Infected with yileduyu virus> PLEASE HELP



rasten
2009-10-11, 17:53
I need help. Here is my ComboFix log. Let me know what else I need to do, please.

ComboFix 09-10-10.02 - Gary 10/11/2009 9:24.2.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.254.88 [GMT -5:00]
Running from: c:\documents and settings\Gary\My Documents\Downloads\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2009-09-11 to 2009-10-11 )))))))))))))))))))))))))))))))
.

2009-10-11 03:17 . 2009-10-11 03:17 -------- d-----w- c:\documents and settings\T\Application Data\IObit
2009-10-11 03:02 . 2009-10-11 03:02 -------- d-----w- c:\documents and settings\T\Application Data\Office Genuine Advantage
2009-10-11 01:45 . 2009-10-11 01:45 -------- d-----w- c:\program files\CA Yahoo! Anti-Spy
2009-10-09 16:13 . 2009-10-09 16:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-10-09 16:13 . 2009-10-09 16:13 -------- d-----w- c:\documents and settings\Gary\Application Data\Office Genuine Advantage
2009-10-08 16:58 . 2009-10-08 16:59 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2009-10-08 14:44 . 2009-10-08 14:44 -------- d-----w- c:\documents and settings\Gary\Application Data\IObit
2009-10-08 14:43 . 2009-10-08 14:43 -------- d-----w- c:\program files\IObit
2009-10-08 14:05 . 2009-10-08 14:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-08 13:04 . 2009-10-08 13:04 -------- d-----w- c:\windows\system32\wbem\Repository
2009-10-07 13:24 . 2009-10-07 13:24 -------- d-----w- C:\FOUND.000
2009-10-07 13:20 . 2009-10-07 13:20 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-10-07 13:02 . 2009-10-07 13:02 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-10-06 17:48 . 2009-10-06 17:48 -------- d-----w- c:\documents and settings\Gary\Local Settings\Application Data\Temp
2009-10-05 10:41 . 2009-10-05 10:41 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2009-10-05 10:41 . 2009-10-05 10:41 -------- d-----w- c:\program files\McAfee Security Scan
2009-09-12 01:26 . 2009-09-12 01:26 354744 ----a-w- c:\documents and settings\T\Application Data\SanDisk\Sansa Updater\SansaUpdaterInstall.exe
2009-09-12 01:26 . 2009-09-12 01:26 79872 ----a-w- c:\documents and settings\T\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
2009-09-12 01:26 . 2009-09-12 01:26 548792 ----a-w- c:\documents and settings\T\Application Data\SanDisk\Sansa Updater\SansaUpdater.exe
2009-09-12 01:25 . 2009-09-12 01:25 -------- d-----w- c:\documents and settings\T\Application Data\SanDisk
2009-09-12 01:20 . 2005-05-26 20:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2009-09-12 01:18 . 2008-10-14 17:01 14608 ----a-w- c:\windows\system32\iviaspi.sys
2009-09-12 01:17 . 2009-09-12 01:17 -------- d-----w- c:\program files\SanDisk

