows\pubosi.vbs

c:\windows\system32\dakagego.dll

c:\windows\system32\dowileyi.dll

c:\windows\system32\drivers\ndisrd.sys

c:\windows\system32\drivers\npf.sys

c:\windows\system32\duhavevo.dll

c:\windows\system32\gadonesi.exe

c:\windows\system32\iAlmcoin.dll

c:\windows\system32\kojofaba.dll.tmp

c:\windows\system32\ndisapi.dll

c:\windows\system32\nfr.assembly

c:\windows\system32\nfr.gpref

c:\windows\system32\nopulana.dll

c:\windows\system32\Packet.dll

c:\windows\system32\petolahu.dll

c:\windows\system32\pmkmudme.ini

c:\windows\system32\ps2.bat

c:\windows\system32\pthreadVC.dll

c:\windows\system32\regoyivu.dll.tmp

c:\windows\system32\rijikoyi.dll

c:\windows\system32\sibogaya.exe

c:\windows\system32\WanPacket.dll

c:\windows\system32\wpcap.dll

c:\windows\system32\yabohoyu.dll.tmp

c:\windows\system32\ziluyuda.dll

c:\windows\system32\zuhuyaba.dll

c:\windows\Tasks\xqougtbu.job

c:\windows\uwyfagugo.inf

c:\windows\viassary-hp.reg

c:\windows\yfulojiryk._sy

D:\Autorun.inf

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_NDISRD

((((((((((((((((((((((((( Files Created from 2009-10-02 to 2009-11-02 )))))))))))))))))))))))))))))))

.

2009-11-02 12:59 . 2009-11-02 13:00 -------- d-----w- c:\windows\SxsCaPendDel

2009-10-30 23:20 . 2009-10-30 23:20 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp

2009-10-30 01:43 . 2009-10-30 01:43 -------- d-----w- c:\documents and settings\Owner\NTI-Shadow

2009-10-30 01:19 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-10-30 01:19 . 2009-10-30 12:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-10-30 01:19 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-10-30 00:44 . 2009-10-30 17:18 -------- d-----w- c:\documents and settings\All Users\Application Data\42709325

2009-10-29 12:45 . 2009-10-30 13:22 -------- d-----w- c:\documents and settings\All Users\Application Data\73413119

2009-10-20 19:05 . 2009-10-20 19:05 -------- d-----w- c:\documents and settings\Owner\Application Data\DivX

2009-10-20 19:01 . 2009-11-02 17:47 -------- d-----w- c:\program files\DivX

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-11-02 13:53 . 2006-10-03 23:19 -------- d-----w- c:\program files\Lx_cats

2009-11-02 13:00 . 2009-04-24 02:21 -------- d-----w- c:\program files\Easy DVD Player

2009-11-01 18:50 . 2008-09-13 18:21 0 ----a-w- c:\documents and settings\Sarah\Local Settings\Application Data\prvlcl.dat

2009-10-30 17:20 . 2009-08-06 01:18 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2009-10-17 21:31 . 2003-08-23 14:19 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-09-28 00:57 . 2009-09-28 00:57 -------- d-----w- c:\documents and settings\Sarah\Application Data\InstallShield Installation Information

2009-09-28 00:56 . 2009-09-28 00:56 -------- d-----w- c:\program files\NewTech Infosystems

2009-09-26 19:20 . 2004-05-30 21:39 -------- d-----w- c:\program files\Google

2009-09-08 02:25 . 2009-09-03 01:30 -------- d-----w- c:\documents and settings\Owner\Application Data\ArcSoft

2009-09-05 21:18 . 2009-09-03 01:30 -------- d-----w- c:\documents and settings\All Users\Application Data\ArcSoft

2009-09-05 21:18 . 2009-09-05 21:16 -------- d-----w- c:\documents and settings\Geoffrey\Application Data\ArcSoft

2009-08-30 07:10 . 2005-12-28 22:50 39896 ----a-w- c:\documents and settings\Geoffrey\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-30 00:58 . 2009-08-30 00:58 14879 ----a-w- c:\program files\Common Files\yxixib.dl

2009-08-30 00:58 . 2009-08-30 00:58 13848 ----a-w- c:\windows\herafuhod.bin

2009-08-30 00:58 . 2009-08-30 00:58 12368 ----a-w- c:\documents and settings\All Users\Application Data\jyjaqozedo.sys

2009-08-30 00:58 . 2009-08-30 00:58 10992 ----a-w- c:\program files\Common Files\lepa.sys

2009-08-30 00:58 . 2009-08-30 00:58 10905 ----a-w- c:\program files\Common Files\duky.exe

2009-08-30 00:58 . 2009-08-30 00:58 10531 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\sygo.sys

2009-08-30 00:58 . 2009-08-30 00:58 19670 ----a-w- c:\windows\jerawybos.com

2009-08-30 00:58 . 2009-08-30 00:58 14636 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\xasyf.bin

2009-08-30 00:58 . 2009-08-30 00:58 12412 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\fimi.sys

