i cant open malware

jv308 · November 15, 2009

i try to open malware to do a scan and it doesnt do anything , i uninstaled malwarebites and reinstaled it and it still does not open.

can someone help me with this problem thank you

Kenny94 · November 15, 2009

Hi jv308 and Welcome to Malwarebytes!

Click here to download HJTInstall.exe

Save HJTInstall.exe to your desktop.
Doubleclick on the HJTInstall.exe icon on your desktop.
By default it will install to C:\Program Files\Trend Micro\HijackThis .
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed, it will launch Hijackthis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

Also, I would like you to generate a "Add/Remove Software list" log using the HijackThis application. Here is how you can do this:

To get an Uninstall List from HijackThis:

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

In your next reply, please include these log(s):

* HijackThis Uninstall List

* HijackThis log (new)

jv308 · November 15, 2009

Hi jv308 and Welcome to Malwarebytes!
Click here to download HJTInstall.exe
Save HJTInstall.exe to your desktop.
Doubleclick on the HJTInstall.exe icon on your desktop.
By default it will install to C:\Program Files\Trend Micro\HijackThis .
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed, it will launch Hijackthis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
Also, I would like you to generate a "Add/Remove Software list" log using the HijackThis application. Here is how you can do this:
To get an Uninstall List from HijackThis:
Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.
In your next reply, please include these log(s):
* HijackThis Uninstall List
* HijackThis log (new)

i try to instal the hijack but it does not let me the screen is blank and it does not give me the option to open or instal the hijack

jv308 · November 15, 2009

i try to instal the hijack but it does not let me the screen is blank and it does not give me the option to open or instal the hijack

can it be because im runing avira scan for more virus?

done it 3 times and it has found about 95 virus since yesterday.

thank you for your time and help

Kenny94 · November 15, 2009

can it be because im runing avira scan for more virus?
done it 3 times and it has found about 95 virus since yesterday.
thank you for your time and help

No avira scan should not stop HJT from running. I would shut it down for now. Right click it and untick the option AntiVir Guard enable in the system tray on the bottom right hand corner.

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click and choose Run as Admin

You only need to get one of them to run, not all of them.

Then run HJTInstall.exe and

Launch Malwarebytes' Anti-Malware
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

And post both logs if you can?

jv308 · November 16, 2009

No avira scan should not stop HJT from running. I would shut it down for now. Right click it and untick the option AntiVir Guard enable in the system tray on the bottom right hand corner.
Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.
rkill.exe
rkill.com
rkill.scr
rkill.pif
Then run HJTInstall.exe and
Launch Malwarebytes' Anti-Malware
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.
And post both logs if you can?

the situation i have is that it doesnt let me download or run hjti , so i cant do anything with hjti

sorry it took me so long to reply.

and thanks for your time

jv308 · November 16, 2009

the situation i have is that it doesnt let me download or run hjti , so i cant do anything with hjti
sorry it took me so long to reply.
and thanks for your time

and another thing i forgot to tell you im also geting a lot of popups

Kenny94 · November 16, 2009

OK, lets try a different approach.

You will want to print out or copy these instructions to Notepad for offline reference!

If you are a casual viewer, do NOT try this on your system!

If you are not user I'm helping and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

=

Close any of your open programs while you run these tools.

Have infinite patience while any of these are running (especially with Combofix below)

Do NOT do any websurfing; nor play online games.

Only go to websites I guide you to and to this forum.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1

Link 2

Link 3

* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop

If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
RIGHT click on Combo-Fix.exe and select Run as Administrator & follow the prompts.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

IF you should see a message like this:

then, be sure to write down fully and also copy that into your next reply here and then await for my response.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

Even when ComboFix appears to be doing nothing, look at your Drive light.

If it is flashing, Combofix is still at work.

=

Next, Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

At this time of posting, the current definitions are # 2510 or later. The latest program version is 1.41

When done, click the Scanner tab.

Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

=

RE-Enable your AntiVirus and AntiSpyware applications.

