PDA

View Full Version : Virtumonde (Cont.)


natediz
2008-06-05, 06:18
Hi, my last topic (http://forums.spybot.info/showthread.php?p=195345#post195345) was closed down. Sorry about that, it took a little longer then I had expected to get a USB drive and transfer ComboFix.

However, I have done so, and have both ComboFix log and HJT log below.

ComboFix 08-06-04.1 - Owner 2008-06-04 19:20:55.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.128 [GMT -7:00]
Running from: E:\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\UVJFEKUQ\www.broadcaster.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\UVJFEKUQ\www.broadcaster.com\played_list.sol
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\UVJFEKUQ\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\WINDOWS\BM6368eadf.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\AbKQqBeg.ini
C:\WINDOWS\system32\AbKQqBeg.ini2
C:\WINDOWS\system32\ajlfauno.ini
C:\WINDOWS\system32\anlubvjg.dll
C:\WINDOWS\system32\bigqhjyr.ini
C:\WINDOWS\system32\cvvyihnn.dll
C:\WINDOWS\system32\elyfxiyo.ini
C:\WINDOWS\system32\exaxtfli.ini
C:\WINDOWS\system32\fjpbyenn.dll
C:\WINDOWS\system32\fmauxamr.ini
C:\WINDOWS\system32\gcjvqbwn.dll
C:\WINDOWS\system32\hgGXOHXP.dll
C:\WINDOWS\system32\ilftxaxe.dll
C:\WINDOWS\system32\jogbmwqo.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ocskiyss.ini
C:\WINDOWS\system32\onuaflja.dll
C:\WINDOWS\system32\oqwmbgoj.ini
C:\WINDOWS\system32\osxqmsbt.dll
C:\WINDOWS\system32\PXHOXGgh.ini
C:\WINDOWS\system32\PXHOXGgh.ini2
C:\WINDOWS\system32\rmaxuamf.dll
C:\WINDOWS\system32\rutuwyay.ini
C:\WINDOWS\system32\rutuwyay.ini2
C:\WINDOWS\system32\ryjhqgib.dll
C:\WINDOWS\system32\txjrhqgq.dll
C:\WINDOWS\system32\yfhogyox.ini
C:\WINDOWS\system32\YIRtAJlm.ini
C:\WINDOWS\system32\YIRtAJlm.ini2

.
((((((((((((((((((((((((( Files Created from 2008-05-05 to 2008-06-05 )))))))))))))))))))))))))))))))
.

2008-06-01 15:11 . 2008-06-04 19:52 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-01 15:11 . 2008-06-01 15:11 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-25 20:07 . 2008-05-25 20:07 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-23 18:53 . 2002-07-07 15:14 1,294,336 --a------ C:\WINDOWS\system32\vorbis.acm
2008-05-23 18:51 . 2008-05-23 18:51 <DIR> d-------- C:\Program Files\Image-Line
2008-05-23 17:28 . 2008-05-23 17:28 22 --a------ C:\WINDOWS\system32\ati64hl2.stb
2008-05-22 23:04 . 2008-05-25 19:10 269 --a------ C:\WINDOWS\wininit.ini
2008-05-21 22:09 . 2008-05-21 22:09 56,320 --a------ C:\WINDOWS\system32\cbXOGArS.dll
2008-05-16 19:00 . 2008-05-17 21:17 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-05-10 18:48 . 2008-05-10 18:48 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Propellerhead Software
2008-05-10 18:48 . 2008-05-10 18:48 368,640 --a------ C:\WINDOWS\system32\ReWire.dll
2008-05-10 18:48 . 2008-05-10 18:48 233,472 --a------ C:\WINDOWS\system32\REX Shared Library.dll
2008-05-10 18:47 . 2008-05-10 18:48 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Propellerhead Software
2008-05-10 18:45 . 2008-05-10 18:45 <DIR> d-------- C:\Program Files\Propellerhead

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-05 02:52 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-05-30 04:38 2,803,200 ----a-w C:\WINDOWS\Internet Logs\xDB13.tmp
2008-05-30 04:38 1,585,664 ----a-w C:\WINDOWS\Internet Logs\xDB11.tmp
2008-05-24 01:53 --------- d-----w C:\Program Files\Vstplugins
2008-05-23 06:18 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-05-23 06:04 1,577,984 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-05-23 04:34 --------- d-----w C:\Program Files\uTorrent
2008-05-12 07:19 --------- d-----r C:\Program Files\Tunes
2008-05-11 21:50 3,128,832 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-05-11 19:24 1,536,512 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-07 22:34 673,260 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2006-03-20 22:37 5,689,344 ----a-w C:\Program Files\mplayerc.exe
2004-02-04 03:44 4,725,317 ----a-r C:\Program Files\Oreilly.Security.Warrior.eBook-DDU.chm
2006-05-03 09:06 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47 31,232 --sha-r C:\WINDOWS\system32\msfDX.dll
.