2009-08-30 00:58 . 2009-08-30 00:58 11554 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\pimerex.bin

2009-08-26 12:32 . 2003-08-23 14:12 39896 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-06 01:19 . 2009-08-06 01:19 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-08-06 01:19 . 2009-08-06 01:19 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2009-08-06 01:19 . 2009-08-06 01:19 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-08-06 01:19 . 2009-08-06 01:19 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2004-01-08 02:27 . 2004-01-08 02:27 0 --sha-w- c:\windows\SMINST\HPCD.sys

2009-05-02 00:06 . 2009-05-02 00:06 48640 --sha-w- c:\windows\system32\figohele.dll.tmp

2009-01-19 21:17 . 2009-01-19 21:17 1403021 --sh--w- c:\windows\system32\hspkthog.tmp

2009-07-30 12:44 . 2009-07-30 12:44 1054752 --sha-w- c:\windows\system32\latabaye.exe

2009-05-02 00:06 . 2009-05-02 00:06 48640 --sha-w- c:\windows\system32\yawikofe.dll.tmp

2009-05-02 00:06 . 2009-05-02 00:06 48640 --sha-w- c:\windows\system32\yimazitu.dll.tmp

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-20 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-02-23 3026944]

"LXCGCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-07-20 73728]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-17 2025752]

"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-06 01:19 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Philips GoGear ARIA Device Manager.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Philips GoGear ARIA Device Manager.lnk

backup=c:\windows\pss\Philips GoGear ARIA Device Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk

backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]

path=c:\documents and settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk

backup=c:\windows\pss\spamsubtract.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Sarah^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]

path=c:\documents and settings\Sarah\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk

backup=c:\windows\pss\OpenOffice.org 2.4.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\system32\\dplaysvr.exe"=

"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\ATTNaturalVoices\\TTS1.2\\Desktop\\bin\\ttsdesktopproxy.exe"=

"c:\\Documents and Settings\\Geoffrey\\Desktop\\Geoff's Crap\\Patcher.exe"=

"c:\\Program Files\\WIZET\\MSEA\\NewPatcher.exe"=

"c:\\Documents and Settings\\Geoffrey\\Desktop\\Geoff's Crap\\MapleStory.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Abacast\\Abaclient.exe"=

"%windir%\\system32\\drivers\\svchost.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/5/2009 7:19 PM 335240]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/5/2009 7:19 PM 108552]

R1 GearAspiSys;GearAspiSys;c:\windows\system32\drivers\GEARASPISYS.SYS [2/6/2004 10:23 PM 53412]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/5/2009 7:18 PM 297752]

S2 AlerterAlerterAlerterALG;Alerter AlerterAlerterAlerterALG;c:\windows\system32\d.exe run --> c:\windows\system32\d.exe run [?]

S2 AlerterAlerterALG;Alerter AlerterAlerterALG;c:\windows\system32\d.exe run --> c:\windows\system32\d.exe run [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/26/2009 1:15 PM 133104]

S2 mrtRate;mrtRate; [x]

S3 2874e298-29f2-4b77-b190-2895f2a8df59;2874e298-29f2-4b77-b190-2895f2a8df59;\??\e:\player\cds300.dll --> e:\player\cds300.dll [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR

*Deregistered* - mbr

.

Contents of the 'Scheduled Tasks' folder

2009-11-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-26 19:15]

2009-11-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-26 19:15]

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uStart Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyServer = http=localhost:7171

uInternet Settings,ProxyOverride = <local>

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

Trusted Zone: usearchtv.com

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

- - - - ORPHANS REMOVED - - - -

BHO-{06f7df88-1ba3-4372-ac32-d0f3138b2fdc} - polekove.dll

Toolbar-Locked - (no file)

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe

HKLM-Run-sawodafik - c:\windows\system32\ziberone.dll

HKLM-Run-lomafawipi - tonepopo.dll

SharedTaskScheduler-{fa7404b5-4ef8-4477-817f-1c48a67fd03b} - c:\windows\system32\ziberone.dll

SSODL-yuzezajuj-{fa7404b5-4ef8-4477-817f-1c48a67fd03b} - c:\windows\system32\ziberone.dll

SafeBoot-AVG Anti-Spyware Driver

SafeBoot-AVG Anti-Spyware Guard

AddRemove-D11F7128-8CBD-408B-8BF8-034604DEDD42 - c:\program files\WildTangent\Apps\GameChannel\Games\D11F7128-8CBD-408B-8BF8-034604DEDD42\Uninstall.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-11-02 11:49

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

LXCGCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]

"ImagePath"="\"\""

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(740)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

c:\progra~1\Iomega\System32\AppServices.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\nvsvc32.exe

c:\windows\System32\MsPMSPSv.exe

c:\progra~1\AVG\AVG8\avgrsx.exe

c:\progra~1\AVG\AVG8\avgnsx.exe

c:\windows\system32\wscntfy.exe

c:\program files\AVG\AVG8\avgui.exe

.

**************************************************************************

.