Reply with copy of C:\Combofix.txt

& the new (latest) MBAM scan log

& tell me, How is your system now ?

jv308 · November 17, 2009

ok combofix finished the scan and rebooted my computer , i had disable avira just like you told me before i run combofix, but when it came back on avira was enable and detected a virus or program call (HEUR/CRYPTED.E) and on the toolbar on the bottom i get rundll a couple of times.

im in another computer now so i havent touch anything there, is my dauther computer the one with the problem.

what should i do,

and also the screen of combofix is open it says that is prepering log but due to avira it looks frozen

jv308 · November 17, 2009

ok it gave the log for combofix but i cant open malwarebytes , here is the log

ComboFix 09-11-17.01 - Compaq_Owner 11/16/2009 18:55.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.383.177 [GMT -5:00]

Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\documents and settings\All Users\Start Menu\Programs\AntiVirus Plus

c:\documents and settings\All Users\Start Menu\Programs\AntiVirus Plus\AntiVirus Plus.lnk

c:\documents and settings\All Users\Start Menu\Programs\AntiVirus Plus\EULA.url

c:\documents and settings\All Users\Start Menu\Programs\Startup\AntiVirus Plus.lnk

c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\AntiVirus Plus.lnk

c:\windows\command

c:\windows\command\EXTRACT.PIF

c:\windows\NDNuninstall6_38.exe

c:\windows\system32\benosafi.dll

c:\windows\system32\buborefu.dll

c:\windows\system32\config\systemprofile\Start Menu\Programs\AntiVirus Plus

c:\windows\system32\config\systemprofile\Start Menu\Programs\AntiVirus Plus\AntiVirus Plus.lnk

c:\windows\system32\config\systemprofile\Start Menu\Programs\AntiVirus Plus\EULA.url

c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\AntiVirus Plus.lnk

c:\windows\system32\duyivove.dll

c:\windows\system32\fizawawe.dll

c:\windows\system32\gananiro.dll

c:\windows\system32\goyulake.dll

c:\windows\system32\hupekepo.dll

c:\windows\system32\megiheku.dll

c:\windows\system32\moyomego.dll

c:\windows\system32\mudiyabu.dll

c:\windows\system32\ps2.bat

c:\windows\system32\rabuvuti.dll

c:\windows\system32\rayeboke.dll

c:\windows\system32\rirurewi.dll

c:\windows\system32\sevunimo.dll

c:\windows\system32\takahuki.dll

c:\windows\system32\vidiwupu.dll

c:\windows\system32\waziroto.dll

c:\windows\system32\wejureke.dll

c:\windows\system32\wuwelivo.dll

c:\windows\system32\yahonuyi.dll

c:\windows\system32\yejimoya.dll

c:\windows\system32\yulomufu.dll

c:\windows\system32\zaniwimo.dll

c:\windows\Tasks\upayrdrd.job

D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://77.74.48.111

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_MYWEBSEARCHSERVICE

-------\Legacy_NNSERV

-------\Service_MyWebSearchService

-------\Service_NNServ

((((((((((((((((((((((((( Files Created from 2009-10-17 to 2009-11-17 )))))))))))))))))))))))))))))))

.

2009-11-15 22:48 . 2009-11-15 22:48 -------- d--h--w- c:\windows\PIF

2009-11-14 20:07 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-11-14 20:07 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-14 20:07 . 2009-11-14 20:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-11-14 17:41 . 2009-07-28 21:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-11-14 17:41 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-11-14 17:41 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2009-11-14 17:41 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2009-11-14 17:41 . 2009-11-14 17:41 -------- d-----w- c:\program files\Avira

2009-11-14 17:41 . 2009-11-14 17:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2009-11-12 01:51 . 2009-11-14 19:24 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\AntiVirus Plus

2009-11-12 01:51 . 2009-11-14 18:12 -------- d-----w- c:\documents and settings\All Users\Application Data\19551627

