
Need Help with Malware Removal, Halts Malwarebytes



Hi, I've been trying for the past few days to get rid of malware on my machine and so far I've been unsuccessful. I tried everything I can think of.

First, it disables Malwarebytes so I can't run it; it just deletes the .exe. I did rename it and it still won't run. I did Spybot scans, which come up with Virtumonde and a few other things. I have my ComboFix log, which I'll be posting after this. I do have anti-virus, I use AVAST, and it does find some stuff, but it just won't get it removed completely. Any help would be appreciated.

ComboFix 09-11-02.02 - Administrator 3/2009 Tue 9:05.2.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.932.81.1033.18.3070.2495 [GMT -6:00]

Running from: C:\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: avast! antivirus 4.8.1356 [VPS 091103-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((( Files Created from 2009-10-03 to 2009-11-03 )))))))))))))))))))))))))))))))

.

2009-11-03 14:57 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-11-03 14:57 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-03 14:14 . 2009-07-28 22:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-11-03 14:14 . 2009-03-30 16:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-11-03 14:14 . 2009-02-13 18:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2009-11-03 14:14 . 2009-02-13 18:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2009-11-03 14:14 . 2009-11-03 14:14 -------- d-----w- c:\program files\Avira

2009-11-03 14:14 . 2009-11-03 14:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2009-11-03 14:13 . 2009-11-03 14:13 33961728 ----a-w- C:\avira_antivir_personal_en.exe

2009-11-02 21:23 . 2009-11-03 15:03 3533588 ----a-r- C:\ComboFix.exe

2009-11-02 21:15 . 2009-11-02 21:15 -------- d-----w- c:\program files\Trend Micro

2009-11-02 21:15 . 2009-11-02 21:15 812344 ----a-w- C:\HijackThisInstaller.exe

2009-11-02 19:10 . 2009-11-02 19:10 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2009-11-02 19:03 . 2009-11-02 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2009-11-02 19:02 . 2009-11-02 19:02 77086488 ----a-w- C:\Ad-AwareInstallation.exe

2009-11-02 18:44 . 2009-11-02 18:44 -------- d-----w- C:\VundoFix Backups

2009-11-02 18:44 . 2009-11-02 18:44 119808 ----a-w- C:\VundoFix.exe

2009-11-02 14:25 . 2009-11-02 18:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-11-02 14:25 . 2009-11-02 14:25 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-11-02 14:15 . 2009-11-02 14:15 -------- d--h--w- c:\windows\system32\GroupPolicy

2009-11-02 05:05 . 2009-06-30 16:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys

2009-11-02 05:05 . 2009-11-02 05:05 -------- d-----w- c:\program files\Panda Security

2009-11-02 05:02 . 2009-11-02 05:02 4045528 ----a-w- C:\KaioKill.exe

2009-11-02 04:23 . 2009-11-02 04:23 -------- d-----w- c:\documents and settings\LocalService\Application Data\DivX

2009-11-01 19:29 . 2009-11-01 19:29 -------- d-----w- C:\Muddy

2009-11-01 06:36 . 2009-11-01 06:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Yahoo

2009-11-01 06:35 . 2009-11-01 06:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Yahoo!

2009-11-01 06:34 . 2009-11-01 06:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!

2009-11-01 06:34 . 2009-11-02 04:22 -------- d-----w- c:\program files\Yahoo!

2009-11-01 06:34 . 2009-11-02 04:22 -------- d-----w- c:\windows\SxsCaPendDel

2009-10-31 19:57 . 2009-10-31 19:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\DivX

2009-10-31 19:17 . 2009-11-01 17:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-10-31 18:05 . 2009-11-01 17:41 -------- d-----w- c:\program files\Zuma's Revenge!

2009-10-31 18:05 . 2009-10-31 18:05 -------- d-----w- c:\windows\Zuma's Revenge!

2009-10-31 18:05 . 2009-10-31 18:05 -------- d-----w- c:\program files\Zuma Deluxe

2009-10-31 17:44 . 2009-10-31 17:44 -------- d-----w- c:\program files\DivX

2009-10-31 17:44 . 2009-10-31 17:44 -------- d-----w- c:\program files\Common Files\DivX Shared

2009-10-26 12:25 . 2009-10-26 12:25 -------- d-----w- c:\program files\Sengoku Rance English

2009-10-26 12:25 . 2009-10-26 12:25 65316044 ----a-w- C:\Sengoku_Rance_English_v1.0_[Yandere_Translations].exe

2009-10-26 02:11 . 2009-10-26 02:11 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-10-26 02:05 . 2009-10-26 02:05 -------- d-----w- c:\windows\Sun

2009-10-25 12:23 . 2009-10-25 12:32 -------- d-----w- C:\JWPCE

2009-10-24 19:34 . 2009-10-24 19:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Paradox Interactive

2009-10-24 19:29 . 2007-03-05 17:42 15128 ----a-w- c:\windows\system32\x3daudio1_1.dll

2009-10-24 19:28 . 2009-10-24 19:28 -------- d-----w- c:\program files\Paradox Interactive

2009-10-23 17:23 . 2009-10-23 17:23 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Fujitsu

2009-10-23 17:23 . 2009-10-23 17:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Fujitsu

2009-10-23 17:23 . 2009-10-23 17:23 256 ---ha-w- c:\windows\system32\LTAW14FN.BIN

2009-10-23 17:23 . 2009-10-23 17:23 256 ---ha-w- c:\windows\system32\FJLTAFOU.BIN

2009-10-23 17:22 . 2009-10-23 17:23 -------- d-----w- c:\program files\ATLAS V14

2009-10-23 17:15 . 2009-10-23 17:15 162075896 ----a-w- C:\ATLASV14ETrial.exe

2009-10-23 17:07 . 2009-10-23 17:07 217199 ----a-w- C:\AtlTransText.zip

2009-10-23 17:07 . 2009-10-23 17:07 60299 ----a-w- C:\ATLCHECK.zip

2009-10-23 17:06 . 2009-10-23 17:07 -------- d-----w- C:\AGTH

2009-10-23 17:01 . 2009-10-23 17:01 -------- d-----w- c:\program files\SMEE

2009-10-23 14:25 . 2009-10-26 12:25 -------- d-----w- C:\AliceSoft

2009-10-23 14:20 . 2009-10-23 14:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\BDL+D

2009-10-23 14:10 . 2009-10-23 14:10 0 ----a-w- c:\windows\nsreg.dat

2009-10-23 14:10 . 2009-10-23 14:10 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

2009-10-21 00:17 . 2009-10-26 01:35 25 ----a-w- c:\windows\popcinfot.dat

2009-10-20 23:39 . 2009-10-26 01:35 -------- d-----w- C:\Plants vs Zombies

2009-10-20 18:35 . 2009-10-20 18:35 -------- d-----w- c:\documents and settings\All Users\Application Data\FreshGames

2009-10-20 18:20 . 2009-10-20 18:21 -------- d-----w- c:\program files\Ranch Rush

2009-10-20 18:20 . 2009-10-20 18:20 -------- d-----w- c:\windows\Ranch Rush

2009-10-20 15:30 . 2009-10-21 16:36 -------- d-----w- c:\program files\maidin

2009-10-20 15:28 . 2009-10-20 15:28 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite

2009-10-20 15:28 . 2009-10-20 15:28 -------- d-----w- c:\program files\DAEMON Tools Toolbar

2009-10-20 15:28 . 2009-10-21 15:07 -------- d-----w- c:\program files\DAEMON Tools Lite

2009-10-20 15:25 . 2009-10-20 15:25 721904 ----a-w- c:\windows\system32\drivers\sptd.sys

2009-10-20 15:25 . 2009-10-20 15:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\DAEMON Tools Lite

2009-10-19 21:20 . 2009-10-19 21:20 89487540 ----a-w- C:\Qfg2vga11.exe

2009-10-19 09:47 . 2009-10-19 09:47 25 ----a-w- C:\popcinfot.dat

2009-10-19 09:34 . 2009-10-19 09:34 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap Games

2009-10-19 08:38 . 2009-10-23 14:18 -------- d-----w- c:\program files\VALKYRIA

2009-10-18 18:42 . 2009-10-18 18:42 6688 ----a-w- c:\windows\movexe.exe

2009-10-18 18:42 . 2009-10-18 18:43 -------- d-----w- c:\program files\Tamagotchi Simulator

2009-10-18 18:42 . 2009-10-18 18:49 -------- d-----w- C:\tamagosim

2009-10-18 18:42 . 2009-10-18 18:42 1807167 ----a-w- C:\01tamagosim.zip

2009-10-18 13:54 . 2009-10-18 13:55 -------- d-----w- C:\Fonts

2009-10-18 12:36 . 2009-10-18 12:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\InterVideo

2009-10-17 03:15 . 2009-10-17 03:15 -------- d-----w- c:\program files\IrfanView

2009-10-15 17:56 . 2009-10-15 17:56 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities

2009-10-15 14:16 . 2007-12-10 13:00 61440 ----a-w- c:\windows\system32\ZIMF.DLL

2009-10-15 14:16 . 2007-12-10 13:00 53248 ----a-w- c:\windows\system32\ZTAG.DLL

2009-10-15 14:16 . 2007-12-10 13:00 430080 ----a-w- c:\windows\system32\ZSHP1020.EXE

2009-10-15 14:16 . 2007-12-10 13:00 106496 ----a-w- c:\windows\system32\ZSPOOL.DLL

2009-10-15 14:16 . 2007-12-10 13:00 102400 ----a-w- c:\windows\system32\ZLhp1020.DLL

2009-10-15 14:16 . 2009-11-02 20:27 -------- dc----w- c:\windows\system32\DRVSTORE

2009-10-15 14:16 . 2009-10-15 14:16 -------- d-----w- c:\program files\Hewlett-Packard

2009-10-15 13:15 . 2009-10-24 04:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\dvdcss

2009-10-15 08:45 . 2004-08-04 04:08 31616 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys

2009-10-15 08:45 . 2004-08-04 04:08 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys

2009-10-15 08:43 . 2009-10-15 08:43 19125 ----a-w- c:\windows\ykybucizu.com

2009-10-15 08:43 . 2009-10-15 08:43 15334 ----a-w- c:\windows\fevyfovob.com

2009-10-15 08:43 . 2009-10-15 08:43 14523 ----a-w- c:\windows\system32\yzebihuku.dat

2009-10-15 07:33 . 2009-10-15 07:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\ImgBurn

2009-10-15 07:28 . 2009-10-15 07:28 -------- d-----w- c:\program files\ImgBurn

2009-10-15 06:16 . 2009-10-15 06:16 -------- d-----w- c:\documents and settings\All Users\Application Data\vsosdk

2009-10-15 06:07 . 2009-09-15 10:54 52368 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2009-10-15 06:07 . 2009-09-15 10:54 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2009-10-15 06:07 . 2009-09-15 10:53 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2009-10-15 06:07 . 2009-09-15 10:53 97480 ----a-w- c:\windows\system32\AvastSS.scr

2009-10-15 06:07 . 2009-09-15 10:56 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys

2009-10-15 06:07 . 2009-09-15 10:56 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2009-10-15 06:07 . 2009-09-15 10:55 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys

2009-10-15 06:07 . 2009-09-15 10:55 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2009-10-15 06:06 . 2009-09-15 10:59 1279968 ----a-w- c:\windows\system32\aswBoot.exe

2009-10-15 06:06 . 2009-10-15 06:06 -------- d-----w- c:\program files\Alwil Software

2009-10-15 06:06 . 2009-10-15 06:06 39045408 ----a-w- C:\setupengpro.exe

2009-10-15 06:02 . 2009-10-15 06:02 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys

2009-10-15 06:02 . 2009-11-01 18:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Vso

2009-10-15 06:02 . 2007-03-19 02:37 65602 ----a-w- c:\windows\system32\cook3260.dll

2009-10-15 06:02 . 2006-09-29 18:26 176165 ----a-w- c:\windows\system32\drv23260.dll

2009-10-15 06:02 . 2006-09-29 18:25 208935 ----a-w- c:\windows\system32\drv33260.dll

2009-10-15 06:02 . 2006-09-29 18:24 217127 ----a-w- c:\windows\system32\drv43260.dll

2009-10-15 06:02 . 2006-05-20 22:16 1184984 ----a-w- c:\windows\system32\wvc1dmod.dll

2009-10-15 06:02 . 2006-05-12 01:21 626688 ----a-w- c:\windows\system32\vp7vfw.dll

2009-10-15 06:02 . 2002-12-10 08:20 102439 ----a-w- c:\windows\system32\sipr3260.dll

2009-10-15 06:02 . 2009-10-15 06:02 -------- d-----w- c:\program files\VSO

2009-10-15 04:57 . 2009-10-15 04:57 18879 ----a-w- c:\windows\qyzodezo.dat

2009-10-14 22:14 . 2009-10-14 22:14 13229447 ----a-w- C:\R.B-02.zip

2009-10-14 13:16 . 2009-10-14 13:16 102143798 ----a-w- C:\R.B-01.zip

2009-10-14 01:56 . 2009-10-14 01:56 -------- d-----w- c:\program files\uTorrent

2009-10-14 01:56 . 2009-11-03 15:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent

2009-10-14 01:30 . 2009-10-14 01:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ventrilo

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-26 02:11 . 2006-07-26 21:35 -------- d-----w- c:\program files\Java

2009-10-21 16:34 . 2006-07-26 23:07 53480 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-10-16 05:18 . 2007-10-19 17:36 1774432 ----a-w- C:\Rootkit_Detective.exe

2009-10-15 06:02 . 2009-10-15 06:02 47360 ----a-w- c:\documents and settings\Administrator\Application Data\pcouffin.sys

2009-10-13 23:49 . 2006-07-26 22:27 -------- d-----w- c:\program files\Common Files\Sony Shared

2009-10-13 22:27 . 2006-07-26 21:30 -------- d-----w- c:\program files\Intel

2009-10-13 22:26 . 2006-07-26 22:28 -------- d-----w- c:\program files\Sony

2009-10-13 22:26 . 2006-07-26 22:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony Corporation

2009-10-13 14:31 . 2006-07-26 22:52 -------- d-----w- c:\program files\Common Files\Adobe

2009-10-13 14:20 . 2009-10-13 14:20 -------- d-----w- c:\program files\Sonic

2009-10-13 14:20 . 2009-10-13 14:20 -------- d-----w- c:\program files\Common Files\Ulead Systems

2009-10-13 14:20 . 2009-10-13 14:20 -------- d-----w- c:\program files\Ulead Systems

2009-10-13 14:20 . 2009-10-13 14:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Ulead Systems

2009-09-27 23:12 . 2009-09-27 23:12 888832 ----a-w- c:\windows\system32\nvapi.dll

2009-09-27 23:12 . 2009-09-27 23:12 2194024 ----a-w- c:\windows\system32\nvcuvid.dll

2009-09-27 23:12 . 2009-09-27 23:12 2007040 ----a-w- c:\windows\system32\nvcuda.dll

2009-09-27 23:12 . 2009-09-27 23:12 1714792 ----a-w- c:\windows\system32\nvcuvenc.dll

2009-09-27 23:12 . 2009-09-27 23:12 1604482 ----a-w- c:\windows\system32\nvdata.bin

2009-09-27 23:12 . 2006-07-26 20:46 10756096 ----a-w- c:\windows\system32\nvoglnt.dll

2009-09-27 23:12 . 2006-07-26 20:46 7655872 ----a-w- c:\windows\system32\drivers\nv4_mini.sys

2009-09-27 23:12 . 2006-07-26 20:46 5900416 ----a-w- c:\windows\system32\nv4_disp.dll

2009-09-27 23:12 . 2006-07-26 20:46 170600 ----a-w- c:\windows\system32\nvcodins.dll

2009-09-27 23:12 . 2006-07-26 20:46 170600 ----a-w- c:\windows\system32\nvcod.dll

2009-09-27 23:12 . 2006-07-26 13:53 490088 ----a-w- c:\windows\system32\nvudisp.exe

2009-09-25 16:41 . 2009-09-25 16:41 90112 ----a-w- c:\windows\system32\dpl100.dll

2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx0c.dll

2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx07.dll

2009-09-25 16:41 . 2009-09-25 16:41 847872 ----a-w- c:\windows\system32\divx_xx0a.dll

2009-09-25 16:41 . 2009-09-25 16:41 843776 ----a-w- c:\windows\system32\divx_xx16.dll

2009-09-25 16:41 . 2009-09-25 16:41 839680 ----a-w- c:\windows\system32\divx_xx11.dll

2009-09-25 16:41 . 2009-09-25 16:41 696320 ----a-w- c:\windows\system32\DivX.dll

2009-08-14 20:36 . 2009-08-14 20:36 70936 ----a-w- c:\windows\system32\PhysXLoader.dll

2009-08-02 15:07 . 2009-08-02 15:07 39424 --sha-w- c:\windows\system32\bitonuta.dll

2009-08-02 15:07 . 2009-08-02 15:07 53248 --sha-w- c:\windows\system32\hewalote.dll

2009-08-03 15:01 . 2009-08-03 15:01 3 --sha-w- c:\windows\system32\kakijigu.dll

2009-08-02 23:15 . 2009-08-02 23:15 39424 --sha-w- c:\windows\system32\migezomu.dll

2009-08-02 17:01 . 2009-08-02 17:01 39424 --sha-w- c:\windows\system32\mivimoru.dll

2009-08-02 18:14 . 2009-08-02 18:14 39424 --sha-w- c:\windows\system32\sudinasu.dll

2009-08-02 17:01 . 2009-08-02 17:01 91648 --sha-w- c:\windows\system32\sufokiyu.dll

2009-08-03 11:15 . 2009-08-03 11:15 39424 --sha-w- c:\windows\system32\tuhenato.dll

2009-08-02 21:15 . 2009-08-02 21:15 39424 --sha-w- c:\windows\system32\valopawi.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-11-02_21.31.32 )))))))))))))))))))))))))))))))))))))))))

.

+ 2007-11-07 08:19 . 2007-11-07 08:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll

+ 2009-11-03 15:11 . 2009-11-03 15:11 16384 c:\windows\Temp\Perflib_Perfdata_670.dat

+ 2009-11-03 15:11 . 2009-11-03 15:11 16384 c:\windows\Temp\Perflib_Perfdata_1ec.dat

+ 2006-07-26 20:46 . 2009-11-03 15:00 60312 c:\windows\system32\perfc009.dat

- 2006-07-26 20:46 . 2009-11-02 21:23 60312 c:\windows\system32\perfc009.dat

+ 2009-11-03 14:14 . 2009-05-11 16:12 28520 c:\windows\system32\drivers\ssmdrv.sys

- 2006-07-26 20:46 . 2009-11-02 21:23 398180 c:\windows\system32\perfh009.dat

+ 2006-07-26 20:46 . 2009-11-03 15:00 398180 c:\windows\system32\perfh009.dat

+ 2009-11-03 14:13 . 2009-11-03 14:13 228352 c:\windows\Installer\395f46a.msi

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-10-14 289072]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]

"pupehuruh"="c:\windows\system32\pawagibe.dll" [bU]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"hetalemiro"="gaduvoma.dll" [bU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]

2005-05-21 00:42 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Adobe\\Photoshop Elements 4.0\\AdobePhotoshopElementsMediaServer.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\Launcher.exe"=

"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Steam\\steamapps\\sharinganguardian\\team fortress 2\\hl2.exe"=

"c:\\Program Files\\Paradox Interactive\\Majesty 2\\Majesty2.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Sony\\VAIO Event Service\\VESMgr.exe"=

"c:\\Program Files\\Trend Micro\\HijackThis\\HijackThis.exe"=

"c:\\Program Files\\Avira\\AntiVir Desktop\\avgnt.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [11/1/2009 11:05 PM 28552]

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [10/15/2009 12:07 AM 114768]

R1 regi;regi;c:\windows\system32\drivers\regi.sys [10/13/2009 8:26 AM 4864]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/3/2009 8:14 AM 108289]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/15/2009 12:07 AM 20560]

S3 23294;23294;\??\c:\windows\system32\23294.sys --> c:\windows\system32\23294.sys [?]

S3 29498;29498;\??\c:\windows\system32\29498.sys --> c:\windows\system32\29498.sys [?]

S3 49a93;49a93;\??\c:\windows\system32\49a93.sys --> c:\windows\system32\49a93.sys [?]

S3 6489C;6489C;\??\c:\windows\system32\6489C.sys --> c:\windows\system32\6489C.sys [?]

S3 69296;69296;\??\c:\windows\system32\69296.sys --> c:\windows\system32\69296.sys [?]

S3 70192;70192;\??\c:\windows\system32\70192.sys --> c:\windows\system32\70192.sys [?]

S3 85d9E;85d9E;\??\c:\windows\system32\85d9E.sys --> c:\windows\system32\85d9E.sys [?]

S3 86b9A;86b9A;\??\c:\windows\system32\86b9A.sys --> c:\windows\system32\86b9A.sys [?]

S3 8a2A0;8a2A0;\??\c:\windows\system32\8a2A0.sys --> c:\windows\system32\8a2A0.sys [?]

S3 ce49F;ce49F;\??\c:\windows\system32\ce49F.sys --> c:\windows\system32\ce49F.sys [?]

S3 e0d97;e0d97;\??\c:\windows\system32\e0d97.sys --> c:\windows\system32\e0d97.sys [?]

S3 f5a9B;f5a9B;\??\c:\windows\system32\f5a9B.sys --> c:\windows\system32\f5a9B.sys [?]

S3 RkPavproc1;RkPavproc1;\??\c:\windows\system32\drivers\RkPavproc1.sys --> c:\windows\system32\drivers\RkPavproc1.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.comcast.net/

uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\u2sv08d2.default\

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true.

- - - - ORPHANS REMOVED - - - -

SharedTaskScheduler-{4c472c7b-b477-4e2e-969c-3ecda8b4c305} - c:\windows\system32\pawagibe.dll

SSODL-bosavemom-{4c472c7b-b477-4e2e-969c-3ecda8b4c305} - c:\windows\system32\pawagibe.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-11-03 09:11

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\windows\TEMP\r3cvqfye.TMP

scan completed successfully

hidden files: 1

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys spsy.sys hal.dll >>UNKNOWN [0x8A4F6938]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\atapi -> 0x8a4ef1f8

Warning: possible MBR rootkit infection !

user & kernel MBR OK

Use "Recovery Console" command "fixmbr" to clear infection !

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

iaStor.sys @ 0x0 0x0 bytes

\Driver\iaStor [ IRP_MJ_CREATE ] 0xF186 != 0xB7D5D7B0 iaStor.sys

\Driver\iaStor [ IRP_MJ_CLOSE ] 0xF186 != 0xB7D5D7B0 iaStor.sys

\Driver\iaStor [ IRP_MJ_DEVICE_CONTROL ] 0x12896 != 0xB7D5D7B0 iaStor.sys

\Driver\iaStor [ IRP_MJ_INTERNAL_DEVICE_CONTROL ] 0x12B58 != 0xB7D5D7B0 iaStor.sys

\Driver\iaStor [ IRP_MJ_POWER ] 0x17E66 != 0xB7D5D7B0 iaStor.sys

\Driver\iaStor [ IRP_MJ_SYSTEM_CONTROL ] 0x17FC6 != 0xB7D5D7B0 iaStor.sys

\Driver\iaStor IRP hooks detected !

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2765405622-2405749440-4174155836-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,74,97,2c,27,7d,81,8d,42,a6,f7,e7,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,74,97,2c,27,7d,81,8d,42,a6,f7,e7,\

[HKEY_USERS\S-1-5-21-2765405622-2405749440-4174155836-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\EROTICA PEACH\T0宗b扱0・0・ *^'`Yeo000k0J0瀅[0c0^]

"Order"=hex:08,00,00,00,02,00,00,00,2a,01,00,00,01,00,00,00,02,00,00,00,80,00,

00,00,00,00,00,00,72,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,60,00,36,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(832)

c:\windows\system32\VESWinlogon.dll

- - - - - - - > 'explorer.exe'(3320)

c:\windows\system32\ieframe.dll

c:\windows\system32\msi.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Alwil Software\Avast4\aswUpdSv.exe

c:\program files\Alwil Software\Avast4\ashServ.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe

c:\windows\eHome\ehRecvr.exe

c:\windows\eHome\ehSched.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe

c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe

c:\windows\ehome\mcrdsvc.exe

c:\windows\system32\dllhost.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-11-03 9:13 - machine was rebooted

ComboFix-quarantined-files.txt 2009-11-03 15:13

ComboFix2.txt 2009-11-02 21:34

Pre-Run: 123,054,555,136 bytes free

Post-Run: 123,106,480,128 bytes free

- - End Of File - - 5CFC9C7DA58D7FDBC6238FE3698FE626

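As an added triage example (not part of this thread and not ComboFix's own code), the script below parses lines in the shape of the log above, flags the patterns the helper's CFScript acted on, and drafts the File:: and Registry:: sections in the same layout as the reply. The consonant/vowel naming heuristic, the treatment of `[bU]` and `[?]` entries, and the sample lines are this example's own assumptions; the sample lines are copied from the log above, with legitimate entries mixed in to show what is not flagged.

```python
"""Triage helper for ComboFix-style log lines (added example, not ComboFix code)."""
import re

VOWELS = set("aeiou")

# "Files Created" / "Find3M" line: <date time> . <date time> <size|----> <attrs> <path>
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(?:\d+|-+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$"
)
# Run value line: "name"="path" [tag]; legit entries carry a date and size as the tag
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s+\[(?P<tag>[^\]]*)\]$')
# Service line: R0/S3 name;display;path [...]
SVC_RE = re.compile(r"^[RS]\d (?P<name>[^;]+);[^;]*;(?P<rest>.+)$")
RUN_KEY = r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"


def looks_generated(stem):
    """Heuristic (this example's assumption): 8-10 lowercase letters strictly
    alternating consonant/vowel, with 'y' allowed to play either role.
    Matches bitonuta, ykybucizu, qyzodezo; rejects popcinfot, deploytk."""
    if not (8 <= len(stem) <= 10 and stem.isalpha() and stem.islower()):
        return False
    expected = None                       # class the next letter must have
    for ch in stem:
        if ch == "y":                     # wildcard: takes whichever class is due
            if expected is not None:
                expected = "c" if expected == "v" else "v"
            continue
        cls = "v" if ch in VOWELS else "c"
        if expected is not None and cls != expected:
            return False
        expected = "c" if cls == "v" else "v"
    return True


def triage(lines):
    """Return (suspicious files, Run values without file info, services with a missing driver)."""
    files, run_values, orphan_services = [], [], []
    for raw in lines:
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            attrs, path = m.group("attrs"), m.group("path")
            base = path.rsplit("\\", 1)[-1].lower()
            stem, _, ext = base.rpartition(".")
            # generated-looking names dropped under %windir% or system32
            if (attrs[0] != "d" and path.lower().startswith("c:\\windows\\")
                    and ext in {"dll", "dat", "com", "exe"} and looks_generated(stem)):
                files.append(path)
            continue
        m = RUN_RE.match(line)
        if m and m.group("tag") == "bU":   # ComboFix printed no date/size for the target
            run_values.append(m.group("name"))
            continue
        m = SVC_RE.match(line)
        if m and m.group("rest").endswith("[?]"):   # driver file not found on disk
            orphan_services.append(m.group("name"))
    return files, run_values, orphan_services


def draft_cfscript(files, run_values):
    """Lay out File:: and Registry:: sections the way the reply in this thread does."""
    out = ["File::"] + files + ["", "Registry::", RUN_KEY]
    out += ['"%s"=-' % name for name in run_values]
    return "\n".join(out) + "\n"


# Sample input: lines copied from the log above, legitimate and suspicious mixed
SAMPLE_LOG = r"""
2009-10-15 08:43 . 2009-10-15 08:43 19125 ----a-w- c:\windows\ykybucizu.com
2009-10-15 08:43 . 2009-10-15 08:43 14523 ----a-w- c:\windows\system32\yzebihuku.dat
2009-10-21 00:17 . 2009-10-26 01:35 25 ----a-w- c:\windows\popcinfot.dat
2009-10-26 02:11 . 2009-10-26 02:11 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-02 15:07 . 2009-08-02 15:07 39424 --sha-w- c:\windows\system32\bitonuta.dll
2009-08-03 15:01 . 2009-08-03 15:01 3 --sha-w- c:\windows\system32\kakijigu.dll
2009-11-03 14:14 . 2009-11-03 14:14 -------- d-----w- c:\program files\Avira
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]
"pupehuruh"="c:\windows\system32\pawagibe.dll" [bU]
"hetalemiro"="gaduvoma.dll" [bU]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [10/15/2009 12:07 AM 114768]
S3 49a93;49a93;\??\c:\windows\system32\49a93.sys --> c:\windows\system32\49a93.sys [?]
""".strip().splitlines()

if __name__ == "__main__":
    f, r, o = triage(SAMPLE_LOG)
    print(draft_cfscript(f, r))
    print("services whose driver file is missing (review separately):", o)
```

The `[?]` services are listed separately rather than put in the script because a missing driver file on its own is not evidence of infection; the draft is a starting point for a reviewer, not a verdict.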

Copy/paste the text in the Codebox below into notepad:

Here's how to do that:

Click Start > Run type Notepad click OK.

This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

File::
c:\windows\ykybucizu.com
c:\windows\fevyfovob.com
c:\windows\system32\yzebihuku.dat
c:\windows\qyzodezo.dat
c:\windows\system32\kakijigu.dll
c:\windows\system32\bitonuta.dll
c:\windows\system32\hewalote.dll
c:\windows\system32\migezomu.dll
c:\windows\system32\mivimoru.dll
c:\windows\system32\sudinasu.dll
c:\windows\system32\sufokiyu.dll
c:\windows\system32\tuhenato.dll
c:\windows\system32\valopawi.dll


Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pupehuruh"=-
"hetalemiro"=-

Save this file to your desktop. Save this as "CFScript".

Here's how to do that:

1. Click File;

2. Click Save As... Change the directory to your desktop;

3. Change the Save as type to "All Files";

4. Type in the file name: CFScript

5. Click Save ...


Drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.

Also please describe how your computer behaves at the moment.


  • 2 weeks later...
  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
