Clairefish Posted February 10, 2010 ID:197389 Share Posted February 10, 2010 So i'm trying to get rid of malware on my gf's computer, its been making the computer run super slow, making the internet go schizo, and seeding random popups. I ran avast using the boot scan, but it didn't seem to work, the bottom bar for the computer is greyed out and won't work, as can be seen here:and malwarebytes won't launch, I've tried scanning malwarebytes with avast, and thats when the bottom bar started greying out. Avast finds stuff whenever I run the scan, but it can't seem to get all of it and malwarebytes still won't run.here is the Hijack this log:------------------------------------------------------------------------------------Logfile of Trend Micro HijackThis v2.0.2Scan saved at 7:58:43 PM, on 2/9/2010Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16981)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Alwil Software\Avast4\aswUpdSv.exeC:\Program Files\Alwil Software\Avast4\ashServ.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\system32\basfipm.exeC:\Program Files\Alwil Software\Avast4\ashMaiSv.exeC:\Program Files\Alwil Software\Avast4\ashWebSv.exeC:\WINDOWS\Explorer.EXEC:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeC:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exeC:\Program Files\Apoint\Apoint.exeC:\Program Files\Apoint\HidFind.exeC:\Program Files\Java\jre6\bin\jusched.exeC:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\WINDOWS\System32\bcmwltry.exeC:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exeC:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exeC:\Program Files\Alwil Software\Avast4\ashSimpl.exeC:\WINDOWS\system32\taskmgr.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dllO2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dllO2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllO4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exeO4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exeO4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exeO4 - HKLM\..\Run: [bascstray] BascsTray.exeO4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe"O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"O4 - HKLM\..\Run: [mijosudus] Rundll32.exe "c:\windows\system32\lofirelo.dll",aO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [VoipStunt] "C:\Program Files\VoipStunt.com\VoipStunt\VoipStunt.exe" -nosplash -minimizedO4 - HKCU\..\Run: [steam] "C:\Program Files\Steam\Steam.exe" -silentO4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exeO4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXEO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cabO20 - AppInit_DLLs: yufivibo.dll c:\windows\system32\lofirelo.dllO21 - SSODL: rafojidej - {40881e32-642a-4c86-b001-a6c8cb3905e5} - c:\windows\system32\lofirelo.dllO22 - SharedTaskScheduler: tokatiluy - {40881e32-642a-4c86-b001-a6c8cb3905e5} - c:\windows\system32\lofirelo.dllO23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exeO23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exeO23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exeO23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exeO23 - Service: Broadcom ASF IP monitoring service v6.0.1 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exeO23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exeO23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exeO23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exeO23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exeO23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exeO23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exeO23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE--End of file - 6302 bytes-----------------------------------------------------------------so yeah, please help. Link to post Share on other sites More sharing options...
sys-eng Posted February 10, 2010 ID:197520 Share Posted February 10, 2010 Did you try a scan from Safe Mode? Link to post Share on other sites More sharing options...
sjpritch25 Posted February 10, 2010 ID:197561 Share Posted February 10, 2010 Download Combofix from this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix**Note: It is important that it is saved directly to your desktop**--------------------------------------------------------------------1. Close any open browsers.2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.--------------------------------------------------------------------Double click on combofix.exe & follow the prompts. When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.Note:Do not mouseclick combofix's window while it's running. That may cause it to stall Link to post Share on other sites More sharing options...