2009-11-12 01:51 . 2009-11-12 01:51 274 ----a-w- c:\documents and settings\All Users\Application Data\19551627\19551627.bat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-11-14 19:31 . 2005-05-09 18:03 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-11-01 18:36 . 2007-05-15 22:37 2454 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\wklnhst.dat

2009-10-05 21:02 . 2009-07-13 04:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Corel

2009-10-05 21:02 . 2009-01-14 23:03 -------- d-----w- c:\program files\Corel

2009-10-05 19:10 . 2009-10-29 14:48 83752 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\ProgUpd.dll

2009-10-05 19:10 . 2009-10-29 14:48 36704 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\postproc.exe

2009-10-05 19:10 . 2009-10-29 14:48 172840 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\setup.exe

2009-10-05 19:10 . 2009-10-29 14:48 95792 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\AOLFirewallMgr.dll

2009-10-05 19:10 . 2009-10-29 14:48 1025384 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\gui.dll

2009-10-04 21:26 . 2009-01-14 23:17 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys

2009-10-04 21:26 . 2009-01-14 23:17 168 --sh--r- c:\documents and settings\All Users\Application Data\A88E87AE21.sys

2009-08-13 13:51 . 2009-08-13 13:51 61440 --sha-w- c:\windows\system32\gefejuro.dll

2009-08-11 13:56 . 2009-08-11 13:56 3 --sha-w- c:\windows\system32\papulihe.dll

2009-08-16 13:51 . 2009-08-16 13:51 3 --sha-w- c:\windows\system32\sejohedo.dll

2009-08-11 13:56 . 2009-08-11 13:56 3 --sha-w- c:\windows\system32\sozejudu.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-22 68856]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

"Aim6"="c:\program files\AIM6\aim6.exe" [2008-01-03 50528]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 245760]

"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"SiSPower"="SiSPower.dll" - c:\windows\system32\SiSPower.dll [2005-01-04 49152]

"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Documents and Settings\\Compaq_Owner\\My Documents\\My Music\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE"=

"c:\\Program Files\\Symantec\\pcAnywhere\\AWREM32.EXE"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\FrostWire\\FrostWire.exe"=

"c:\\Program Files\\Java\\jre1.5.0_11\\bin\\javaw.exe"=

"c:\\WINDOWS\\system32\\logon.scr"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"35901:TCP"= 35901:TCP:PORT_35901

