
antivirus 2009 removal logs


bghp


Malwarebytes' Anti-Malware 1.30

Database version: 1422

Windows 5.1.2600 Service Pack 2

11/25/2008 11:21:13 AM

mbam-log-2008-11-25 (11-21-13).txt

Scan type: Full Scan (C:\|)

Objects scanned: 97695

Time elapsed: 43 minute(s), 16 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 2

Registry Keys Infected: 6

Registry Values Infected: 7

Registry Data Items Infected: 2

Folders Infected: 2

Files Infected: 74

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\kusewovi.dll (Trojan.Vundo.H) -> Delete on reboot.

c:\WINDOWS\system32\hezubuti.dll (Trojan.BHO) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{037c7b8a-151a-49e6-baed-cc05fcb50328} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8805ffcf (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\38607635945531555325633251357140 (Rogue.Antivirus 2009) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IEUpdate (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm8b36cc53 (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\morodoremo (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: c:\windows\system32\hezubuti.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: system32\hezubuti.dll -> Quarantined and deleted successfully.

Folders Infected:

C:\Program Files\Antivirus 2009 (Rogue.Antivirus 2009) -> Quarantined and deleted successfully.

C:\Documents and Settings\Rebecca\Start Menu\Antivirus 2009 (Rogue.Antivirus2008) -> Quarantined and deleted successfully.

Files Infected:

C:\WINDOWS\system32\kusewovi.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\ivowesuk.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\hezubuti.dll (Trojan.BHO) -> Delete on reboot.

C:\Documents and Settings\Rebecca\Local Settings\Temp\TDSS5261.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0104316.dll (Trojan.BHO) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0104334.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0104352.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0104310.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0104312.exe (Trojan.Clicker) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0104313.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0104314.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0104315.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0104317.dll (Adware.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0104318.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0104319.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0104320.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0104321.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0104322.dll (Adware.TargetServer) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0104323.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0104324.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0104325.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0104326.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0104327.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0104328.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0104329.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0104330.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0104331.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0104332.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0104333.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0104335.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0104337.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0104338.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0104340.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0104341.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0104342.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0104343.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0104344.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0104345.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0104346.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0104347.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0104348.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0104349.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0104350.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0104351.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0104353.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0104354.exe (Spyware.TargetSaver) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0104355.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0104356.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0104357.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0104358.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0104359.dll (Adware.CommAd) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0104360.exe (Adware.CommAd) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0104369.exe (Adware.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0104378.exe (Adware.ClickSpring) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0104379.exe (Adware.ClickSpring) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP652\A0104956.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP652\A0105956.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP652\A0105961.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\TDSScfub.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\TDSSnrsr.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\TDSSoeqh.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\TDSSriqp.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\TDSSpaxt.sys (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\TDSS6d4b.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\Program Files\Antivirus 2009\av2009.exe (Rogue.Antivirus 2009) -> Quarantined and deleted successfully.

C:\Documents and Settings\Rebecca\Start Menu\Antivirus 2009\Antivirus 2009.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.

C:\Documents and Settings\Rebecca\Start Menu\Antivirus 2009\Uninstall Antivirus 2009.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\TDSSosvn.dat (Malware.Trace) -> Quarantined and deleted successfully.

C:\Documents and Settings\Rebecca\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.

C:\Documents and Settings\Rebecca\Local Settings\Temp\TDSS51e4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\TDSS6c9f.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Rebecca\Local Settings\Temp\TDSS6404.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\TDSSfpmp.dll (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\TDSStkdv.log (Trojan.TDSS) -> Quarantined and deleted successfully.

;*******************************************************************************

ANALYSIS: 2008-11-25 13:02:13

PROTECTIONS: 2

MALWARE: 33

SUSPECTS: 1

;*******************************************************************************

PROTECTIONS

Description Version Active Updated

;===============================================================================

McAfee Internet Security Suite 2007 8.1 No Yes

McAfee VirusScan Plus 12.1 No No

;===============================================================================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===============================================================================

00047660 adware/sqwire Adware No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\tsa

00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\WINDOWS\Temp\Cookies\rebecca@casalemedia[1].txt

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\WINDOWS\Temp\Cookies\rebecca@doubleclick[1].txt

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Rebecca\Cookies\rebecca@atdmt[2].txt

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\LocalService\Cookies\system@atdmt[1].txt

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\WINDOWS\Temp\Cookies\rebecca@atdmt[2].txt

00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Rebecca\Cookies\rebecca@247realmedia[1].txt

00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\WINDOWS\Temp\Cookies\rebecca@fastclick[2].txt

00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\LocalService\Cookies\system@tribalfusion[2].txt

00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\WINDOWS\Temp\Cookies\rebecca@tribalfusion[2].txt

00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Rebecca\Cookies\rebecca@tribalfusion[1].txt

00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\WINDOWS\Temp\Cookies\rebecca@mediaplex[1].txt

00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Rebecca\Cookies\rebecca@com[1].txt

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\WINDOWS\Temp\Cookies\rebecca@ad.yieldmanager[2].txt

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\LocalService\Cookies\system@ad.yieldmanager[1].txt

00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\WINDOWS\Temp\Cookies\rebecca@apmebf[2].txt

00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Rebecca\Cookies\rebecca@server.iad.liveperson[2].txt

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Rebecca\Cookies\rebecca@advertising[1].txt

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\WINDOWS\Temp\Cookies\rebecca@advertising[1].txt

00169287 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\WINDOWS\Temp\Cookies\rebecca@adrevolver[1].txt

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Rebecca\Cookies\rebecca@ads.pointroll[2].txt

00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Rebecca\Cookies\rebecca@overture[2].txt

00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Rebecca\Cookies\rebecca@realmedia[1].txt

00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\WINDOWS\Temp\Cookies\rebecca@questionmarket[2].txt

00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\WINDOWS\Temp\Cookies\rebecca@zedo[2].txt

00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\WINDOWS\Temp\Cookies\rebecca@adrevolver[2].txt

00251146 Adware/SearchAid Adware No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0104380.vbs

00262492 Adware/CommAd Adware No 0 Yes No C:\WINDOWS\UmViZWNjYQ\oAp2tqh3sk.vbs

00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\WINDOWS\Temp\Cookies\rebecca@ads.addynamix[1].txt

00332832 Adware/DollarRevenue Adware No 1 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0104375.dll

00444112 Bck/Tdss.C Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP652\A0105983.sys

00449733 Bck/Tdss.C Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP652\A0105981.dll

00450047 Adware/GetPack Adware No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0104366.exe

00456116 Adware/Antivirus2009 Adware No 0 Yes No C:\Documents and Settings\Rebecca\Local Settings\Temporary Internet Files\Content.IE5\ANMHQB29\freescan[1].htm

00520936 Application/ViewPoint HackTools No 0 Yes No C:\Program Files\Viewpoint\Viewpoint Toolbar\3.7.0\ViewBarBHO.dll

01196325 Cookie/Enhance TrackingCookie No 0 Yes No C:\Documents and Settings\LocalService\Cookies\system@enhance[2].txt

02900692 Application/Playmp3z HackTools No 0 Yes No C:\Documents and Settings\Rebecca\Shared\sexy kanna.zip[setup.exe]

03939308 Adware/XPAntiSpyware2009 Adware No 1 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP652\A0105980.dll

03939310 Adware/UltimateDefender Adware No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP652\A0105982.dll

;===============================================================================

SUSPECTS

Sent Location

;===============================================================================

No C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.7.0\ViewBar.dll

;===============================================================================

VULNERABILITIES

Id Severity Description

;===============================================================================

;===============================================================================

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:27:28 PM, on 11/25/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\system32\PRISMSVC.EXE

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\PRISMSVR.EXE

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Dell Wireless\PRISMCFG.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/apps/msk/en-us/redir....ystempopup=true

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: (no name) - {97e9748b-17b4-4aa5-81fb-c3ca8a336b40} - C:\WINDOWS\system32\rotirufe.dll (file missing)

O3 - Toolbar: (no name) - {9FB3908C-6565-4CB0-95F8-E9F85258723C} - (no file)

O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.7.0\IEViewBar.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey

O4 - HKLM\..\Run: [morodoremo] Rundll32.exe "C:\WINDOWS\system32\nusayuta.dll",s

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKUS\S-1-5-19\..\Run: [morodoremo] Rundll32.exe "C:\WINDOWS\system32\nusayuta.dll",s (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [morodoremo] Rundll32.exe "C:\WINDOWS\system32\nusayuta.dll",s (User 'NETWORK SERVICE')

O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -

O20 - AppInit_DLLs: C:\WINDOWS\system32\nejudazo.dll c:\windows\system32\dazetaha.dll c:\windows\system32\vuwizodi.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe

O23 - Service: PRISMSVC - Conexant Systems, Inc. - C:\WINDOWS\system32\PRISMSVC.EXE

--

End of file - 6828 bytes


Please uninstall the following software:

Java (j2re1.4.2_03)

We will install the latest version once you are clean

ViewPoint Toolbar

ViewPoint Manager Service

Click Start-->Control Panel-->Add/Remove Programs... scroll down the list to locate the program names and click Remove for each. Reboot when finished uninstalling.

Please download the KILLBOX. Save it to your desktop.

Open killbox.exe... First, click on Tools-->Delete Temp Files.

A box will open with a list of all user profiles.

Check the following boxes at a minimum for each profile by clicking on the drop down and checking the boxes that are enabled. Some will not apply and those boxes will not be available to check. Make sure you do this for all the profiles listed.

Temporary Internet Files

Temp Files

XP Prefetch

If you want to clean your cookies, history, and list of recently run files, you may check those boxes as well... Next, click on the button titled Delete Selected Temp Files.

Exit by clicking the button titled Exit (Save Settings).

Once back into the main killbox program, check the box Delete on Reboot. Now, highlight all the entries below in Bold text and then copy them.

C:\WINDOWS\system32\nusayuta.dll

C:\WINDOWS\system32\nejudazo.dll

c:\windows\system32\dazetaha.dll

c:\windows\system32\vuwizodi.dll

Then in killbox click File-->Paste from Clipboard... Now, click the All Files button.

Next, click the Red X... and for the confirmation message that will appear, you will need to click Yes.

A second message will ask "Reboot now?"; you will need to click No for now.

Note: Killbox will let you know if a file does not exist.

If you have any issues with this method, you can copy and paste the lines one at a time into the killbox top box. Then click the "Single File" button. Then click the Red X... and for the confirmation message that will appear, you will need to click Yes. A second message will ask "Reboot now?"; you will need to click No until you've completed the instructions below.

Next, please run HijackThis again and check the box next to the following entries:

O2 - BHO: (no name) - {97e9748b-17b4-4aa5-81fb-c3ca8a336b40} - C:\WINDOWS\system32\rotirufe.dll (file missing)

O3 - Toolbar: (no name) - {9FB3908C-6565-4CB0-95F8-E9F85258723C} - (no file)

O4 - HKLM\..\Run: [morodoremo] Rundll32.exe "C:\WINDOWS\system32\nusayuta.dll",s

O4 - HKUS\S-1-5-19\..\Run: [morodoremo] Rundll32.exe "C:\WINDOWS\system32\nusayuta.dll",s (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [morodoremo] Rundll32.exe "C:\WINDOWS\system32\nusayuta.dll",s (User 'NETWORK SERVICE')

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -

O20 - AppInit_DLLs: C:\WINDOWS\system32\nejudazo.dll c:\windows\system32\dazetaha.dll c:\windows\system32\vuwizodi.dll

Now please reboot the system and run a manual update of mbam. Please run a fresh "Quick scan". Please post back that log along with a fresh HijackThis log. Thanks!


OK, I have followed the directions to the best of my ability.

There is no "nusayuta.dll" file on the computer.

Each time I restart the computer, it also warns that it does not exist.

Of the remaining 3 files I was asked to copy, only the "nejudazo.dll" file exists, but it will not allow itself to be deleted.

Below are the two logs you asked to be posted.

Malwarebytes' Anti-Malware 1.30

Database version: 1427

Windows 5.1.2600 Service Pack 2

11/26/2008 2:34:56 PM

mbam-log-2008-11-26 (14-34-49).txt

Scan type: Quick Scan

Objects scanned: 53127

Time elapsed: 4 minute(s), 15 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\morodoremo (Trojan.Agent) -> No action taken.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:35:30 PM, on 11/26/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\PRISMSVR.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Dell Wireless\PRISMCFG.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\system32\PRISMSVC.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/apps/msk/en-us/redir....ystempopup=true

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: (no name) - {97e9748b-17b4-4aa5-81fb-c3ca8a336b40} - C:\WINDOWS\system32\rotirufe.dll (file missing)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

O4 - HKLM\..\Run: [morodoremo] Rundll32.exe "C:\WINDOWS\system32\nusayuta.dll",s

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKUS\S-1-5-19\..\Run: [morodoremo] Rundll32.exe "C:\WINDOWS\system32\nusayuta.dll",s (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [morodoremo] Rundll32.exe "C:\WINDOWS\system32\nusayuta.dll",s (User 'NETWORK SERVICE')

O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O20 - AppInit_DLLs: C:\WINDOWS\system32\nejudazo.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe

O23 - Service: PRISMSVC - Conexant Systems, Inc. - C:\WINDOWS\system32\PRISMSVC.EXE

--

End of file - 5960 bytes

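As an added example (not code from the thread, HijackThis or Malwarebytes), the following Python script applies the same triage heuristics the helper used when choosing entries for the poster to fix: orphaned O2/O3 CLSIDs, O4 Run values that load a DLL through Rundll32.exe, the same O4 value replicated into the LOCAL SERVICE / NETWORK SERVICE hives, and any O20 AppInit_DLLs entry. The sample log is constructed from lines quoted in this thread.

```python
"""Triage of HijackThis-style log lines for the autostart patterns discussed in this thread.

Added example for this page, not code from HijackThis, Malwarebytes or the forum helper.
The heuristics mirror what the helper asked the poster to fix:
  * O2 BHO / O3 toolbar entries with no name or no backing file (orphaned CLSIDs),
  * O4 Run values that load a DLL through Rundll32.exe,
  * the same O4 value repeated under HKLM and the HKUS\\S-1-5-19 / S-1-5-20 service hives,
  * any O20 AppInit_DLLs entry (HijackThis only prints O20 when the value is non-empty).
"""
import re
from collections import defaultdict

# Constructed sample log: a handful of lines modelled on the entries quoted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {97e9748b-17b4-4aa5-81fb-c3ca8a336b40} - C:\WINDOWS\system32\rotirufe.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: (no name) - {9FB3908C-6565-4CB0-95F8-E9F85258723C} - (no file)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [morodoremo] Rundll32.exe "C:\WINDOWS\system32\nusayuta.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [morodoremo] Rundll32.exe "C:\WINDOWS\system32\nusayuta.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [morodoremo] Rundll32.exe "C:\WINDOWS\system32\nusayuta.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?
O20 - AppInit_DLLs: C:\WINDOWS\system32\nejudazo.dll c:\windows\system32\dazetaha.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# "O4 - <body>" / "R1 - <body>"; everything else in the log (header, process list) is ignored.
HJT_LINE = re.compile(r"^(?P<section>[OR]\d+)\s+-\s+(?P<body>.*)$")

# Body of an O4 registry Run entry: hive, value name, command, optional "(User '...')" suffix.
O4_RUN = re.compile(
    r"^(?P<hive>HK[A-Z]+(?:\\S-1-5-\d+)?)\\\.\.\\Run:\s+\[(?P<name>[^\]]*)\]\s+"
    r"(?P<cmd>.*?)(?:\s+\(User '[^']*'\))?$"
)


def parse_hjt(text):
    """Return (section, body) pairs for every O*/R* line in a HijackThis log."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(text):
    """Return a list of findings; each is a dict with section, kind and detail."""
    findings = []
    run_hives = defaultdict(set)  # (value name, command) -> hives the value appears under

    for section, body in parse_hjt(text):
        if section == "O2" and ("(no name)" in body or "(file missing)" in body):
            findings.append({"section": section, "kind": "orphan_bho", "detail": body})
        elif section == "O3" and ("(no name)" in body or "(no file)" in body):
            findings.append({"section": section, "kind": "orphan_toolbar", "detail": body})
        elif section == "O4":
            m = O4_RUN.match(body)
            if not m:
                continue  # Global Startup / .lnk entries are not registry Run values
            hive, name, cmd = m.group("hive"), m.group("name"), m.group("cmd")
            run_hives[(name, cmd)].add(hive)
            if "rundll32" in cmd.lower():
                findings.append({"section": section, "kind": "rundll32_loader",
                                 "detail": f"{hive} [{name}] {cmd}"})
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs is a space-separated list; one finding per DLL.
            for dll in body.split(":", 1)[1].split():
                findings.append({"section": section, "kind": "appinit_dll", "detail": dll})

    # A Run value copied into the LOCAL SERVICE / NETWORK SERVICE hives is the replication
    # pattern in the thread's log ("morodoremo" under HKLM, S-1-5-19 and S-1-5-20).
    for (name, cmd), hives in run_hives.items():
        if len(hives) > 1 and any(h.startswith("HKUS\\S-1-5-") for h in hives):
            findings.append({"section": "O4", "kind": "run_replicated_service_hives",
                             "detail": f"[{name}] in {', '.join(sorted(hives))}: {cmd}"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:<4}{f['kind']:<30}{f['detail']}")
```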
Please download ComboFix from This Webpage... and read through the instructions there for running the tool.

***Important Note***

Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It's a simple procedure that will only take a few moments.

Once installed, a blue screen prompt should appear that reads as follows:

The Recovery Console was successfully installed.

When you see that screen, please continue as follows:

  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please post back the following on your next reply:

C:\ComboFix.txt

New HijackThis log.

I am assuming that I still need to go further to rid myself of this virus?

I have been doing all this on my teenage niece's computer.

Being without the internet has been painful for her the last few days and impossible during the holiday.

I think she is on her computer as I write this, doing the usual AIM and Facebook and other internet activities.

Once I get back to her, will I need to begin again, or can I just pick up here and run ComboFix?

The system appears to be infected with malicious software that perhaps hides its files from most other protective applications. We need to take a deeper look at things. You may pick up here by just running the ComboFix program, but while we work to help you clean things up, it might be best to keep that computer offline until successful completion. Thanks!

OK, ran ComboFix. Now the computer will not go past the initial splash screen that was set as the backscreen. I have no access to any programs, Control Panel, etc. Restarting in safe mode brings the same issues.

The problem seems to be getting worse!

(BTW, I do see lovely McAfee starting up upon startup.)

OK, after getting into Task Manager and trying to run Control Panel, everything started up, with ComboFix still trying to generate a log.

It did complete it.

Posted are the ComboFix log, the HijackThis log, and a Malwarebytes quick scan log.

The Malwarebytes quick scan did find one infected trojan.

I restarted all the McAfee protection and the Windows firewall as well.

ComboFix 08-12-01.01 - Rebecca 2008-12-01 16:10:32.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1550 [GMT -6:00]

Running from: c:\documents and settings\Rebecca\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Rebecca\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\bestwiner.stt

c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\CPV.stt

c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\fbk.sts

c:\documents and settings\Rebecca\Cookies\buwot.vbs

c:\documents and settings\Rebecca\Cookies\egeniqe.reg

c:\documents and settings\Rebecca\Cookies\ejiwerol.sys

c:\documents and settings\Rebecca\Cookies\osiquzyno.ban

c:\documents and settings\Rebecca\Cookies\owitaz.db

c:\documents and settings\Rebecca\Cookies\paqyw.dat

c:\documents and settings\Rebecca\Cookies\tiquvisy.ban

c:\documents and settings\Rebecca\Cookies\unohases.bat

c:\documents and settings\Rebecca\Cookies\uximopylyn.ban

c:\windows\IE4 Error Log.txt

c:\windows\system32\ewuseruj.ini

c:\windows\system32\kulokuha.dll

c:\windows\system32\nejudazo.dll

c:\windows\system32\pofegohu.dll

c:\windows\system32\vonowiya.dll

c:\windows\wiaserviv.log

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_TDSSSERV.SYS

-------\Service_TDSSserv.sys

((((((((((((((((((((((((( Files Created from 2008-11-01 to 2008-12-01 )))))))))))))))))))))))))))))))

.

2008-11-26 13:58 . 2008-11-26 14:17 <DIR> d-------- C:\!KillBox

2008-11-25 13:18 . 2008-11-25 13:18 <DIR> d-------- c:\program files\Trend Micro

2008-11-25 12:14 . 2008-11-25 12:14 <DIR> d-------- c:\program files\Panda Security

2008-11-25 12:14 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys

2008-11-25 11:28 . 2008-11-25 13:50 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2008-11-25 11:28 . 2008-11-25 12:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2008-11-18 12:33 . 2006-03-03 08:07 143,360 --a------ c:\windows\system32\dunzip32.dll

2008-11-18 12:33 . 2008-12-01 17:05 10,377 --a------ c:\windows\system32\Config.MPF

2008-11-18 12:30 . 2007-11-22 06:44 201,320 --a------ c:\windows\system32\drivers\mfehidk.sys

2008-11-18 12:30 . 2007-07-13 06:20 113,952 --a------ c:\windows\system32\drivers\Mpfp.sys

2008-11-18 12:30 . 2007-11-22 06:44 79,304 --a------ c:\windows\system32\drivers\mfeavfk.sys

2008-11-18 12:30 . 2007-12-02 12:51 40,488 --a------ c:\windows\system32\drivers\mfesmfk.sys

2008-11-18 12:30 . 2007-11-22 06:44 35,240 --a------ c:\windows\system32\drivers\mfebopk.sys

2008-11-18 12:30 . 2007-11-22 06:44 33,832 --a------ c:\windows\system32\drivers\mferkdk.sys

2008-11-18 12:29 . 2008-11-18 12:30 <DIR> d-------- c:\program files\McAfee.com

2008-11-18 12:29 . 2008-11-18 12:44 <DIR> d-------- c:\program files\McAfee

2008-11-18 12:29 . 2008-11-18 12:30 <DIR> d-------- c:\program files\Common Files\McAfee

2008-11-18 12:22 . 2008-11-18 12:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee

2008-11-17 16:02 . 2008-11-25 11:20 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2008-11-17 16:02 . 2008-11-17 16:02 <DIR> d-------- c:\documents and settings\Rebecca\Application Data\Malwarebytes

2008-11-17 16:02 . 2008-11-17 16:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2008-11-17 16:02 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2008-11-17 16:02 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2008-11-17 15:23 . 2008-11-17 15:23 17,332 --a------ c:\program files\Common Files\esizapa.scr

2008-11-17 15:23 . 2008-11-17 15:23 17,258 --a------ c:\program files\Common Files\sosumituh.vbs

2008-11-17 15:23 . 2008-11-17 15:23 15,155 --a------ c:\documents and settings\All Users\Application Data\ulezefo.dll

2008-11-17 15:23 . 2008-11-17 15:23 14,953 --a------ c:\windows\system32\etivel.pif

2008-11-17 15:23 . 2008-11-17 15:23 13,908 --a------ c:\windows\hevulynud.exe

2008-11-17 15:23 . 2008-11-17 15:23 13,906 --a------ c:\program files\Common Files\fyfine.bin

2008-11-17 15:23 . 2008-11-17 15:23 13,114 --a------ c:\windows\pudyfemov.com

2008-11-17 15:23 . 2008-11-17 15:23 11,869 --a------ c:\documents and settings\Rebecca\Application Data\ubozala.sys

2008-11-17 15:23 . 2008-11-17 15:23 11,411 --a------ c:\windows\ebesoz.ban

2008-11-17 15:23 . 2008-11-17 15:23 10,154 --a------ c:\documents and settings\Rebecca\Application Data\qizojejil.exe

2008-11-17 14:32 . 2008-11-17 14:32 19,408 --a------ c:\documents and settings\All Users\Application Data\ilobyk.dat

2008-11-17 14:32 . 2008-11-17 14:32 19,127 --a------ c:\windows\qagu.pif

2008-11-17 14:32 . 2008-11-17 14:32 18,626 --a------ c:\windows\system32\ycox.lib

2008-11-17 14:32 . 2008-11-17 14:32 18,508 --a------ c:\documents and settings\All Users\Application Data\ulagofe.bat

2008-11-17 14:32 . 2008-11-17 14:32 18,122 --a------ c:\windows\yryne.scr

2008-11-17 14:32 . 2008-11-17 14:32 17,542 --a------ c:\windows\wypoxyhyc.reg

2008-11-17 14:32 . 2008-11-17 14:32 17,398 --a------ c:\windows\system32\xaremuk._dl

2008-11-17 14:32 . 2008-11-17 14:32 16,965 --a------ c:\documents and settings\Rebecca\Application Data\etuz.reg

2008-11-17 14:32 . 2008-11-17 14:32 16,692 --a------ c:\windows\system32\doqer.lib

2008-11-17 14:32 . 2008-11-17 14:32 16,213 --a------ c:\windows\pakiw.com

2008-11-17 14:32 . 2008-11-17 14:32 11,521 --a------ c:\documents and settings\Rebecca\Application Data\awinaje.vbs

2008-11-17 14:32 . 2008-11-17 14:32 10,452 --a------ c:\windows\ohom.reg

2008-11-09 18:20 . 2008-11-09 18:20 <DIR> d-------- c:\windows\qqor

2008-11-09 18:20 . 2008-11-12 20:26 <DIR> d-------- c:\program files\Common Files\qqor

2008-11-09 18:05 . 2008-12-01 14:28 <DIR> d--hs---- c:\windows\UmViZWNjYQ

2008-11-06 18:56 . 2008-11-06 18:56 18,597 --a------ c:\documents and settings\All Users\Application Data\qywi.exe

2008-11-06 18:56 . 2008-11-06 18:56 18,453 --a------ c:\windows\dyrotyreq.db

2008-11-06 18:56 . 2008-11-06 18:56 18,392 --a------ c:\windows\sujubiwof._dl

2008-11-06 18:56 . 2008-11-06 18:56 15,196 --a------ c:\documents and settings\Rebecca\Application Data\ecupote.com

2008-11-06 18:56 . 2008-11-06 18:56 14,449 --a------ c:\windows\system32\qyxoxuviw.pif

2008-11-06 18:56 . 2008-11-06 18:56 14,410 --a------ c:\documents and settings\Rebecca\Application Data\hedoziqe.bat

2008-11-06 18:56 . 2008-11-06 18:56 13,857 --a------ c:\windows\system32\adeqijo.lib

2008-11-06 18:56 . 2008-11-06 18:56 13,433 --a------ c:\windows\samu._sy

2008-11-06 18:56 . 2008-11-06 18:56 12,816 --a------ c:\program files\Common Files\dihy.bin

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-11-26 19:52 --------- d-----w c:\program files\Viewpoint

2008-11-26 19:50 --------- d-----w c:\program files\Java

2008-11-17 21:23 11,099 ----a-w c:\program files\Common Files\ecypivewuj._sy

2008-11-13 03:00 --------- d-----w c:\documents and settings\Rebecca\Application Data\Apple Computer

2008-11-07 00:56 14,300 ----a-w c:\program files\Common Files\enefu.db

2008-11-07 00:56 12,834 ----a-w c:\program files\Common Files\otenuza.ban

2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys

.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

----a-w 81,920 2004-07-27 22:50:18 c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe

----a-w 221,184 2004-07-27 22:50:42 c:\program files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe

----a-w 180,269 2006-03-27 14:43:56 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe

----a-w 49,152 2005-12-10 02:29:52 c:\program files\CyberLink\PowerDVD\bak\DVDLauncher.exe

----a-w 68,856 2007-06-21 01:00:48 c:\program files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe

----a-w 49,152 2003-06-25 17:24:48 c:\program files\Hewlett-Packard\HP Software Update\bak\HPWuSchd.exe

----a-w 233,472 2003-10-24 01:51:18 c:\program files\HP\hpcoretech\bak\hpcmpmgr.exe

----a-w 229,952 2006-09-12 06:58:54 c:\program files\iTunes\bak\iTunesHelper.exe

----a-w 289,064 2008-07-30 15:47:56 c:\program files\iTunes\iTunesHelper.exe

----a-w 36,975 2005-04-13 08:48:52 c:\program files\Java\jre1.5.0_03\bin\bak\jusched.exe

----a-w 282,624 2006-09-01 20:57:48 c:\program files\QuickTime\bak\qttask.exe

----a-w 413,696 2008-05-27 15:50:30 c:\program files\QuickTime\QTTask.exe

----a-w 507,904 2006-02-14 09:32:15 c:\windows\Samsung\PanelMgr\bak\ssmmgr.exe

----a-w 15,360 2004-08-04 11:00:00 c:\windows\system32\bak\ctfmon.exe

----a-w 15,360 2004-08-04 11:00:00 c:\windows\system32\ctfmon.exe

----a-w 77,824 2005-04-05 12:19:18 c:\windows\system32\bak\hkcmd.exe

----a-w 114,688 2005-04-05 12:23:14 c:\windows\system32\bak\igfxpers.exe

----a-w 94,208 2005-04-05 12:22:32 c:\windows\system32\bak\igfxtray.exe

----a-w 122,940 2005-09-08 11:20:00 c:\windows\system32\DLA\bak\DLACTRLW.EXE

----a-w 188,416 2006-01-13 07:14:58 c:\windows\system32\spool\drivers\w32x86\3\bak\hpztsb09.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_03\bin\jusched.exe" [N/A]

"morodoremo"="c:\windows\system32\nusayuta.dll" [N/A]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Wireless USB 2.0 WLAN Card Utility.lnk - c:\program files\Dell Wireless\PRISMCFG.exe [2006-03-22 921704]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PRISMAPI.DLL]

2005-12-22 20:08 450646 c:\windows\system32\PRISMAPI.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]

c:\windows\System32\DLA\DLACTRLW.EXE [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]

c:\program files\CyberLink\PowerDVD\DVDLauncher.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

c:\windows\system32\hkcmd.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]

c:\program files\HP\hpcoretech\hpcmpmgr.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]

c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

c:\windows\system32\igfxtray.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]

c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]

c:\program files\Common Files\InstallShield\UpdateService\issch.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2008-07-30 09:47 289064 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]

--a------ 2007-11-01 18:12 582992 c:\progra~1\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]

--a------ 2007-12-06 14:10 419152 c:\progra~1\McAfee.com\Agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]

c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE]

c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]

c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--a------ 2004-10-13 10:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]

c:\program files\McAfee.com\VSO\oasclnt.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]

c:\windows\system32\igfxpers.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2008-05-27 09:50 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Samsung PanelMgr]

c:\windows\Samsung\PanelMgr\ssmmgr.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

c:\program files\Java\jre1.5.0_03\bin\jusched.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

c:\program files\Common Files\Real\Update_OB\realsched.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]

c:\program files\McAfee.com\VSO\mcvsshld.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]

c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\Program Files\\McAfee\\MPF\\MpfSrv.exe"=

"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-11-25 28544]

R2 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.EXE [2006-03-22 61526]

S3 SM_sugo3_FUService;sugo3 Status Monitor Service;"c:\program files\Samsung\Samsung ML-2510 Series\SPanel\ssmsrvc /Service []

.

Contents of the 'Scheduled Tasks' folder

2008-09-03 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-11-18 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-11-18 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

.

- - - - ORPHANS REMOVED - - - -

BHO-{97e9748b-17b4-4aa5-81fb-c3ca8a336b40} - c:\windows\system32\rotirufe.dll

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-12-01 17:09:11

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SM_sugo3_FUService]

"ImagePath"="\"c:\program files\Samsung\Samsung ML-2510 Series\SPanel\ssmsrvc /Service"

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\userinit.exe

c:\windows\system32\PRISMSVR.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe

c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe

c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\McAfee\MPF\MpfSrv.exe

c:\windows\system32\wdfmgr.exe

c:\progra~1\McAfee\MSC\mcuimgr.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2008-12-01 17:15:30 - machine was rebooted

ComboFix-quarantined-files.txt 2008-12-01 23:15:10

Pre-Run: 112,552,878,080 bytes free

Post-Run: 112,335,724,544 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

275 --- E O F --- 2008-12-01 22:38:16

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:22:44 PM, on 12/1/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\userinit.exe

C:\WINDOWS\system32\PRISMSVR.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\system32\PRISMSVC.EXE

C:\WINDOWS\system32\svchost.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\System32\svchost.exe

c:\PROGRA~1\mcafee\msc\mcuimgr.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Dell Wireless\PRISMCFG.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/apps/msk/en-us/redir....ystempopup=true

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe

O23 - Service: PRISMSVC - Conexant Systems, Inc. - C:\WINDOWS\system32\PRISMSVC.EXE

--

End of file - 5721 bytes

Malwarebytes' Anti-Malware 1.30

Database version: 1442

Windows 5.1.2600 Service Pack 2

12/1/2008 5:21:58 PM

mbam-log-2008-12-01 (17-21-58).txt

Scan type: Quick Scan

Objects scanned: 53073

Time elapsed: 2 minute(s), 58 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\morodoremo (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Run a disk check from the Recovery Console...

  • Boot up to the Recovery Console. You will be asked to choose which Windows installation you would like to log into. Most users will only have one choice.
  • You will be prompted to enter the administrator password. This is the password set for the user profile "Administrator". You may have set this password when you first configured your computer. If no password was set up, then just press ENTER.
  • You will be presented with a C: prompt. Type or copy and paste: chkdsk /r and press ENTER.
  • Checkdisk will now run. The scan may run for several hours...it depends on the size of the disk and volume of data.
  • When the scan is complete, a report will be displayed. At this point, you need only to type Exit at the command prompt and press "Enter".

Post back your results. Thanks!



Will do!

I did get into the recovery console but only ran "fixboot".

It was after this that I found my workaround.

Right now when I restart it comes up to only the desktop background...no icons.

My workaround right now is to go into ctrl/alt/delete, then choose "new task" from Task Manager.

If I type in "control Panel" and hit enter the full desktop comes up with Icons instead of just the desktop background.

Control panel comes up. I close it and all seems to be OK.

Your suggestion then is to run "chkdsk" correct?

Can you tell from my logs anything about the virus?


What I did was open your last email first...then when I went to the first one I found you had posted the cf log, which made my post make not much sense at all. I am still going over the log and will have some more instructions for you in a short while. Thanks for your patience!


OK, we have several infections going on here simultaneously so don't get discouraged...this may take several more runs to finish up.

Your Java is out of date and is creating some security issues. We will download and install the latest version later, once we are certain you are clean, but for now please just uninstall the Java components that you have.

Please open a blank Notepad by clicking start-->run

Then, in the run box type Notepad.exe and click "OK".

Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe

Combofix will run again automatically. Please post back the new log that will be generated. Thanks!

File::

c:\windows\system32\nusayuta.dll

c:\program files\Common Files\esizapa.scr

c:\program files\Common Files\sosumituh.vbs

c:\documents and settings\All Users\Application Data\ulezefo.dll

c:\windows\system32\etivel.pif

c:\windows\hevulynud.exe

c:\program files\Common Files\fyfine.bin

c:\windows\pudyfemov.com

c:\documents and settings\Rebecca\Application Data\ubozala.sys

c:\windows\ebesoz.ban

c:\documents and settings\Rebecca\Application Data\qizojejil.exe

c:\documents and settings\All Users\Application Data\ilobyk.dat

c:\windows\qagu.pif

c:\windows\system32\ycox.lib

c:\documents and settings\All Users\Application Data\ulagofe.bat

c:\windows\yryne.scr

c:\windows\wypoxyhyc.reg

c:\windows\system32\xaremuk._dl

c:\documents and settings\Rebecca\Application Data\etuz.reg

c:\windows\system32\doqer.lib

c:\windows\pakiw.com

c:\documents and settings\Rebecca\Application Data\awinaje.vbs

c:\windows\ohom.reg

c:\documents and settings\All Users\Application Data\qywi.exe

c:\windows\dyrotyreq.db

c:\windows\sujubiwof._dl

c:\documents and settings\Rebecca\Application Data\ecupote.com

c:\windows\system32\qyxoxuviw.pif

c:\documents and settings\Rebecca\Application Data\hedoziqe.bat

c:\windows\system32\adeqijo.lib

c:\windows\samu._sy

c:\program files\Common Files\dihy.bin

c:\program files\Common Files\ecypivewuj._sy

c:\program files\Common Files\enefu.db

c:\program files\Common Files\otenuza.ban

Folder::

c:\Program Files\LimeWire

c:\program files\Viewpoint

c:\windows\qqor

c:\program files\Common Files\qqor

c:\windows\UmViZWNjYQ

Driver::

ubozala

Registry::

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"morodoremo"=-

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\Program Files\LimeWire\LimeWire.exe"=-

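A way to audit a CFScript like the one above before dragging it onto ComboFix, as an added Python example that is not part of this thread or of ComboFix: it parses the section layout used here (File::, Folder::, Driver::, Registry::) into a structured list of what the script will remove. The `[-Key]` and `"name"="data"` forms are assumed from .reg file conventions, and the embedded sample script is constructed from a few of the entries posted above.

```python
"""Turn a ComboFix-style CFScript into a structured review list before it is run.

Added example, not ComboFix's own code. File::, Folder:: and Driver:: hold one item
per line; Registry:: uses .reg-style syntax, where a [Key] line selects the key and
"name"=- deletes that value. Entries of any other section are kept verbatim.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: a handful of entries copied from the posted script.
SAMPLE_CFSCRIPT = r"""
File::
c:\windows\system32\nusayuta.dll
c:\documents and settings\Rebecca\Application Data\ubozala.sys

Folder::
c:\Program Files\LimeWire
c:\windows\UmViZWNjYQ

Driver::
ubozala

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"morodoremo"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\Program Files\LimeWire\LimeWire.exe"=-
"""


@dataclass
class RegistryAction:
    key: str
    action: str                  # "delete_value", "set_value" or "delete_key"
    value: Optional[str] = None  # value name; None when the whole key is targeted
    data: Optional[str] = None   # right-hand side of a set_value line, kept verbatim


@dataclass
class CFScript:
    files: List[str] = field(default_factory=list)
    folders: List[str] = field(default_factory=list)
    drivers: List[str] = field(default_factory=list)
    registry: List[RegistryAction] = field(default_factory=list)
    unknown: Dict[str, List[str]] = field(default_factory=dict)


def _parse_value_line(line: str, key: str) -> RegistryAction:
    """A "name"=data line under the current [Key]; data of "-" means delete the value."""
    if not line.startswith('"') or '"' not in line[1:]:
        raise ValueError(f"unrecognised registry line: {line!r}")
    end = line.index('"', 1)
    name, rest = line[1:end], line[end + 1:].strip()
    if not rest.startswith("="):
        raise ValueError(f"missing '=' in registry line: {line!r}")
    data = rest[1:].strip()
    if data == "-":
        return RegistryAction(key, "delete_value", name)
    return RegistryAction(key, "set_value", name, data)


def parse_cfscript(text: str) -> CFScript:
    script, section, current_key = CFScript(), None, None
    simple = {"File": script.files, "Folder": script.folders, "Driver": script.drivers}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):                 # section header, e.g. File::
            section, current_key = line[:-2], None
        elif section is None:
            raise ValueError(f"entry before any section header: {line!r}")
        elif section in simple:
            simple[section].append(line)
        elif section != "Registry":
            script.unknown.setdefault(section, []).append(line)
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):             # .reg convention (assumed): [-Key] deletes the key
                script.registry.append(RegistryAction(key[1:], "delete_key"))
                current_key = None
            else:
                current_key = key
        elif current_key is None:
            raise ValueError(f"registry value with no [Key] above it: {line!r}")
        else:
            script.registry.append(_parse_value_line(line, current_key))
    return script


if __name__ == "__main__":
    print(parse_cfscript(SAMPLE_CFSCRIPT))
```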


Thanks again and will do but probably not until tomorrow.

I could have sworn we just downloaded the latest Java in one of the directions prior.

No matter I will uninstall again.

Do you think "chkdsk" will fix my other problem?

You indicate I have multiple infections going.

Do you think what we run here will finish it, or will there be more on top of that?

Patience I have...my teenage niece is another thing!

Not connected is the kiss of death to their generation.

I have offered my spare laptop but her mother negated that option!


I could have sworn we just downloaded the latest Java in one of the directions prior.

No matter I will uninstall again.

You uninstalled java version 1.4.2_03 and we haven't yet installed the latest version. The instruction indicated:

"We will install the latest version once you are clean"

...however, someone downloaded and installed version jre1.5.0_03, which is also out of date and has been exploited. Please keep this computer off of the internet until it is cleaned. Otherwise, we all just end up chasing our tails with never-ending returned logs filled with more and more malicious software.

Do you think "chkdsk" will fix my other problem?

Once the system is clean it surely should. I think your other problem is a combination of bad disk sectors combined with what infections remain.

You indicate I have multiple infections going.

Do you think what we run here will finish it or will there be more on top of that...

There will be more. Your niece has also managed to pick up a nasty AWF infection which creates duplicated copies of itself and replaces legitimate files with those malicious files, then hides those legitimate files in backed-up folders strewn about. We need to find them, replace the legitimate files, remove the impostors, then remove the backed-up copies. That infection alone takes several steps to complete. It's a bit more involved than that, but I didn't want to complicate things just to explain in brief.

An example of problems that can occur is when this computer goes back online and the user opens a messenger thinking it's just fine, when in fact the messenger is one of the files that has been corrupted. You would not know this since everything about the file appears normal...but the behavior isn't.


OK...things are looking much better. Next:

Please download FindAWF and save it to your desktop

Double-click FindAWF.exe to start the tool.

Select option #1 - Scan for "bak" folders by typing 1 and pressing "Enter".

When the tool has completed, a Notepad report will open. Please post the results of the awf.txt back here on your next reply.

**Do not run any other options for this tool unless directed to do so.**



Here you go!

Find AWF report by noahdfear


Locate FindAWF.exe on your Desktop and double-click on it to start the tool.

Select option #2..."Restore files from bak folders" by typing 2...then hit your Enter key.

Another text file will open.

Please copy/paste the data below in Bold text into that text file:

"C:\Program Files\iTunes\bak\iTunesHelper.exe"

"C:\Program Files\QuickTime\bak\qttask.exe"

"C:\WINDOWS\system32\bak\ctfmon.exe"

"C:\WINDOWS\system32\bak\hkcmd.exe"

"C:\WINDOWS\system32\bak\igfxpers.exe"

"C:\WINDOWS\system32\bak\igfxtray.exe"

"C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe"

"C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"

"C:\Program Files\Hewlett-Packard\HP Software Update\bak\HPWuSchd.exe"

"C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"

"C:\WINDOWS\Samsung\PanelMgr\bak\ssmmgr.exe"

"C:\WINDOWS\system32\DLA\bak\DLACTRLW.EXE"

"C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"

"C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe"

"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"

"C:\Program Files\Java\jre1.5.0_03\bin\bak\jusched.exe"

"C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb09.exe"

Close the files.txt and answer Yes to save the changes.

FindAWF will terminate any bad processes that may still be running. It will then delete the bad files and replace them with the good files from the backup copies that were made.

When it completes, another log file will open for you. Copy and paste the contents of that log in your next reply along with a fresh HijackThis log.



Here are the HJT log and the AWF log.

HJT indicates an error when I launch it, though.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:57:46 PM, on 12/4/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\userinit.exe

C:\WINDOWS\system32\PRISMSVR.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\system32\PRISMSVC.EXE

C:\WINDOWS\system32\svchost.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Dell Wireless\PRISMCFG.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

c:\PROGRA~1\mcafee\msc\mcuimgr.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/apps/msk/en-us/redir....ystempopup=true

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe

O23 - Service: PRISMSVC - Conexant Systems, Inc. - C:\WINDOWS\system32\PRISMSVC.EXE

--

End of file - 5877 bytes

AWF log

Find AWF report by noahdfear


Please double-click the FindAWF.exe again to start the tool.

Select option #3..."Remove bak folders" by typing 3...then hit your Enter key.

The text file will open up for you again. Please copy/paste the data below in Bold text into that text file:

"C:\Program Files\iTunes\bak\iTunesHelper.exe"

"C:\Program Files\QuickTime\bak\qttask.exe"

"C:\WINDOWS\system32\bak\ctfmon.exe"

"C:\WINDOWS\system32\bak\hkcmd.exe"

"C:\WINDOWS\system32\bak\igfxpers.exe"

"C:\WINDOWS\system32\bak\igfxtray.exe"

"C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe"

"C:\Program Files\Hewlett-Packard\HP Software Update\bak\HPWuSchd.exe"

"C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"

"C:\WINDOWS\Samsung\PanelMgr\bak\ssmmgr.exe"

"C:\WINDOWS\system32\DLA\bak\DLACTRLW.EXE"

"C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"

"C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe"

"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"

"C:\Program Files\Java\jre1.5.0_03\bin\bak\jusched.exe"

"C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb09.exe"

...Now, please close the folders.txt and save the changes made.

FindAWF will remove the backup folders that were made and present you with another log when it completes.

Copy and paste the contents of THAT log in your next reply along with a fresh HijackThis log. Thanks!

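The scan, restore and cleanup sequence that FindAWF performs across the three posts above, and the file-swap behaviour described earlier in the thread, as an added Python example (not the thread's or FindAWF's own code): it finds every `bak` folder under a root, pairs each copy with the same-named file one level up, hashes both, restores the backed-up copy over differing files, and removes a `bak` folder only once nothing in it differs from the file beside it. The directory tree it runs on is constructed in a temp dir using path names from the thread; all file contents are made up.

```python
"""Find and undo the "bak" file swap described in the thread above (added example,
not FindAWF's own code). The legitimate program was moved into a "bak" subfolder
beside it and an impostor dropped at the original path; we pair each bak copy with
the same-named file one level up, compare hashes, restore over impostors, and drop
bak folders only once every copy in them is redundant.
"""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import List

@dataclass
class BakPair:
    backup: Path     # file inside the bak folder (the legitimate copy)
    original: Path   # same name one level up (where an impostor may sit)
    status: str      # "differs", "identical" or "missing"

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def find_bak_pairs(root: Path) -> List[BakPair]:
    """Option #1 analogue: every file in a bak folder, paired with its sibling."""
    pairs = []
    for dirpath, _, filenames in os.walk(root):
        d = Path(dirpath)
        if d.name.lower() != "bak":
            continue
        for name in filenames:
            backup, original = d / name, d.parent / name
            if not original.is_file():
                status = "missing"      # nothing at the original path: review by hand
            elif sha256_of(backup) == sha256_of(original):
                status = "identical"    # benign leftover, no swap happened
            else:
                status = "differs"      # the original path holds a different file
            pairs.append(BakPair(backup, original, status))
    return pairs

def restore_pairs(pairs: List[BakPair]) -> List[Path]:
    """Option #2 analogue: copy the backed-up file over the differing one."""
    restored = []
    for p in pairs:
        if p.status == "differs":
            shutil.copy2(p.backup, p.original)
            restored.append(p.original)
    return restored

def remove_bak_folders(pairs: List[BakPair]) -> List[Path]:
    """Option #3 analogue: drop a bak folder only when every copy in it now matches."""
    removed = []
    for folder in sorted({p.backup.parent for p in pairs}):
        members = [p for p in pairs if p.backup.parent == folder]
        if all(p.original.is_file() and sha256_of(p.backup) == sha256_of(p.original)
               for p in members):
            shutil.rmtree(folder)
            removed.append(folder)
    return removed

def build_sample_tree(root: Path) -> None:
    """Constructed fixture using path names from the thread; contents are made up."""
    legit, impostor = b"MZ constructed legitimate helper", b"MZ constructed impostor"
    cases = {  # relative dir: (name of the bak copy, bytes at the original path or None)
        Path("Program Files/iTunes"): ("iTunesHelper.exe", impostor),  # swapped
        Path("Program Files/QuickTime"): ("qttask.exe", legit),        # benign leftover
        Path("WINDOWS/system32"): ("hkcmd.exe", None),                 # original gone
    }
    for rel, (name, at_original) in cases.items():
        (root / rel / "bak").mkdir(parents=True)
        (root / rel / "bak" / name).write_bytes(legit)
        if at_original is not None:
            (root / rel / name).write_bytes(at_original)

def demo() -> dict:
    """Run the three steps on the fixture in a temp dir and report what each did."""
    root = Path(tempfile.mkdtemp(prefix="awf-demo-"))
    build_sample_tree(root)
    pairs = find_bak_pairs(root)
    restored = restore_pairs(pairs)
    removed = remove_bak_folders(pairs)
    result = {
        "statuses": sorted(p.status for p in pairs),
        "restored": sorted(p.name for p in restored),
        "removed": sorted(f.parent.name for f in removed),
        "bak_kept_for_missing": (root / "WINDOWS/system32/bak/hkcmd.exe").is_file(),
    }
    shutil.rmtree(root)
    return result

if __name__ == "__main__":
    print(demo())
```

A `bak` folder whose sibling file is missing is deliberately left in place, since there is nothing to compare it against and it may be the only surviving copy.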