Clairefish Posted February 11, 2010 Author ID:198074 Share Posted February 11, 2010 Here's the Hijackthis log:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 8:04:21 PM, on 2/10/2010Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16981)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\WLTRYSVC.EXEC:\WINDOWS\System32\bcmwltry.exeC:\Program Files\Alwil Software\Avast4\aswUpdSv.exeC:\Program Files\Alwil Software\Avast4\ashServ.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\system32\basfipm.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exeC:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exeC:\Program Files\Alwil Software\Avast4\ashMaiSv.exeC:\Program Files\Alwil Software\Avast4\ashWebSv.exeC:\WINDOWS\system32\Ati2evxx.exeC:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\WLTRAY.exeC:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exeC:\Program Files\Apoint\Apoint.exeC:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exeC:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exeC:\Program Files\Apoint\HidFind.exeC:\Program Files\Apoint\Apntex.exeC:\Program Files\Java\jre6\bin\jusched.exeC:\Program Files\OpenOffice.org 3\program\soffice.exeC:\Program Files\OpenOffice.org 3\program\soffice.binC:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exeC:\WINDOWS\explorer.exeC:\WINDOWS\system32\notepad.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dllO2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dllO2 - BHO: (no name) - {de50656a-9a01-4000-831b-5a81fc522e4c} - lefegosi.dll (file missing)O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllO4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exeO4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exeO4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exeO4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe"O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"O4 - HKCU\..\Run: [steam] "C:\Program Files\Steam\Steam.exe" -silentO4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exeO4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXEO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cabO20 - AppInit_DLLs: vikuzeja.dllO23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exeO23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exeO23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exeO23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exeO23 - Service: Broadcom ASF IP monitoring service v6.0.1 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exeO23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exeO23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exeO23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exeO23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exeO23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exeO23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exeO23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE--End of file - 6267 bytesThe other one is huge, so it's attached.log.txt Link to post Share on other sites More sharing options...
sjpritch25 Posted February 12, 2010 ID:198539 Share Posted February 12, 2010 1. Close any open browsers.2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.3. Open notepad and copy/paste the text in the quotebox below into it:http://forums.malwarebytes.org/index.php?showtopic=39482&st=0entry198074Collect::c:\windows\system32\lefegosi.dllc:\windows\system32\hogufare.dll.tmpc:\windows\system32\katowola.dllc:\windows\system32\kedawubo.dllc:\windows\system32\lemekipe.dllc:\windows\system32\lofirelo.dllc:\windows\system32\tebanohu.dll.tmpc:\windows\system32\wigimogo.dllc:\windows\system32\yufivibo.dll.tmpRegistry::[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{de50656a-9a01-4000-831b-5a81fc522e4c}][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]"appinit_dlls"=""Save this as CFScript.txt, in the same location as ComboFix.exeRefering to the picture above, drag CFScript into ComboFix.exeWhen finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply. Link to post Share on other sites More sharing options...