"36015:TCP"= 36015:TCP:PORT_36015

"14363:TCP"= 14363:TCP:PORT_14363

"14137:TCP"= 14137:TCP:PORT_14137

"58300:TCP"= 58300:TCP:PORT_58300

"42810:TCP"= 42810:TCP:PORT_42810

"27547:TCP"= 27547:TCP:PORT_27547

"56336:TCP"= 56336:TCP:PORT_56336

"16721:TCP"= 16721:TCP:PORT_16721

"52740:TCP"= 52740:TCP:PORT_52740

"58344:TCP"= 58344:TCP:PORT_58344

"37975:TCP"= 37975:TCP:PORT_37975

"16535:TCP"= 16535:TCP:PORT_16535

"60000:TCP"= 60000:TCP:PORT_60000

"52194:TCP"= 52194:TCP:PORT_52194

"60121:TCP"= 60121:TCP:PORT_60121

"33836:TCP"= 33836:TCP:PORT_33836

"45680:TCP"= 45680:TCP:PORT_45680

"53493:TCP"= 53493:TCP:PORT_53493

"8465:TCP"= 8465:TCP:PORT_8465

"57886:TCP"= 57886:TCP:PORT_57886

"50953:TCP"= 50953:TCP:PORT_50953

"32593:TCP"= 32593:TCP:PORT_32593

"48895:TCP"= 48895:TCP:PORT_48895

"49556:TCP"= 49556:TCP:PORT_49556

"17866:TCP"= 17866:TCP:PORT_17866

"20763:TCP"= 20763:TCP:PORT_20763

"58961:TCP"= 58961:TCP:PORT_58961

"49295:TCP"= 49295:TCP:PORT_49295

"60754:TCP"= 60754:TCP:PORT_60754

"26600:TCP"= 26600:TCP:PORT_26600

"49785:TCP"= 49785:TCP:PORT_49785

"19176:TCP"= 19176:TCP:PORT_19176

"13326:TCP"= 13326:TCP:PORT_13326

"23700:TCP"= 23700:TCP:PORT_23700

"35161:TCP"= 35161:TCP:PORT_35161

"27641:TCP"= 27641:TCP:PORT_27641

"7540:TCP"= 7540:TCP:PORT_7540

"55399:TCP"= 55399:TCP:PORT_55399

"33367:TCP"= 33367:TCP:PORT_33367

"38863:TCP"= 38863:TCP:PORT_38863

"11030:TCP"= 11030:TCP:PORT_11030

"23228:TCP"= 23228:TCP:PORT_23228

"55170:TCP"= 55170:TCP:PORT_55170

"43521:TCP"= 43521:TCP:PORT_43521

"48700:TCP"= 48700:TCP:PORT_48700

"17594:TCP"= 17594:TCP:PORT_17594

"26996:TCP"= 26996:TCP:PORT_26996

"15350:TCP"= 15350:TCP:PORT_15350

"34606:TCP"= 34606:TCP:PORT_34606

"63407:TCP"= 63407:TCP:PORT_63407

"35101:TCP"= 35101:TCP:PORT_35101

"9600:TCP"= 9600:TCP:PORT_9600

"58883:TCP"= 58883:TCP:PORT_58883

"18320:TCP"= 18320:TCP:PORT_18320

"7188:TCP"= 7188:TCP:PORT_7188

"30985:TCP"= 30985:TCP:PORT_30985

"48863:TCP"= 48863:TCP:PORT_48863

"33825:TCP"= 33825:TCP:PORT_33825

"50010:TCP"= 50010:TCP:PORT_50010

"33235:TCP"= 33235:TCP:PORT_33235

"18770:TCP"= 18770:TCP:PORT_18770

"56004:TCP"= 56004:TCP:PORT_56004

"20825:TCP"= 20825:TCP:PORT_20825

"35879:TCP"= 35879:TCP:PORT_35879

"15121:TCP"= 15121:TCP:PORT_15121

"15236:TCP"= 15236:TCP:PORT_15236

"44825:TCP"= 44825:TCP:PORT_44825

"5457:TCP"= 5457:TCP:PORT_5457

"40083:TCP"= 40083:TCP:PORT_40083

"26973:TCP"= 26973:TCP:PORT_26973

"54255:TCP"= 54255:TCP:PORT_54255

"46961:TCP"= 46961:TCP:PORT_46961

"23988:TCP"= 23988:TCP:PORT_23988

"5461:TCP"= 5461:TCP:PORT_5461

"53852:TCP"= 53852:TCP:PORT_53852

"31645:TCP"= 31645:TCP:PORT_31645

"62654:TCP"= 62654:TCP:PORT_62654

"63219:TCP"= 63219:TCP:PORT_63219

"7469:TCP"= 7469:TCP:PORT_7469

"63582:TCP"= 63582:TCP:PORT_63582

"24243:TCP"= 24243:TCP:PORT_24243

"18208:TCP"= 18208:TCP:PORT_18208

"61547:TCP"= 61547:TCP:PORT_61547

"54583:TCP"= 54583:TCP:PORT_54583

"5805:TCP"= 5805:TCP:PORT_5805

"63617:TCP"= 63617:TCP:PORT_63617

"45241:TCP"= 45241:TCP:PORT_45241

"30005:TCP"= 30005:TCP:PORT_30005

"61763:TCP"= 61763:TCP:PORT_61763

"14190:TCP"= 14190:TCP:PORT_14190

"39607:TCP"= 39607:TCP:PORT_39607

"38645:TCP"= 38645:TCP:PORT_38645

"30931:TCP"= 30931:TCP:PORT_30931

