
Win32/Huer; won't sign onto wireless network



Hello,

I'm trying to fix my girlfriend's brother's Dell Inspiron 1501 Laptop. He uses Limewire quite extensively, so I suspect he caught whatever the laptop has through there.

Anyways, I proceeded to follow the instructions for posting. Malwarebytes had problems running yesterday, but today it ran fine. AVG Free 9.0 is installed on the laptop, and it identified almost 600 infected or suspected infected files. DDS ran fine and created both logs. When GMER was running a blue screen of death appeared and the scan stopped. This happened twice.

The DDS.txt file is below. The attached zip file has the attach.txt and Malwarebytes log in it. Thanks in advance for the help!

DDS (Ver_10-03-17.01) - NTFSx86

Run by capponi at 20:03:52.93 on Sun 04/04/2010

Internet Explorer: 8.0.6001.18702

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uSearch Page = hxxp://www.google.com

uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6071210

uSearch Bar = hxxp://www.google.com/ie

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

uInternet Connection Wizard,ShellNext = iexplore

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com

mSearchAssistant = hxxp://www.google.com

uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll

uURLSearchHooks: H - No File

uURLSearchHooks: H - No File

mURLSearchHooks: H - No File

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

BHO: {fad8fff1-ca87-4d6d-8394-d66cbe423172} - nudeleze.dll

TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll

TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [ares] "c:\program files\ares\Ares.exe" -h

uRun: [indxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020

uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp

uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1

uRun: [autofmtxp.exe] c:\docume~1\capponi\locals~1\temp\autofmtxp.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [ECenter] c:\dell\e-center\EULALauncher.exe

mRun: [dscactivate] "%ProgramFiles%\Dell Support Center\gs_agent\custom\dsca.exe"

mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"

mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"

mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime

mRun: [rmosnq] RUNDLL32.EXE c:\windows\system32\msyblkya.dll,w

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

uPolicies-system: EnableProfileQuota = 1 (0x1)

IE: &Search

IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000

IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1005.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Notify: AtiExtEvent - Ati2evxx.dll

Notify: avgrsstarter - avgrsstx.dll

AppInit_DLLs: c:\windows\cru629.dat,yarobefe.dll

LSA: Notification Packages = scecli yarobefe.dll

============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================

2010-04-04 23:15:25 94720 ----a-w- c:\documents and settings\capponi\rundll32.exe

2010-04-04 21:34:32 238920 ----a-w- c:\windows\system32\556602.exe

2010-04-04 21:34:27 36865 ----a-w- c:\windows\system32\mssapsmr.dll

2010-04-04 18:55:52 0 d-----w- c:\docume~1\capponi\applic~1\Malwarebytes

2010-04-04 18:55:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-04 18:55:44 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-04 18:55:44 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-04-04 18:55:44 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-04-04 18:54:32 94720 ----a-w- c:\documents and settings\capponi\rundll32 .exe

2010-04-04 18:54:18 94720 ----a-w- c:\documents and settings\capponi\stsystra.exe

2010-04-04 18:54:18 94720 ----a-w- c:\documents and settings\capponi\stsystra .exe

2010-04-04 17:20:01 0 d-----w- C:\7695d2399e33e7dbc28fda3bafc459

2010-04-03 20:00:27 94720 ----a-w- c:\windows\system32\stsystra.exe

2010-04-03 20:00:27 94720 ----a-w- c:\windows\system32\stsystra .exe

2010-04-03 19:55:23 0 d-----w- c:\windows\system32\wbem\Repository

2010-04-03 19:44:50 0 d--h--r- C:\$VAULT$.AVG

2010-04-03 19:44:50 0 d-----w- c:\docume~1\capponi\applic~1\AVG7

2010-04-03 18:18:40 0 d-----w- c:\program files\Malwarebytes' Anti-Malware(2)

2010-04-03 16:06:09 0 d-----w- C:\$AVG8.VAULT$

2010-04-03 15:45:02 0 d-----w- c:\docume~1\alluse~1\applic~1\avg8(2)

2010-03-31 20:29:05 238920 ----a-w- c:\windows\system32\8701396.exe

2010-03-31 01:10:34 238920 ----a-w- c:\windows\system32\7743754.exe

2010-03-31 01:10:00 45568 ----a-w- c:\windows\system32\so.bin

2010-03-31 01:10:00 35840 ----a-w- c:\windows\system32\ms.bin

2010-03-31 01:09:59 44 ----a-w- c:\windows\system32\5.tmp

2010-03-30 23:57:59 32768 ----a-w- c:\windows\system32\23rh46g.4e

2010-03-30 23:57:58 65024 ----a-w- c:\windows\system32\bb52fkri.few

2010-03-30 23:56:29 238920 ----a-w- c:\windows\system32\6140971.exe

2010-03-30 23:55:37 28515 ----a-w- c:\windows\system32\F.tmp

2010-03-30 23:55:29 44 ----a-w- c:\windows\system32\D.tmp

2010-03-30 22:49:22 1100 ----a-w- c:\windows\system32\d3d8caps.dat

2010-03-30 22:47:56 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2010-03-30 22:33:56 30720 ----a-w- c:\windows\system32\OLD92.tmp