Clairefish Posted February 12, 2010 Author ID:198675 Share Posted February 12, 2010 It said that avast was still running even after I turned it off, so I'm not sure if there's something I'm missing. Here's the log:ComboFix 10-02-11.04 - Claire 02/11/2010 22:03:51.2.1 - x86Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.257 [GMT -5:00]Running from: c:\documents and settings\Claire\Desktop\ComboFix.exeCommand switches used :: c:\documents and settings\Claire\Desktop\CFScript.txt.txtAV: avast! antivirus 4.8.1368 [VPS 100211-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}file zipped: c:\windows\system32\hogufare.dll.tmpfile zipped: c:\windows\system32\katowola.dllfile zipped: c:\windows\system32\kedawubo.dllfile zipped: c:\windows\system32\lemekipe.dllfile zipped: c:\windows\system32\lofirelo.dllfile zipped: c:\windows\system32\tebanohu.dll.tmpfile zipped: c:\windows\system32\wigimogo.dllfile zipped: c:\windows\system32\yufivibo.dll.tmp.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).c:\windows\system32\havowezi.dllc:\windows\system32\hogufare.dll.tmpc:\windows\system32\katowola.dllc:\windows\system32\kedawubo.dllc:\windows\system32\lemekipe.dllc:\windows\system32\lofirelo.dllc:\windows\system32\tebanohu.dll.tmpc:\windows\system32\vorikope.dllc:\windows\system32\wigimogo.dllc:\windows\system32\yufivibo.dll.tmpc:\windows\system32\zurihaga.dllc:\windows\Tasks\nrbtrmgq.job.((((((((((((((((((((((((( Files Created from 2010-01-12 to 2010-02-12 ))))))))))))))))))))))))))))))).2010-02-12 02:19 . 2010-02-12 02:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software2010-02-10 00:56 . 2010-02-10 00:56 -------- d-----w- c:\program files\Trend Micro2010-01-16 23:44 . 2010-01-17 18:21 -------- d-----w- c:\documents and settings\Dad\Local Settings\Application Data\Adobe2010-01-13 12:56 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2010-02-12 03:14 . 2009-11-23 01:07 -------- d-----w- c:\program files\Steam2010-02-12 02:20 . 2008-11-11 22:21 -------- d-----w- c:\program files\Alwil Software2010-02-11 18:53 . 2008-11-11 22:22 38848 ----a-w- c:\windows\system32\avastSS.scr2010-02-11 18:53 . 2008-11-11 22:22 153184 ----a-w- c:\windows\system32\aswBoot.exe2010-02-11 18:42 . 2008-11-11 22:22 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys2010-02-11 18:42 . 2008-11-11 22:22 162512 ----a-w- c:\windows\system32\drivers\aswSP.sys2010-02-11 18:39 . 2008-11-11 22:22 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys2010-02-11 18:38 . 2008-11-11 22:22 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys2010-02-11 18:38 . 2008-11-11 22:22 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys2010-02-11 18:38 . 2008-11-11 22:22 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys2010-02-11 18:38 . 2008-11-11 22:22 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys2010-02-09 18:31 . 2010-01-11 14:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2010-01-24 17:42 . 2009-02-22 04:10 -------- d-----w- c:\program files\Microsoft Silverlight2010-01-14 00:59 . 2008-11-12 17:52 -------- d-----w- c:\program files\Paint Shop Pro 62010-01-11 14:17 . 2010-01-11 14:17 -------- d-----w- c:\documents and settings\Dad\Application Data\Malwarebytes2010-01-11 14:16 . 2010-01-11 14:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes2010-01-07 22:26 . 2010-01-07 22:26 -------- d-----w- c:\documents and settings\Dad\Application Data\Roxio2010-01-07 21:07 . 2010-01-11 14:17 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2010-01-07 21:07 . 2010-01-11 14:16 19160 ----a-w- c:\windows\system32\drivers\mbam.sys2010-01-05 10:00 . 2006-02-28 12:00 832512 ------w- c:\windows\system32\wininet.dll2010-01-05 10:00 . 2006-02-28 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll2010-01-05 10:00 . 2006-02-28 12:00 17408 ------w- c:\windows\system32\corpol.dll2009-12-22 17:00 . 2009-10-30 16:06 -------- d-----w- c:\documents and settings\Claire\Application Data\vlc2009-12-02 15:21 . 2008-11-11 22:27 36384 ----a-w- c:\documents and settings\Claire\Local Settings\Application Data\GDIPFONTCACHEV1.DAT2009-12-02 04:59 . 2009-12-02 04:59 1 ----a-w- c:\documents and settings\Claire\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys2009-12-02 01:53 . 2009-12-02 01:53 411368 ----a-w- c:\windows\system32\deploytk.dll2009-11-23 14:02 . 2009-11-23 14:02 664 ----a-w- c:\windows\system32\d3d9caps.dat2009-11-17 01:03 . 2009-11-17 01:03 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe1601-01-01 00:03 . 1601-01-01 00:03 53760 --sha-w- c:\windows\system32\kofidina.dll1601-01-01 00:03 . 1601-01-01 00:03 39424 --sha-w- c:\windows\system32\mijamehu.dll1601-01-01 00:03 . 