"5848:TCP"= 5848:TCP:PORT_5848

"45395:TCP"= 45395:TCP:PORT_45395

"19191:TCP"= 19191:TCP:PORT_19191

"14078:TCP"= 14078:TCP:PORT_14078

"30137:TCP"= 30137:TCP:PORT_30137

"64565:TCP"= 64565:TCP:PORT_64565

"18523:TCP"= 18523:TCP:PORT_18523

"22610:TCP"= 22610:TCP:PORT_22610

"27395:TCP"= 27395:TCP:PORT_27395

"8133:TCP"= 8133:TCP:PORT_8133

"22043:TCP"= 22043:TCP:PORT_22043

"53461:TCP"= 53461:TCP:PORT_53461

"28260:TCP"= 28260:TCP:PORT_28260

"63226:TCP"= 63226:TCP:PORT_63226

"38466:TCP"= 38466:TCP:PORT_38466

"21759:TCP"= 21759:TCP:PORT_21759

"59818:TCP"= 59818:TCP:PORT_59818

"6578:TCP"= 6578:TCP:PORT_6578

"41098:TCP"= 41098:TCP:PORT_41098

"34255:TCP"= 34255:TCP:PORT_34255

"15219:TCP"= 15219:TCP:PORT_15219

"45707:TCP"= 45707:TCP:PORT_45707

"23075:TCP"= 23075:TCP:PORT_23075

"40066:TCP"= 40066:TCP:PORT_40066

"30776:TCP"= 30776:TCP:PORT_30776

"34940:TCP"= 34940:TCP:PORT_34940

"61588:TCP"= 61588:TCP:PORT_61588

"26790:TCP"= 26790:TCP:PORT_26790

"24665:TCP"= 24665:TCP:PORT_24665

"57149:TCP"= 57149:TCP:PORT_57149

"24667:TCP"= 24667:TCP:PORT_24667

"43656:TCP"= 43656:TCP:PORT_43656

"10076:TCP"= 10076:TCP:PORT_10076

"35184:TCP"= 35184:TCP:PORT_35184

"31688:TCP"= 31688:TCP:PORT_31688

"32223:TCP"= 32223:TCP:PORT_32223

"59961:TCP"= 59961:TCP:PORT_59961

"21681:TCP"= 21681:TCP:PORT_21681

"12373:TCP"= 12373:TCP:PORT_12373

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/14/2009 12:41 PM 108289]

S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;c:\windows\system32\drivers\mr97310v.sys [3/30/2004 10:29 AM 118106]

S3 ZD1211BU(Atheros);ZyDAS ZD1211B IEEE 802.11 b+g Wireless LAN Driver (USB)(Atheros);c:\windows\system32\drivers\ZD1211BU.sys [3/26/2009 6:17 PM 500736]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr

.

Contents of the 'Scheduled Tasks' folder

2009-11-16 c:\windows\Tasks\Symantec NetDetect.job

- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2005-05-09 07:26]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=ZKfox000&ptb=4yqASPdNIn_oD0adXidsGA

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mStart Page = hxxp://www.yahoo.com/

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uInternet Connection Wizard,ShellNext = iexplore

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

IE: &Search

IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm

IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Compaq_Owner\Start Menu\Programs\IMVU\Run IMVU.lnk

TCP: {7DB16D75-9859-40C9-B40B-556A19E4868C} = 4.2.2.1,4.2.2.2

FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\zbxv1l4a.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=

FF - prefs.js: browser.search.selectedEngine - MyWebSearch

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZKfox000&fl=0&ptb=4yqASPdNIn_oD0adXidsGA&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=

FF - component: c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\zbxv1l4a.default\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}\components\WinampPlayer.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----

FF - user.js: general.useragent.extra.zencast - );user_pref(yahoo.homepage.dontask, true);user_pref(general.useragent.extra.zencast, .

