
Trojan Agent and Vundo



Here are the logs from my computer. I'm having problems with those pesky trojans.

MBAM Scan

Malwarebytes' Anti-Malware 1.30

Database version: 1437

Windows 5.1.2600 Service Pack 3

11/30/2008 7:32:50 PM

mbam-log-2008-11-30 (19-32-50).txt

Scan type: Full Scan (C:\|)

Objects scanned: 196901

Time elapsed: 7 hour(s), 3 minute(s), 52 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 2

Registry Keys Infected: 3

Registry Values Infected: 13

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 13

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\SYSTEM32\vodademo.dll (Trojan.Vundo) -> Delete on reboot.

c:\WINDOWS\SYSTEM32\tusihivi.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingb5558 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingd1934 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletinga3756 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingc2357 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingb1803 (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingd8805 (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletinga5008 (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingc6937 (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm1ba91cee (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dupunizome (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\189a2f72 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: c:\windows\system32\vodademo.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\vodademo.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: system32\vodademo.dll -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\SYSTEM32\magiduko.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\okudigam.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\tohazite.dll_old (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\etizahot.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\vodademo.dll (Trojan.Vundo) -> Delete on reboot.

c:\WINDOWS\SYSTEM32\tusihivi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

c:\WINDOWS\SYSTEM32\serodaba.dll_old (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1435\A1009673.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1436\A1009973.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1436\A1009975.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\vipepili.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\yinonude.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\SYSTEM32\kusihino.dll (Trojan.Agent) -> Delete on reboot.

Panda Active Scan

;*******************************************************************************

ANALYSIS: 2008-12-01 03:06:35

PROTECTIONS: 3

MALWARE: 27

SUSPECTS: 0

;*******************************************************************************

PROTECTIONS

Description Version Active Updated

;===============================================================================

Windows Defender 1.1.3903.0 No Yes

McAfee Internet Security Suite 2007 8.1 No No

McAfee VirusScan Plus 12.1 No No

;===============================================================================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===============================================================================

00020994 W32/Bagle.pwdzip Virus No 0 Yes No C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VcodeceMedia.zip

00029258 application/altnet HackTools No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\altnetdm

00032745 adware/sahagent Adware No 0 Yes No c:\windows\system32\ritsacnk.dat

00032745 adware/sahagent Adware No 0 Yes No c:\windows\system32\bqrufs5f.dat

00040538 adware/zango Adware No 0 Yes No HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{99410cde-6f16-42ce-9d49-3807f78f0287}

00040538 adware/zango Adware No 0 Yes No HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{0AC49246-419B-4EE0-8917-8818DAAD6A4E}

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\WINDOWS\Temp\Cookies\jahmard hudson@doubleclick[1].txt

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\WINDOWS\Temp\Cookies\jiquori roberson@doubleclick[1].txt

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\WINDOWS\Temp\Cookies\sandra hudson@doubleclick[1].txt

00145770 Cookie/CentrPort TrackingCookie No 0 Yes No C:\WINDOWS\Temp\Cookies\sandra hudson@centrport[1].txt

00147824 Cookie/Clickbank TrackingCookie No 0 Yes No C:\Documents and Settings\Sandra Hudson\Cookies\sandra_hudson@clickbank[1].txt

00147824 Cookie/Clickbank TrackingCookie No 0 Yes No C:\Documents and Settings\Jahmard Hudson\Cookies\jahmard_hudson@clickbank[2].txt

00160284 Cookie/Findwhat TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@findwhat[2].txt

00160284 Cookie/Findwhat TrackingCookie No 0 Yes No C:\Documents and Settings\Jahmard Hudson\Cookies\jahmard_hudson@findwhat[1].txt

00160284 Cookie/Findwhat TrackingCookie No 0 Yes No C:\Documents and Settings\Sandra Hudson\Cookies\sandra_hudson@findwhat[2].txt

00167730 Cookie/Hitbox TrackingCookie No 0 Yes No C:\WINDOWS\Temp\Cookies\sandra hudson@ehg.hitbox[1].txt

00167749 Cookie/Toplist TrackingCookie No 0 Yes No C:\Documents and Settings\Jahmard Hudson\Cookies\jahmard_hudson@toplist[1].txt

00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Sandra Hudson\Cookies\sandra_hudson@apmebf[1].txt

00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@apmebf[1].txt

00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Jahmard Hudson\Cookies\jahmard_hudson@apmebf[2].txt

00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@apmebf[1].txt

00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Local Settings\Temp\Cookies\mimi@www.burstbeacon[2].txt

00168106 Cookie/Weborama TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@weborama[1].txt

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@advertising[1].txt

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Jahmard Hudson\Cookies\jahmard_hudson@advertising[2].txt

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Sandra Hudson\Cookies\sandra_hudson@advertising[2].txt

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Jiquori Roberson\Cookies\jiquori_roberson@advertising[1].txt

00169287 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\WINDOWS\Temp\Cookies\sandra hudson@adrevolver[3].txt

00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\WINDOWS\Temp\Cookies\jiquori roberson@statse.webtrendslive[2].txt

00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\WINDOWS\Temp\Cookies\jandra hudson@statse.webtrendslive[2].txt

00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\WINDOWS\Temp\Cookies\jahmard hudson@statse.webtrendslive[2].txt

00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\WINDOWS\Temp\Cookies\sandra hudson@statse.webtrendslive[2].txt

00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\WINDOWS\Temp\Cookies\sandra hudson@adrevolver[2].txt

00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@go[2].txt

00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Sandra Hudson\Cookies\sandra_hudson@go[1].txt

00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Jiquori Roberson\Cookies\jiquori_roberson@go[1].txt

00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Jahmard Hudson\Cookies\jahmard_hudson@go[1].txt

00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\Jahmard Hudson\Cookies\jahmard_hudson@searchportal.information[2].txt

00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\Sandra Hudson\Cookies\sandra_hudson@searchportal.information[2].txt

00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Sandra Hudson\Cookies\sandra_hudson@target[2].txt

00273914 Adware/EMediaCodec Adware No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1436\A1009971.exe

00286734 Cookie/Adserver TrackingCookie No 0 Yes No C:\Documents and Settings\Jahmard Hudson\Cookies\jahmard_hudson@adserver.filefront[1].txt

00388689 Adware/AntiSpywareExpert Adware No 0 Yes No C:\Documents and Settings\Jahmard Hudson\Local Settings\Temporary Internet Files\Content.IE5\PMK0L9Q2\params[1].js

00388804 Application/PCPrivacyCleaner HackTools No 0 Yes No C:\Documents and Settings\Jahmard Hudson\Local Settings\Temporary Internet Files\Content.IE5\ITFJQT1U\index[1].js

00456116 Adware/Antivirus2009 Adware No 0 Yes No C:\Documents and Settings\Sandra Hudson\Local Settings\Temporary Internet Files\Content.IE5\IFRN5BLB\freescan[1].htm

00456116 Adware/Antivirus2009 Adware No 0 Yes No C:\Documents and Settings\Jiquori Roberson\Local Settings\Temporary Internet Files\Content.IE5\JYS3VGQH\freescan[1].htm

03587590 Adware/Yassist Adware No 0 No No C:\Documents and Settings\Jiquori Roberson\My Documents\My Videos\DivXInstaller.exe[


hi HurrHurr!

Welcome to Malwarebytes.org!

Please note that comments are made in green, links are in red, important things are outlined by using the blue color and the numbered steps I would like you to follow are outlined with orange.

Please also take note of the following:

  • I will start working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.

Step #1

  • Please download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Step #2

* Clean your Cache and Cookies in Internet Explorer:

  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK

* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):

  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.

* Clean other Temporary files + Recycle bin

  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.

Step #3

Please post back with the logs. Thanks!


INFO

info.txt logfile of random's system information tool 1.04 2008-12-01 16:14:43

======Uninstall list======

-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER

-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu

-->MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf

Acoustica Effects Pack-->C:\PROGRA~1\UNWISE.EXE C:\PROGRA~1\INSTALL.LOG

Adobe Download Manager 2.2 (Remove Only)-->"C:\Program Files\Common Files\Adobe\ESD\uninst.exe"

Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe

Adobe Reader 7.0.9-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}

Apple Mobile Device Support-->MsiExec.exe /I{B5C209B1-8DDB-4642-A573-375B951514CB}

Apple Software Update-->MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}

Conexant D850 56K V.9x DFVc Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1\HXFSETUP.EXE -U -Idel200fk.inf

Dell Driver Reset Tool-->MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76}

Dell Media Experience-->MsiExec.exe /I{AC0EE5B0-A8FB-4D0A-AF03-2EDC518F841B}

Dell Photo AIO Printer 922-->C:\WINDOWS\system32\spool\drivers\w32x86\3\DLBTUNST.EXE -NOLICENSE

Dell Picture Studio v3.0-->MsiExec.exe /I{AF06CAE4-C134-44B1-B699-14FBDB63BD37}

Dell Support Center (Support Software)-->MsiExec.exe /X{E3BFEE55-39E2-4BE0-B966-89FE583822C1}

DellSupport-->MsiExec.exe /X{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}

Digital Line Detect-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText

DivX Codec-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC

DivX Converter-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER

DivX Player-->C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER

DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN

Google Toolbar for Internet Explorer-->MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}

Google Toolbar for Internet Explorer-->regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"

HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall

Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"

Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"

Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"

Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"

Intel® Extreme Graphics 2 Driver-->RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2572

Intel® PRO Network Adapters and Drivers-->Prounstl.exe

Intel® PROSet for Wired Connections-->MsiExec.exe /I{17334AAF-C9E7-483B-9F45-E3FCAF07FFA7}

Internet Explorer Default Page-->MsiExec.exe /I{35BDEFF1-A610-4956-A00D-15453C116395}

iTunes-->MsiExec.exe /I{18388EF8-E0A3-442B-8BFE-E2F1B3D05C91}

Jasc Paint Shop Photo Album-->MsiExec.exe /I{CC000127-5E5D-4A1C-90CB-EEAAAC1E3AC0}

Java 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}

Macromedia Flash Player-->MsiExec.exe /X{0456ebd7-5f67-4ab6-852e-63781e3f389c}

Macromedia Shockwave Player-->C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~2\Install.log

Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"

McAfee SecurityCenter-->C:\Program Files\McAfee\MSC\mcuninst.exe

Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"

Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}

Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}

Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"

Microsoft Encarta Encyclopedia Standard 2005-->MsiExec.exe /I{05410044-64A6-4248-A026-9745C1E9E159}

Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"

Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"

Microsoft Office Converter Pack-->MsiExec.exe /X{6EECB283-E65F-40EF-86D3-D51BF02A8D43}

Microsoft Office PowerPoint Viewer 2003-->MsiExec.exe /X{90AF0409-6000-11D3-8CFE-0150048383C9}

Microsoft Picture It! Premium 10-->"C:\Program Files\Common Files\Microsoft Shared\Picture It!\RmvSuite.exe" ADDREMOVE=1 SKU=PREM

Microsoft Plus! Digital Media Edition Installer-->MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}

Microsoft Plus! Photo Story 2 LE-->MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}

Microsoft Silverlight-->MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}

Microsoft Streets and Trips 2005-->MsiExec.exe /I{67E4EE98-59F4-4210-89A6-A20AF5BEC689}

Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"

Microsoft Web Publishing Wizard 1.52-->RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\wpie4x86.inf,WebPostUninstall

Microsoft Word 2002-->MsiExec.exe /I{911B0409-6000-11D3-8CFE-0050048383C9}

Microsoft Works 2005 Setup Launcher-->C:\Program Files\Microsoft Works Suite 2005\Setup\Launcher.exe /ARP D:\

Microsoft Works Suite Add-in for Microsoft Word-->MsiExec.exe /I{CB54ABA8-D67F-47AD-A76C-2631BADA9FE5}

Microsoft Works-->MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}

Modem Helper-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel

MSXML 4.0 SP2 (KB925672)-->MsiExec.exe /I{A9CF9052-F4A0-475D-A00F-A8388C62DD63}

MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}

MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}

MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}

MSXML 6.0 Parser (KB933579)-->MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}

Musicmatch


hi HurrHurr,

Your Panda scan suggests that you have had / have a serious infection aboard: Bagle.

Step #1

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 10...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u10-windows-i586-p.exe to install the newest version.

Step #2

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.

Step #3

Your logs show that you have (a) online poker programme(s) installed on your computer. I know that you may use these (this) game(s) on a regular basis but I think it's important to note that often these kind of programmes are installed with other unwanted software, namely spyware or adware. Due to this I strongly suggest that you uninstall these programmes if you do not use them anymore or did not install these programmes yourself on purpose. There are so many online poker games out there these days that it is close to impossible to keep track of whether a programme is infected or not. Should you have installed this online poker game on purpose and wish to continue using this, you may ignore this. Should you decide to uninstall the programme, then you can do so by following the below steps:

Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs, search for the poker game and remove it.

If you are unsure of anything, please don't hesitate to ask.

Step #4

Run HijackThis, press Scan, and put a check mark next to all these entries:

O2 - BHO: (no name) - {8982ea39-f685-4832-832d-740a2ded7f4a} - C:\WINDOWS\system32\godadoju.dll (file missing)

O4 - HKUS\S-1-5-19\..\Run: [dupunizome] Rundll32.exe "C:\WINDOWS\system32\gayuhiyu.dll",s (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [dupunizome] Rundll32.exe "C:\WINDOWS\system32\gayuhiyu.dll",s (User 'NETWORK SERVICE')

O20 - AppInit_DLLs: karina.dat c:\windows\system32\yinonude.dll

Close all other windows and browsers, and press the Fix Checked button.

Step #5

Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[screenshot: RcAuto1.gif]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot: whatnext.png]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks!

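A note on what the MBAM log in the first post and the HijackThis entries in Step #4 have in common, with an added example that is not part of the original thread and not code from Malwarebytes, HijackThis or ComboFix. The log shows Vundo using several autostart extensibility points that are more dangerous than an ordinary Run key: AppInit_DLLs (the DLL is loaded into every process that loads user32.dll) and LSA Notification Packages (the DLL is loaded into lsass.exe as SYSTEM). That is why vodademo.dll could only be marked "Delete on reboot": a DLL mapped into every running process cannot be unlinked while those processes are alive. The log also shows the Vundo.H naming habit of pairing each DLL with an .ini whose name is the DLL name spelled backwards (magiduko.dll / okudigam.ini, tohazite.dll_old / etizahot.ini). The Python below runs that triage over lines copied from the logs in this thread (embedded inline so it runs offline; the ASEP descriptions and the "reversed name" heuristic are this example's own, not a detection rule from any of the tools mentioned):

```python
import re

# Lines copied from the MBAM log and the HijackThis entries quoted in this thread,
# embedded here as sample input so the script runs without the original files.
SAMPLE_LINES = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: c:\windows\system32\vodademo.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\vodademo.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dupunizome (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\magiduko.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\okudigam.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\tohazite.dll_old (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\etizahot.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\vodademo.dll (Trojan.Vundo) -> Delete on reboot.
O4 - HKUS\S-1-5-19\..\Run: [dupunizome] Rundll32.exe "C:\WINDOWS\system32\gayuhiyu.dll",s (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: karina.dat c:\windows\system32\yinonude.dll
"""

# Autostart extensibility points seen in the logs, most dangerous first. The
# descriptions are this example's own summary of how Windows uses each key.
ASEP_PATTERNS = [
    (r"appinit_dlls", "AppInit_DLLs: loaded into every process that loads user32.dll"),
    (r"lsa\\notification packages", "LSA Notification Packages: loaded into lsass.exe as SYSTEM"),
    (r"sharedtaskscheduler", "SharedTaskScheduler: COM object loaded by Explorer at logon"),
    (r"shellserviceobjectdelayload", "ShellServiceObjectDelayLoad: loaded by Explorer at logon"),
    (r"currentversion\\runonce\\", "RunOnce key"),
    (r"currentversion\\run\\", "Run key"),
    (r"hkus\\s-1-5-(19|20)\\", "Run key under a service-account hive (LOCAL/NETWORK SERVICE)"),
]

# Files under %SystemRoot%\system32 named anywhere in a line (MBAM paths, HJT
# command lines, registry data). dll_old must precede dll in the alternation.
FILE_RE = re.compile(r"[a-z]:\\windows\\system32\\([a-z0-9]+)\.(dll_old|dll|ini)", re.I)


def classify_asep(line):
    """Return the description of the first autostart location the line touches, else None."""
    low = line.lower()
    for pattern, why in ASEP_PATTERNS:
        if re.search(pattern, low):
            return why
    return None


def system32_artifacts(lines):
    """Map lowercase file stem -> set of extensions for system32 files named in the lines."""
    found = {}
    for line in lines:
        for stem, ext in FILE_RE.findall(line):
            found.setdefault(stem.lower(), set()).add(ext.lower())
    return found


def reversed_name_pairs(artifacts):
    """Heuristic: a DLL whose reversed stem exists as an .ini (the Vundo.H pairing in this log)."""
    pairs = []
    for stem, exts in artifacts.items():
        mirror = stem[::-1]
        if exts & {"dll", "dll_old"} and "ini" in artifacts.get(mirror, set()):
            pairs.append((stem, mirror))
    return sorted(pairs)


def triage(text):
    """Summarise log lines: ASEPs touched, reversed DLL/INI pairs, deletions pending a reboot."""
    lines = [l for l in text.splitlines() if l.strip()]
    asep_hits = [(why, line) for line in lines for why in [classify_asep(line)] if why]
    return {
        "asep_hits": asep_hits,
        "reversed_pairs": reversed_name_pairs(system32_artifacts(lines)),
        "pending_reboot": [l for l in lines if "Delete on reboot" in l],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LINES)
    for why, line in report["asep_hits"]:
        print(f"[ASEP] {why}\n       {line}")
    for dll, ini in report["reversed_pairs"]:
        print(f"[PAIR] {dll}.dll <-> {ini}.ini (stem reversed)")
    for line in report["pending_reboot"]:
        print(f"[REBOOT] {line}")
```

The point of the "pending_reboot" bucket is the caveat a practitioner wants from this log: anything marked "Delete on reboot" is still loaded and still on disk until the machine is actually restarted, so a follow-up scan before the reboot will find it again and a reboot that never happens leaves the AppInit_DLLs injector in place. The reversed-name check is a heuristic for this family's habit, not a general Vundo signature.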

ComboFix 08-12-02.02 - Jiquori Roberson 2008-12-03 14:33:48.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1557 [GMT -5:00]

Running from: c:\documents and settings\Jiquori Roberson\Desktop\ComboFix.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Jiquori Roberson\Local Settings\Temporary Internet Files\afyh.sys

c:\documents and settings\Jiquori Roberson\Local Settings\Temporary Internet Files\edyselyt._sy

c:\documents and settings\Jiquori Roberson\Local Settings\Temporary Internet Files\efihitijix.bat

c:\documents and settings\Jiquori Roberson\Local Settings\Temporary Internet Files\ekarevedut.pif

c:\documents and settings\Jiquori Roberson\Local Settings\Temporary Internet Files\exasi.dll

c:\documents and settings\Jiquori Roberson\Local Settings\Temporary Internet Files\ezewaja.bin

c:\documents and settings\Jiquori Roberson\Local Settings\Temporary Internet Files\feqokuri.inf

c:\documents and settings\Jiquori Roberson\Local Settings\Temporary Internet Files\ibaqata.sys

c:\documents and settings\Jiquori Roberson\Local Settings\Temporary Internet Files\ijodog.scr

c:\documents and settings\Jiquori Roberson\Local Settings\Temporary Internet Files\lylizyhom.dat

c:\documents and settings\Jiquori Roberson\Local Settings\Temporary Internet Files\nolibut.inf

c:\documents and settings\Jiquori Roberson\Local Settings\Temporary Internet Files\nuxizyxu.vbs

c:\documents and settings\Jiquori Roberson\Local Settings\Temporary Internet Files\ocivezy.db

c:\documents and settings\Jiquori Roberson\Local Settings\Temporary Internet Files\onoviver._sy

c:\documents and settings\Jiquori Roberson\Local Settings\Temporary Internet Files\oporuw.lib

c:\documents and settings\Jiquori Roberson\Local Settings\Temporary Internet Files\pekifup.lib

c:\documents and settings\Jiquori Roberson\Local Settings\Temporary Internet Files\qalepi.vbs

c:\documents and settings\Jiquori Roberson\Local Settings\Temporary Internet Files\qyjixilo.dll

c:\documents and settings\Jiquori Roberson\Local Settings\Temporary Internet Files\uxafekykin.pif

c:\documents and settings\Jiquori Roberson\Local Settings\Temporary Internet Files\xube.vbs

c:\windows\IE4 Error Log.txt

c:\windows\system32\onihisuk.ini

c:\windows\system32\usubitaj.ini

.

((((((((((((((((((((((((( Files Created from 2008-11-03 to 2008-12-03 )))))))))))))))))))))))))))))))

.

2008-12-03 14:12 . 2008-12-03 14:11 410,984 --a------ c:\windows\SYSTEM32\deploytk.dll

2008-12-03 14:12 . 2008-12-03 14:11 73,728 --a------ c:\windows\SYSTEM32\javacpl.cpl

2008-12-01 16:14 . 2008-12-01 16:14 <DIR> d----c--- C:\rsit

2008-11-30 00:08 . 2008-11-30 00:08 <DIR> d-------- c:\program files\Trend Micro

2008-11-30 00:05 . 2008-11-30 00:05 <DIR> d-------- c:\program files\Panda Security

2008-11-30 00:05 . 2008-06-19 17:24 28,544 --a------ c:\windows\SYSTEM32\DRIVERS\pavboot.sys

2008-11-29 23:57 . 2008-11-30 00:02 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2008-11-29 23:57 . 2008-11-30 12:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2008-11-12 00:25 . 2008-10-24 06:21 455,296 --------- c:\windows\SYSTEM32\DLLCACHE\mrxsmb.sys

2008-11-12 00:24 . 2008-09-04 12:15 1,106,944 --------- c:\windows\SYSTEM32\DLLCACHE\msxml3.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-03 19:28 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2008-12-03 19:18 --------- d-----w c:\program files\Real

2008-12-03 19:14 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint

2008-12-03 19:11 --------- d-----w c:\program files\Java

2008-12-02 21:03 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore

2008-12-02 16:53 --------- d-----w c:\program files\McAfee

2008-11-29 07:10 94,772 ------w c:\windows\SYSTEM32\dinizuha.dll

2008-11-23 17:39 --------- d-----w c:\program files\Dl_cats

2008-11-07 16:37 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2008-11-01 17:14 1,170 -c--a-w c:\documents and settings\Jiquori Roberson\Application Data\wklnhst.dat

2008-10-30 11:17 --------- d-----w c:\program files\SUPERAntiSpyware

2008-10-30 11:17 --------- d-----w c:\program files\Common Files\Wise Installation Wizard

2008-10-30 11:17 --------- d-----w c:\documents and settings\Jiquori Roberson\Application Data\SUPERAntiSpyware.com

2008-10-29 20:59 --------- d-----w c:\documents and settings\Jiquori Roberson\Application Data\DivX

2008-10-29 20:56 --------- d-----w c:\program files\DivX

2008-10-27 00:13 --------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys

2008-10-22 20:10 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2008-10-22 20:10 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

2008-10-22 12:25 --------- d-----w c:\program files\Microsoft Silverlight

2008-10-16 19:13 202,776 ----a-w c:\windows\SYSTEM32\wuweb.dll

2008-10-16 19:13 202,776 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuweb.dll

2008-10-16 19:13 1,809,944 ----a-w c:\windows\SYSTEM32\wuaueng.dll

2008-10-16 19:13 1,809,944 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuaueng.dll

2008-10-16 19:12 561,688 ----a-w c:\windows\SYSTEM32\wuapi.dll

2008-10-16 19:12 561,688 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuapi.dll

2008-10-16 19:12 323,608 ----a-w c:\windows\SYSTEM32\wucltui.dll

2008-10-16 19:12 323,608 ----a-w c:\windows\SYSTEM32\DLLCACHE\wucltui.dll

2008-10-16 19:09 92,696 ----a-w c:\windows\SYSTEM32\DLLCACHE\cdm.dll

2008-10-16 19:09 92,696 ----a-w c:\windows\SYSTEM32\cdm.dll

2008-10-16 19:09 51,224 ----a-w c:\windows\SYSTEM32\wuauclt.exe

2008-10-16 19:09 51,224 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuauclt.exe

2008-10-16 19:09 43,544 ----a-w c:\windows\SYSTEM32\wups2.dll

2008-10-16 19:08 34,328 ----a-w c:\windows\SYSTEM32\wups.dll

2008-10-16 19:08 34,328 ----a-w c:\windows\SYSTEM32\DLLCACHE\wups.dll

2008-10-16 19:06 268,648 ----a-w c:\windows\SYSTEM32\mucltui.dll

2008-10-16 19:06 208,744 ----a-w c:\windows\SYSTEM32\muweb.dll

2008-10-15 22:52 --------- d-----w c:\program files\World of Warcraft

2008-10-15 22:45 --------- d-----w c:\documents and settings\All Users\Application Data\Blizzard

2008-10-15 16:34 337,408 ------w c:\windows\SYSTEM32\DLLCACHE\netapi32.dll

2008-10-03 17:41 6,066,176 ------w c:\windows\SYSTEM32\DLLCACHE\ieframe.dll

2008-09-30 21:43 1,286,152 ----a-w c:\windows\SYSTEM32\msxml4.dll

2008-09-16 00:14 524,288 ----a-w c:\windows\SYSTEM32\DivXsm.exe

2008-09-16 00:14 3,596,288 -c--a-w c:\windows\SYSTEM32\qt-dx331.dll

2008-09-16 00:14 129,784 ------w c:\windows\SYSTEM32\pxafs.dll

2008-09-16 00:14 120,056 -c----w c:\windows\SYSTEM32\pxcpyi64.exe

2008-09-16 00:14 118,520 -c----w c:\windows\SYSTEM32\pxinsi64.exe

2008-09-16 00:12 81,920 -c--a-w c:\windows\SYSTEM32\dpl100.dll

2008-09-16 00:12 593,920 -c--a-w c:\windows\SYSTEM32\dpuGUI11.dll

2008-09-16 00:12 57,344 -c--a-w c:\windows\SYSTEM32\dpv11.dll

2008-09-16 00:12 53,248 -c--a-w c:\windows\SYSTEM32\dpuGUI10.dll

2008-09-16 00:12 344,064 -c--a-w c:\windows\SYSTEM32\dpus11.dll

2008-09-16 00:12 294,912 -c--a-w c:\windows\SYSTEM32\dpu11.dll

2008-09-16 00:12 294,912 -c--a-w c:\windows\SYSTEM32\dpu10.dll

2008-09-16 00:12 200,704 -c--a-w c:\windows\SYSTEM32\ssldivx.dll

2008-09-16 00:12 196,608 -c--a-w c:\windows\SYSTEM32\dtu100.dll

2008-09-16 00:12 1,044,480 -c--a-w c:\windows\SYSTEM32\libdivx.dll

2008-09-16 00:11 823,296 ----a-w c:\windows\SYSTEM32\divx_xx0c.dll

2008-09-16 00:11 823,296 ----a-w c:\windows\SYSTEM32\divx_xx07.dll

2008-09-16 00:11 815,104 ----a-w c:\windows\SYSTEM32\divx_xx0a.dll

2008-09-16 00:11 802,816 ----a-w c:\windows\SYSTEM32\divx_xx11.dll

2008-09-16 00:11 683,520 ----a-w c:\windows\SYSTEM32\DivX.dll

2008-09-16 00:11 161,096 ----a-w c:\windows\SYSTEM32\DivXCodecVersionChecker.exe

2008-09-16 00:11 12,288 -c--a-w c:\windows\SYSTEM32\DivXWMPExtType.dll

2008-09-15 12:12 1,846,400 ----a-w c:\windows\SYSTEM32\win32k.sys

2008-09-15 12:12 1,846,400 ------w c:\windows\SYSTEM32\DLLCACHE\win32k.sys

2008-09-10 01:14 1,307,648 ----a-w c:\windows\SYSTEM32\msxml6.dll

2008-09-10 01:14 1,307,648 ------w c:\windows\SYSTEM32\DLLCACHE\msxml6.dll

2008-09-08 10:41 333,824 ------w c:\windows\SYSTEM32\DLLCACHE\srv.sys

2008-09-04 17:15 1,106,944 ----a-w c:\windows\SYSTEM32\msxml3.dll

2008-08-27 15:01 17,367 ----a-w c:\documents and settings\Jiquori Roberson\Application Data\ozibydi.sys

2008-08-27 15:01 16,753 ----a-w c:\documents and settings\Jiquori Roberson\Application Data\ydud.dat

2008-08-27 15:01 16,500 ----a-w c:\program files\Common Files\laxifif._dl

2008-08-27 15:01 15,754 ----a-w c:\program files\Common Files\imededa.inf

2008-08-27 15:01 13,300 ----a-w c:\documents and settings\Jiquori Roberson\Application Data\oreve.bin

2008-08-27 15:01 11,366 ----a-w c:\program files\Common Files\olagym.scr

2008-08-27 14:40 19,319 ----a-w c:\documents and settings\Jiquori Roberson\Application Data\nyhohaji.scr

2008-08-27 14:40 17,323 ----a-w c:\documents and settings\All Users\Application Data\dufokymaju.pif

2008-08-27 14:40 14,606 ----a-w c:\documents and settings\Jiquori Roberson\Application Data\iqyzadom.scr

2008-08-27 14:40 14,148 ----a-w c:\program files\Common Files\fijosoqu.dll

2008-08-27 14:40 13,065 ----a-w c:\program files\Common Files\ebepub.inf

2008-08-27 14:40 12,088 ----a-w c:\documents and settings\All Users\Application Data\bevewanuji.exe

2008-08-27 14:40 10,028 ----a-w c:\program files\Common Files\asetewemo.reg

2008-08-27 00:31 19,771 ----a-w c:\documents and settings\All Users\Application Data\pamexime.sys

2008-08-27 00:31 19,547 ----a-w c:\documents and settings\All Users\Application Data\ximeguk.com

2008-08-27 00:31 17,672 ----a-w c:\documents and settings\All Users\Application Data\doha.bat

2008-08-27 00:31 16,877 ----a-w c:\documents and settings\All Users\Application Data\hygefyrec.dll

2008-08-27 00:31 15,543 ----a-w c:\documents and settings\Jiquori Roberson\Application Data\ceqejus.pif

2008-08-27 00:31 13,731 ----a-w c:\documents and settings\All Users\Application Data\rojaz.dll

2008-08-27 00:31 10,072 ----a-w c:\documents and settings\Jiquori Roberson\Application Data\hobyve.com

2008-08-27 00:26 19,447 ----a-w c:\documents and settings\Jiquori Roberson\Application Data\usyse.bin

2008-08-27 00:26 19,234 ----a-w c:\documents and settings\Jiquori Roberson\Application Data\tovyfe.reg

2008-08-27 00:26 16,177 ----a-w c:\documents and settings\All Users\Application Data\volef.sys

2008-08-27 00:26 15,833 ----a-w c:\program files\Common Files\tyqedete.pif

2008-08-27 00:26 13,522 ----a-w c:\documents and settings\All Users\Application Data\tipitudod.reg

2008-08-27 00:26 12,658 ----a-w c:\program files\Common Files\qynilubo.dll

2008-08-27 00:26 10,211 ----a-w c:\documents and settings\All Users\Application Data\izikadelo.sys

2008-08-26 19:36 19,540 ----a-w c:\program files\Common Files\ucocakow.reg

2008-08-26 19:36 16,879 ----a-w c:\program files\Common Files\ihevav.dl

2008-08-26 19:36 16,778 ----a-w c:\documents and settings\All Users\Application Data\amoged.scr

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-16 68856]

"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DLBTCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 69632]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]

"Desksite CMA"="c:\program files\desksite\bin\cma.exe" [2003-10-19 188416]

"Dell Photo AIO Printer 922"="c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-11-10 290816]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-04 582992]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-11 286720]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]

"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-08-27 1107848]

"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]

"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-03 136600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-04-12 24576]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"DisableLocalUserRun"= 0 (0x0)

"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.SP54"= SP5X_32.DLL

"VIDC.SP55"= SP5X_32.DLL

"VIDC.SP56"= SP5X_32.DLL

"VIDC.SP57"= SP5X_32.DLL

"VIDC.SP58"= SP5X_32.DLL

"VIDC.SP50"= SP5X_32.DLL

"VIDC.SP51"= SP5X_32.DLL

"VIDC.SP52"= SP5X_32.DLL

"VIDC.SP53"= SP5X_32.DLL

"VIDC.VDOM"= vdowave.drv

"msacm.divxa32"= DivXa32.acm

"vidc.ffds"= ffdshow.ax

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

*Newly Created Service* - JAVAQUICKSTARTERSERVICE

*Newly Created Service* - PROCEXP90

.

Contents of the 'Scheduled Tasks' folder

2008-11-29 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]

2008-11-28 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (JHUDSON-Jandra Hudson).job

- c:\program files\mcafee.com\vso\mcmnhdlr.exe []

2008-11-28 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (JHUDSON-Jiquori Roberson).job

- c:\program files\mcafee.com\vso\mcmnhdlr.exe []

2008-11-15 c:\windows\Tasks\McDefragTask.job

- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2008-12-01 c:\windows\Tasks\McQcTask.job

- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-msnmsgr - c:\program files\MSN Messenger\msnmsgr.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.cox.net/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mStart Page = hxxp://www.google.com

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uInternet Connection Wizard,ShellNext = iexplore

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

IE: &Search

IE: Display All Images with Full Quality - "c:\program files\NetZero\qsacc\appres.dll/228"

IE: Display Image with Full Quality - "c:\program files\NetZero\qsacc\appres.dll/227"

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

IE: {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - c:\program files\EmpirePoker\EmpirePoker.exe

IE: {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - c:\program files\EmpirePoker\EmpirePoker.exe -

c:\windows\Downloaded Program Files\sysreqlab3.dll - O16 -: {1E54D648-B804-468d-BC78-4AFFED8E262E}

hxxp://www.srtest.com/srl_bin/sysreqlab3.cab

c:\windows\Downloaded Program Files\SysReqLab3.osd

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-12-03 14:37:49

Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:

ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

DLBTCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-12-03 14:40:34

ComboFix-quarantined-files.txt 2008-12-03 19:39:51

Pre-Run: 4,103,798,784 bytes free

Post-Run: 4,864,114,688 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

271 --- E O F --- 2008-11-27 03:00:28


Hi HurrHurr,

Step #1

  1. Open notepad and copy/paste the text in the codebox below into it:

    http://www.malwarebytes.org/forums/index.php?showtopic=7918&pid=37727&st=0entry37727
    Collect::
    c:\windows\SYSTEM32\dinizuha.dll
    c:\documents and settings\Jiquori Roberson\Application Data\ozibydi.sys
    c:\documents and settings\Jiquori Roberson\Application Data\ydud.dat
    c:\program files\Common Files\laxifif._dl
    c:\program files\Common Files\imededa.inf
    c:\documents and settings\Jiquori Roberson\Application Data\oreve.bin
    c:\program files\Common Files\olagym.scr
    c:\documents and settings\Jiquori Roberson\Application Data\nyhohaji.scr
    c:\documents and settings\All Users\Application Data\dufokymaju.pif
    c:\documents and settings\Jiquori Roberson\Application Data\iqyzadom.scr
    c:\program files\Common Files\fijosoqu.dll
    c:\program files\Common Files\ebepub.inf
    c:\documents and settings\All Users\Application Data\bevewanuji.exe
    c:\program files\Common Files\asetewemo.reg
    c:\documents and settings\All Users\Application Data\pamexime.sys
    c:\documents and settings\All Users\Application Data\ximeguk.com
    c:\documents and settings\All Users\Application Data\doha.bat
    c:\documents and settings\All Users\Application Data\hygefyrec.dll
    c:\documents and settings\Jiquori Roberson\Application Data\ceqejus.pif
    c:\documents and settings\All Users\Application Data\rojaz.dll
    c:\documents and settings\Jiquori Roberson\Application Data\hobyve.com
    c:\documents and settings\Jiquori Roberson\Application Data\usyse.bin
    c:\documents and settings\Jiquori Roberson\Application Data\tovyfe.reg
    c:\documents and settings\All Users\Application Data\volef.sys
    c:\program files\Common Files\tyqedete.pif
    c:\documents and settings\All Users\Application Data\tipitudod.reg
    c:\program files\Common Files\qynilubo.dll
    c:\documents and settings\All Users\Application Data\izikadelo.sys
    c:\program files\Common Files\ucocakow.reg
    c:\program files\Common Files\ihevav.dl
    c:\documents and settings\All Users\Application Data\amoged.scr
    DirLook::
    c:\program files\Dl_cats


  2. Save this as CFScript.txt
    (image: CFScript_small.gif, showing CFScript.txt being dragged onto ComboFix.exe)
  3. Referring to the picture above, drag CFScript.txt into ComboFix.exe
  4. When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
    Note:
    Do not mouse click combofix's window whilst it's running. That may cause it to stall
  5. Additionally, ComboFix will generate a zipped file on your desktop called Submit [Date Time].zip
    Please submit this file via the html page that should popup after running ComboFix.
    Please include a link to this topic in the message.

Step #2

Please navigate to McAfee.

Then kindly follow all listed steps.

Make sure you save a log file.

You can do this by clicking:

  • the File menu and select Save report to file

Make sure you name it in a manner that is easy for you to remember.

Then save it to a place that will also be easy for you to remember (ie. desktop).

Then select the complete contents of that file and post it in your next reply, along with any other logs that may have been requested to be posted.

Thanks!

Step #3

Please go to Eset Onlinescan (NOD32)

(You need to use Internet Explorer or enable IEView in Firefox)

  • You will then see the Terms of Use, tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
    • Click into the text area, right-click and choose "select all" (or use ctrl+a)
    • Right-click again and choose "copy" (or ctrl+c)
    • Close Notepad

    • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.

Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

Step #4

Please post back with the combofix, stinger and nod32 onlinescanner log. Thanks!

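Added example, not part of the thread and not code from ComboFix or Malwarebytes: a Python triage script that automates the two judgment calls the helper made by hand in the reply above. First it picks the dropped files out of a ComboFix file listing (small files with the pronounceable-gibberish names seen in the log, written in bursts to Application Data, Common Files and system32) and emits the Collect:: section of a CFScript; second it flags the Reg Loading Points values that switch protection off (Security Center notifications and monitoring, Windows Firewall). The name heuristic, the 100 KB size cutoff, and the sample inputs (lines copied from the log above, plus a few benign lines and a trimmed registry dump, all constructed for the example) are assumptions for illustration, not a detection rule with any vetted false-positive rate.

```python
"""Triage helper for a ComboFix-style file listing and Reg Loading Points dump.

Listing lines look like:
    2008-08-27 15:01 17,367 ----a-w c:\\...\\Application Data\\ozibydi.sys
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the ComboFix log in this thread,
# plus three benign lines (wklnhst.dat, mrxsmb.sys, msxml4.dll) and one
# directory entry so the filter has something to leave alone.
SAMPLE_LISTING = r"""
2008-11-29 07:10 94,772 ------w c:\windows\SYSTEM32\dinizuha.dll
2008-11-01 17:14 1,170 -c--a-w c:\documents and settings\Jiquori Roberson\Application Data\wklnhst.dat
2008-10-30 11:17 --------- d-----w c:\program files\SUPERAntiSpyware
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-09-30 21:43 1,286,152 ----a-w c:\windows\SYSTEM32\msxml4.dll
2008-08-27 15:01 17,367 ----a-w c:\documents and settings\Jiquori Roberson\Application Data\ozibydi.sys
2008-08-27 15:01 16,500 ----a-w c:\program files\Common Files\laxifif._dl
2008-08-27 15:01 11,366 ----a-w c:\program files\Common Files\olagym.scr
2008-08-27 14:40 17,323 ----a-w c:\documents and settings\All Users\Application Data\dufokymaju.pif
2008-08-27 14:40 12,088 ----a-w c:\documents and settings\All Users\Application Data\bevewanuji.exe
2008-08-27 00:31 17,672 ----a-w c:\documents and settings\All Users\Application Data\doha.bat
2008-08-26 19:36 16,879 ----a-w c:\program files\Common Files\ihevav.dl
"""

# Constructed sample: a trimmed copy of the Reg Loading Points section above.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# date, time, size (or dashes for a directory), attribute string, path
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2})\s+([\d,]+|-+)\s+(\S+)\s+(.+)$")
VOWELS = set("aeiouy")
MAX_SIZE = 100_000  # assumption: every dropped file in the log is well under 100 KB


def looks_generated(stem):
    """Heuristic (assumption) for the generated names seen above, e.g. 'dinizuha',
    'dufokymaju': all lowercase letters, 4-12 chars, roughly half vowels,
    and no run of three consonants. Real names like 'wklnhst' or 'msxml4' fail it."""
    if not (4 <= len(stem) <= 12 and stem.isalpha() and stem.islower()):
        return False
    ratio = sum(c in VOWELS for c in stem) / len(stem)
    if not 0.35 <= ratio <= 0.65:
        return False
    return re.search(r"[^aeiouy]{3}", stem) is None


def parse_listing(text):
    """Yield (date, time, size_bytes_or_None, attrs, path) for each parsable line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        date, time, size, attrs, path = m.groups()
        size_bytes = None if size.startswith("-") else int(size.replace(",", ""))
        yield date, time, size_bytes, attrs, path


def find_dropped_files(text):
    """Group suspicious small files by the minute they were written, so a burst
    of several drops at the same timestamp stands out: {"YYYY-MM-DD HH:MM": [paths]}."""
    bursts = defaultdict(list)
    for date, time, size, attrs, path in parse_listing(text):
        if attrs.startswith("d") or size is None or size > MAX_SIZE:
            continue
        name = path.rsplit("\\", 1)[-1]
        stem = name.split(".", 1)[0]  # 'laxifif._dl' -> 'laxifif'
        if looks_generated(stem):
            bursts[f"{date} {time}"].append(path)
    return dict(bursts)


def cfscript_collect(text):
    """Render the Collect:: section of a CFScript, newest burst first, one path per line."""
    bursts = find_dropped_files(text)
    paths = [p for key in sorted(bursts, reverse=True) for p in bursts[key]]
    return "Collect::\n" + "\n".join(paths) + "\n"


# Registry values, exactly as ComboFix prints them, that mean the machine was
# told to stop warning about or enforcing its own protection.
DISABLED_PROTECTION = {
    '"AntiVirusDisableNotify"=dword:00000001': "Security Center antivirus alerts silenced",
    '"UpdatesDisableNotify"=dword:00000001': "Security Center update alerts silenced",
    '"DisableMonitoring"=dword:00000001': "Security Center product monitoring switched off",
    '"EnableFirewall"= 0 (0x0)': "Windows Firewall disabled for the standard profile",
}


def disabled_protections(reg_text):
    """Return a description for every protection-off value found in the dump."""
    return [DISABLED_PROTECTION[line.strip()]
            for line in reg_text.splitlines()
            if line.strip() in DISABLED_PROTECTION]


if __name__ == "__main__":
    print(cfscript_collect(SAMPLE_LISTING))
    for finding in disabled_protections(SAMPLE_REG):
        print("WARNING:", finding)
```

The burst grouping is the part worth keeping even if you replace the name heuristic: in the log above the drops land in four one-minute windows on 2008-08-27, and a cluster of unrelated-looking files sharing a creation minute is far stronger evidence than any one odd filename. The protection check is deliberately an exact-line match against ComboFix's own rendering, so it will miss a value it has never seen rather than guess.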

This topic is now closed to further replies.