
I'm trying to fix a work computer with valuable files. It's been infected with the Defense Center trojan. I tried using Malwarebytes, and it took some stuff out, but now not much opens.

When I want to open Malwarebytes, the computer asks me what I want to open the program with. I get redirected to other sites while web browsing, some programs won't run because it says that rundll32.exe is missing, Task Manager is locked, and I can't access regedit from Run.

I can't even run HijackThis because it tells me I need to open it with a program.


Hello llennnn16! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step; if there is a problem somewhere, stop and tell me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something, please ask.
  • Do not install or uninstall any software or hardware while we work on this.
  • Keep me informed about any changes.

Please follow these instructions:

http://forums.malwarebytes.org/index.php?showtopic=54634

Let me know how things are.


(Sorry for all those posts; that's just proof there's still something wrong. I clicked like 8 times and the page did not move. I even tried to email this to myself so I could post from my phone, but even the Yahoo button wouldn't budge. It really would be good if there was an edit button for the posts here.)

Well, I have been able to get rid of most of the problem, but I had to use another program, because Malwarebytes would not run or let me install a fresh copy, even in Safe Mode. It kept telling me that rundll32.exe was not found, and then when the malware recognized the file, it told me that it needed to open with something.

Problems that seem to still be present are: Malwarebytes blocking anything to do with google.com, or Google-related sites just not loading; I keep getting redirected to spam sites, or spam sites just open in a new tab; and Java is acting up, some players won't load, and some buttons just don't work: I click them and nothing happens.

I have been able to run HijackThis now; here's the log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:30:29 AM, on 6/29/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.17055)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\TouchKit\xTouchMon.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Symantec\pcAnywhere\awhost32.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\EpStsSrv.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local

O1 - Hosts: 89.149.193.137 www.google.com

O1 - Hosts: 89.149.193.137 us.search.yahoo.com

O1 - Hosts: 89.149.193.137 uk.search.yahoo.com

O1 - Hosts: 89.149.193.137 search.yahoo.com

O1 - Hosts: 89.149.193.137 www.google.com.br

O1 - Hosts: 89.149.193.137 www.google.it

O1 - Hosts: 89.149.193.137 www.google.es

O1 - Hosts: 89.149.193.137 www.google.co.jp

O1 - Hosts: 89.149.193.137 www.google.com.mx

O1 - Hosts: 89.149.193.137 www.google.ca

O1 - Hosts: 89.149.193.137 www.google.com.au

O1 - Hosts: 89.149.193.137 www.google.nl

O1 - Hosts: 89.149.193.137 www.google.co.za

O1 - Hosts: 89.149.193.137 www.google.be

O1 - Hosts: 89.149.193.137 www.google.gr

O1 - Hosts: 89.149.193.137 www.google.at

O1 - Hosts: 89.149.193.137 www.google.se

O1 - Hosts: 89.149.193.137 www.google.ch

O1 - Hosts: 89.149.193.137 www.google.pt

O1 - Hosts: 89.149.193.137 www.google.dk

O1 - Hosts: 89.149.193.137 www.google.fi

O1 - Hosts: 89.149.193.137 www.google.ie

O1 - Hosts: 89.149.193.137 www.google.no

O1 - Hosts: 89.149.193.137 www.google.de

O1 - Hosts: 89.149.193.137 www.google.fr

O1 - Hosts: 89.149.193.137 www.google.co.uk

O1 - Hosts: 89.149.193.137 www.bing.com

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [xTouchMon] C:\Program Files\TouchKit\xTouchMon.exe

O4 - HKLM\..\Run: [ClearTKHandle] C:\Program Files\TouchKit\ClearTKHandle.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [Vnukopa] rundll32.exe "C:\WINDOWS\ujisejadaza.dll",Startup

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (rootkit-scan)] "C:\Program Files\Malwarebytes' A


It's not the entire log file from HijackThis. What about the DDS log? The GMER log?

Sorry, but the reply button just wouldn't budge. For some reason it loaded like 5 replies with only half the log. If it happens again, it's not me, it's the computer; I did put in the entire HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:01:23 AM, on 7/1/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.17055)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\TouchKit\xTouchMon.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Symantec\pcAnywhere\awhost32.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\EpStsSrv.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local

O1 - Hosts: 89.149.193.137 www.google.com

O1 - Hosts: 89.149.193.137 us.search.yahoo.com

O1 - Hosts: 89.149.193.137 uk.search.yahoo.com

O1 - Hosts: 89.149.193.137 search.yahoo.com

O1 - Hosts: 89.149.193.137 www.google.com.br

O1 - Hosts: 89.149.193.137 www.google.it

O1 - Hosts: 89.149.193.137 www.google.es

O1 - Hosts: 89.149.193.137 www.google.co.jp

O1 - Hosts: 89.149.193.137 www.google.com.mx

O1 - Hosts: 89.149.193.137 www.google.ca

O1 - Hosts: 89.149.193.137 www.google.com.au

O1 - Hosts: 89.149.193.137 www.google.nl

O1 - Hosts: 89.149.193.137 www.google.co.za

O1 - Hosts: 89.149.193.137 www.google.be

O1 - Hosts: 89.149.193.137 www.google.gr

O1 - Hosts: 89.149.193.137 www.google.at

O1 - Hosts: 89.149.193.137 www.google.se

O1 - Hosts: 89.149.193.137 www.google.ch

O1 - Hosts: 89.149.193.137 www.google.pt

O1 - Hosts: 89.149.193.137 www.google.dk

O1 - Hosts: 89.149.193.137 www.google.fi

O1 - Hosts: 89.149.193.137 www.google.ie

O1 - Hosts: 89.149.193.137 www.google.no

O1 - Hosts: 89.149.193.137 www.google.de

O1 - Hosts: 89.149.193.137 www.google.fr

O1 - Hosts: 89.149.193.137 www.google.co.uk

O1 - Hosts: 89.149.193.137 www.bing.com

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [xTouchMon] C:\Program Files\TouchKit\xTouchMon.exe

O4 - HKLM\..\Run: [ClearTKHandle] C:\Program Files\TouchKit\ClearTKHandle.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [Vnukopa] rundll32.exe "C:\WINDOWS\ujisejadaza.dll",Startup

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (rootkit-scan)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1202951857765

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: EPSON ESC/POS Status Service (EPSON ESCPOS Status Service) - SEIKO EPSON Corp. - C:\WINDOWS\SYSTEM32\EpStsSrv.exe

O23 - Service: Workstation lanmanworkstationdmserver (lanmanworkstationdmserver) - Unknown owner - C:\WINDOWS\system32\ahuia.exe (file missing)

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: Remote Desktop Help Session Manager RDSessMgrwuauserv (RDSessMgrwuauserv) - Unknown owner - C:\WINDOWS\system32\adsntl.exe (file missing)

O23 - Service: Telephony TapiSrvPlugPlay (TapiSrvPlugPlay) - Unknown owner - C:\WINDOWS\system32\1054n.exe

O23 - Service: Network Provisioning Service xmlprovAlerter (xmlprovAlerter) - Unknown owner - C:\WINDOWS\system32\acelpdecx.exe (file missing)

--

End of file - 6563 bytes

As for the other 2 logs, I'm sorry, but I'm not familiar with them.


Also, I would like you to generate an "Add/Remove Software list" log using the HijackThis application. Here is how you can do this:

To get an Uninstall List from HijackThis:

  • Open HijackThis, click Config, click Misc Tools
  • Click "Open Uninstall Manager"
  • Click "Save List" (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.


Here you go. Thank you for the fast response.

Adobe Download Manager

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Reader 7.0

Apple Application Support

Apple Mobile Device Support

Apple Software Update

Bonjour

BPA Support Files

BPA Touch POS

Dell Resource CD

EPSON Advanced Printer Driver 3

High Definition Audio Driver Package - KB888111

HijackThis 2.0.2

Hotfix for Microsoft .NET Framework 3.0 (KB932471)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Internet Explorer 7 (KB947864)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB979306)

Hotfix for Windows XP (KB981793)

Intel® Graphics Media Accelerator Driver

Intel® PRO Network Connections 12.1.12.0

LiveReg (Symantec Corporation)

LiveUpdate 2.5 (Symantec Corporation)

Malwarebytes' Anti-Malware

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB979906)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 3.5 SP1

Microsoft Base Smart Card Cryptographic Service Provider Package

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft Kernel-Mode Driver Framework Feature Pack 1.7

Microsoft National Language Support Downlevel APIs

Microsoft SQL Server 2005

Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)

Microsoft SQL Server 2005 Tools Express Edition

Microsoft SQL Server Management Studio Express

Microsoft SQL Server Native Client

Microsoft SQL Server Setup Support Files (English)

Microsoft SQL Server VSS Writer

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft WinUsb 1.0

MosChip Multi-IO Controller

Mozilla Firefox (3.6.2)

MSN

MSXML 6 Service Pack 2 (KB973686)

QuickTime

Realtek High Definition Audio Driver

Security Update for Windows Internet Explorer 7 (KB938127)

Security Update for Windows Internet Explorer 7 (KB944533)

Security Update for Windows Internet Explorer 7 (KB982381)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player 11 (KB936782)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923789)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB971961)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977165-v2)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978251)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979559)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB980195)

Security Update for Windows XP (KB980218)

Security Update for Windows XP (KB980232)

Security Update for Windows XP (KB981349)

Sunix PCI Multi-I/O Driver V6.001

Symantec pcAnywhere

TouchKit

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Windows Internet Explorer 7 (KB980182)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

Verizon High Speed Internet

Visual Retail Plus Ver 7

Windows Imaging Component

Windows Media Format 11 runtime

Windows Media Format 11 runtime

Windows Media Format SDK Hotfix - KB891122

Windows Media Player 11

Windows Media Player 11

Windows Presentation Foundation

Windows XP Service Pack 3

WinRAR archiver


Step 1

Please, uninstall the following applications:

  1. Adobe Reader 7.0

You can read how to do this here:

Step 2

Please, open HiJackThis and select Do a system scan only.

Check the following entries:

O4 - HKLM\..\Run: [Vnukopa] rundll32.exe "C:\WINDOWS\ujisejadaza.dll",Startup

Then, close all open windows except that of HijackThis, and select Fix Checked.

Step 3

Go into C:\Program Files\Malwarebytes' Anti-Malware and you will see a file called mbam.exe. Right-click on it, drop down to Rename, and change the name from mbam.exe to firefox.com. Then please restart your computer.

Step 4

  • Launch Malwarebytes' Anti-Malware
  • Go to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
  • Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

In your next reply, please include these log(s):

  1. MalwareBytes' Anti-Malware log
  2. a new fresh HiJackThis log


When I was running the quick scan, Malwarebytes said some files were trying to damage my computer or something; I clicked Quarantine for all of them. Don't know if it makes much difference. Anyway, here are the two logs:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4264

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

7/1/2010 12:28:19 PM

mbam-log-2010-07-01 (12-28-19).txt

Scan type: Quick scan

Objects scanned: 138406

Time elapsed: 13 minute(s), 23 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\24d1ca9a-a864-4f7b-86fe-495eb56529d8 (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\7bde84a2-f58f-46ec-9eac-f1f90fead080 (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\Temp\usow.exe (Trojan.Zbot) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\l_acc0037.exe (Spyware.Passwords) -> Quarantined and deleted successfully.

----------------------------------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:30:46 PM, on 7/1/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.17055)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\TouchKit\xTouchMon.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Symantec\pcAnywhere\awhost32.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\EpStsSrv.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local

O1 - Hosts: 89.149.193.137 www.google.com

O1 - Hosts: 89.149.193.137 us.search.yahoo.com

O1 - Hosts: 89.149.193.137 uk.search.yahoo.com

O1 - Hosts: 89.149.193.137 search.yahoo.com

O1 - Hosts: 89.149.193.137 www.google.com.br

O1 - Hosts: 89.149.193.137 www.google.it

O1 - Hosts: 89.149.193.137 www.google.es

O1 - Hosts: 89.149.193.137 www.google.co.jp

O1 - Hosts: 89.149.193.137 www.google.com.mx

O1 - Hosts: 89.149.193.137 www.google.ca

O1 - Hosts: 89.149.193.137 www.google.com.au

O1 - Hosts: 89.149.193.137 www.google.nl

O1 - Hosts: 89.149.193.137 www.google.co.za

O1 - Hosts: 89.149.193.137 www.google.be

O1 - Hosts: 89.149.193.137 www.google.gr

O1 - Hosts: 89.149.193.137 www.google.at

O1 - Hosts: 89.149.193.137 www.google.se

O1 - Hosts: 89.149.193.137 www.google.ch

O1 - Hosts: 89.149.193.137 www.google.pt

O1 - Hosts: 89.149.193.137 www.google.dk

O1 - Hosts: 89.149.193.137 www.google.fi

O1 - Hosts: 89.149.193.137 www.google.ie

O1 - Hosts: 89.149.193.137 www.google.no

O1 - Hosts: 89.149.193.137 www.google.de

O1 - Hosts: 89.149.193.137 www.google.fr

O1 - Hosts: 89.149.193.137 www.google.co.uk

O1 - Hosts: 89.149.193.137 www.bing.com

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [xTouchMon] C:\Program Files\TouchKit\xTouchMon.exe

O4 - HKLM\..\Run: [ClearTKHandle] C:\Program Files\TouchKit\ClearTKHandle.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe"


I'm sorry, I don't know why it keeps cutting my logs in half when I post. I copy and paste everything!

I'm gonna try again with the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:30:46 PM, on 7/1/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.17055)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\TouchKit\xTouchMon.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Symantec\pcAnywhere\awhost32.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\EpStsSrv.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program



Attached it, just like I did before, but for some reason it didn't load. Every time I click Add Reply, it loads a page unconnected to the internet, as if I can't connect to this site's IP address. Maybe it cuts off after a certain amount of characters; I'm not sure. I'm telling you, I'm copying and pasting everything and hitting Add Reply, but nothing, and when something goes through, it's only half. I'm terribly sorry. Maybe I should just hold off till I'm on a safe computer and then post the log file.

BTW, an edit button would really help here.


Hope this last one works; if not, I'm going to wait till I get home and post the log from there.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:30:46 PM, on 7/1/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.17055)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\TouchKit\xTouchMon.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Symantec\pcAnywhere\awhost32.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\EpStsSrv.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend M


Hope this last one works; if not, I'm going to wait till I get home and post the log from there.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:30:46 PM, on 7/1/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.17055)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\TouchKit\xTouchMon.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Symantec\pcAnywhere\awhost32.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\EpStsSrv.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


Sorry it took forever.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:01:58 PM, on 7/2/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.17055)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\TouchKit\xTouchMon.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Symantec\pcAnywhere\awhost32.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\EpStsSrv.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\pos\rp7.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local

O1 - Hosts: 89.149.193.137 www.google.com

O1 - Hosts: 89.149.193.137 us.search.yahoo.com

O1 - Hosts: 89.149.193.137 uk.search.yahoo.com

O1 - Hosts: 89.149.193.137 search.yahoo.com

O1 - Hosts: 89.149.193.137 www.google.com.br

O1 - Hosts: 89.149.193.137 www.google.it

O1 - Hosts: 89.149.193.137 www.google.es

O1 - Hosts: 89.149.193.137 www.google.co.jp

O1 - Hosts: 89.149.193.137 www.google.com.mx

O1 - Hosts: 89.149.193.137 www.google.ca

O1 - Hosts: 89.149.193.137 www.google.com.au

O1 - Hosts: 89.149.193.137 www.google.nl

O1 - Hosts: 89.149.193.137 www.google.co.za

O1 - Hosts: 89.149.193.137 www.google.be

O1 - Hosts: 89.149.193.137 www.google.gr

O1 - Hosts: 89.149.193.137 www.google.at

O1 - Hosts: 89.149.193.137 www.google.se

O1 - Hosts: 89.149.193.137 www.google.ch

O1 - Hosts: 89.149.193.137 www.google.pt

O1 - Hosts: 89.149.193.137 www.google.dk

O1 - Hosts: 89.149.193.137 www.google.fi

O1 - Hosts: 89.149.193.137 www.google.ie

O1 - Hosts: 89.149.193.137 www.google.no

O1 - Hosts: 89.149.193.137 www.google.de

O1 - Hosts: 89.149.193.137 www.google.fr

O1 - Hosts: 89.149.193.137 www.google.co.uk

O1 - Hosts: 89.149.193.137 www.bing.com

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [xTouchMon] C:\Program Files\TouchKit\xTouchMon.exe

O4 - HKLM\..\Run: [ClearTKHandle] C:\Program Files\TouchKit\ClearTKHandle.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (rootkit-scan)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [Vnukopa] rundll32.exe "C:\WINDOWS\ujisejadaza.dll",Startup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1202951857765

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: EPSON ESC/POS Status Service (EPSON ESCPOS Status Service) - SEIKO EPSON Corp. - C:\WINDOWS\SYSTEM32\EpStsSrv.exe

O23 - Service: Workstation lanmanworkstationdmserver (lanmanworkstationdmserver) - Unknown owner - C:\WINDOWS\system32\ahuia.exe (file missing)

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: Remote Desktop Help Session Manager RDSessMgrwuauserv (RDSessMgrwuauserv) - Unknown owner - C:\WINDOWS\system32\adsntl.exe (file missing)

O23 - Service: Telephony TapiSrvPlugPlay (TapiSrvPlugPlay) - Unknown owner - C:\WINDOWS\system32\1054n.exe

O23 - Service: Network Provisioning Service xmlprovAlerter (xmlprovAlerter) - Unknown owner - C:\WINDOWS\system32\acelpdecx.exe (file missing)

--

End of file - 6380 bytes

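The O1, O4 and O23 lines in the log above are the ones worth reading first: every major search engine is mapped in the hosts file to 89.149.193.137, an HKLM Run entry launches rundll32.exe on C:\WINDOWS\ujisejadaza.dll from outside the system directories, and four services have an unknown owner or a missing binary. The Python below is an added triage example, not code from this thread or from HijackThis: it parses those line types and reports the same indicators. The sample lines are copied from the log above; the allow-list of hosts-file addresses and the list of trusted DLL directories are this example's own assumptions.

```python
"""Triage of HijackThis log lines for three indicators visible in the log
above: hosts entries redirecting well-known sites to a non-loopback address,
Run entries that load a DLL through rundll32 from outside the system
directories, and services with an unknown owner or a missing binary.
Added example; not part of the thread and not HijackThis code."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Constructed sample input: lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O1 - Hosts: 89.149.193.137 www.google.com
O1 - Hosts: 89.149.193.137 search.yahoo.com
O1 - Hosts: 89.149.193.137 www.bing.com
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Vnukopa] rundll32.exe "C:\WINDOWS\ujisejadaza.dll",Startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Telephony TapiSrvPlugPlay (TapiSrvPlugPlay) - Unknown owner - C:\WINDOWS\system32\1054n.exe
O23 - Service: Network Provisioning Service xmlprovAlerter (xmlprovAlerter) - Unknown owner - C:\WINDOWS\system32\acelpdecx.exe (file missing)
"""

# Assumption: a hosts entry may only point at loopback/unspecified addresses.
ALLOWED_HOSTS_IPS = {"127.0.0.1", "0.0.0.0", "::1"}
# Assumption: where a rundll32-loaded DLL is expected to live.  A bare DLL
# name resolves through the search path, so it is treated as untrusted too.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files\\")

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)$")
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\]\s+(.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")
# rundll32 may be bare or fully qualified; the DLL argument may be quoted.
RUNDLL_RE = re.compile(r'^(?:"?[^"]*\\)?rundll32(?:\.exe)?"?\s+"?([^",]+)', re.IGNORECASE)


@dataclass
class Finding:
    kind: str
    severity: str
    line: str
    detail: dict = field(default_factory=dict)


def check_hosts(line):
    m = HOSTS_RE.match(line)
    if not m or m.group(1) in ALLOWED_HOSTS_IPS:
        return []
    return [Finding("hosts_redirect", "high", line, {"ip": m.group(1), "host": m.group(2)})]


def check_run(line):
    m = RUN_RE.match(line)
    if not m:
        return []
    hive, name, command = m.groups()
    r = RUNDLL_RE.match(command)
    if not r or r.group(1).strip().lower().startswith(TRUSTED_DLL_DIRS):
        return []
    return [Finding("rundll32_foreign_dll", "high", line,
                    {"hive": hive, "name": name, "dll": r.group(1).strip()})]


def check_service(line):
    m = SERVICE_RE.match(line)
    if not m:
        return []
    display, owner, path = (g.strip() for g in m.groups())
    out = []
    if owner.lower() == "unknown owner":
        out.append(Finding("service_unknown_owner", "medium", line, {"service": display, "path": path}))
    if path.lower().endswith("(file missing)"):
        out.append(Finding("service_file_missing", "medium", line, {"service": display, "path": path}))
    return out


def triage(log_text):
    """Run every check over every non-empty line and collect the findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            for check in (check_hosts, check_run, check_service):
                findings.extend(check(line))
    return findings


def redirect_map(findings):
    """Group hosts redirects by destination: many search engines pointing at
    one address is the shape of a search hijack rather than a stray entry."""
    targets = defaultdict(set)
    for f in findings:
        if f.kind == "hosts_redirect":
            targets[f.detail["ip"]].add(f.detail["host"])
    return {ip: sorted(hosts) for ip, hosts in targets.items()}


def kind_counts(findings):
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.severity}] {f.kind}: {f.line}")
    for ip, hosts in redirect_map(found).items():
        print(f"{len(hosts)} hostnames redirected to {ip}")
```

Run against the full log above, the hosts check fires 27 times on the same address, which is why redirect_map groups by destination: one IP collecting every search engine is a single hijack, not 27 separate problems, and the fix is to restore the hosts file rather than to delete entries one at a time.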

1. Please download ComboFix from: http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Save it on your Desktop.

3. Open Notepad and copy and paste the text in the code box below into it:

Collect::[8]
C:\WINDOWS\ujisejadaza.dll

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

(screenshot: CFScriptB-4.gif)

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.


Here's the log:

ComboFix 10-07-01.02 - Owner_2 07/03/2010 12:49:55.1.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.730 [GMT -4:00]

Running from: c:\documents and settings\Owner_2\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Owner_2\Desktop\CFScript.txt

file zipped: c:\windows\ujisejadaza.dll

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Owner_2\Local Settings\Application Data\{BABEB4DB-0EBF-4D4B-9AFA-23EE0958E455}

c:\documents and settings\Owner_2\Local Settings\Application Data\{BABEB4DB-0EBF-4D4B-9AFA-23EE0958E455}\chrome.manifest

c:\documents and settings\Owner_2\Local Settings\Application Data\{BABEB4DB-0EBF-4D4B-9AFA-23EE0958E455}\chrome\content\_cfg.js

c:\documents and settings\Owner_2\Local Settings\Application Data\{BABEB4DB-0EBF-4D4B-9AFA-23EE0958E455}\chrome\content\overlay.xul

c:\documents and settings\Owner_2\Local Settings\Application Data\{BABEB4DB-0EBF-4D4B-9AFA-23EE0958E455}\install.rdf

c:\windows\system32\1054n.exe

c:\windows\system32\2121545666.dat

c:\windows\system32\3640667064.dat

c:\windows\system32\drivers\tpuecu.sys

c:\windows\system32\drivers\wamcpbh.sys

c:\windows\system32\drivers\wrollp.sys

c:\windows\system32\rundll32.exe.exe

c:\windows\ujisejadaza.dll

Infected copy of c:\windows\system32\DRIVERS\RDPCDD.sys was found and disinfected

Restored copy from - Kitty had a snack :)

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_LANMANWORKSTATIONDMSERVER

-------\Legacy_PRAGMAOUUFHTRPPR

-------\Legacy_RDSESSMGRWUAUSERV

-------\Legacy_TAPISRVPLUGPLAY

-------\Legacy_XMLPROVALERTER

-------\Service_lanmanworkstationdmserver

-------\Service_PRAGMAouufhtrppr

-------\Service_RDSessMgrwuauserv

-------\Service_TapiSrvPlugPlay

-------\Service_xmlprovAlerter

-------\Legacy_dbngqyr

-------\Legacy_gnivu

-------\Legacy_xygiow

-------\Service_dbngqyr

-------\Service_gnivu

-------\Service_xygiow

((((((((((((((((((((((((( Files Created from 2010-06-03 to 2010-07-03 )))))))))))))))))))))))))))))))

.

2010-07-03 16:37 . 2004-08-04 12:00 4224 -c--a-w- c:\windows\system32\dllcache\rdpcdd.sys

2010-07-03 16:37 . 2004-08-04 12:00 4224 ----a-w- c:\windows\system32\drivers\RDPCDD.sys

2010-06-29 15:30 . 2010-06-29 15:30 -------- d-----w- c:\program files\Trend Micro

2010-06-28 22:01 . 2010-06-28 22:02 -------- d-----w- c:\documents and settings\Owner_2\Application Data\QuickScan

2010-06-28 22:00 . 2010-05-31 20:34 702120 ----a-w- c:\documents and settings\Owner_2\Application Data\Mozilla\Firefox\Profiles\jovzbn6a.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll

2010-06-28 22:00 . 2010-05-31 20:34 868456 ----a-w- c:\documents and settings\Owner_2\Application Data\Mozilla\Firefox\Profiles\jovzbn6a.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll

2010-06-28 21:41 . 2010-06-28 21:41 388608 ----a-w- c:\windows\iexplorer(2)(2).exe

2010-06-28 20:04 . 2010-06-28 20:04 -------- d-----w- c:\program files\NOS

2010-06-28 20:04 . 2010-03-29 12:53 32576 ----a-w- c:\documents and settings\Owner_2\Application Data\Mozilla\Firefox\Profiles\jovzbn6a.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll

2010-06-28 20:04 . 2010-03-29 12:53 29984 ----a-w- c:\documents and settings\Owner_2\Application Data\Mozilla\Firefox\Profiles\jovzbn6a.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe

2010-06-28 19:11 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-28 19:11 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-20 15:04 . 2010-06-28 17:12 4294968579 --sha-w- c:\windows\system32\ansiz.sys

2010-06-17 14:32 . 2010-06-17 14:32 -------- d-----w- c:\windows\system32\scripting

2010-06-17 14:32 . 2010-06-17 14:32 -------- d-----w- c:\windows\system32\en

2010-06-17 14:32 . 2010-06-17 14:32 -------- d-----w- c:\windows\l2schemas

2010-06-17 14:32 . 2010-06-17 14:32 -------- d-----w- c:\windows\system32\bits

2010-06-17 14:22 . 2010-06-17 14:22 -------- d-----w- c:\windows\EHome

2010-06-17 14:11 . 2010-06-28 13:54 0 ----a-w- c:\windows\system32\adsntlp.sys

2010-06-10 18:34 . 2010-07-03 13:52 120 ----a-w- c:\windows\Frinanivagoxoyi.dat

2010-06-10 18:34 . 2010-07-03 13:52 0 ----a-w- c:\windows\Knefijike.bin

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-01 16:09 . 2010-03-30 16:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-28 20:30 . 2010-03-30 14:32 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2010-06-17 14:33 . 2008-02-13 19:26 77423 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

2010-05-24 20:39 . 2010-04-11 18:55 -------- d-----w- c:\program files\iTunes

2010-05-04 17:20 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll

2010-05-04 17:20 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-05-04 17:20 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll

2010-05-02 05:22 . 2004-08-04 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-20 05:30 . 2004-08-04 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-19 15:36 . 2010-04-19 15:36 15596 ---ha-w- c:\windows\system32\mlfcache.dat

2010-04-11 18:57 . 2009-09-11 17:25 17760 ----a-w- c:\documents and settings\Owner_2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2007-04-26 16132608]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-17 142104]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-17 162584]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-17 138008]

"xTouchMon"="c:\program files\TouchKit\xTouchMon.exe" [2006-04-17 196608]

"ClearTKHandle"="c:\program files\TouchKit\ClearTKHandle.exe" [2006-04-17 114688]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]

2004-11-01 16:50 8704 ----a-w- c:\windows\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\pos\\rptcpIP.exe"=

R1 NmPar;MosChip PCI Parallel Port;c:\windows\system32\drivers\NmPar.sys [11/2/2009 2:18 PM 76416]

R2 EPSON ESCPOS Status Service;EPSON ESC/POS Status Service;EpStsSrv.exe --> EpStsSrv.exe [?]

R2 Esdpdx01;Esdpdx01;c:\windows\system32\drivers\ESDPDX01.SYS [12/25/2003 1:00 PM 95485]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/28/2010 3:11 PM 304464]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/28/2010 3:11 PM 20952]

S3 EGXFilter;EGXFilter;c:\windows\system32\drivers\EGXFilter.sys [6/17/2008 7:25 PM 90624]

S3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [3/30/2010 10:16 AM 9472]

S3 SNXPCARD;SNXPCARD;c:\windows\system32\drivers\snxpcard.sys [2/15/2008 3:54 PM 23040]

S3 SNXPSERX;SNXPSERX;c:\windows\system32\drivers\snxpserx.sys [2/15/2008 3:54 PM 56320]

S3 xTouch;xTouch;c:\windows\system32\drivers\xtouch.sys [3/22/2006 1:59 AM 77952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

.

Contents of the 'Scheduled Tasks' folder

2010-06-30 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Settings,ProxyOverride = local

FF - ProfilePath - c:\documents and settings\Owner_2\Application Data\Mozilla\Firefox\Profiles\jovzbn6a.default\

FF - component: c:\documents and settings\Owner_2\Application Data\Mozilla\Firefox\Profiles\jovzbn6a.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll

FF - plugin: c:\documents and settings\Owner_2\Application Data\Mozilla\Firefox\Profiles\jovzbn6a.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll

FF - plugin: c:\documents and settings\Owner_2\Application Data\Mozilla\Firefox\Profiles\jovzbn6a.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-Malwarebytes Anti-Malware (rootkit-scan) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe

HKLM-Run-Vnukopa - c:\windows\ujisejadaza.dll

AddRemove-O Driver V6.001 Setup - c:\program files\Sunix\PCI_MultiIO_Driver\uninst.exe Software\Sunix\PCI_MultiIO_Driver\Setup

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-03 12:57

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3560)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Symantec\pcAnywhere\awhost32.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\EpStsSrv.exe

c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

c:\windows\RTHDCPL.EXE

c:\windows\system32\igfxsrvc.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe

.

**************************************************************************

.

Completion time: 2010-07-03 13:02:06 - machine was rebooted

ComboFix-quarantined-files.txt 2010-07-03 17:02

Pre-Run: 64,540,938,240 bytes free

Post-Run: 65,189,810,176 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 5B9DD1C66F8DDA44F0882E430B1DAD40

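Two entries in the "Reg Loading Points" section of the ComboFix log above record weakened protections rather than malware files: Security Center alerting is overridden for both antivirus and firewall (AntiVirusOverride and FirewallOverride set to 1), and the standard-profile Windows Firewall is off (EnableFirewall = 0). Both are worth re-checking once the cleanup is done. The Python below is an added example, not ComboFix's code or part of the thread: it parses ComboFix's REGEDIT4-style dump, including the `0 (0x0)` DWORD decoration and the abbreviated `HKLM\~` prefix (which this example treats as SYSTEM\CurrentControlSet, an assumption), and reports those posture problems together with the firewall exception list for review. The sample lines are copied from the log above.

```python
"""Posture check over a ComboFix 'Reg Loading Points' dump.  ComboFix prints
the section in REGEDIT4 syntax with two decorations: DWORDs may appear as
`dword:00000001` or as `0 (0x0)`, and HKLM\SYSTEM\CurrentControlSet is
abbreviated to HKLM\~ (assumption about the abbreviation).  Added example,
not ComboFix's code or part of the original thread."""
import re

# Constructed sample input: lines copied from the ComboFix log above.
SAMPLE_DUMP = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\pos\\rptcpIP.exe"=
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# A quoted value name (with .reg backslash escapes) or @ for the default value.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)\s*=\s*(.*)$')
DECORATED_DWORD_RE = re.compile(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$")

SECURITY_CENTER = "hklm\\software\\microsoft\\security center"
FIREWALL_PROFILE = ("hklm\\system\\currentcontrolset\\services\\sharedaccess"
                    "\\parameters\\firewallpolicy\\standardprofile")


def unescape(text):
    """Undo .reg escaping: every backslash-escaped character stands for itself."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_value(raw):
    raw = raw.strip()
    if raw == "":
        return None                        # ComboFix lists name-only entries as "name"=
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = DECORATED_DWORD_RE.match(raw)
    if m:
        return int(m.group(1))             # ComboFix's "0 (0x0)" form
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return unescape(raw[1:-1])
    return raw


def normalize_key(key):
    key = key.strip().lower().replace("hkey_local_machine", "hklm")
    return key.replace("hklm\\~\\", "hklm\\system\\currentcontrolset\\")


def parse_dump(text):
    """Return {normalized key: {value name: parsed value}}."""
    tree, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "REGEDIT4":
            continue
        k = KEY_RE.match(line)
        if k:
            current = tree.setdefault(normalize_key(k.group(1)), {})
            continue
        v = VALUE_RE.match(line)
        if v and current is not None:
            name = unescape(v.group(1)) if v.group(1) is not None else "@"
            current[name] = parse_value(v.group(2))
    return tree


def assess(tree):
    """Return (finding, detail) pairs for weakened protections."""
    findings = []
    centre = tree.get(SECURITY_CENTER, {})
    for name in ("AntiVirusOverride", "FirewallOverride"):
        if centre.get(name) == 1:          # 1 = Security Center stops alerting for this class
            findings.append(("security_center_override", name))
    if tree.get(FIREWALL_PROFILE, {}).get("EnableFirewall") == 0:
        findings.append(("firewall_disabled", "standardprofile"))
    for path in tree.get(FIREWALL_PROFILE + "\\authorizedapplications\\list", {}):
        findings.append(("firewall_exception", path))   # listed for manual review
    return findings


if __name__ == "__main__":
    for kind, detail in assess(parse_dump(SAMPLE_DUMP)):
        print(f"{kind}: {detail}")
```

The exception list is reported rather than judged: sessmgr.exe and mDNSResponder.exe are ordinary, while a POS binary under c:\pos is this machine's line-of-business software, so only someone who knows the host can say which exemptions belong there.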

Here is the result:

File HijackThis.exe received on 2010.07.03 12:32:52 (UTC)

Current status: finished

Result: 0/41 (0.00%)


Antivirus Version Last Update Result

a-squared 5.0.0.31 2010.07.03 -

AhnLab-V3 2010.07.03.00 2010.07.03 -

AntiVir 8.2.4.2 2010.07.02 -

Antiy-AVL 2.0.3.7 2010.07.02 -

Authentium 5.2.0.5 2010.07.03 -

Avast 4.8.1351.0 2010.07.03 -

Avast5 5.0.332.0 2010.07.03 -

AVG 9.0.0.836 2010.07.03 -

BitDefender 7.2 2010.07.03 -

CAT-QuickHeal 11.00 2010.06.30 -

ClamAV 0.96.0.3-git 2010.07.03 -

Comodo 5300 2010.07.03 -

DrWeb 5.0.2.03300 2010.07.03 -

eSafe 7.0.17.0 2010.06.30 -

eTrust-Vet 36.1.7684 2010.07.03 -

F-Prot 4.6.1.107 2010.07.02 -

F-Secure 9.0.15370.0 2010.07.03 -

Fortinet 4.1.133.0 2010.07.03 -

GData 21 2010.07.03 -

Ikarus T3.1.1.84.0 2010.07.03 -

Jiangmin 13.0.900 2010.07.03 -

Kaspersky 7.0.0.125 2010.07.03 -

McAfee 5.400.0.1158 2010.07.03 -

McAfee-GW-Edition 2010.1 2010.07.02 -

Microsoft 1.5902 2010.07.03 -

NOD32 5248 2010.07.03 -

Norman 6.05.10 2010.07.03 -

nProtect 2010-07-03.02 2010.07.03 -

Panda 10.0.2.7 2010.07.02 -

PCTools 7.0.3.5 2010.07.02 -

Prevx 3.0 2010.07.03 -

Rising 22.54.04.04 2010.07.02 -

Sophos 4.54.0 2010.07.03 -

Sunbelt 6539 2010.07.03 -

Symantec 20101.1.0.89 2010.07.03 -

TheHacker 6.5.2.1.307 2010.07.01 -

TrendMicro 9.120.0.1004 2010.07.03 -

TrendMicro-HouseCall 9.120.0.1004 2010.07.03 -

VBA32 3.12.12.5 2010.07.02 -

ViRobot 2010.7.3.3920 2010.07.03 -

VirusBuster 5.0.27.0 2010.07.02 -

Additional information

File size: 388608 bytes

MD5 : 9a2347903d6edb84c10f288bc0578c1c

SHA1 : ae96a47e781ed600704b0b040f6b5c8a92ac5e51

SHA256: 5dca5dad7a63810dacee7f38c098a7b2d68617bf8175f05147e44d19dfa57a04

PEInfo: PE Structure information

( base data )

entrypointaddress.: 0x141850

timedatestamp.....: 0x4BC36B8B (Mon Apr 12 20:50:51 2010)

machinetype.......: 0x14C (Intel I386)

( 3 sections )

name viradd virsiz rawdsiz ntrpy md5

UPX0 0x1000 0xFD000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e

UPX1 0xFE000 0x44000 0x43C00 7.93 b734d97bc40c26be68087be61dd2a5b8

.rsrc 0x142000 0x1B000 0x1AE00 4.69 e630cabf0b4d798ebc7b64df390d23f3

( 2 imports )

> kernel32.dll: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess

> msvbvm60.dll: -

( 0 exports )

TrID : File type identification

UPX compressed Win32 Executable (39.5%)

Win32 EXE Yoda's Crypter (34.3%)

Win32 Executable Generic (11.0%)

Win32 Dynamic Link Library (generic) (9.8%)

Generic Win/DOS Executable (2.5%)

Symantec reputation: Suspicious.Insight http://www.symantec.com/security_response/...-021223-0550-99

ssdeep: 6144:XHgNL/htwPszyJNUFIuBgjV3b/ItgODuoPh4X464yv2jyE808x2LmLbwsuScGGS5:eVt8BURgxr/V+phmdE808YKXF

sigcheck: publisher....: Trend Micro Inc.

copyright....: © 2007 Trend Micro Inc

product......: HijackThis

description..: HijackThis

original name: HijackThis.exe

internal name: HijackThis

file version.: 2.00.0004

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned

PEiD : -

packers (Kaspersky): PE_Patch.UPX, UPX

packers (F-Prot): UPX

RDS : NSRL Reference Data Set


Thanks!

Open Notepad and copy and paste the text in the code box below into it:

File::
c:\windows\Frinanivagoxoyi.dat
c:\windows\Knefijike.bin

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

(screenshot: CFScriptB-4.gif)

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.


Here's the log:

ComboFix 10-07-03.01 - Owner_2 07/03/2010 20:43:24.2.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.626 [GMT -4:00]

Running from: c:\documents and settings\Owner_2\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Owner_2\Desktop\CFScript.txt

FILE ::

"c:\windows\Frinanivagoxoyi.dat"

"c:\windows\Knefijike.bin"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\Frinanivagoxoyi.dat

c:\windows\Knefijike.bin

.

((((((((((((((((((((((((( Files Created from 2010-06-04 to 2010-07-04 )))))))))))))))))))))))))))))))

.

2010-07-03 19:26 . 2010-07-03 19:26 2568656 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe

2010-07-03 16:37 . 2004-08-04 12:00 4224 -c--a-w- c:\windows\system32\dllcache\rdpcdd.sys

2010-07-03 16:37 . 2004-08-04 12:00 4224 ----a-w- c:\windows\system32\drivers\RDPCDD.sys

2010-06-29 15:30 . 2010-06-29 15:30 -------- d-----w- c:\program files\Trend Micro

2010-06-28 22:01 . 2010-06-28 22:02 -------- d-----w- c:\documents and settings\Owner_2\Application Data\QuickScan

2010-06-28 22:00 . 2010-05-31 20:34 702120 ----a-w- c:\documents and settings\Owner_2\Application Data\Mozilla\Firefox\Profiles\jovzbn6a.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll

2010-06-28 22:00 . 2010-05-31 20:34 868456 ----a-w- c:\documents and settings\Owner_2\Application Data\Mozilla\Firefox\Profiles\jovzbn6a.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll

2010-06-28 19:11 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-28 19:11 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-20 15:04 . 2010-06-28 17:12 4294968579 --sha-w- c:\windows\system32\ansiz.sys

2010-06-17 14:32 . 2010-06-17 14:32 -------- d-----w- c:\windows\system32\scripting

2010-06-17 14:32 . 2010-06-17 14:32 -------- d-----w- c:\windows\system32\en

2010-06-17 14:32 . 2010-06-17 14:32 -------- d-----w- c:\windows\l2schemas

2010-06-17 14:32 . 2010-06-17 14:32 -------- d-----w- c:\windows\system32\bits

2010-06-17 14:22 . 2010-06-17 14:22 -------- d-----w- c:\windows\EHome

2010-06-17 14:11 . 2010-06-28 13:54 0 ----a-w- c:\windows\system32\adsntlp.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-04 00:41 . 2010-03-30 14:32 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2010-07-01 16:09 . 2010-03-30 16:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-17 14:33 . 2008-02-13 19:26 77423 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

2010-05-24 20:39 . 2010-04-11 18:55 -------- d-----w- c:\program files\iTunes

2010-05-04 17:20 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll

2010-05-04 17:20 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-05-04 17:20 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll

2010-05-02 05:22 . 2004-08-04 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-20 05:30 . 2004-08-04 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-19 15:36 . 2010-04-19 15:36 15596 ---ha-w- c:\windows\system32\mlfcache.dat

2010-04-11 18:57 . 2009-09-11 17:25 17760 ----a-w- c:\documents and settings\Owner_2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

.

((((((((((((((((((((((((((((( SnapShot@2010-07-03_16.57.01 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-07-03 19:26 . 2010-07-03 19:26 231888 c:\windows\system32\Macromed\Flash\FlashUtil10h_Plugin.exe

+ 2010-01-27 01:07 . 2010-07-03 19:26 5612496 c:\windows\system32\Macromed\Flash\NPSWF32.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2007-04-26 16132608]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-17 142104]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-17 162584]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-17 138008]

"xTouchMon"="c:\program files\TouchKit\xTouchMon.exe" [2006-04-17 196608]

"ClearTKHandle"="c:\program files\TouchKit\ClearTKHandle.exe" [2006-04-17 114688]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]

2004-11-01 16:50 8704 ----a-w- c:\windows\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\pos\\rptcpIP.exe"=

R1 NmPar;MosChip PCI Parallel Port;c:\windows\system32\drivers\NmPar.sys [11/2/2009 2:18 PM 76416]

R2 EPSON ESCPOS Status Service;EPSON ESC/POS Status Service;EpStsSrv.exe --> EpStsSrv.exe [?]

R2 Esdpdx01;Esdpdx01;c:\windows\system32\drivers\ESDPDX01.SYS [12/25/2003 1:00 PM 95485]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/28/2010 3:11 PM 304464]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/28/2010 3:11 PM 20952]

S3 EGXFilter;EGXFilter;c:\windows\system32\drivers\EGXFilter.sys [6/17/2008 7:25 PM 90624]

S3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [3/30/2010 10:16 AM 9472]

S3 SNXPCARD;SNXPCARD;c:\windows\system32\drivers\snxpcard.sys [2/15/2008 3:54 PM 23040]

S3 SNXPSERX;SNXPSERX;c:\windows\system32\drivers\snxpserx.sys [2/15/2008 3:54 PM 56320]

S3 xTouch;xTouch;c:\windows\system32\drivers\xtouch.sys [3/22/2006 1:59 AM 77952]

.

Contents of the 'Scheduled Tasks' folder

2010-06-30 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Settings,ProxyOverride = local

FF - ProfilePath - c:\documents and settings\Owner_2\Application Data\Mozilla\Firefox\Profiles\jovzbn6a.default\

FF - component: c:\documents and settings\Owner_2\Application Data\Mozilla\Firefox\Profiles\jovzbn6a.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll

FF - plugin: c:\documents and settings\Owner_2\Application Data\Mozilla\Firefox\Profiles\jovzbn6a.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-03 20:49

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

Completion time: 2010-07-03 20:51:28

ComboFix-quarantined-files.txt 2010-07-04 00:51

ComboFix2.txt 2010-07-03 17:02

Pre-Run: 65,164,521,472 bytes free

Post-Run: 65,151,672,320 bytes free

- - End Of File - - 14FFA8FD7EC9BF373F99A5EC7D34F531

This topic is now closed to further replies.