- - - - ORPHANS REMOVED - - - -

BHO-{028213f1-d143-48b1-bf5e-afa283a4e5f3} - yahonuyi.dll

HKLM-Run-MyWebSearch Plugin - c:\progra~1\MYWEBS~1\bar\3.bin\M3PLUGIN.DLL

HKLM-Run-My Web Search Bar Search Scope Monitor - c:\progra~1\MYWEBS~1\bar\3.bin\m3SrchMn.exe

HKLM-Run-hovikoges - c:\windows\system32\wuwelivo.dll

HKLM-Run-mutiguvahe - buborefu.dll

SharedTaskScheduler-{f209b149-63dd-45e3-815e-a92227921d46} - c:\windows\system32\wuwelivo.dll

SSODL-nitokigis-{f209b149-63dd-45e3-815e-a92227921d46} - c:\windows\system32\wuwelivo.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-11-16 19:09

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(508)

c:\windows\system32\awgina.dll

- - - - - - - > 'Explorer.EXE'(384)

c:\program files\Microsoft Office\OFFICE11\msohev.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\Viewpoint\Common\ViewpointService.exe

c:\program files\Avira\AntiVir Desktop\GUARDGUI.EXE

c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\Rundll32.exe

c:\program files\Avira\AntiVir Desktop\GUARDGUI.EXE

c:\program files\AIM6\aolsoftware.exe

c:\program files\Java\jre1.6.0_03\bin\jucheck.exe

c:\hp\KBD\KBD.EXE

c:\windows\AGRSMMSG.exe

.

**************************************************************************

.

Completion time: 2009-11-16 19:36 - machine was rebooted

ComboFix-quarantined-files.txt 2009-11-17 00:36

Pre-Run: 121,415,176,192 bytes free

Post-Run: 122,817,945,600 bytes free

- - End Of File - - 79D363ACBE935FFC8BC2F7E9EAD79081

Kenny94 · November 17, 2009

I see Symantec is still in your computer. With Avira\AntiVir there's no need for Symantec

To remove the leftovers download and run the Norton Removal Tool, read HERE

Next

Please download ATF Cleaner by Atribune.

This program is for XP and Windows 2000 only

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Next

Open Notepad and copy and paste the text in the code box below into it:

File::
c:\windows\system32\gefejuro.dll
c:\windows\system32\papulihe.dll
c:\windows\system32\sejohedo.dll
c:\windows\system32\sozejudu.dll
c:\windows\system32\wuwelivo.dll
c:\documents and settings\All Users\Application Data\A88E87AE21.sys

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

jv308 · November 17, 2009

hello kenny

thank you for your time

i just did what you ask me and is telling me there is a new version of combofix ,should i update combofix?before continuing?

jv308 · November 17, 2009

hello kenny

ok its done here is the log from combofix

ComboFix 09-11-18.04 - Compaq_Owner 11/17/2009 17:37.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.383.96 [GMT -5:00]

Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFScript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::

"c:\documents and settings\All Users\Application Data\A88E87AE21.sys"

"c:\windows\system32\gefejuro.dll"

"c:\windows\system32\papulihe.dll"

"c:\windows\system32\sejohedo.dll"

"c:\windows\system32\sozejudu.dll"

"c:\windows\system32\wuwelivo.dll"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\A88E87AE21.sys

c:\windows\system32\config\systemprofile\Application Data\AntiVirus Plus

c:\windows\system32\gefejuro.dll

c:\windows\system32\papulihe.dll

c:\windows\system32\sejohedo.dll

c:\windows\system32\sozejudu.dll

.

((((((((((((((((((((((((( Files Created from 2009-10-17 to 2009-11-17 )))))))))))))))))))))))))))))))

.

2009-11-17 19:10 . 2009-11-17 19:13 -------- d-----w- c:\windows\LastGood

2009-11-17 08:03 . 2009-11-17 08:03 -------- d-----w- c:\windows\ServicePackFiles