
infected with antivirus system pro


water55


Hi

I've just been infected with antivirus system pro and it's taking over my computer. Every time I try to open malwarebytes, I get a message from system pro that says "application cannot be executed. File corrupted. Do you want to install antivirus program?" The same thing happens when I try to run the log programs. I can't open any programs like word and adobe and I keep on getting security alert pop-ups.

Any help would be appreciated!


Hi and Welcome to Malwarebytes!

Please uninstall malwarebytes and then download and reinstall again. Once done, navigate to C:\Program Files\Malwarebytes' Anti-Malware. Locate MBAM.exe and rename it to winlogon.exe.

Once renamed, double click on the file to open MBAM and select Quick Scan. Once finished, allow MBAM to remove everything it finds. Copy 'n' paste the results log in this topic afterwards.

==========

If you receive the same error, try running the following.

First close ALL Applications as this routine will automatically restart your computer.

Click on START --> RUN and copy 'n' paste the following entry into the box and click OK

CMD /C ECHO Y|CHKDSK C: /F | SHUTDOWN /R /T 30


Hi! Thank you for your help!

I tried re-installing and renamed the file after pasting in that link, but Malwarebytes still won't open. I keep on getting this message "file infected. Need to download antivirus software"

However last night I managed to get DDS to work, but I can't post the logs because I get the same message as above when I try to open it.


Please download ATF Cleaner by Atribune.

This program is for XP and Windows 2000 only

  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Important: Restart the computer before continuing.

==========

  • Download the following GMER Rootkit Scanner from here
  • Download the randomly named EXE file to your Desktop. Remember what its name is since it is randomly named.
  • Double click on the new random named exe file you downloaded and run it. If prompted about the Security Warning and Unknown Publisher go ahead and click on Run
  • It may take a minute to load and become available.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically only C:\ should be checked)
    • Show All (don't miss this one)

  • Then click the Scan button & wait for it to finish.
  • Once done click on the [save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
  • Click OK and quit the GMER program.
  • Note: On Firefox you need to go to Tools/Options/Main then under the Downloads section, click on Always ask me where to save files so that you can choose the name and where to save to, in this case your Desktop.

==========

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click and choose Run as Admin

You only need to get one of them to run, not all of them.

  1. rkill.exe
  2. rkill.com
  3. rkill.scr
  4. rkill.pif

After:

  • Launch MBAM. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the Perform Quick Scan option is selected.
    • Then click on the Scan button.

  • The scan will begin and Scan in progress will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say The scan completed successfully. Click 'Show Results' to display all objects found.
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

==========

Logs to post:

  • GMER log
  • MBAM log

This topic is for the use of water55 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new topic in our Malware Removal - HijackThis Logs forum.


Hi,

I had to use rkill to use ATF Cleaner and GMER. I hope that's okay. Here is the log for GMER rootkit scanner. Thanks in advance.

GMER 1.0.15.15252 - http://www.gmer.net

Rootkit scan 2009-12-01 21:46:33

Windows 5.1.2600 Service Pack 3

Running: nyh08d1y.exe; Driver: C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\ffkoraog.sys

---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateFile [0xF73981C8]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xF7398086]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcess [0xF7398020]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF7398034]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF739809A]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF73980C6]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateKey [0xF7398134]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xF739811E]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwLoadKey2 [0xF739814A]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF7398208]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xF7398176]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF7398072]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF7397FE4]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF7397FF8]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF73981DC]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryKey [0xF73981B2]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xF7398108]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryValueKey [0xF73980F2]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF73980B0]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwReplaceKey [0xF739819E]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRestoreKey [0xF739818A]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetContextThread [0xF739805E]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF739804A]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xF73980DC]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF7398237]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnloadKey [0xF7398160]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF739821E]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF73981F2]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtCreateFile

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----


Here is the Malwarebytes log. Thanks again

Malwarebytes' Anti-Malware 1.41

Database version: 2775

Windows 5.1.2600 Service Pack 3

12/2/2009 1:10:12 AM

mbam-log-2009-12-02 (01-10-12).txt

Scan type: Quick Scan

Objects scanned: 100311

Time elapsed: 7 minute(s), 52 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 2

Registry Keys Infected: 2

Registry Values Infected: 3

Registry Data Items Infected: 9

Folders Infected: 0

Files Infected: 10

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

c:\WINDOWS\system32\jusirodo.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\sezogibe.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{6517263b-e04a-4c58-8e03-14eef9a06a8f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rejugajat (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{6517263b-e04a-4c58-8e03-14eef9a06a8f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\popiroduz (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\jusirodo.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\jusirodo.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\system32\jusirodo.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\defarewo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\jadelamo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\kunuzavi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\lewowesa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\mulipiza.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\sezogibe.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\sidenohe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\tehayela.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\yejimoya.dll (Trojan.Vundo) -> Quarantined and deleted successfully.


When I rebooted, I kept on getting messages like "this file is not a valid Windows Image. Please check installation disk." I did another quick scan and it found some more infected items so I'm posting the log just in case. After this scan, antivirus system pro and this other fake security program (not sure what it is but it's a big red circle with a X in the center on my toolbar) seem to be gone. Also, before this I got a message at startup that worm.win32.netsky has infected my computer. Should I be worried?

Malwarebytes' Anti-Malware 1.41

Database version: 3181

Windows 5.1.2600 Service Pack 3

12/2/2009 1:42:09 AM

mbam-log-2009-12-02 (01-42-09).txt

Scan type: Quick Scan

Objects scanned: 109775

Time elapsed: 18 minute(s), 57 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 3

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 6

Memory Processes Infected:

C:\WINDOWS\system32\winupdate86.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\daqdrv (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\exbycanb (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\exbycanb (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate86.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\daqdrv.sys (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\Christina Le\Local Settings\Application Data\deqyvg\qvyhsysguard.exe (Trojan.FakeAlert.N) -> Delete on reboot.

C:\WINDOWS\system32\winupdate86.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\AVR10.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\winhelper86.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\41.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

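The two Malwarebytes logs above are a compact inventory of how this infection survived reboots and kept the user locked out: a Run key, an AppInit_DLLs entry, Explorer's SSODL and SharedTaskScheduler load points, a kernel driver service, a Security Center notification switch and Explorer/System policies. The following is an added example, not code from the thread or from Malwarebytes, that parses lines excerpted from those two logs and groups each hit by the autostart or tamper role of its registry location, so a reader can see at a glance which items were persistence, which were injection, and which were UI lockdown. The category names and one-line descriptions are the editor's own labels, not Malwarebytes terminology.

```python
import re
from collections import Counter

# Lines excerpted from the two Malwarebytes logs posted above (not constructed).
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{6517263b-e04a-4c58-8e03-14eef9a06a8f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\daqdrv (Backdoor.Bot) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rejugajat (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{6517263b-e04a-4c58-8e03-14eef9a06a8f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\popiroduz (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate86.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\jusirodo.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Files Infected:
c:\WINDOWS\system32\jusirodo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\daqdrv.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
"""

# Registry locations and what they do. Patterns are matched case-insensitively
# against the registry path; the labels are the editor's, not Malwarebytes'.
ASEP_RULES = [
    (r"\\CurrentVersion\\Run\\", "autostart: Run key",
     "command executed at every logon"),
    (r"\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs", "injection: AppInit_DLLs",
     "DLL loaded into every process that maps user32.dll"),
    (r"\\ShellServiceObjectDelayLoad\\", "autostart: SSODL",
     "COM object loaded by Explorer at startup"),
    (r"\\Explorer\\SharedTaskScheduler\\", "autostart: SharedTaskScheduler",
     "COM object loaded by Explorer at startup"),
    (r"\\CurrentControlSet\\Services\\", "autostart: service/driver",
     "service or kernel driver started by the Service Control Manager"),
    (r"\\Security Center\\", "tamper: Security Center",
     "suppresses Windows Security Center warnings"),
    (r"\\Policies\\", "tamper: policy lockdown",
     "policy restricting Task Manager or desktop settings"),
    (r"^HKEY_CLASSES_ROOT\\CLSID\\", "component: CLSID registration",
     "COM class whose server is the malicious DLL"),
]

REG_LINE = re.compile(r"^(HKEY_[^\n]*?) \(([^()]+)\) -> (.*)$")
FILE_LINE = re.compile(r"^([A-Za-z]:\\[^\n]*?) \(([^()]+)\) -> (.*)$")
DATA_FIELD = re.compile(r"^Data: (.*?) -> ")


def classify(path):
    """Map a registry path to (category, meaning) using ASEP_RULES."""
    for pattern, category, meaning in ASEP_RULES:
        if re.search(pattern, path, re.IGNORECASE):
            return category, meaning
    return "other registry", "no autostart role recognised; review manually"


def triage(log_text):
    """Parse MBAM result lines into dicts with a persistence category each."""
    entries = []
    for line in log_text.splitlines():
        m = REG_LINE.match(line)
        if m:
            path, family, rest = m.groups()
            category, meaning = classify(path)
            data = DATA_FIELD.match(rest)
            entries.append({
                "kind": "registry", "path": path, "family": family,
                "category": category, "meaning": meaning,
                # For "Data:" items the payload is the value MBAM found (e.g. the injected DLL).
                "payload": data.group(1) if data else None,
                "action": rest.rsplit("-> ", 1)[-1],
            })
            continue
        m = FILE_LINE.match(line)
        if m:
            path, family, action = m.groups()
            entries.append({
                "kind": "file", "path": path, "family": family,
                "category": "file on disk", "meaning": "component of the infection",
                "payload": None, "action": action,
            })
    return entries


def summarize(entries):
    """Count hits per category."""
    return Counter(e["category"] for e in entries)


def pending_reboot(entries):
    """Items MBAM could not remove while in use; the helper's note about rebooting applies to these."""
    return [e["path"] for e in entries if e["action"] == "Delete on reboot."]


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for category, count in sorted(summarize(found).items()):
        print(f"{count:2d}  {category}")
    print("needs reboot:", pending_reboot(found))
```

The AppInit_DLLs hit is the one that explains the user's symptoms best: a DLL listed there is loaded into every GUI process, which is why the helper's tools could be killed or blocked no matter what they were called, and why Malwarebytes had to defer that file to "Delete on reboot".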

Hi, Jason 2 will be away for a bit, so I will be handling this topic.

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.


Hi. Thank you for helping me.

I've tried using OTL, but every time I do it never finishes the scan (it stops at HKEY_Current_user/UninstallList). I've copied and pasted the OTL.txt log, but I don't know if that's what you are looking for. I also tried going into safe mode but it never works.

I've also been infected with Vundo H and it's causing McAfee to scan the 3 same files over and over so I keep on getting the same message every second. This pop up prevents me from opening firefox, malwarebytes, and other programs on my comp. I had to restart a couple times just to get firefox to open.

Thanks in advance for the help.

OTL logfile created on: 12/3/2009 10:49:40 PM - Run 1

OTL by OldTimer - Version 3.1.11.4 Folder = C:\Documents and Settings\Christina Le\Desktop

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.13)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1014.42 Mb Total Physical Memory | 530.20 Mb Available Physical Memory | 52.27% Memory free

2.38 Gb Paging File | 2.05 Gb Available in Paging File | 86.04% Paging File free

Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 68.52 Gb Total Space | 51.21 Gb Free Space | 74.74% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: 078A6A7107074FC

Current User Name: Christina Le

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Christina Le\Desktop\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)

PRC - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe (McAfee, Inc.)

PRC - C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe (McAfee, Inc.)

PRC - C:\WINDOWS\system32\mfevtps.exe (McAfee, Inc.)

PRC - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe (McAfee, Inc.)

PRC - C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe (McAfee, Inc.)

PRC - C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe (McAfee, Inc.)

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

PRC - C:\Program Files\QuickTime\qttask.exe (Apple Computer, Inc.)

PRC - C:\Program Files\McAfee\Common Framework\naPrdMgr.exe (McAfee, Inc.)

PRC - C:\Program Files\McAfee\Common Framework\UdaterUI.exe (McAfee, Inc.)

PRC - C:\Program Files\McAfee\Common Framework\FrameworkService.exe (McAfee, Inc.)

PRC - C:\Program Files\McAfee\Common Framework\McTray.exe (McAfee, Inc.)

PRC - C:\Program Files\Viewpoint\Common\ViewpointService.exe (Viewpoint Corporation)

PRC - C:\Program Files\iTunesHelper.exe (Apple Computer, Inc.)

PRC - C:\Program Files\iPod\bin\iPodService.exe (Apple Computer, Inc.)

PRC - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (Intel Corporation )

PRC - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (Intel Corporation)

PRC - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (Intel Corporation)

PRC - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe (Sony Corporation)

PRC - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe (Sony Corporation)

PRC - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe (Sony Corporation)

PRC - C:\Program Files\Sony\VAIO Power Management\SPMgr.exe (Sony Corporation)

PRC - C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe (Sony Corporation)

PRC - C:\WINDOWS\system32\igfxsrvc.exe (Intel Corporation)

PRC - C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)

PRC - C:\WINDOWS\system32\igfxext.exe (Intel Corporation)

PRC - C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)

PRC - C:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp.)

PRC - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe (Sony Corporation)

PRC - C:\Program Files\Sony\ISB Utility\ISBMgr.exe (Sony Corporation)

PRC - C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)

PRC - C:\Program Files\Apoint\ApntEx.exe (Alps Electric Co., Ltd.)

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Christina Le\Desktop\OTL.exe (OldTimer Tools)

MOD - C:\WINDOWS\system32\jaduzumi.dll ()

MOD - C:\WINDOWS\system32\zukenezo.dll ()

========== Win32 Services (SafeList) ==========

SRV - (JavaQuickStarterService) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)

SRV - (McShield) -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe (McAfee, Inc.)

SRV - (mfevtp) -- C:\WINDOWS\system32\mfevtps.exe (McAfee, Inc.)

SRV - (McTaskManager) -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe (McAfee, Inc.)

SRV - (McAfeeEngineService) -- C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe (McAfee, Inc.)

SRV - (McAfeeFramework) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe (McAfee, Inc.)

SRV - (Viewpoint Manager Service) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe (Viewpoint Corporation)

SRV - (iPodService) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Computer, Inc.)

SRV - (S24EventMonitor) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (Intel Corporation )

SRV - (EvtEng) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (Intel Corporation)

SRV - (RegSrvc) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (Intel Corporation)

SRV - (VAIOMediaPlatform-IntegratedServer-AppServer) -- C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe (Sony Corporation)

SRV - (SSScsiSV) -- C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe (Sony Corporation)

SRV - (VAIOMediaPlatform-Mobile-Gateway) -- C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe (Sony Corporation)

SRV - (VzFw) -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe (Sony Corporation)

SRV - (VzCdbSvc) -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe (Sony Corporation)

SRV - (Vcsw) -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe (Sony Corporation)

SRV - (VAIO Entertainment TV Device Arbitration Service) -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe (Sony Corporation)

SRV - (MSCSPTISRV) -- C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe (Sony Corporation)

SRV - (PACSPTISVR) -- C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe (Sony Corporation)

SRV - (SPTISRV) -- C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe (Sony Corporation)

SRV - (VAIOMediaPlatform-IntegratedServer-UPnP) VAIO Media Integrated Server (UPnP) -- C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe (Sony Corporation)

SRV - (VAIOMediaPlatform-IntegratedServer-HTTP) VAIO Media Integrated Server (HTTP) -- C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe (Sony Corporation)

SRV - (Image Converter video recording monitor for VAIO Entertainment) -- C:\Program Files\Sony\Image Converter 2\IcVzMon.exe (Sony Corporation)

SRV - (VAIO Event Service) -- C:\Program Files\Sony\VAIO Event Service\VESMgr.exe (Sony Corporation)

SRV - (IDriverT) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (Macrovision Corporation)

SRV - (aspnet_state) -- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (Microsoft Corporation)

SRV - (ose) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (mfehidk) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)

DRV - (mfeavfk) -- C:\WINDOWS\system32\drivers\mfeavfk.sys (McAfee, Inc.)

DRV - (mfeapfk) -- C:\WINDOWS\system32\drivers\mfeapfk.sys (McAfee, Inc.)

DRV - (mferkdet) -- C:\WINDOWS\system32\drivers\mferkdet.sys (McAfee, Inc.)

DRV - (mfetdik) -- C:\WINDOWS\system32\drivers\mfetdik.sys (McAfee, Inc.)

DRV - (mfebopk) -- C:\WINDOWS\system32\drivers\mfebopk.sys (McAfee, Inc.)

DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)

DRV - (MCSTRM) -- C:\WINDOWS\system32\drivers\mcstrm.sys (RealNetworks, Inc.)

DRV - (Secdrv) -- C:\WINDOWS\system32\drivers\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)

DRV - (AegisP) AEGIS Protocol (IEEE 802.1x) -- C:\WINDOWS\system32\drivers\AegisP.sys (Meetinghouse Data Communications)

DRV - (tifmsony) -- C:\WINDOWS\system32\drivers\tifmsony.sys (Texas Instruments)

DRV - (w29n51) Intel® -- C:\WINDOWS\system32\drivers\w29n51.sys (Intel


Did you set a proxy to get online? If not, let me know.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :OTL
    O4 - HKLM..\Run: [rejugajat] C:\WINDOWS\System32\jaduzumi.DLL ()
    O20 - AppInit_DLLs: (zukenezo.dll) - C:\WINDOWS\System32\zukenezo.dll ()
    O20 - AppInit_DLLs: (c:\windows\system32\jaduzumi.dll) - C:\WINDOWS\system32\jaduzumi.dll ()
    O21 - SSODL: nukupagil - {7656c049-273a-4a64-8ba9-a80375ea2884} - C:\WINDOWS\system32\jaduzumi.dll ()
    O22 - SharedTaskScheduler: {7656c049-273a-4a64-8ba9-a80375ea2884} - kupuhivus - C:\WINDOWS\system32\jaduzumi.dll ()
    [2009/11/29 21:39:04 | 00,046,080 | ---- | C] (AIMP DevTeam) -- C:\vbaaaah.exe
    2009/12/02 01:41:10 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\18467.exe
    [2009/12/02 00:46:08 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\11478.exe
    [2009/12/01 23:56:13 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\15724.exe
    [2009/12/01 23:35:05 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\19169.exe
    [2009/12/01 23:13:12 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\26500.exe
    [2009/12/01 22:51:24 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\6334.exe
    [2009/12/01 19:30:19 | 00,039,424 | -HS- | M] () -- C:\WINDOWS\System32\fiwevoga.dll
    [2009/09/03 20:54:01 | 00,092,160 | -HS- | C] () -- C:\WINDOWS\System32\jaduzumi.dll
    [2009/09/03 20:54:01 | 00,045,568 | -HS- | C] () -- C:\WINDOWS\System32\rumepopo.dll
    [2009/09/03 20:53:57 | 00,039,424 | -HS- | C] () -- C:\WINDOWS\System32\dasofupu.dll
    [2009/09/02 16:15:15 | 00,039,424 | -HS- | C] () -- C:\WINDOWS\System32\buyaneju.dll
    [2009/09/01 19:28:24 | 00,018,432 | -HS- | C] () -- C:\WINDOWS\System32\loyuwisa.dll
    [2009/09/01 19:28:24 | 00,013,312 | -HS- | C] () -- C:\WINDOWS\System32\vasidifu.dll
    [2009/08/31 23:06:58 | 00,053,760 | -H-- | C] () -- C:\WINDOWS\System32\zukenezo.dll


    :Commands
    [emptytemp]
    [resethosts]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • It will produce a log for you on reboot, please post that log in your next reply.

==============

Please visit this webpage for download links, and instructions for running Combofix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.


More than likely you didn't set it, but malware does, and it will prevent you from getting online.

Do this for both browsers:

In IE: Tools Menu -> Internet Options -> Connections Tab ->Lan Settings > uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.

In Firefox: Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection, and uncheck the proxy server.

Post the logs when you get them please.


Hi,

I was unable to change the proxy settings for internet explorer before I ran OTL because it wouldn't open, but it's changed now.

Here is the log. Thanks again, I really appreciate it.

All processes killed

========== OTL ==========

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\rejugajat deleted successfully.

C:\WINDOWS\system32\jaduzumi.dll moved successfully.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:zukenezo.dll deleted successfully.

C:\WINDOWS\system32\zukenezo.dll moved successfully.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:c:\windows\system32\jaduzumi.dll deleted successfully.

File C:\WINDOWS\system32\jaduzumi.dll not found.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\nukupagil not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7656c049-273a-4a64-8ba9-a80375ea2884}\ not found.

File C:\WINDOWS\system32\jaduzumi.dll not found.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{7656c049-273a-4a64-8ba9-a80375ea2884} not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7656c049-273a-4a64-8ba9-a80375ea2884}\ not found.

File C:\WINDOWS\system32\jaduzumi.dll not found.

C:\vbaaaah.exe moved successfully.

C:\WINDOWS\system32\11478.exe moved successfully.

C:\WINDOWS\system32\15724.exe moved successfully.

C:\WINDOWS\system32\19169.exe moved successfully.

C:\WINDOWS\system32\26500.exe moved successfully.

C:\WINDOWS\system32\6334.exe moved successfully.

C:\WINDOWS\system32\fiwevoga.dll moved successfully.

File C:\WINDOWS\System32\jaduzumi.dll not found.

C:\WINDOWS\system32\rumepopo.dll moved successfully.

C:\WINDOWS\system32\dasofupu.dll moved successfully.

C:\WINDOWS\system32\buyaneju.dll moved successfully.

C:\WINDOWS\system32\loyuwisa.dll moved successfully.

C:\WINDOWS\system32\vasidifu.dll moved successfully.

File C:\WINDOWS\System32\zukenezo.dll not found.

========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Christina Le

->Temp folder emptied: 1229712521 bytes

->Temporary Internet Files folder emptied: 9668874 bytes

->Java cache emptied: 28077576 bytes

->FireFox cache emptied: 61841885 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: LocalService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 131206 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 19569 bytes

%systemroot%\System32 .tmp files removed: 2577 bytes

Windows Temp folder emptied: 50368512 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 169811 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 1316.09 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.

HOSTS file reset successfully

OTL by OldTimer - Version 3.1.11.4 log created on 12042009_162835

Files\Folders moved on Reboot...

File\Folder C:\WINDOWS\temp\Perflib_Perfdata_5c8.dat not found!

Registry entries deleted on Reboot...

Link to post
Share on other sites

Here is the Combofix log. Thanks a bunch.

ComboFix 09-12-04.02 - Christina Le 12/04/2009 17:10.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.403 [GMT -8:00]

Running from: c:\documents and settings\Christina Le\Desktop\ComboFix.exe

AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\documents and settings\Christina Le\Application Data\Logs\scns.log

c:\recycler\S-1-5-21-1229272821-706699826-839522115-1005

c:\recycler\S-1-5-21-1388569314-1795991618-3006732738-1003

c:\recycler\S-1-5-21-1482476501-776561741-839522115-1003

c:\recycler\S-1-5-21-2380657726-3734598010-3631447877-1003

c:\recycler\S-1-5-21-2674361505-969318620-4082022749-1003

c:\windows\Downloaded Program Files\popcaploader.inf

c:\windows\setup.exe

c:\windows\system32\18467.exe

c:\windows\system32\dezifamu.dll

c:\windows\system32\jatipife.dll

c:\windows\system32\veyevida.dll

----- BITS: Possible infected sites -----

hxxp://82.98.235.29

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_6TO4

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}

((((((((((((((((((((((((( Files Created from 2009-11-05 to 2009-12-05 )))))))))))))))))))))))))))))))

.

2009-12-05 00:28 . 2009-12-05 00:28 -------- d-----w- C:\_OTL

2009-12-02 08:55 . 2009-09-10 22:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-12-02 08:55 . 2009-12-02 09:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-12-02 08:55 . 2009-09-10 22:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-02 03:33 . 2009-12-02 03:33 -------- d--h--w- c:\windows\PIF

2009-11-30 05:40 . 2009-12-02 09:43 -------- d-----w- c:\documents and settings\Christina Le\Local Settings\Application Data\deqyvg

2009-11-09 04:58 . 2009-11-09 04:58 -------- d-----w- c:\program files\Common Files\DVDVideoSoft

2009-11-09 04:58 . 2009-11-09 04:58 -------- d-----w- c:\program files\DVDVideoSoft

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-12-05 01:23 . 2009-09-12 00:28 -------- d-----w- c:\documents and settings\Christina Le\Application Data\Logs

2009-10-11 20:07 . 2009-10-11 20:08 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-10-11 20:07 . 2006-03-02 08:56 -------- d-----w- c:\program files\Java

2009-10-11 20:07 . 2009-10-11 20:07 152576 ----a-w- c:\documents and settings\Christina Le\Application Data\Sun\Java\jre1.6.0_15\lzma.dll

2009-10-07 00:46 . 2006-03-02 08:11 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-10-07 00:46 . 2009-10-07 00:46 -------- d-----w- c:\program files\Veoh Networks

2009-09-19 07:37 . 2008-01-27 06:47 33568 ----a-w- c:\documents and settings\Christina Le\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-09-13 20:23 . 2009-09-13 20:23 6944624 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aaw2008_upd.exe

2008-02-18 03:00 . 2008-02-18 02:59 13905056 ----a-w- c:\program files\Install_AIM.exe

2008-02-01 01:11 . 2008-02-01 01:11 22528 ----a-w- c:\program files\willow_project_profile_2008.doc

2006-02-23 23:31 . 2006-02-23 23:31 14144000 ----a-w- c:\program files\iTunes.exe

2006-02-23 22:56 . 2006-02-23 22:56 102400 ----a-w- c:\program files\iTunesMiniPlayer.dll

2006-02-23 22:45 . 2006-02-23 22:45 278528 ----a-w- c:\program files\iTunesHelper.exe

2006-02-22 17:47 . 2006-02-22 17:47 4634 ----a-w- c:\program files\About iTunes.rtf

2005-08-09 23:33 . 2005-08-09 23:33 8356 ----a-w- c:\program files\Acknowledgements.rtf

2004-07-15 16:07 . 2004-07-15 16:07 434176 ----a-w- c:\program files\CDDBControlApple.dll

2004-03-08 21:07 . 2004-03-08 21:07 49152 ----a-w- c:\program files\ITDetector.ocx

2008-09-29 15:07 . 2009-09-19 07:26 22576 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll

2009-09-05 00:10 . 2009-09-05 00:10 62464 --sha-w- c:\windows\system32\besehevi.dll

2009-09-01 07:06 . 2009-09-01 07:06 102400 --sha-w- c:\windows\system32\zadowebi.exe

.

------- Sigcheck -------

[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\eventlog.dll

[7] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\eventlog.dll

c:\windows\System32\eventlog.dll ... is missing !!

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-11-08 114688]

"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-04-29 45056]

"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]

"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2005-10-20 184320]

"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]

"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-10-12 151552]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-08-05 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-08-05 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-08-05 114688]

"PartSeal"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]

"iTunesHelper"="c:\program files\iTunesHelper.exe" [2006-02-23 278528]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-04-06 155648]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\196R994Qd.exe" [2009-12-02 1312080]

"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-09-29 124240]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2005-06-29 14720000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]

2005-05-21 01:42 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\iTunes.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

"c:\\WINDOWS\\system32\\mmc.exe"=

"c:\\Program Files\\Sony\\VAIO Event Service\\VESMgr.exe"=

R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [9/29/2008 7:07 AM 19456]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [9/24/2009 5:24 PM 67904]

R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/17/2008 7:01 PM 24652]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [9/24/2009 5:24 PM 64432]

S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

IE: Transfer by Image Converter 2 Plus - c:\program files\Sony\Image Converter 2\menu.htm

TCP: {308E66E6-E09C-41AC-826A-3DD6D7F83F16} = 193.104.110.38,4.2.2.1,192.168.1.254

TCP: {7942EEBF-CA44-4928-8BAF-EFD01E8BF0DE} = 193.104.110.38,4.2.2.1

FF - ProfilePath - c:\documents and settings\Christina Le\Application Data\Mozilla\Firefox\Profiles\46ab06tt.default\

FF - component: c:\program files\Mozilla Firefox\components\Scriptff.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)

HKLM-Run-rejugajat - c:\windows\system32\veyevida.dll

SharedTaskScheduler-{7f0e5319-b7e9-4e0b-8412-33f85c2c04bc} - c:\windows\system32\veyevida.dll

SSODL-yuradiyin-{7f0e5319-b7e9-4e0b-8412-33f85c2c04bc} - c:\windows\system32\veyevida.dll

AddRemove-PictureItSuiteTrial_v11 - c:\program files\Common Files\Microsoft Shared\Picture It!\RmvSuite.exe ADDREMOVE=1 SKU=TRIAL VERSION=11

AddRemove-{91810AFC-A4F8-4EBA-A5AA-B198BBC81144} - c:\program files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe REMOVEALL

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-12-04 17:33

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(860)

c:\windows\system32\VESWinlogon.dll

- - - - - - - > 'explorer.exe'(2952)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\McAfee\Common Framework\FrameworkService.exe

c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe

c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe

c:\program files\McAfee\Common Framework\naPrdMgr.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\program files\Sony\VAIO Event Service\VESMgr.exe

c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe

c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe

c:\program files\McAfee\VirusScan Enterprise\mfeann.exe

c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe

c:\program files\Windows Media Player\WMPNetwk.exe

c:\windows\system32\igfxext.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

c:\windows\system32\wscntfy.exe

c:\program files\Apoint\Apntex.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\system32\Rundll32.exe

c:\program files\McAfee\Common Framework\McTray.exe

.

**************************************************************************

.

Completion time: 2009-12-04 17:46 - machine was rebooted

ComboFix-quarantined-files.txt 2009-12-05 01:46

Pre-Run: 56,136,413,184 bytes free

Post-Run: 56,020,815,872 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - ECDFD49630840644B0885E3678776AFE

Link to post
Share on other sites
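Triage helper for log lines like the ones in the ComboFix and OTL output above. This is an added example, not part of the thread, ComboFix or OTL; the sample lines are copied from the logs posted in this thread, and the script only flags the indicators a responder acts on here (a missing protected system file, a proxy on loopback, Windows Firewall off, an AppInit_DLLs entry, and DNS servers outside the LAN, which are reported for verification against the ISP or router rather than as malicious).

```python
"""Triage a ComboFix/OTL style log for the indicators seen in this thread.

Added example; not part of the forum thread, ComboFix or OTL. The sample
lines below are copied from the logs posted above.
"""
import ipaddress
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (category, detail)

# One pattern per log line type the responder in this thread acted on.
MISSING_RE = re.compile(r"^(?P<path>\S.*?) \.\.\. is missing !!$")
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?:http=)?(?P<host>[^:\s,]+):(?P<port>\d+)")
DNS_RE = re.compile(r"^TCP: \{[0-9A-Fa-f-]+\} = (?P<servers>[\d.,]+)$")
FIREWALL_RE = re.compile(r'"EnableFirewall"\s*=\s*0\b')
APPINIT_RE = re.compile(r"AppInit_Dlls:(?P<dll>\S+)")

# Lines copied from the OTL and ComboFix logs in this thread.
SAMPLE_LOG = r"""
c:\windows\System32\eventlog.dll ... is missing !!
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
TCP: {308E66E6-E09C-41AC-826A-3DD6D7F83F16} = 193.104.110.38,4.2.2.1,192.168.1.254
TCP: {7942EEBF-CA44-4928-8BAF-EFD01E8BF0DE} = 193.104.110.38,4.2.2.1
"EnableFirewall"= 0 (0x0)
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:zukenezo.dll deleted successfully.
"""


def is_loopback(host: str) -> bool:
    """True for 'localhost' or any loopback address such as 127.0.0.1."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def triage(log_text: str) -> List[Finding]:
    """Return (category, detail) findings in line order; external DNS
    servers are collected and reported once at the end."""
    findings: List[Finding] = []
    external_dns: List[str] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MISSING_RE.match(line)
        if m:  # Sigcheck: a protected system file is gone and must be restored from a clean copy
            findings.append(("missing-system-file", m.group("path")))
            continue
        m = PROXY_RE.search(line)
        if m:  # a proxy on loopback means a local process is intercepting browser traffic
            if is_loopback(m.group("host")):
                findings.append(("local-proxy", f"{m.group('host')}:{m.group('port')}"))
            continue
        m = DNS_RE.match(line)
        if m:  # per-interface resolvers; anything outside the LAN needs checking with the ISP/router
            for server in m.group("servers").split(","):
                try:
                    ip = ipaddress.ip_address(server)
                except ValueError:
                    continue
                if not (ip.is_private or ip.is_loopback) and server not in external_dns:
                    external_dns.append(server)
            continue
        if FIREWALL_RE.search(line):  # Windows Firewall switched off in the standard profile
            findings.append(("firewall-disabled", line))
            continue
        m = APPINIT_RE.search(line)
        if m:  # AppInit_DLLs is loaded into every user32 process: a classic persistence point
            findings.append(("appinit-dll", m.group("dll")))
    if external_dns:
        findings.append(("dns-external", ",".join(external_dns)))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:20s} {detail}")
```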

Great, you are missing a system file from your machine; we will need to replace it.

I am uploading you a copy.

Please download the following attached .zip file and save it to your desktop.

Right click on it and choose extract.

Extract it to the C:\ drive.

It will have to be there in order for the fix to work correctly.

After that do the following:

1. Please open Notepad

  • Click Start, then Run
  • Type notepad in the Run box, then hit OK.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KILLALL::

File::
c:\windows\system32\besehevi.dll
c:\windows\system32\zadowebi.exe

FCopy::
C:\eventlog.dll | c:\windows\ServicePackFiles\i386\eventlog.dll
C:\eventlog.dll | c:\windows\$NtServicePackUninstall$\eventlog.dll
C:\eventlog.dll | c:\windows\System32\eventlog.dll

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:

  • Combofix.txt

=============

Link to post
Share on other sites

Hi,

Here is the combofix log. Thanks again.

ComboFix 09-12-05.03 - Christina Le 12/06/2009 0:25.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.499 [GMT -8:00]

Running from: c:\documents and settings\Christina Le\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Christina Le\Desktop\CFScript.txt

AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

FILE ::

"c:\windows\system32\besehevi.dll"

"c:\windows\system32\zadowebi.exe"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\zadowebi.exe

.

--------------- FCopy ---------------

c:\eventlog.dll --> c:\windows\ServicePackFiles\i386\eventlog.dll

c:\eventlog.dll --> c:\windows\$NtServicePackUninstall$\eventlog.dll

c:\eventlog.dll --> c:\windows\System32\eventlog.dll

.

((((((((((((((((((((((((( Files Created from 2009-11-06 to 2009-12-06 )))))))))))))))))))))))))))))))

.

2009-12-06 08:38 . 2009-12-06 08:38 -------- d-----w- c:\windows\LastGood

2009-12-06 08:25 . 2008-04-14 09:41 56320 -c--a-w- c:\windows\system32\dllcache\eventlog.dll

2009-12-06 08:25 . 2008-04-14 09:41 56320 ----a-w- c:\windows\system32\eventlog.dll

2009-12-05 00:28 . 2009-12-05 00:28 -------- d-----w- C:\_OTL

2009-12-02 09:02 . 2009-12-02 09:03 3696032 ----a-w- c:\program files\mbam-rules.exe

2009-12-02 08:55 . 2009-09-10 22:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-12-02 08:55 . 2009-12-02 09:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-12-02 08:55 . 2009-09-10 22:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-02 08:52 . 2009-12-02 08:54 4045528 ----a-w- c:\program files\mbam-setup.exe

2009-12-02 03:33 . 2009-12-02 03:33 -------- d--h--w- c:\windows\PIF

2009-11-30 05:40 . 2009-12-02 09:43 -------- d-----w- c:\documents and settings\Christina Le\Local Settings\Application Data\deqyvg

2009-11-09 04:58 . 2009-11-09 04:58 -------- d-----w- c:\program files\Common Files\DVDVideoSoft

2009-11-09 04:58 . 2009-11-09 04:58 -------- d-----w- c:\program files\DVDVideoSoft

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-12-05 01:23 . 2009-09-12 00:28 -------- d-----w- c:\documents and settings\Christina Le\Application Data\Logs

2009-10-11 20:07 . 2009-10-11 20:08 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-10-11 20:07 . 2006-03-02 08:56 -------- d-----w- c:\program files\Java

2009-10-11 20:07 . 2009-10-11 20:07 152576 ----a-w- c:\documents and settings\Christina Le\Application Data\Sun\Java\jre1.6.0_15\lzma.dll

2009-09-19 07:37 . 2008-01-27 06:47 33568 ----a-w- c:\documents and settings\Christina Le\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-09-13 20:23 . 2009-09-13 20:23 6944624 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aaw2008_upd.exe

2008-02-18 03:00 . 2008-02-18 02:59 13905056 ----a-w- c:\program files\Install_AIM.exe

2008-02-01 01:11 . 2008-02-01 01:11 22528 ----a-w- c:\program files\willow_project_profile_2008.doc

2006-02-23 23:31 . 2006-02-23 23:31 14144000 ----a-w- c:\program files\iTunes.exe

2006-02-23 22:56 . 2006-02-23 22:56 102400 ----a-w- c:\program files\iTunesMiniPlayer.dll

2006-02-23 22:45 . 2006-02-23 22:45 278528 ----a-w- c:\program files\iTunesHelper.exe

2006-02-22 17:47 . 2006-02-22 17:47 4634 ----a-w- c:\program files\About iTunes.rtf

2005-08-09 23:33 . 2005-08-09 23:33 8356 ----a-w- c:\program files\Acknowledgements.rtf

2004-07-15 16:07 . 2004-07-15 16:07 434176 ----a-w- c:\program files\CDDBControlApple.dll

2004-03-08 21:07 . 2004-03-08 21:07 49152 ----a-w- c:\program files\ITDetector.ocx

2008-09-29 15:07 . 2009-09-19 07:26 22576 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-12-05_01.31.43 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-12-06 08:34 . 2009-12-06 08:34 16384 c:\windows\temp\Perflib_Perfdata_80.dat

+ 2009-12-06 08:34 . 2009-12-06 08:34 16384 c:\windows\temp\Perflib_Perfdata_5f0.dat

- 2009-12-05 01:38 . 2008-07-08 13:02 26488 c:\windows\SoftwareDistribution\Download\de81b460c3abcfc5b8494c785a5f3944\update\spcustom.dll

- 2009-12-05 01:38 . 2008-07-08 13:02 17272 c:\windows\SoftwareDistribution\Download\de81b460c3abcfc5b8494c785a5f3944\spmsg.dll

+ 2009-01-12 08:02 . 2008-04-14 09:41 56320 c:\windows\$NtServicePackUninstall$\eventlog.dll

- 2009-12-05 01:38 . 2009-05-26 11:40 382840 c:\windows\SoftwareDistribution\Download\de81b460c3abcfc5b8494c785a5f3944\update\updspapi.dll

- 2009-12-05 01:38 . 2009-05-26 11:40 755576 c:\windows\SoftwareDistribution\Download\de81b460c3abcfc5b8494c785a5f3944\update\update.exe

- 2009-12-05 01:38 . 2008-07-08 13:02 231288 c:\windows\SoftwareDistribution\Download\de81b460c3abcfc5b8494c785a5f3944\spuninst.exe

- 2009-12-05 01:38 . 2009-09-11 14:13 136704 c:\windows\SoftwareDistribution\Download\de81b460c3abcfc5b8494c785a5f3944\sp3qfe\msv1_0.dll

- 2009-12-05 01:38 . 2009-09-11 14:18 136192 c:\windows\SoftwareDistribution\Download\de81b460c3abcfc5b8494c785a5f3944\sp3gdr\msv1_0.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-11-08 114688]

"RTHDCPL"="RTHDCPL.EXE" [2005-06-29 14720000]

"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-04-29 45056]

"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]

"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2005-10-20 184320]

"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]

"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-10-12 151552]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-08-05 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-08-05 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-08-05 114688]

"PartSeal"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]

"iTunesHelper"="c:\program files\iTunesHelper.exe" [2006-02-23 278528]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-04-06 155648]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\196R994Qd.exe" [2009-12-02 1312080]

"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-09-29 124240]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]

2005-05-21 01:42 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\iTunes.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

"c:\\WINDOWS\\system32\\mmc.exe"=

"c:\\Program Files\\Sony\\VAIO Event Service\\VESMgr.exe"=

R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [9/29/2008 7:07 AM 19456]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [9/24/2009 5:24 PM 67904]

R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/17/2008 7:01 PM 24652]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [9/24/2009 5:24 PM 64432]

S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

IE: Transfer by Image Converter 2 Plus - c:\program files\Sony\Image Converter 2\menu.htm

TCP: {308E66E6-E09C-41AC-826A-3DD6D7F83F16} = 193.104.110.38,4.2.2.1,192.168.1.254

TCP: {7942EEBF-CA44-4928-8BAF-EFD01E8BF0DE} = 193.104.110.38,4.2.2.1

FF - ProfilePath - c:\documents and settings\Christina Le\Application Data\Mozilla\Firefox\Profiles\46ab06tt.default\

FF - component: c:\program files\Mozilla Firefox\components\Scriptff.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-12-06 00:41

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(864)

c:\windows\system32\VESWinlogon.dll

- - - - - - - > 'explorer.exe'(616)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\McAfee\Common Framework\FrameworkService.exe

c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe

c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe

c:\program files\McAfee\Common Framework\naPrdMgr.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\program files\Sony\VAIO Event Service\VESMgr.exe

c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe

c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe

c:\program files\McAfee\VirusScan Enterprise\mfeann.exe

c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe

c:\program files\Windows Media Player\WMPNetwk.exe

c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

c:\windows\system32\igfxext.exe

c:\windows\system32\igfxsrvc.exe

c:\windows\system32\wscntfy.exe

c:\windows\RTHDCPL.EXE

c:\program files\Apoint\Apntex.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\McAfee\Common Framework\McTray.exe

.

**************************************************************************

.

Completion time: 2009-12-06 00:52 - machine was rebooted

ComboFix-quarantined-files.txt 2009-12-06 08:51

ComboFix2.txt 2009-12-05 01:46

Pre-Run: 56,034,197,504 bytes free

Post-Run: 55,995,473,920 bytes free

- - End Of File - - 55BC4D45496C0B4610EABA61F62E466B

Link to post
Share on other sites

Update Run Malwarebytes

Please update/run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.

  • Click on the update tab then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

=====

* Go here to run an online scanner from ESET.

  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Check next options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic

Link to post
Share on other sites

Hi,

Here is the Malwarebytes log. It doesn't detect anything, but I can't run ESET. After I click Start, the window is blank. After running ComboFix my wireless connection also disconnects every couple of minutes. Does this mean I'm still infected? Thanks again.

Malwarebytes' Anti-Malware 1.42

Database version: 3305

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

12/6/2009 2:46:44 PM

mbam-log-2009-12-06 (14-46-44).txt

Scan type: Quick Scan

Objects scanned: 111793

Time elapsed: 5 minute(s), 26 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

Please try to do a repair for the internet connection problem.

Instructions are here:

http://www.microsoft.com/windowsxp/using/n...ain/repair.mspx

===================

Let's try this scanner instead:

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.

  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Link to post
Share on other sites

Hi,

I've tried the repair thing, but it doesn't seem to work. I still get disconnected after I repair the connection.

Here is the Kaspersky report. During the scan a McAfee message popped up and reported finding Vundo. Should I be worried? Thanks again.

Monday, December 7, 2009

Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Monday, December 07, 2009 19:14:21

Records in database: 3340654

Scan settings

scan using the following database extended

Scan archives yes

Scan e-mail databases yes

Scan area My Computer

C:\

D:\

E:\

Scan statistics

Objects scanned 62438

Threats found 2

Infected objects found 5

Suspicious objects found 0

Scan duration 02:36:34

File name Threat Threats count

C:\Qoobox\Quarantine\C\WINDOWS\system32\dezifamu.dll.vir Infected: Packed.Win32.TDSS.aa 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\jatipife.dll.vir Infected: Packed.Win32.TDSS.aa 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\veyevida.dll.vir Infected: Packed.Win32.TDSS.aa 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\zadowebi.exe.vir Infected: Packed.Win32.Krap.ai 1

C:\System Volume Information\_restore{85D8F67A-9556-4D4D-A80C-B684FCCBE8C6}\RP1\A0000029.exe Infected: Packed.Win32.Krap.ai 1

Selected area has been scanned.


No, McAfee said it found Vundo because Kaspersky was scanning those same files.

They are in Combofix's quarantine folder named qoobox.

Very strange about the wireless doing that. I have never had it be affected.

  • Double click on OTL to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open one Notepad window, OTL.Txt. This is saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of this file and post it with your next reply.

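The point the helper makes above, that a hit inside ComboFix's quarantine folder (Qoobox) or inside a System Restore point is not a live infection, is easy to automate when you are reading a scanner report. The Python below is an added example written for this page, not code from the helper or from any of the tools named in the thread. It assumes the detection lines keep the "<path> Infected: <threat> <count>" shape seen in the report posted above (the sample is copied from that report), and the eight-letter consonant/vowel name check is a heuristic added here because the quarantined files share that shape; it is not a rule stated anywhere in the thread.

```python
"""Triage detections from a Kaspersky Online Scanner report by location.

Added example for this thread (not the helper's or Kaspersky's code).
Assumptions: detection lines look like '<path> Infected: <threat> <count>',
as in the report posted above; the 8-letter consonant/vowel name check is a
heuristic chosen here because the quarantined files share that shape.
"""
import re
from dataclasses import dataclass

# Lines copied from the Kaspersky report posted above. A few header lines are
# kept on purpose to show that the parser skips anything that is not a hit.
SAMPLE_REPORT = r"""
Scan statistics
Objects scanned 62438
Threats found 2
Infected objects found 5
File name Threat Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\dezifamu.dll.vir Infected: Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\jatipife.dll.vir Infected: Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\veyevida.dll.vir Infected: Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\zadowebi.exe.vir Infected: Packed.Win32.Krap.ai 1
C:\System Volume Information\_restore{85D8F67A-9556-4D4D-A80C-B684FCCBE8C6}\RP1\A0000029.exe Infected: Packed.Win32.Krap.ai 1
Selected area has been scanned.
"""

# Path is matched non-greedily so that spaces in folder names survive.
DETECTION_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# Eight lowercase letters alternating consonant/vowel (y counted as a
# consonant), e.g. dezifamu, hegemayu. Heuristic only; see module docstring.
RANDOM_NAME_RE = re.compile(r"^(?:[b-df-hj-np-tv-z][aeiou]){4}$")


@dataclass
class Detection:
    path: str
    threat: str
    count: int
    location: str      # "quarantine", "restore_point" or "live"
    random_name: bool  # basename matches RANDOM_NAME_RE


def classify_location(path: str) -> str:
    """Bucket a detection by where on disk the scanner found it."""
    p = path.lower()
    if re.match(r"^[a-z]:\\qoobox\\", p):
        return "quarantine"          # ComboFix quarantine, note the .vir suffix
    if "\\system volume information\\_restore" in p:
        return "restore_point"       # inert copy held by System Restore
    return "live"


def looks_random_name(path: str) -> bool:
    """True when the file's stem (before the first dot) fits the heuristic."""
    base = path.rsplit("\\", 1)[-1]
    stem = base.split(".", 1)[0]
    return bool(RANDOM_NAME_RE.match(stem))


def parse_report(text: str) -> list[Detection]:
    found = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue  # header, statistics or trailer line
        path = m.group("path")
        found.append(Detection(path, m.group("threat"), int(m.group("count")),
                               classify_location(path), looks_random_name(path)))
    return found


def triage(text: str) -> dict[str, list[Detection]]:
    buckets: dict[str, list[Detection]] = {"live": [], "quarantine": [], "restore_point": []}
    for d in parse_report(text):
        buckets[d.location].append(d)
    return buckets


if __name__ == "__main__":
    for loc, items in triage(SAMPLE_REPORT).items():
        print(f"{loc}: {len(items)}")
        for d in items:
            flag = " (random-looking name)" if d.random_name else ""
            print(f"  {d.threat:<24} {d.path}{flag}")
```

Run against the report above it puts four hits in the quarantine bucket and one in a restore point, with nothing live, which is the reading the helper gives. Anything that lands in the live bucket is what to look at next; a random-looking name under a live System32 path, like the one the helper later asks to be deleted by hand, is worth a second look even when the scanner is silent. The restore-point copy is inert unless that restore point is applied, but scanners will keep reporting it until the restore points are cleared.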

Thanks, I was getting worried.

Here are the logs. I'm not sure if you need the extras.txt log but I'll post it just in case. Thanks again. Everything is running much better besides the wireless thing.

OTL logfile created on: 12/8/2009 1:47:53 PM - Run 1

OTL by OldTimer - Version 3.1.11.4 Folder = C:\Documents and Settings\Christina Le\Desktop

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.13)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1014.42 Mb Total Physical Memory | 381.78 Mb Available Physical Memory | 37.63% Memory free

2.38 Gb Paging File | 1.93 Gb Available in Paging File | 80.97% Paging File free

Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 68.52 Gb Total Space | 52.06 Gb Free Space | 75.97% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: 078A6A7107074FC

Current User Name: Christina Le

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Christina Le\Desktop\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)

PRC - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe (McAfee, Inc.)

PRC - C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe (McAfee, Inc.)

PRC - C:\WINDOWS\system32\mfevtps.exe (McAfee, Inc.)

PRC - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe (McAfee, Inc.)

PRC - C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe (McAfee, Inc.)

PRC - C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe (McAfee, Inc.)

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

PRC - C:\Program Files\QuickTime\qttask.exe (Apple Computer, Inc.)

PRC - C:\Program Files\McAfee\Common Framework\naPrdMgr.exe (McAfee, Inc.)

PRC - C:\Program Files\McAfee\Common Framework\UdaterUI.exe (McAfee, Inc.)

PRC - C:\Program Files\McAfee\Common Framework\FrameworkService.exe (McAfee, Inc.)

PRC - C:\Program Files\McAfee\Common Framework\McTray.exe (McAfee, Inc.)

PRC - C:\Program Files\Viewpoint\Common\ViewpointService.exe (Viewpoint Corporation)

PRC - C:\Program Files\iTunesHelper.exe (Apple Computer, Inc.)

PRC - C:\Program Files\iPod\bin\iPodService.exe (Apple Computer, Inc.)

PRC - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (Intel Corporation )

PRC - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (Intel Corporation)

PRC - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (Intel Corporation)

PRC - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe (Sony Corporation)

PRC - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe (Sony Corporation)

PRC - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe (Sony Corporation)

PRC - C:\Program Files\Sony\VAIO Power Management\SPMgr.exe (Sony Corporation)

PRC - C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe (Sony Corporation)

PRC - C:\WINDOWS\system32\igfxsrvc.exe (Intel Corporation)

PRC - C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)

PRC - C:\WINDOWS\system32\igfxext.exe (Intel Corporation)

PRC - C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)

PRC - C:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp.)

PRC - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe (Sony Corporation)

PRC - C:\Program Files\Sony\ISB Utility\ISBMgr.exe (Sony Corporation)

PRC - C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)

PRC - C:\Program Files\Apoint\ApntEx.exe (Alps Electric Co., Ltd.)

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Christina Le\Desktop\OTL.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (JavaQuickStarterService) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)

SRV - (McShield) -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe (McAfee, Inc.)

SRV - (mfevtp) -- C:\WINDOWS\system32\mfevtps.exe (McAfee, Inc.)

SRV - (McTaskManager) -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe (McAfee, Inc.)

SRV - (McAfeeEngineService) -- C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe (McAfee, Inc.)

SRV - (McAfeeFramework) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe (McAfee, Inc.)

SRV - (Viewpoint Manager Service) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe (Viewpoint Corporation)

SRV - (iPodService) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Computer, Inc.)

SRV - (S24EventMonitor) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (Intel Corporation )

SRV - (EvtEng) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (Intel Corporation)

SRV - (RegSrvc) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (Intel Corporation)

SRV - (VAIOMediaPlatform-IntegratedServer-AppServer) -- C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe (Sony Corporation)

SRV - (SSScsiSV) -- C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe (Sony Corporation)

SRV - (VAIOMediaPlatform-Mobile-Gateway) -- C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe (Sony Corporation)

SRV - (VzFw) -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe (Sony Corporation)

SRV - (VzCdbSvc) -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe (Sony Corporation)

SRV - (Vcsw) -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe (Sony Corporation)

SRV - (VAIO Entertainment TV Device Arbitration Service) -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe (Sony Corporation)

SRV - (MSCSPTISRV) -- C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe (Sony Corporation)

SRV - (PACSPTISVR) -- C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe (Sony Corporation)

SRV - (SPTISRV) -- C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe (Sony Corporation)

SRV - (VAIOMediaPlatform-IntegratedServer-UPnP) VAIO Media Integrated Server (UPnP) -- C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe (Sony Corporation)

SRV - (VAIOMediaPlatform-IntegratedServer-HTTP) VAIO Media Integrated Server (HTTP) -- C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe (Sony Corporation)

SRV - (Image Converter video recording monitor for VAIO Entertainment) -- C:\Program Files\Sony\Image Converter 2\IcVzMon.exe (Sony Corporation)

SRV - (VAIO Event Service) -- C:\Program Files\Sony\VAIO Event Service\VESMgr.exe (Sony Corporation)

SRV - (IDriverT) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (Macrovision Corporation)

SRV - (aspnet_state) -- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (Microsoft Corporation)

SRV - (ose) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (mfehidk) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)

DRV - (mfeavfk) -- C:\WINDOWS\system32\drivers\mfeavfk.sys (McAfee, Inc.)

DRV - (mfeapfk) -- C:\WINDOWS\system32\drivers\mfeapfk.sys (McAfee, Inc.)

DRV - (mferkdet) -- C:\WINDOWS\system32\drivers\mferkdet.sys (McAfee, Inc.)

DRV - (mfetdik) -- C:\WINDOWS\system32\drivers\mfetdik.sys (McAfee, Inc.)

DRV - (mfebopk) -- C:\WINDOWS\system32\drivers\mfebopk.sys (McAfee, Inc.)

DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)

DRV - (MCSTRM) -- C:\WINDOWS\system32\drivers\mcstrm.sys (RealNetworks, Inc.)

DRV - (Secdrv) -- C:\WINDOWS\system32\drivers\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)

DRV - (AegisP) AEGIS Protocol (IEEE 802.1x) -- C:\WINDOWS\system32\drivers\AegisP.sys (Meetinghouse Data Communications)

DRV - (tifmsony) -- C:\WINDOWS\system32\drivers\tifmsony.sys (Texas Instruments)

DRV - (w29n51) Intel® -- C:\WINDOWS\system32\drivers\w29n51.sys (Intel


I will need you to show hidden Files\Folders.

To do this:

  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading, select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.

After that using Windows Explorer (to get there right-click your Start button and go to "Explore")

Delete this file listed below:

C:\WINDOWS\System32\hegemayu

Now close Windows Explorer.

====================

Now reset your Hidden files\folders to hidden.

To do this:

  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading, select Do not show hidden files and folders.
  • Check the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.

=======================

After that please do the following:

  • Click START then RUN
  • Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

Let it uninstall Combofix then reboot.

After that let me know if you still get disconnected.


Hi again,

I uninstalled combofix but I still get disconnected. It does this weird thing where the wireless icon shows that it's disconnected but I can still go on the internet. After a couple of minutes I get disconnected for real. When I try to repair it says "following action cannot be completed: connecting to wireless network"

BTW, can I delete Defogger, OTL, etc., or is there a special process I have to do? Thanks again.