------- Sigcheck -------

2007-02-22 10:33 502272 6e8ca4fcb30282f216f5db9dd58a5f81 C:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6899F47D-E21A-40EC-980A-F3494F6E1022}]
C:\WINDOWS\system32\mlJAtRIY.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{96C44D7E-4863-477A-B22F-AEA36178425A}]
C:\WINDOWS\system32\yaywutur.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E23136A1-1AC4-4D1B-926F-5D537CFFF359}]
2008-05-21 22:09 56320 --a------ C:\WINDOWS\system32\cbXOGArS.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E9937555-35DA-4D84-A3DB-034BE08A6278}]
C:\WINDOWS\system32\geBqQKbA.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DrvMon.exe"="C:\WINDOWS\system32\DrvMon.exe" [2006-06-14 21:11 53248]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-02-22 10:34 917504]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-05-04 11:59 794624]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\bcmntray" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 04:23 75520]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-06-16 17:47 1831424]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-02-12 21:05 339968]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"iPodVideoConverter_upgrade"="C:\Program Files\E-Zsoft\iPodVideoConverter\iPodVideoConverter.exe" [2007-11-29 00:35 463872]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Desktop Manager.lnk - C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe [2006-08-27 11:38:50 1114217]
Monitor Apache Servers.lnk - C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe [2007-01-09 23:20:44 41041]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{E23136A1-1AC4-4D1B-926F-5D537CFFF359}"= C:\WINDOWS\system32\cbXOGArS.dll [2008-05-21 22:09 56320]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXOGArS]
cbXOGArS.dll 2008-05-21 22:09 56320 C:\WINDOWS\system32\cbXOGArS.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"vidc.yv12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Documents and Settings\\Owner\\Desktop\\utorrent.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Apache Software Foundation\\Apache2.2\\bin\\httpd.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=


.
Contents of the 'Scheduled Tasks' folder
"2008-05-25 02:35:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-04 19:52:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\cbXOGArS.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\WINDOWS\system32\bcmntray.EXE
C:\Program Files\HPQ\Shared\hpqwmi.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-06-04 20:01:11 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-05 02:59:25

Pre-Run: 17,924,784,128 bytes free
Post-Run: 17,895,288,832 bytes free

187 --- E O F --- 2008-05-17 18:03:05

=
==
=

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:11:44 PM, on 6/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\bcmntray.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\DrvMon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
C:\Program Files\HPQ\Shared\hpqwmi.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\bcmntray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [iPodVideoConverter_upgrade] "C:\Program Files\E-Zsoft\iPodVideoConverter\iPodVideoConverter.exe" /upgrade
O4 - HKLM\..\Run: [BM6368eadf] Rundll32.exe "C:\WINDOWS\system32\lycsknpf.dll",s
O4 - HKLM\..\Run: [605bd943] rundll32.exe "C:\WINDOWS\system32\oaubyuvm.dll",b
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\system32\DrvMon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F284F2C9-C202-4B5E-AFD9-8C100B31C64E}: NameServer = 64.59.144.16,64.59.144.17
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 6533 bytes
Blade81
2008-06-06, 21:06
Hi


Start hjt, do a system scan, check:
O4 - HKLM\..\Run: Rundll32.exe "C:\WINDOWS\system32\lycsknpf.dll",s
O4 - HKLM\..\Run: [605bd943] rundll32.exe "C:\WINDOWS\system32\oaubyuvm.dll",b

Close browsers and other windows. Click fix checked.

Open notepad and copy/paste the text in the quotebox below into it:



File::
C:\WINDOWS\system32\cbXOGArS.dll
C:\WINDOWS\system32\lycsknpf.dll
C:\WINDOWS\system32\oaubyuvm.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6899F47D-E21A-40EC-980A-F3494F6E1022}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{96C44D7E-4863-477A-B22F-AEA36178425A}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E23136A1-1AC4-4D1B-926F-5D537CFFF359}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E9937555-35DA-4D84-A3DB-034BE08A6278}]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{E23136A1-1AC4-4D1B-926F-5D537CFFF359}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXOGArS]



Save this as
CFScript


http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) (use Internet Explorer). You will be prompted to install an ActiveX component from Kaspersky, click Yes.
The program will launch and start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click [B]Next.
Now click on Scan Settings and select the following:
Scan using the following Anti-Virus database:
Extended (If available, otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK.
Under
select a target to scan
, select My Computer.
The scan will take a while so be patient and let it run. As it scans your machine very deeply it could take hours to complete, Kaspersky suggests running it during a time of low activity.Once the scan is complete:
Click on the Save as Text button.
Save the file to your desktop.
Copy and paste that information into your next post if the AV content will fit into one post only. Post a fresh hjt log (without forgetting above meantioned ComboFix resultant log) too.


Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.

If having a problme doing the above

Make sure that your Internet security settings are set to default values.

To set default security settings for Internet Explorer:

* Open Internet Explorer.
* Go to the Tools menu, then choose Internet Options.
* Click on the Security tab.
* Make sure that all four item (Internet, Local intranet, Trusted sites, and Restricted sites) are set to their default settings.
natediz
2008-06-08, 07:30
Hey,

My computer's internet is no longer working so I cannot download anything atm, I will use the computer I am currently on to download the files as soon I get permission, then transfer them to my computer. In the mean time I will get the new log.

If I take longer then five days to respond throughout this fix it's because I am having troubles with my computer, it is badly infected. Last time ComboFix wouldn't download, this time the internet isn't working; sometimes it can hardly even function.

I will repost as soon as I finish what you've told me to do. Thanks for your patience.
Blade81
2008-06-08, 12:52
Ok. Thanks for the heads up.