2010-03-30 22:33:15 203264 ----a-w- c:\windows\Jgydea.exe

2010-03-30 22:32:25 57856 ----a-w- c:\windows\system32\OLD8A.tmp

2010-03-30 22:32:24 49152 ----a-w- c:\windows\system32\OLD87.tmp

2010-03-30 22:30:52 0 d-----w- c:\docume~1\capponi\applic~1\OpenOffice.org

2010-03-30 22:20:25 0 d-----w- c:\program files\OpenOffice.org 3

2010-03-30 22:10:30 0 d-----w- c:\program files\Skype

2010-03-30 22:10:27 0 d-----w- c:\program files\Atrinsic

2010-03-30 22:10:26 0 d-----w- c:\docume~1\capponi\applic~1\WeatherBug

2010-03-30 22:09:56 0 d-----w- c:\docume~1\capponi\applic~1\PriceGong

2010-03-30 22:09:55 0 d-----w- c:\program files\PriceGong

2010-03-12 15:26:46 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-03-06 17:21:50 54496 ---ha-w- c:\windows\system32\mlfcache.dat

==================== Find3M ====================

2010-04-03 19:46:18 95360 ----a-w- c:\windows\system32\drivers\atapi.sys

2010-03-30 23:54:55 577536 ----a-w- c:\windows\system32\user32.DLL

2010-03-30 23:54:55 577536 ----a-w- c:\windows\system32\dllcache\user32.dll

2010-03-30 22:23:33 2044 ----a-w- c:\docume~1\capponi\applic~1\wklnhst.dat

2010-03-12 15:26:49 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-03-12 15:25:16 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-01-05 10:00:21 133120 ------w- c:\windows\system32\dllcache\extmgr.dll

2009-08-21 18:33:35 11828 ----a-w- c:\program files\common files\zekuvy.dll

2009-08-21 18:33:35 10542 ----a-w- c:\program files\common files\wabilydaf.pif

2009-08-21 18:33:34 18912 ----a-w- c:\program files\common files\zafilemas.scr

2009-08-21 18:33:34 15091 ----a-w- c:\program files\common files\xonofe.exe

2009-08-21 18:01:43 19176 ----a-w- c:\program files\common files\odug.ban

2009-08-21 18:01:43 15443 ----a-w- c:\program files\common files\bisexo.bat

2009-08-21 16:11:34 18474 ----a-w- c:\program files\common files\hoselutew.pif

2009-08-21 16:11:34 18156 ----a-w- c:\program files\common files\asopafedi.pif

2009-08-21 16:11:34 17613 ----a-w- c:\program files\common files\hiky.vbs

2009-08-21 16:11:34 17519 ----a-w- c:\program files\common files\kewok.sys

2009-08-21 16:11:34 14860 ----a-w- c:\program files\common files\exeqyrys.db

2009-08-14 03:06:05 12775 ----a-w- c:\program files\common files\nobugezubu.sys

2007-12-15 05:35:10 31768752 ----a-w- c:\program files\avg75free_503a1205.exe

2007-12-15 05:30:42 21216112 ----a-w- c:\program files\aaw2007.exe

1601-01-01 00:03:28 709 --sha-w- c:\windows\system32\buhepine.exe

============= FINISH: 20:09:49.18 ===============

files.zip


  • Staff

Hi,

Your system is severely infected. The problem with these infections nowadays is that they cause a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.

Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible, since it would be like searching for a needle in a haystack to find the right cause and solution.

So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused.

In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start. The reason I am telling you this is that when a system is so terribly infected and we try to clean it up manually, the damage that is already present may interfere with our removal attempts.

Please RESCAN with Malwarebytes and post the log from Malwarebytes in your next reply, together with a new DDS log (created after reboot, after the Malwarebytes scan).


  • Staff

Hi,

In your case, you made the right decision, because it would have been a real hassle to clean up all these nasty infections and your system would have stayed compromised anyway.

Either way, just make sure this won't happen again, so please read my Prevention page with lots of info and tips on how to prevent this in the future.

Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again! :)