1601-01-01 00:03 61952 --sha-w- c:\windows\system32\niyuhelu.dll1601-01-01 00:03 . 1601-01-01 00:03 53760 --sha-w- c:\windows\system32\zofetehi.dll.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"Steam"="c:\program files\Steam\Steam.exe" [2009-11-23 1217808][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-11 344064]"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]"RoxioDragToDisc"="c:\program files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe" [2005-09-19 1687552]"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" [2005-09-19 163840]"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-02 149280]"mijosudus"="c:\windows\system32\havowezi.dll" [bU]"kotesefeba"="zurihaga.dll" [bU]c:\documents and settings\Claire\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588][HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="c:\\Program Files\\Ventrilo\\Ventrilo.exe"="c:\\Program Files\\Steam\\Steam.exe"="c:\\Program Files\\Java\\jre6\\bin\\java.exe"="c:\\Program Files\\Roxio\\Easy Media Creator 8\\Digital Home\\RoxUpnpServer.exe"="c:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"="c:\\Program Files\\Apoint\\Apoint.exe"=R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [11/11/2008 5:22 PM 162512]R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/11/2008 5:22 PM 19024]R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [8/8/2008 8:31 PM 92550]..------- Supplementary Scan -------.FF - ProfilePath - c:\documents and settings\Claire\Application Data\Mozilla\Firefox\Profiles\ygxxhyee.default\FF - plugin: c:\documents and settings\Claire\Application Data\Mozilla\Firefox\Profiles\ygxxhyee.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll.- - - - ORPHANS REMOVED - - - -SharedTaskScheduler-{221f2978-9611-4149-9907-760eb73bf81e} - c:\windows\system32\havowezi.dllSSODL-hejiyovaz-{221f2978-9611-4149-9907-760eb73bf81e} - c:\windows\system32\havowezi.dll**************************************************************************catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2010-02-11 22:12Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************.--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'winlogon.exe'(648)c:\windows\system32\Ati2evxx.dllc:\windows\System32\BCMLogon.dll- - - - - - - > 'explorer.exe'(2024)c:\windows\system32\WININET.dllc:\windows\system32\ieframe.dll.------------------------ Other Running Processes ------------------------.c:\windows\system32\Ati2evxx.exec:\windows\System32\WLTRYSVC.EXEc:\windows\System32\bcmwltry.exec:\program files\Alwil Software\Avast5\AvastSvc.exec:\windows\System32\SCardSvr.exec:\windows\system32\basfipm.exec:\program files\Java\jre6\bin\jqs.exec:\program files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exec:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exec:\windows\system32\wdfmgr.exec:\windows\system32\Ati2evxx.exec:\program files\Apoint\HidFind.exec:\program files\Apoint\Apntex.exec:\program files\OpenOffice.org 3\program\soffice.exec:\program files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exec:\program files\OpenOffice.org 3\program\soffice.bin.**************************************************************************.Completion time: 2010-02-11 22:24:47 - machine was rebootedComboFix-quarantined-files.txt 2010-02-12 03:24ComboFix2.txt 2010-02-11 00:36Pre-Run: 30,455,721,984 bytes freePost-Run: 30,300,350,464 bytes free- - End Of File - - B42F4C59FE8CC99A5164F44021A4D5BA Link to post Share on other sites More sharing options...
sjpritch25 Posted February 12, 2010 ID:198679 Share Posted February 12, 2010 1. Close any open browsers.2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.3. Open notepad and copy/paste the text in the quotebox below into it:http://forums.malwarebytes.org/index.php?showtopic=39482Collect::c:\windows\system32\kofidina.dllc:\windows\system32\mijamehu.dllc:\windows\system32\niyuhelu.dllc:\windows\system32\zofetehi.dllRegistry::[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"mijosudus"=-"kotesefeba"=-Save this as CFScript.txt, in the same location as ComboFix.exeRefering to the picture above, drag CFScript into ComboFix.exeWhen finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.Was combofix successful with uploading those requested files? You should of been prompted. And will be again. Link to post Share on other sites More sharing options...
Recommended Posts