Completion time: 2009-11-02 11:55 - machine was rebooted

ComboFix-quarantined-files.txt 2009-11-02 17:55

Pre-Run: 15,112,269,824 bytes free

Post-Run: 15,234,433,024 bytes free

- - End Of File - - E9E2C1A8EEE6C0BF8DE2ACBFE9C8AE40

melboy · November 3, 2009

Hi CSF

COMBOFIX-Script

A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

http://www.malwarebytes.org/forums/index.php?showtopic=29441&view=findpost&p=152578

Folder::
c:\documents and settings\All Users\Application Data\42709325
c:\documents and settings\All Users\Application Data\73413119

Collect::
c:\windows\system32\d.exe
C:\WINDOWS\system32\drivers\svchost.exe
c:\documents and settings\Sarah\Local Settings\Application Data\prvlcl.dat
c:\program files\Common Files\yxixib.dl
c:\windows\herafuhod.bin
c:\documents and settings\All Users\Application Data\jyjaqozedo.sys
c:\program files\Common Files\lepa.sys 
c:\program files\Common Files\duky.exe
c:\documents and settings\Owner\Local Settings\Application Data\sygo.sys
c:\windows\jerawybos.com
c:\documents and settings\Owner\Local Settings\Application Data\xasyf.bin
c:\documents and settings\Owner\Local Settings\Application Data\fimi.sys
c:\documents and settings\Owner\Local Settings\Application Data\pimerex.bin
c:\windows\system32\hspkthog.tmp
c:\windows\system32\latabaye.exe
c:\windows\system32\yawikofe.dll.tmp
c:\windows\system32\yimazitu.dll.tmp

Driver::
AlerterAlerterAlerterALG
AlerterAlerterALG

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\WINDOWS\system32\drivers\svchost.exe"=-

DDS::
uInternet Settings,ProxyServer = http=localhost:7171
Trusted Zone: usearchtv.com

Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
If you need help to disable your protection programs see here.

AVG 8.5
Please open the AVG 8.5 Control Center, by right clicking on the AVG icon on task bar.
Click on Open AVG Interface.
Double click on Resident Shield
Deselect the option to "Enable Resident Shield."
Save changes, and exit the application.
To re-enable AVG 8.5, please select "Enable Resident Shield" again.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

Ensure you are connected to the internet and click OK on the message box.

cantstopfishing · November 3, 2009

Thanks Melboy. I got a prompt that there was a newer version of combofix when I ran this. I did not update it. Here is the new log.

ComboFix 09-11-01.04 - Owner 11/03/2009 7:03.2.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.703.354 [GMT -6:00]

Running from: c:\documents and settings\Owner\Desktop\melboy1.exe

Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

file zipped: c:\documents and settings\All Users\Application Data\jyjaqozedo.sys

file zipped: c:\documents and settings\Owner\Local Settings\Application Data\fimi.sys

file zipped: c:\documents and settings\Owner\Local Settings\Application Data\pimerex.bin

file zipped: c:\documents and settings\Owner\Local Settings\Application Data\sygo.sys

file zipped: c:\documents and settings\Owner\Local Settings\Application Data\xasyf.bin

file zipped: c:\documents and settings\Sarah\Local Settings\Application Data\prvlcl.dat

file zipped: c:\program files\Common Files\duky.exe

file zipped: c:\program files\Common Files\yxixib.dl

file zipped: c:\windows\herafuhod.bin

file zipped: c:\windows\jerawybos.com

file zipped: c:\windows\system32\hspkthog.tmp

file zipped: c:\windows\system32\latabaye.exe

file zipped: c:\windows\system32\yawikofe.dll.tmp

file zipped: c:\windows\system32\yimazitu.dll.tmp

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\42709325

c:\documents and settings\All Users\Application Data\73413119

c:\documents and settings\All Users\Application Data\jyjaqozedo.sys

c:\documents and settings\Owner\Local Settings\Application Data\fimi.sys

c:\documents and settings\Owner\Local Settings\Application Data\pimerex.bin

c:\documents and settings\Owner\Local Settings\Application Data\sygo.sys

c:\documents and settings\Owner\Local Settings\Application Data\xasyf.bin

c:\documents and settings\Sarah\Local Settings\Application Data\prvlcl.dat

c:\program files\Common Files\duky.exe

c:\program files\Common Files\yxixib.dl

c:\windows\herafuhod.bin

c:\windows\jerawybos.com

c:\windows\system32\hspkthog.tmp

c:\windows\system32\latabaye.exe

c:\windows\system32\yawikofe.dll.tmp

c:\windows\system32\yimazitu.dll.tmp

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_ALERTERALERTERALERTERALG

-------\Legacy_ALERTERALERTERALG

-------\Service_AlerterAlerterAlerterALG

-------\Service_AlerterAlerterALG

((((((((((((((((((((((((( Files Created from 2009-10-03 to 2009-11-03 )))))))))))))))))))))))))))))))

.

2009-11-02 12:59 . 2009-11-02 17:47 -------- d-----w- c:\windows\SxsCaPendDel