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-11 01:41 . 2008-12-20 01:10 256 ----a-w- c:\documents and settings\T\pool.bin
2009-09-20 23:17 . 2009-09-01 23:57 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-12 22:39 . 2006-03-01 23:50 38992 ----a-w- c:\documents and settings\Gary\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-10 23:33 . 2009-09-10 23:33 262144 ----a-w- C:\ntuser.dat
2009-09-01 23:43 . 2004-01-01 14:49 38992 ----a-w- c:\documents and settings\T\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-01 23:37 . 2009-09-01 23:37 -------- d-----w- c:\program files\NetLibrary
2009-09-01 23:24 . 2009-09-01 23:24 -------- d-----w- c:\program files\Windows Media Connect 2
2009-08-29 02:10 . 2009-01-04 17:39 256 ----a-w- c:\windows\system32\pool.bin
2009-08-22 08:20 . 2009-08-22 08:20 -------- d-----w- c:\program files\MSBuild
2009-08-22 08:20 . 2009-08-22 08:20 -------- d-----w- c:\program files\Reference Assemblies
2009-08-07 00:24 . 2004-08-16 11:22 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 00:24 . 2004-08-16 11:22 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 00:24 . 2005-05-26 09:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 00:24 . 2004-08-16 11:22 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 00:24 . 2003-01-22 22:02 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-07 00:24 . 2003-01-22 21:55 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 00:23 . 2004-08-16 11:22 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 00:23 . 2006-09-14 18:05 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 00:23 . 2005-05-26 09:19 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-07 00:23 . 2003-01-22 22:02 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2003-08-12 11:42 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 20:07 . 2009-08-03 20:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 20:07 . 2009-08-03 20:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 20:07 . 2009-08-03 20:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-07-17 19:01 . 2003-01-22 21:55 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-16 01:22 . 2009-07-16 01:22 49152 ----a-r- c:\documents and settings\T\Application Data\Microsoft\Installer\{FCC07EEA-FA18-4A21-9105-9666603C6885}\IconFCC07EEA1.exe
2009-07-16 01:22 . 2009-07-16 01:22 49152 ----a-r- c:\documents and settings\T\Application Data\Microsoft\Installer\{FCC07EEA-FA18-4A21-9105-9666603C6885}\IconFCC07EEA.exe
2009-07-14 04:43 . 2004-09-22 23:46 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2004-07-27 00:31 . 2004-07-24 21:33 25456 ----a-w- c:\program files\adupdmanager.xml
2009-07-07 09:33 . 2009-07-07 09:33 53248 --sha-w- c:\windows\system32\yunuvofu.dll
2009-07-08 23:07 . 2009-07-08 23:07 51712 --sha-w- c:\windows\system32\guvebosa.dll
2009-07-08 23:09 . 2009-07-08 23:09 51712 --sha-w- c:\windows\system32\waseyibe.dll
2009-07-07 09:33 . 2009-07-07 09:33 53248 --sha-w- c:\windows\system32\heyehita.dll.tmp
2009-07-07 09:33 . 2009-07-07 09:33 53248 --sha-w- c:\windows\system32\yunuvofu.dll.tmp
2009-07-08 10:40 . 2009-07-08 10:40 88576 --sha-w- c:\windows\system32\duzileru(2).dll
2009-07-07 22:40 . 2009-07-07 22:40 88576 --sha-w- c:\windows\system32\lugapeda(2).dll
2009-07-07 21:40 . 2009-07-07 21:40 51200 --sha-w- c:\windows\system32\jegehude(2).dll
2009-07-07 21:40 . 2009-07-07 21:40 51200 --sha-w- c:\windows\system32\dotewawa(2).dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-07 39408]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2009-09-29 1241872]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"YBrowser"="c:\progra~1\YAHOO!\browser\ybrwicon.exe" [2006-07-21 129536]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 228088]
"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 442455]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-04-09 1176808]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-05-01 645328]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2003-01-23 684032]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AT&T Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe [2007-8-17 217088]
McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-27 199184]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-5-10 282624]
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2007-5-2 1283608]
Auto Detect.lnk - c:\program files\iConcepts Music Express\MEAutoDetect.exe [2008-6-8 270336]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\PROGRA~1\\YAHOO!\\MESSEN~1\\yserver.exe"=
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Roxio\\Media Manager 9\\MediaManager9.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\WINDOWS\\System32\\WBEM\\unsecapp.exe"=
"c:\\Program Files\\McAfee\\MSC\\MCUPDMGR.EXE"=
"c:\\Program Files\\McAfee\\VirusScan\\mcvsshld.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [7/15/2009 8:49 PM 203280]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [9/27/2008 11:09 PM 24652]
S2 gupdate1ca474e5efabce0;Google Update Service (gupdate1ca474e5efabce0);c:\program files\Google\Update\GoogleUpdate.exe [10/7/2009 8:01 AM 133104]
S2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [10/8/2009 11:58 AM 309008]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\c3bd4587-e7aa-46f8-a70a-59ef3d4158df]
c:\windows\System32\cmsdr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder

2009-10-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 18:42]

2009-10-11 c:\windows\Tasks\User_Feed_Synchronization-{7783813C-2EF6-497B-BDF5-EABC1DBCBE09}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]

2009-10-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-07-16 13:57]

2009-09-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-07-16 13:57]

2009-10-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-07 13:01]

2009-10-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-07 13:01]

2009-10-11 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&fr=yie7c
mWindow Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Connection Wizard,ShellNext = iexplore
IE: &Search - ?p=ZKxdm011YYUS
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Gary\Application Data\Mozilla\Firefox\Profiles\usotmm89.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 1000000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 1000000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 1000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.
- - - - ORPHANS REMOVED - - - -

BHO-{5b75a89d-6e58-4c8c-a385-2544c840f5e2} - heyehita.dll
HKLM-Run-sufoseriw - c:\windows\system32\yileduyu.dll
SharedTaskScheduler-{daa83640-7798-48e8-93a6-8d00ed76c049} - (no file)
SSODL-lenijasar-{daa83640-7798-48e8-93a6-8d00ed76c049} - (no file)
AddRemove-demo - c:\goofy golf deluxe demo\unstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-11 09:34
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3824)
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Bonjour\mdnsNSP.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\Ink\SKCHUI.DLL

- - - - - - - > 'explorer.exe'(1108)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-10-11 9:39
ComboFix-quarantined-files.txt 2009-10-11 14:39

Pre-Run: 356,311,040 bytes free
Post-Run: 401,047,552 bytes free

254 --- E O F --- 2009-10-09 01:49

shelf life
2009-10-16, 00:35
Hi rasten,

Your log is several days old. If you still need help, reply to my post.