Antivirus Plus



chrisbattista03
2010-01-18, 02:01
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:20:34 PM, on 1/17/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mygiantssearch.swagbucks.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [dududodin] Rundll32.exe "c:\docume~1\alluse~1\applic~1\fafaropu\fafaropu.dll",a
O4 - HKCU\..\Run: [D9Q071WKGS] C:\DOCUME~1\Guest\LOCALS~1\Temp\b.exe
O4 - HKCU\..\Run: [YNO00BFRKM] C:\DOCUME~1\Guest\LOCALS~1\Temp\c.exe
O4 - HKCU\..\Run: [AntiVirus Plus] "C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\Guest\Application Data\AntiVirus Plus\AntiVirus Plus.70700.dll", start 70700
O4 - HKCU\..\Run: [klrvjyxm] C:\Documents and Settings\Guest\Local Settings\Application Data\qxlcky\nlicsysguard.exe
O4 - HKUS\S-1-5-21-73586283-1592454029-839522115-501\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-73586283-1592454029-839522115-501\..\Run: [dududodin] Rundll32.exe "c:\docume~1\alluse~1\applic~1\fafaropu\fafaropu.dll",a (User '?')
O4 - HKUS\S-1-5-21-73586283-1592454029-839522115-501\..\Run: [D9Q071WKGS] C:\DOCUME~1\Guest\LOCALS~1\Temp\b.exe (User '?')
O4 - HKUS\S-1-5-21-73586283-1592454029-839522115-501\..\Run: [YNO00BFRKM] C:\DOCUME~1\Guest\LOCALS~1\Temp\c.exe (User '?')
O4 - HKUS\S-1-5-21-73586283-1592454029-839522115-501\..\Run: [AntiVirus Plus] "C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\Guest\Application Data\AntiVirus Plus\AntiVirus Plus.70700.dll", start 70700 (User '?')
O4 - HKUS\S-1-5-21-73586283-1592454029-839522115-501\..\Run: [klrvjyxm] C:\Documents and Settings\Guest\Local Settings\Application Data\qxlcky\nlicsysguard.exe (User '?')
O4 - S-1-5-21-73586283-1592454029-839522115-501 Startup: AntiVirus Plus.lnk = C:\WINDOWS\system32\rundll32.exe (User '?')
O4 - S-1-5-21-73586283-1592454029-839522115-501 Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe (User '?')
O4 - Startup: AntiVirus Plus.lnk = C:\WINDOWS\system32\rundll32.exe
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe

--
End of file - 4493 bytes

ken545
2010-01-21, 00:15
Hello

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Please download RootRepeal from one of these locations and save it to your desktop
Here (http://ad13.geekstogo.com/RootRepeal.exe)
Here (http://download.bleepingcomputer.com/rootrepeal/RootRepeal.exe)
Here (http://rootrepeal.psikotick.com/RootRepeal.exe)

Open the RootRepeal icon (http://billy-oneal.com/forums/rootRepeal/rootRepealDesktopIcon.png) on your desktop.
Click the Report tab (http://billy-oneal.com/forums/rootRepeal/reportTab.png).
Click the Scan button (http://billy-oneal.com/forums/rootRepeal/btnScan.png).
Check just these boxes:
http://forums.whatthetech.com/uploads/monthly_08_2009/post-75503-1250480183.gif
Push Ok.
Check the box for your main system drive (usually C:), and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the Save Report button (http://billy-oneal.com/forums/rootRepeal/saveReport.png). Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your post.

chrisbattista03
2010-01-21, 04:08
Attempting to run this file on the guest account (the only account that seems to be infected) I get an "extraction error (5)", so I ran it from an administrator account I created earlier.

The process went as you advised except I was NOT prompted to choose a drive; the scan ran automatically and quickly. The following report popped up in Notepad automatically:

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/01/20 22:03
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA9BF3000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBADE4000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA9798000 Size: 49152 File Visible: No Signed: -
Status: -

==EOF==

ken545
2010-01-21, 10:34
Good Morning,

Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button. Your system may start up slower after running ATF Cleaner; this is expected but will be back to normal after the first or second boot up.
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized your password and other personal information, as removing cookies will temporarily disable the auto-login facility.

Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://forums.whatthetech.com/post_a4255_MBAM.PNG
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report and also a new HJT log, please.

chrisbattista03
2010-01-22, 03:12
MBAM ran successfully from the "guest" (infected) account.

Malwarebytes' Anti-Malware 1.44
Database version: 3611
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

1/21/2010 9:09:45 PM
mbam-log-2010-01-21 (21-09-45).txt

Scan type: Quick Scan
Objects scanned: 92665
Time elapsed: 2 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\D9Q071WKGS (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AppDataLow\HavingFunOnline (Adware.BHO.FL) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\YNO00BFRKM (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d9q071wkgs (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antivirus plus (Rogue.AntivirusPlus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\klrvjyxm (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yno00bfrkm (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Guest\Start Menu\Programs\AntiVirus Plus (Rogue.AntiVirusPlus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\AntiVirus Plus (Rogue.AntiVirusPlus) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Guest\Start Menu\Programs\AntiVirus Plus\AntiVirus Plus.lnk (Rogue.AntiVirusPlus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Start Menu\Programs\AntiVirus Plus\EULA.url (Rogue.AntiVirusPlus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\AntiVirus Plus\AntiVirus Plus.70700.dll (Rogue.AntiVirusPlus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\avp.ico (Rogue.AntiVirusPlus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Microsoft\Internet Explorer\Quick Launch\AntiVirus Plus.lnk (Rogue.AntiVirusPlus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Start Menu\Programs\Startup\AntiVirus Plus.lnk (Rogue.AntiVirusPlus) -> Quarantined and deleted successfully.

chrisbattista03
2010-01-22, 03:23
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:22:14 PM, on 1/21/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mygiantssearch.swagbucks.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [dududodin] Rundll32.exe "c:\docume~1\alluse~1\applic~1\fafaropu\fafaropu.dll",a
O4 - HKUS\S-1-5-21-73586283-1592454029-839522115-501\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-73586283-1592454029-839522115-501\..\Run: [dududodin] Rundll32.exe "c:\docume~1\alluse~1\applic~1\fafaropu\fafaropu.dll",a (User '?')
O4 - S-1-5-21-73586283-1592454029-839522115-501 Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe (User '?')
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe

--
End of file - 3344 bytes

ken545
2010-01-22, 04:21
There is most likely more to remove.

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instructions on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a new HijackThis log.

*If there is no internet connection when ComboFix has completely finished, then restart your computer to restore the connections.

chrisbattista03
2010-01-22, 05:59
I attempted to run ComboFix from the guest account. I got an error message "were you trying to run CFScript? the name CFScript appears to be incorrectly spelt."
I successfully ran CF from the admin account I created earlier. Here is the CF log:

ComboFix 10-01-21.02 - Fixxer 01/21/2010 23:39:18.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1646 [GMT -5:00]
Running from: c:\documents and settings\Guest\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Guest\Local Settings\Application Data\qxlcky
c:\documents and settings\Guest\Local Settings\Application Data\qxlcky\nlicsysguard.exe
c:\recycler\S-1-5-21-1292428093-842925246-725345543-1005
c:\recycler\S-1-5-21-796845957-1677128483-725345543-1003

.
((((((((((((((((((((((((( Files Created from 2009-12-22 to 2010-01-22 )))))))))))))))))))))))))))))))
.

2010-01-22 01:41 . 2010-01-22 01:41 -------- d-----w- c:\documents and settings\Guest\Application Data\Malwarebytes
2010-01-22 01:40 . 2010-01-22 01:40 -------- d-----w- c:\documents and settings\Fixxer\Application Data\Malwarebytes
2010-01-22 01:40 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-22 01:40 . 2010-01-22 01:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-22 01:40 . 2010-01-22 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-22 01:40 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-18 00:08 . 2010-01-18 00:08 -------- d-----w- c:\documents and settings\Fixxer\Local Settings\Application Data\Mozilla
2010-01-17 23:54 . 2010-01-17 23:54 -------- d-----w- c:\program files\Trend Micro
2010-01-14 23:40 . 2010-01-14 23:40 -------- d-----w- c:\windows\system32\MpEngineStore
2010-01-13 14:34 . 2010-01-22 04:33 -------- d-----w- c:\documents and settings\All Users\Application Data\fafaropu
2010-01-13 14:34 . 2010-01-13 14:34 -------- d-----w- c:\documents and settings\All Users\Application Data\weziyolo
2010-01-13 01:01 . 2010-01-13 01:01 -------- d-----w- c:\documents and settings\All Users\Application Data\tapubanu
2010-01-13 01:01 . 2010-01-13 01:01 -------- d-----w- c:\documents and settings\All Users\Application Data\mesekaho
2010-01-12 13:01 . 2010-01-12 13:01 -------- d-----w- c:\documents and settings\All Users\Application Data\yavayusa
2010-01-12 13:01 . 2010-01-12 13:01 -------- d-----w- c:\documents and settings\All Users\Application Data\subabala
2010-01-11 16:57 . 2010-01-11 16:57 -------- d-----w- c:\documents and settings\All Users\Application Data\rinewiyi
2010-01-11 16:57 . 2010-01-11 16:57 -------- d-----w- c:\documents and settings\All Users\Application Data\jogejase
2010-01-11 04:56 . 2010-01-11 04:56 -------- d-----w- c:\documents and settings\All Users\Application Data\linoseku
2010-01-11 04:56 . 2010-01-11 04:56 -------- d-----w- c:\documents and settings\All Users\Application Data\bubeguto
2010-01-10 15:50 . 2010-01-10 15:50 -------- d-----w- c:\documents and settings\All Users\Application Data\neremije
2010-01-10 15:50 . 2010-01-10 15:50 -------- d-----w- c:\documents and settings\All Users\Application Data\fenofaki
2010-01-10 02:53 . 2010-01-10 02:53 -------- d-----w- c:\documents and settings\All Users\Application Data\zumunegi
2010-01-10 02:53 . 2010-01-10 02:53 -------- d-----w- c:\documents and settings\All Users\Application Data\vuwilamu
2010-01-09 14:53 . 2010-01-09 14:53 -------- d-----w- c:\documents and settings\All Users\Application Data\jesonowe
2010-01-09 14:53 . 2010-01-09 14:53 -------- d-----w- c:\documents and settings\All Users\Application Data\jebufijo
2010-01-09 01:33 . 2010-01-09 01:33 -------- d-----w- c:\documents and settings\All Users\Application Data\pasaruwe
2010-01-09 01:33 . 2010-01-09 01:33 -------- d-----w- c:\documents and settings\All Users\Application Data\neduwozi
2010-01-07 22:07 . 2010-01-07 22:07 -------- d-----w- c:\documents and settings\All Users\Application Data\yesigoju
2010-01-07 22:07 . 2010-01-07 22:07 -------- d-----w- c:\documents and settings\All Users\Application Data\gatinuro
2010-01-07 00:46 . 2010-01-07 00:46 -------- d-----w- c:\documents and settings\All Users\Application Data\miyahewe
2010-01-07 00:46 . 2010-01-07 00:46 -------- d-----w- c:\documents and settings\All Users\Application Data\dikemude
2010-01-06 12:46 . 2010-01-06 12:46 -------- d-----w- c:\documents and settings\All Users\Application Data\zarorero
2010-01-06 12:46 . 2010-01-06 12:46 -------- d-----w- c:\documents and settings\All Users\Application Data\logibeja
2010-01-06 12:46 . 2010-01-06 12:46 -------- d-----w- c:\documents and settings\All Users\Application Data\hapoyuho
2010-01-05 16:19 . 2010-01-05 16:19 -------- d-----w- c:\documents and settings\All Users\Application Data\refurepo
2010-01-05 16:19 . 2010-01-05 16:19 -------- d-----w- c:\documents and settings\All Users\Application Data\nedoyita
2010-01-05 16:19 . 2010-01-05 16:19 -------- d-----w- c:\documents and settings\All Users\Application Data\kolojebe
2010-01-05 00:45 . 2010-01-05 00:45 -------- d-----w- c:\documents and settings\All Users\Application Data\ladakaku
2010-01-05 00:45 . 2010-01-05 00:45 -------- d-----w- c:\documents and settings\All Users\Application Data\folelali
2010-01-05 00:45 . 2010-01-05 00:45 -------- d-----w- c:\documents and settings\All Users\Application Data\bikusono
2010-01-03 16:30 . 2010-01-03 16:30 -------- d-----w- c:\documents and settings\All Users\Application Data\nayazika
2010-01-03 16:30 . 2010-01-03 16:30 -------- d-----w- c:\documents and settings\All Users\Application Data\hizupoye
2010-01-03 04:30 . 2010-01-03 04:30 -------- d-----w- c:\documents and settings\All Users\Application Data\yirepoje
2010-01-03 04:30 . 2010-01-03 04:30 -------- d-----w- c:\documents and settings\All Users\Application Data\hozekopo
2010-01-02 13:04 . 2010-01-02 13:04 -------- d-----w- c:\documents and settings\All Users\Application Data\wifukolu
2010-01-02 13:04 . 2010-01-02 13:04 -------- d-----w- c:\documents and settings\All Users\Application Data\vajozesi
2010-01-01 16:37 . 2010-01-01 16:37 -------- d-----w- c:\documents and settings\All Users\Application Data\kohirovu
2010-01-01 16:37 . 2010-01-01 16:37 -------- d-----w- c:\documents and settings\All Users\Application Data\degejiba
2009-12-31 21:37 . 2009-12-31 21:37 -------- d-----w- c:\documents and settings\All Users\Application Data\lolanayo
2009-12-31 21:37 . 2009-12-31 21:37 -------- d-----w- c:\documents and settings\All Users\Application Data\jobagiyu
2009-12-31 00:38 . 2009-12-31 00:38 -------- d-----w- c:\documents and settings\All Users\Application Data\suzeyiji
2009-12-31 00:38 . 2009-12-31 00:38 -------- d-----w- c:\documents and settings\All Users\Application Data\fewohite
2009-12-30 12:37 . 2009-12-30 12:37 -------- d-----w- c:\documents and settings\All Users\Application Data\mubakopu
2009-12-30 12:37 . 2009-12-30 12:37 -------- d-----w- c:\documents and settings\All Users\Application Data\guyubaha
2009-12-29 23:19 . 2009-12-29 23:19 -------- d-----w- c:\documents and settings\All Users\Application Data\junehoda
2009-12-29 23:19 . 2009-12-29 23:19 -------- d-----w- c:\documents and settings\All Users\Application Data\giveyaha
2009-12-29 02:47 . 2009-12-29 02:47 -------- d-----w- c:\documents and settings\All Users\Application Data\jukajeyi
2009-12-29 02:47 . 2009-12-29 02:47 -------- d-----w- c:\documents and settings\All Users\Application Data\guzazuwo
2009-12-28 13:13 . 2009-12-28 13:13 -------- d-----w- c:\documents and settings\All Users\Application Data\nazehogi
2009-12-28 13:13 . 2009-12-28 13:13 -------- d-----w- c:\documents and settings\All Users\Application Data\merisemo
2009-12-28 00:32 . 2009-12-28 00:32 -------- d-----w- c:\documents and settings\All Users\Application Data\verahuna
2009-12-28 00:32 . 2009-12-28 00:32 -------- d-----w- c:\documents and settings\All Users\Application Data\kupirire
2009-12-27 12:01 . 2009-12-27 12:01 -------- d-----w- c:\documents and settings\All Users\Application Data\yeyanido
2009-12-27 12:01 . 2009-12-27 12:01 -------- d-----w- c:\documents and settings\All Users\Application Data\nojepake
2009-12-27 00:01 . 2009-12-27 00:01 -------- d-----w- c:\documents and settings\All Users\Application Data\lokubaja
2009-12-27 00:01 . 2009-12-27 00:01 -------- d-----w- c:\documents and settings\All Users\Application Data\jijejamu
2009-12-26 11:51 . 2009-12-26 11:51 -------- d-----w- c:\documents and settings\All Users\Application Data\piyadayi
2009-12-26 11:51 . 2009-12-26 11:51 -------- d-----w- c:\documents and settings\All Users\Application Data\dehehoji
2009-12-25 23:50 . 2009-12-25 23:50 -------- d-----w- c:\documents and settings\All Users\Application Data\vinelewe
2009-12-25 23:50 . 2009-12-25 23:50 -------- d-----w- c:\documents and settings\All Users\Application Data\dazetaha
2009-12-24 20:06 . 2009-12-24 20:06 -------- d-----w- c:\documents and settings\All Users\Application Data\zuhuyaba
2009-12-24 20:06 . 2009-12-24 20:06 -------- d-----w- c:\documents and settings\All Users\Application Data\hijagolu
2009-12-24 20:06 . 2009-12-24 20:06 -------- d-----w- c:\documents and settings\All Users\Application Data\danipowu
2009-12-24 00:04 . 2009-12-24 00:04 -------- d-----w- c:\documents and settings\All Users\Application Data\wuzijopu
2009-12-24 00:04 . 2009-12-24 00:04 -------- d-----w- c:\documents and settings\All Users\Application Data\visoziyo
2009-12-24 00:04 . 2009-12-24 00:04 -------- d-----w- c:\documents and settings\All Users\Application Data\zodabuma
2009-12-23 10:20 . 2009-12-23 10:20 -------- d-----w- c:\documents and settings\All Users\Application Data\wonutego
2009-12-23 10:20 . 2009-12-23 10:20 -------- d-----w- c:\documents and settings\All Users\Application Data\putabiwo
2009-12-23 10:20 . 2009-12-23 10:20 -------- d-----w- c:\documents and settings\All Users\Application Data\sufojeni

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-17 23:40 . 2007-07-28 20:21 451456 ----a-w- c:\windows\system32\drivers\Dr71WU.sys
2010-01-14 23:40 . 2009-12-13 23:46 -------- d-----w- c:\documents and settings\All Users\Application Data\kiwayoro
2010-01-05 20:04 . 2009-08-14 23:06 1 ----a-w- c:\documents and settings\Guest\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-12-22 00:20 . 2008-12-07 05:51 1 ----a-w- c:\documents and settings\Heber & Dianne\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-12-20 15:36 . 2009-12-20 15:36 -------- d-----w- c:\documents and settings\All Users\Application Data\yegusaso
2009-12-20 15:36 . 2009-12-20 15:36 -------- d-----w- c:\documents and settings\All Users\Application Data\luribepo
2009-12-20 15:36 . 2009-12-20 15:36 -------- d-----w- c:\documents and settings\All Users\Application Data\jasutudo
2009-12-19 23:27 . 2009-12-19 23:27 -------- d-----w- c:\documents and settings\All Users\Application Data\yagehusi
2009-12-19 23:27 . 2009-12-19 23:27 -------- d-----w- c:\documents and settings\All Users\Application Data\wifenoho
2009-12-19 23:27 . 2009-12-19 23:27 -------- d-----w- c:\documents and settings\All Users\Application Data\mofawulo
2009-12-18 23:52 . 2009-12-18 23:52 -------- d-----w- c:\documents and settings\All Users\Application Data\tiwurufe
2009-12-18 23:52 . 2009-12-18 23:52 -------- d-----w- c:\documents and settings\All Users\Application Data\niyihifi
2009-12-18 23:52 . 2009-12-18 23:52 -------- d-----w- c:\documents and settings\All Users\Application Data\dobokehi
2009-12-15 13:16 . 2009-12-15 13:16 -------- d-----w- c:\documents and settings\All Users\Application Data\zuyijuli
2009-12-15 13:16 . 2009-12-15 13:16 -------- d-----w- c:\documents and settings\All Users\Application Data\pejejuwu
2009-12-15 13:16 . 2009-12-15 13:16 -------- d-----w- c:\documents and settings\All Users\Application Data\domohodu
2009-12-14 14:40 . 2009-12-14 14:40 -------- d-----w- c:\documents and settings\All Users\Application Data\jovulide
2009-12-14 14:40 . 2009-12-14 14:40 -------- d-----w- c:\documents and settings\All Users\Application Data\jilubeju
2009-12-14 14:40 . 2009-12-14 14:40 -------- d-----w- c:\documents and settings\All Users\Application Data\jeteroje
2009-12-13 23:46 . 2009-12-13 23:46 -------- d-----w- c:\documents and settings\All Users\Application Data\pakiyavo
2009-12-13 23:46 . 2009-12-13 23:46 -------- d-----w- c:\documents and settings\All Users\Application Data\januzeko
2009-12-13 23:46 . 2009-11-29 14:14 -------- d-----w- c:\documents and settings\All Users\Application Data\sufokiyu
2009-12-13 23:46 . 2009-11-29 14:14 -------- d-----w- c:\documents and settings\All Users\Application Data\sovetayu
2009-12-13 23:46 . 2009-11-29 14:14 -------- d-----w- c:\documents and settings\All Users\Application Data\mavasoze
2009-12-13 23:45 . 2009-12-13 23:45 -------- d-----w- c:\documents and settings\All Users\Application Data\sokogufe
2009-12-13 23:45 . 2009-12-13 23:45 -------- d-----w- c:\documents and settings\All Users\Application Data\nifayoga
2009-12-13 23:45 . 2009-12-13 23:45 -------- d-----w- c:\documents and settings\All Users\Application Data\movulohu
2009-12-13 23:45 . 2009-12-13 23:45 -------- d-----w- c:\documents and settings\All Users\Application Data\fofugapi
2009-12-05 13:59 . 2009-12-05 13:59 -------- d-----w- c:\documents and settings\All Users\Application Data\rejanote
2009-12-05 13:59 . 2009-12-05 13:59 -------- d-----w- c:\documents and settings\All Users\Application Data\loyejosu
2009-12-05 13:59 . 2009-12-05 13:59 -------- d-----w- c:\documents and settings\All Users\Application Data\hiniripa
2009-12-03 22:53 . 2009-12-03 22:53 -------- d-----w- c:\documents and settings\All Users\Application Data\kohuhoro
2009-12-03 22:53 . 2009-12-03 22:53 -------- d-----w- c:\documents and settings\All Users\Application Data\fuhaleke
2009-12-03 02:24 . 2009-12-03 02:24 -------- d-----w- c:\documents and settings\All Users\Application Data\navifaya
2009-12-03 02:24 . 2009-12-03 02:24 -------- d-----w- c:\documents and settings\All Users\Application Data\fegenope
2009-12-02 14:23 . 2009-12-02 14:23 -------- d-----w- c:\documents and settings\All Users\Application Data\piyudijo
2009-12-02 14:23 . 2009-12-02 14:23 -------- d-----w- c:\documents and settings\All Users\Application Data\monekuho
2009-12-02 02:01 . 2009-12-02 02:01 -------- d-----w- c:\documents and settings\All Users\Application Data\ladobenu
2009-12-02 02:01 . 2009-12-02 02:01 -------- d-----w- c:\documents and settings\All Users\Application Data\hurunika
2009-12-01 14:01 . 2009-12-01 14:01 -------- d-----w- c:\documents and settings\All Users\Application Data\wugitude
2009-12-01 14:01 . 2009-12-01 14:01 -------- d-----w- c:\documents and settings\All Users\Application Data\vejoroki
2009-11-30 16:11 . 2009-11-30 16:11 -------- d-----w- c:\documents and settings\All Users\Application Data\zudotumo
2009-11-30 16:11 . 2009-11-30 16:11 -------- d-----w- c:\documents and settings\All Users\Application Data\zilozama
2009-11-30 16:11 . 2009-11-30 16:11 -------- d-----w- c:\documents and settings\All Users\Application Data\susalade
2009-11-30 02:14 . 2009-11-30 02:14 -------- d-----w- c:\documents and settings\All Users\Application Data\jevaziji
2009-11-30 02:14 . 2009-11-30 02:14 -------- d-----w- c:\documents and settings\All Users\Application Data\ruginefo
2009-11-30 02:14 . 2009-11-30 02:14 -------- d-----w- c:\documents and settings\All Users\Application Data\reguligu
2009-11-29 21:12 . 2008-12-12 23:51 -------- d-----w- c:\program files\Quicken
2009-11-29 21:10 . 2009-11-29 21:10 6725632 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\181625-18178.dll
2009-11-29 21:10 . 2008-12-16 07:11 245760 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\QWPATCH.EXE
2009-11-29 14:14 . 2009-11-28 17:00 -------- d-----w- c:\documents and settings\All Users\Application Data\varofeje
2009-11-29 14:14 . 2009-11-28 17:00 -------- d-----w- c:\documents and settings\All Users\Application Data\pihuzura
2009-11-29 14:14 . 2009-11-28 17:00 -------- d-----w- c:\documents and settings\All Users\Application Data\bisevona
2009-11-29 14:14 . 2009-11-29 14:14 -------- d-----w- c:\documents and settings\All Users\Application Data\kamujibi
2009-11-29 14:14 . 2009-11-29 14:14 -------- d-----w- c:\documents and settings\All Users\Application Data\jaduguyu
2009-11-29 14:14 . 2009-11-29 14:14 -------- d-----w- c:\documents and settings\All Users\Application Data\bilayuje
2009-11-29 14:14 . 2009-11-29 14:14 -------- d-----w- c:\documents and settings\All Users\Application Data\besenije
2009-11-28 17:06 . 2009-11-28 17:06 -------- d-----w- c:\documents and settings\All Users\Application Data\wumoyuvo
2009-11-28 17:06 . 2009-11-28 17:06 -------- d-----w- c:\documents and settings\All Users\Application Data\warewabe
2009-11-21 16:36 . 2004-08-04 10:00 470528 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-10-29 07:46 . 2006-03-04 03:33 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2004-08-04 10:00 17408 ----a-w- c:\windows\system32\corpol.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

c:\documents and settings\Guest\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^Heber & Dianne^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
path=c:\documents and settings\Heber & Dianne\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-11 01:51 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 10:00 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDTray]
2004-09-03 08:58 65536 ------w- c:\program files\Ahead\ODD Toolkit\dvdtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2006-03-24 02:13 77824 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2006-03-24 02:17 118784 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2006-03-24 02:17 94208 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2007-09-17 16:56 124200 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-06-10 09:27 144784 ----a-w- c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=

S3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\drivers\A5AGU.sys [12/14/2008 7:06 PM 347648]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Fixxer\Application Data\Mozilla\Firefox\Profiles\y4ihpf58.default\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-21 23:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(652)
c:\windows\system32\igfxdev.dll
.
Completion time: 2010-01-21 23:43:13
ComboFix-quarantined-files.txt 2010-01-22 04:43

Pre-Run: 67,107,692,544 bytes free
Post-Run: 67,364,093,952 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 8420931377ADE3D574112FFD7EF78AB1

chrisbattista03
2010-01-22, 06:02
HJT log run from the guest account. I'm assuming it's better to run anything I can from the infected account.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:59:53 PM, on 1/21/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mygiantssearch.swagbucks.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [dududodin] Rundll32.exe "c:\docume~1\alluse~1\applic~1\fafaropu\fafaropu.dll",a
O4 - HKUS\S-1-5-21-73586283-1592454029-839522115-501\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-73586283-1592454029-839522115-501\..\Run: [dududodin] Rundll32.exe "c:\docume~1\alluse~1\applic~1\fafaropu\fafaropu.dll",a (User '?')
O4 - S-1-5-21-73586283-1592454029-839522115-501 Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe (User '?')
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe

--
End of file - 3118 bytes

chrisbattista03
2010-01-22, 06:03
Forgot to mention: when I logged back into the guest account, I received a message that fafaropu.dll could not be located. ComboFix pointed this file out to me before it ran.

ken545
2010-01-22, 14:42
Hi,

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before or above Folder::

Folder::
c:\documents and settings\All Users\Application Data\fafaropu
c:\documents and settings\All Users\Application Data\weziyolo
c:\documents and settings\All Users\Application Data\tapubanu
c:\documents and settings\All Users\Application Data\mesekaho
c:\documents and settings\All Users\Application Data\yavayusa
c:\documents and settings\All Users\Application Data\subabala
c:\documents and settings\All Users\Application Data\rinewiyi
c:\documents and settings\All Users\Application Data\jogejase
c:\documents and settings\All Users\Application Data\linoseku
c:\documents and settings\All Users\Application Data\bubeguto
c:\documents and settings\All Users\Application Data\neremije
c:\documents and settings\All Users\Application Data\fenofaki
c:\documents and settings\All Users\Application Data\zumunegi
c:\documents and settings\All Users\Application Data\vuwilamu
c:\documents and settings\All Users\Application Data\jesonowe
c:\documents and settings\All Users\Application Data\jebufijo
c:\documents and settings\All Users\Application Data\pasaruwe
c:\documents and settings\All Users\Application Data\neduwozi
c:\documents and settings\All Users\Application Data\yesigoju
c:\documents and settings\All Users\Application Data\gatinuro
c:\documents and settings\All Users\Application Data\miyahewe
c:\documents and settings\All Users\Application Data\dikemude
c:\documents and settings\All Users\Application Data\zarorero
c:\documents and settings\All Users\Application Data\logibeja
c:\documents and settings\All Users\Application Data\hapoyuho
c:\documents and settings\All Users\Application Data\refurepo
c:\documents and settings\All Users\Application Data\nedoyita
c:\documents and settings\All Users\Application Data\kolojebe
c:\documents and settings\All Users\Application Data\ladakaku
c:\documents and settings\All Users\Application Data\folelali
c:\documents and settings\All Users\Application Data\bikusono
c:\documents and settings\All Users\Application Data\nayazika
c:\documents and settings\All Users\Application Data\hizupoye
c:\documents and settings\All Users\Application Data\yirepoje
c:\documents and settings\All Users\Application Data\hozekopo
c:\documents and settings\All Users\Application Data\wifukolu
c:\documents and settings\All Users\Application Data\vajozesi
c:\documents and settings\All Users\Application Data\kohirovu
c:\documents and settings\All Users\Application Data\degejiba
c:\documents and settings\All Users\Application Data\lolanayo
c:\documents and settings\All Users\Application Data\jobagiyu
c:\documents and settings\All Users\Application Data\suzeyiji
c:\documents and settings\All Users\Application Data\fewohite
c:\documents and settings\All Users\Application Data\mubakopu
c:\documents and settings\All Users\Application Data\guyubaha
c:\documents and settings\All Users\Application Data\junehoda
c:\documents and settings\All Users\Application Data\giveyaha
c:\documents and settings\All Users\Application Data\jukajeyi
c:\documents and settings\All Users\Application Data\guzazuwo
c:\documents and settings\All Users\Application Data\nazehogi
c:\documents and settings\All Users\Application Data\merisemo
c:\documents and settings\All Users\Application Data\verahuna
c:\documents and settings\All Users\Application Data\kupirire
c:\documents and settings\All Users\Application Data\yeyanido
c:\documents and settings\All Users\Application Data\nojepake
c:\documents and settings\All Users\Application Data\lokubaja
c:\documents and settings\All Users\Application Data\jijejamu
c:\documents and settings\All Users\Application Data\piyadayi
c:\documents and settings\All Users\Application Data\dehehoji
c:\documents and settings\All Users\Application Data\vinelewe
c:\documents and settings\All Users\Application Data\dazetaha
c:\documents and settings\All Users\Application Data\zuhuyaba
c:\documents and settings\All Users\Application Data\hijagolu
c:\documents and settings\All Users\Application Data\danipowu
c:\documents and settings\All Users\Application Data\wuzijopu
c:\documents and settings\All Users\Application Data\visoziyo
c:\documents and settings\All Users\Application Data\zodabuma
c:\documents and settings\All Users\Application Data\wonutego
c:\documents and settings\All Users\Application Data\putabiwo
c:\documents and settings\All Users\Application Data\sufojeni
c:\documents and settings\All Users\Application Data\kiwayoro
c:\documents and settings\All Users\Application Data\yegusaso
c:\documents and settings\All Users\Application Data\luribepo
c:\documents and settings\All Users\Application Data\jasutudo
c:\documents and settings\All Users\Application Data\yagehusi
c:\documents and settings\All Users\Application Data\wifenoho
c:\documents and settings\All Users\Application Data\mofawulo
c:\documents and settings\All Users\Application Data\tiwurufe
c:\documents and settings\All Users\Application Data\niyihifi
c:\documents and settings\All Users\Application Data\dobokehi
c:\documents and settings\All Users\Application Data\zuyijuli
c:\documents and settings\All Users\Application Data\pejejuwu
c:\documents and settings\All Users\Application Data\domohodu
c:\documents and settings\All Users\Application Data\jovulide
c:\documents and settings\All Users\Application Data\jilubeju
c:\documents and settings\All Users\Application Data\jeteroje
c:\documents and settings\All Users\Application Data\pakiyavo
c:\documents and settings\All Users\Application Data\januzeko
c:\documents and settings\All Users\Application Data\sufokiyu
c:\documents and settings\All Users\Application Data\sovetayu
c:\documents and settings\All Users\Application Data\mavasoze
c:\documents and settings\All Users\Application Data\sokogufe
c:\documents and settings\All Users\Application Data\nifayoga
c:\documents and settings\All Users\Application Data\movulohu
c:\documents and settings\All Users\Application Data\fofugapi
c:\documents and settings\All Users\Application Data\rejanote
c:\documents and settings\All Users\Application Data\loyejosu
c:\documents and settings\All Users\Application Data\hiniripa
c:\documents and settings\All Users\Application Data\kohuhoro
c:\documents and settings\All Users\Application Data\fuhaleke
c:\documents and settings\All Users\Application Data\navifaya
c:\documents and settings\All Users\Application Data\fegenope
c:\documents and settings\All Users\Application Data\piyudijo
c:\documents and settings\All Users\Application Data\monekuho
c:\documents and settings\All Users\Application Data\ladobenu
c:\documents and settings\All Users\Application Data\hurunika
c:\documents and settings\All Users\Application Data\wugitude
c:\documents and settings\All Users\Application Data\vejoroki
c:\documents and settings\All Users\Application Data\zudotumo
c:\documents and settings\All Users\Application Data\zilozama
c:\documents and settings\All Users\Application Data\susalade
c:\documents and settings\All Users\Application Data\ruginefo
c:\documents and settings\All Users\Application Data\reguligu
c:\documents and settings\All Users\Application Data\varofeje
c:\documents and settings\All Users\Application Data\pihuzura
c:\documents and settings\All Users\Application Data\bisevona
c:\documents and settings\All Users\Application Data\kamujibi
c:\documents and settings\All Users\Application Data\jaduguyu
c:\documents and settings\All Users\Application Data\bilayuje
c:\documents and settings\All Users\Application Data\besenije
c:\documents and settings\All Users\Application Data\wumoyuvo
c:\documents and settings\All Users\Application Data\warewabe


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
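
The HijackThis log posted above and the Folder:: script in this reply both rest on the same pattern: dozens of eight-letter folders with alternating consonant/vowel names under All Users\Application Data, each holding a same-named DLL, one of them loaded at logon through Rundll32.exe with export "a", plus an IE proxy pointed at 127.0.0.1:5555 and Security Center's AntiVirusOverride set. The script below is an added example written for this thread; it is not code from ComboFix, HijackThis or the helper. It parses sample log lines constructed in the format of the logs above, flags those indicators, and emits the Folder:: directive in the shape the helper posted. The consonant/vowel naming heuristic is an observation from this thread's logs, not a published signature, and the sample strings are constructed test input, not a live scan.

```python
import re

# Added example for this thread: not ComboFix, HijackThis or forum code.
# Scans text in the formats posted above for the indicators visible there:
#   - 8-letter consonant/vowel folder names under All Users\Application Data
#     (a heuristic taken from this thread's logs, not a published signature);
#   - an O4 Run value that loads a DLL through Rundll32.exe;
#   - an IE ProxyServer value pointing at the local machine;
#   - registry values enabling AppInit DLLs and overriding the AV warning.
# It then builds a ComboFix "Folder::" script like the one the helper posted.

# Constructed sample input in the format of the ComboFix and HijackThis
# lines earlier in this thread (test data, not a live scan).
SAMPLE_COMBOFIX = r"""
2009-12-13 23:46 . 2009-11-29 14:14 -------- d-----w- c:\documents and settings\All Users\Application Data\mavasoze
2009-12-13 23:45 . 2009-12-13 23:45 -------- d-----w- c:\documents and settings\All Users\Application Data\sokogufe
2009-11-29 21:12 . 2008-12-12 23:51 -------- d-----w- c:\program files\Quicken
2009-11-29 21:10 . 2008-12-16 07:11 245760 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\QWPATCH.EXE
"""

SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [dududodin] Rundll32.exe "c:\docume~1\alluse~1\applic~1\fafaropu\fafaropu.dll",a
"""

SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"""

# ComboFix file line: date time . date time size attrs path
CF_LINE = re.compile(r'^\S+ \S+ \. \S+ \S+ (\S+) ([-a-z]{8}) (.+)$')
# Eight lowercase letters strictly alternating consonant, vowel (e.g. fafaropu)
CVCV_NAME = re.compile(r'^(?:[b-df-hj-np-tv-z][aeiou]){4}$')
RUNDLL_O4 = re.compile(r'^O4 - .*\\Run: \[([^\]]+)\] Rundll32\.exe "([^"]+\.dll)",(\w+)', re.I)
PROXY_R1 = re.compile(r'Internet Settings,ProxyServer = (?:\w+=)?([\d.]+):(\d+)')
APPDATA = r'c:\documents and settings\all users\application data'


def is_cvcv_name(name):
    """True for names like fafaropu or besenije; False for ctfmon or Quicken."""
    return bool(CVCV_NAME.match(name))


def suspicious_dirs(combofix_text):
    """Directories created directly under the All Users application-data folder
    whose name fits the consonant/vowel pattern, in log order."""
    hits = []
    for line in combofix_text.splitlines():
        m = CF_LINE.match(line.strip())
        if not m or not m.group(2).startswith('d'):
            continue  # not a ComboFix file line, or a file rather than a folder
        path = m.group(3)
        parent, _, base = path.rpartition('\\')
        if parent.lower() == APPDATA and is_cvcv_name(base):
            hits.append(path)
    return hits


def rundll32_loaders(hjt_text):
    """(value name, DLL path, export) for O4 Run entries loading a DLL via Rundll32."""
    return [m.groups() for m in map(RUNDLL_O4.match, hjt_text.splitlines()) if m]


def loopback_proxies(hjt_text):
    """(host, port) for ProxyServer values that route IE through the local machine."""
    found = []
    for line in hjt_text.splitlines():
        m = PROXY_R1.search(line)
        if m and m.group(1).startswith('127.'):
            found.append((m.group(1), int(m.group(2))))
    return found


def weakened_defenses(reg_text):
    """Names of registry values set the way the 'Reg Loading Points' dump above shows:
    AppInit DLL loading enabled, Security Center's AV warning overridden."""
    flags = []
    if re.search(r'"LoadAppInit_DLLs"=1\b', reg_text):
        flags.append('LoadAppInit_DLLs')
    if re.search(r'"AntiVirusOverride"=dword:0*1\s*$', reg_text, re.M):
        flags.append('AntiVirusOverride')
    return flags


def make_cfscript(dirs):
    """ComboFix Folder:: directive: one path per line, nothing above the directive."""
    return 'Folder::\n' + '\n'.join(dirs) + '\n'


if __name__ == '__main__':
    print(make_cfscript(suspicious_dirs(SAMPLE_COMBOFIX)))
    print('rundll32 loaders :', rundll32_loaders(SAMPLE_HJT))
    print('loopback proxies :', loopback_proxies(SAMPLE_HJT))
    print('weakened defenses:', weakened_defenses(SAMPLE_REG))
```

To use it on a real log, pass the full text of ComboFix.txt to suspicious_dirs and weakened_defenses and the HijackThis log to the other two functions. The folder heuristic is tuned to this one infection and should be reviewed by eye before the generated script is handed to ComboFix, which, as the poster found, has to be run from an administrator account.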

chrisbattista03
2010-01-23, 02:43
Again, CF had to be run from the administrator account I set up earlier. From the guest account I still got the same error, "cfscript spelled incorrectly".


ComboFix 10-01-21.08 - Fixxer 01/22/2010 11:45:37.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1621 [GMT -5:00]
Running from: c:\documents and settings\Fixxer\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Fixxer\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\besenije
c:\documents and settings\All Users\Application Data\besenije\besenije.dll
c:\documents and settings\All Users\Application Data\bikusono
c:\documents and settings\All Users\Application Data\bikusono\bikusono.dll
c:\documents and settings\All Users\Application Data\bilayuje
c:\documents and settings\All Users\Application Data\bilayuje\bilayuje.dll
c:\documents and settings\All Users\Application Data\bisevona
c:\documents and settings\All Users\Application Data\bisevona\bisevona.dll.tmp
c:\documents and settings\All Users\Application Data\bubeguto
c:\documents and settings\All Users\Application Data\bubeguto\bubeguto.dll
c:\documents and settings\All Users\Application Data\danipowu
c:\documents and settings\All Users\Application Data\danipowu\danipowu.dll
c:\documents and settings\All Users\Application Data\dazetaha
c:\documents and settings\All Users\Application Data\dazetaha\dazetaha.dll
c:\documents and settings\All Users\Application Data\degejiba
c:\documents and settings\All Users\Application Data\degejiba\degejiba.dll
c:\documents and settings\All Users\Application Data\dehehoji
c:\documents and settings\All Users\Application Data\dehehoji\dehehoji.dll
c:\documents and settings\All Users\Application Data\dikemude
c:\documents and settings\All Users\Application Data\dikemude\dikemude.dll
c:\documents and settings\All Users\Application Data\dobokehi
c:\documents and settings\All Users\Application Data\dobokehi\dobokehi.dll
c:\documents and settings\All Users\Application Data\domohodu
c:\documents and settings\All Users\Application Data\domohodu\domohodu.dll
c:\documents and settings\All Users\Application Data\fafaropu
c:\documents and settings\All Users\Application Data\fafaropu\fafaropu.dll.vir
c:\documents and settings\All Users\Application Data\fegenope
c:\documents and settings\All Users\Application Data\fegenope\fegenope.dll
c:\documents and settings\All Users\Application Data\fenofaki
c:\documents and settings\All Users\Application Data\fenofaki\fenofaki.dll
c:\documents and settings\All Users\Application Data\fewohite
c:\documents and settings\All Users\Application Data\fewohite\fewohite.dll
c:\documents and settings\All Users\Application Data\fofugapi
c:\documents and settings\All Users\Application Data\fofugapi\fofugapi.dll
c:\documents and settings\All Users\Application Data\folelali
c:\documents and settings\All Users\Application Data\folelali\folelali.dll
c:\documents and settings\All Users\Application Data\fuhaleke
c:\documents and settings\All Users\Application Data\fuhaleke\fuhaleke.dll
c:\documents and settings\All Users\Application Data\gatinuro
c:\documents and settings\All Users\Application Data\gatinuro\gatinuro.dll
c:\documents and settings\All Users\Application Data\giveyaha
c:\documents and settings\All Users\Application Data\giveyaha\giveyaha.dll
c:\documents and settings\All Users\Application Data\guyubaha
c:\documents and settings\All Users\Application Data\guyubaha\guyubaha.dll
c:\documents and settings\All Users\Application Data\guzazuwo
c:\documents and settings\All Users\Application Data\guzazuwo\guzazuwo.dll
c:\documents and settings\All Users\Application Data\hapoyuho
c:\documents and settings\All Users\Application Data\hapoyuho\hapoyuho.dll
c:\documents and settings\All Users\Application Data\hijagolu
c:\documents and settings\All Users\Application Data\hijagolu\hijagolu.dll
c:\documents and settings\All Users\Application Data\hiniripa
c:\documents and settings\All Users\Application Data\hiniripa\hiniripa.dll
c:\documents and settings\All Users\Application Data\hizupoye
c:\documents and settings\All Users\Application Data\hizupoye\hizupoye.dll
c:\documents and settings\All Users\Application Data\hozekopo
c:\documents and settings\All Users\Application Data\hozekopo\hozekopo.dll
c:\documents and settings\All Users\Application Data\hurunika
c:\documents and settings\All Users\Application Data\hurunika\hurunika.dll
c:\documents and settings\All Users\Application Data\jaduguyu
c:\documents and settings\All Users\Application Data\jaduguyu\jaduguyu.dll
c:\documents and settings\All Users\Application Data\januzeko
c:\documents and settings\All Users\Application Data\januzeko\januzeko.dll
c:\documents and settings\All Users\Application Data\jasutudo
c:\documents and settings\All Users\Application Data\jasutudo\jasutudo.dll
c:\documents and settings\All Users\Application Data\jebufijo
c:\documents and settings\All Users\Application Data\jebufijo\jebufijo.dll
c:\documents and settings\All Users\Application Data\jesonowe
c:\documents and settings\All Users\Application Data\jesonowe\jesonowe.dll
c:\documents and settings\All Users\Application Data\jeteroje
c:\documents and settings\All Users\Application Data\jeteroje\jeteroje.dll
c:\documents and settings\All Users\Application Data\jijejamu
c:\documents and settings\All Users\Application Data\jijejamu\jijejamu.dll
c:\documents and settings\All Users\Application Data\jilubeju
c:\documents and settings\All Users\Application Data\jilubeju\jilubeju.dll
c:\documents and settings\All Users\Application Data\jobagiyu
c:\documents and settings\All Users\Application Data\jobagiyu\jobagiyu.dll
c:\documents and settings\All Users\Application Data\jogejase
c:\documents and settings\All Users\Application Data\jogejase\jogejase.dll
c:\documents and settings\All Users\Application Data\jovulide
c:\documents and settings\All Users\Application Data\jovulide\jovulide.dll
c:\documents and settings\All Users\Application Data\jukajeyi
c:\documents and settings\All Users\Application Data\jukajeyi\jukajeyi.dll
c:\documents and settings\All Users\Application Data\junehoda
c:\documents and settings\All Users\Application Data\junehoda\junehoda.dll
c:\documents and settings\All Users\Application Data\kamujibi
c:\documents and settings\All Users\Application Data\kamujibi\kamujibi.dll
c:\documents and settings\All Users\Application Data\kiwayoro
c:\documents and settings\All Users\Application Data\kohirovu
c:\documents and settings\All Users\Application Data\kohirovu\kohirovu.dll
c:\documents and settings\All Users\Application Data\kohuhoro
c:\documents and settings\All Users\Application Data\kohuhoro\kohuhoro.dll
c:\documents and settings\All Users\Application Data\kolojebe
c:\documents and settings\All Users\Application Data\kolojebe\kolojebe.dll
c:\documents and settings\All Users\Application Data\kupirire
c:\documents and settings\All Users\Application Data\kupirire\kupirire.dll
c:\documents and settings\All Users\Application Data\ladakaku
c:\documents and settings\All Users\Application Data\ladakaku\ladakaku.dll
c:\documents and settings\All Users\Application Data\ladobenu
c:\documents and settings\All Users\Application Data\ladobenu\ladobenu.dll
c:\documents and settings\All Users\Application Data\linoseku
c:\documents and settings\All Users\Application Data\linoseku\linoseku.dll
c:\documents and settings\All Users\Application Data\logibeja
c:\documents and settings\All Users\Application Data\logibeja\logibeja.dll
c:\documents and settings\All Users\Application Data\lokubaja
c:\documents and settings\All Users\Application Data\lokubaja\lokubaja.dll
c:\documents and settings\All Users\Application Data\lolanayo
c:\documents and settings\All Users\Application Data\lolanayo\lolanayo.dll
c:\documents and settings\All Users\Application Data\loyejosu
c:\documents and settings\All Users\Application Data\loyejosu\loyejosu.dll
c:\documents and settings\All Users\Application Data\luribepo
c:\documents and settings\All Users\Application Data\luribepo\luribepo.dll
c:\documents and settings\All Users\Application Data\mavasoze
c:\documents and settings\All Users\Application Data\mavasoze\mavasoze.dll.tmp
c:\documents and settings\All Users\Application Data\merisemo
c:\documents and settings\All Users\Application Data\merisemo\merisemo.dll
c:\documents and settings\All Users\Application Data\mesekaho
c:\documents and settings\All Users\Application Data\mesekaho\mesekaho.dll
c:\documents and settings\All Users\Application Data\miyahewe
c:\documents and settings\All Users\Application Data\miyahewe\miyahewe.dll
c:\documents and settings\All Users\Application Data\mofawulo
c:\documents and settings\All Users\Application Data\mofawulo\mofawulo.dll
c:\documents and settings\All Users\Application Data\monekuho
c:\documents and settings\All Users\Application Data\monekuho\monekuho.dll
c:\documents and settings\All Users\Application Data\movulohu
c:\documents and settings\All Users\Application Data\movulohu\movulohu.dll
c:\documents and settings\All Users\Application Data\mubakopu
c:\documents and settings\All Users\Application Data\mubakopu\mubakopu.dll
c:\documents and settings\All Users\Application Data\navifaya
c:\documents and settings\All Users\Application Data\navifaya\navifaya.dll
c:\documents and settings\All Users\Application Data\nayazika
c:\documents and settings\All Users\Application Data\nayazika\nayazika.dll
c:\documents and settings\All Users\Application Data\nazehogi
c:\documents and settings\All Users\Application Data\nazehogi\nazehogi.dll
c:\documents and settings\All Users\Application Data\nedoyita
c:\documents and settings\All Users\Application Data\nedoyita\nedoyita.dll
c:\documents and settings\All Users\Application Data\neduwozi
c:\documents and settings\All Users\Application Data\neduwozi\neduwozi.dll
c:\documents and settings\All Users\Application Data\neremije
c:\documents and settings\All Users\Application Data\neremije\neremije.dll
c:\documents and settings\All Users\Application Data\nifayoga
c:\documents and settings\All Users\Application Data\nifayoga\nifayoga.dll
c:\documents and settings\All Users\Application Data\niyihifi
c:\documents and settings\All Users\Application Data\niyihifi\niyihifi.dll
c:\documents and settings\All Users\Application Data\nojepake
c:\documents and settings\All Users\Application Data\nojepake\nojepake.dll
c:\documents and settings\All Users\Application Data\pakiyavo
c:\documents and settings\All Users\Application Data\pakiyavo\pakiyavo.dll
c:\documents and settings\All Users\Application Data\pasaruwe
c:\documents and settings\All Users\Application Data\pasaruwe\pasaruwe.dll
c:\documents and settings\All Users\Application Data\pejejuwu
c:\documents and settings\All Users\Application Data\pejejuwu\pejejuwu.dll
c:\documents and settings\All Users\Application Data\pihuzura
c:\documents and settings\All Users\Application Data\pihuzura\pihuzura.dll.tmp
c:\documents and settings\All Users\Application Data\piyadayi
c:\documents and settings\All Users\Application Data\piyadayi\piyadayi.dll
c:\documents and settings\All Users\Application Data\piyudijo
c:\documents and settings\All Users\Application Data\piyudijo\piyudijo.dll
c:\documents and settings\All Users\Application Data\putabiwo
c:\documents and settings\All Users\Application Data\putabiwo\putabiwo.dll
c:\documents and settings\All Users\Application Data\refurepo
c:\documents and settings\All Users\Application Data\refurepo\refurepo.dll
c:\documents and settings\All Users\Application Data\reguligu
c:\documents and settings\All Users\Application Data\reguligu\reguligu.dll
c:\documents and settings\All Users\Application Data\rejanote
c:\documents and settings\All Users\Application Data\rejanote\rejanote.dll
c:\documents and settings\All Users\Application Data\rinewiyi
c:\documents and settings\All Users\Application Data\rinewiyi\rinewiyi.dll
c:\documents and settings\All Users\Application Data\ruginefo
c:\documents and settings\All Users\Application Data\ruginefo\ruginefo.dll
c:\documents and settings\All Users\Application Data\sokogufe
c:\documents and settings\All Users\Application Data\sokogufe\sokogufe.dll
c:\documents and settings\All Users\Application Data\sovetayu
c:\documents and settings\All Users\Application Data\sovetayu\sovetayu.dll.tmp
c:\documents and settings\All Users\Application Data\subabala
c:\documents and settings\All Users\Application Data\subabala\subabala.dll
c:\documents and settings\All Users\Application Data\sufojeni
c:\documents and settings\All Users\Application Data\sufojeni\sufojeni.dll
c:\documents and settings\All Users\Application Data\sufokiyu
c:\documents and settings\All Users\Application Data\sufokiyu\sufokiyu.dll.tmp
c:\documents and settings\All Users\Application Data\susalade
c:\documents and settings\All Users\Application Data\susalade\susalade.dll
c:\documents and settings\All Users\Application Data\suzeyiji
c:\documents and settings\All Users\Application Data\suzeyiji\suzeyiji.dll
c:\documents and settings\All Users\Application Data\tapubanu
c:\documents and settings\All Users\Application Data\tapubanu\tapubanu.dll
c:\documents and settings\All Users\Application Data\tiwurufe
c:\documents and settings\All Users\Application Data\tiwurufe\tiwurufe.dll
c:\documents and settings\All Users\Application Data\vajozesi
c:\documents and settings\All Users\Application Data\vajozesi\vajozesi.dll
c:\documents and settings\All Users\Application Data\varofeje
c:\documents and settings\All Users\Application Data\varofeje\varofeje.dll.tmp
c:\documents and settings\All Users\Application Data\vejoroki
c:\documents and settings\All Users\Application Data\vejoroki\vejoroki.dll
c:\documents and settings\All Users\Application Data\verahuna
c:\documents and settings\All Users\Application Data\verahuna\verahuna.dll
c:\documents and settings\All Users\Application Data\vinelewe
c:\documents and settings\All Users\Application Data\vinelewe\vinelewe.dll
c:\documents and settings\All Users\Application Data\visoziyo
c:\documents and settings\All Users\Application Data\visoziyo\visoziyo.dll
c:\documents and settings\All Users\Application Data\vuwilamu
c:\documents and settings\All Users\Application Data\vuwilamu\vuwilamu.dll
c:\documents and settings\All Users\Application Data\warewabe
c:\documents and settings\All Users\Application Data\warewabe\warewabe.dll
c:\documents and settings\All Users\Application Data\weziyolo
c:\documents and settings\All Users\Application Data\weziyolo\weziyolo.dll
c:\documents and settings\All Users\Application Data\wifenoho
c:\documents and settings\All Users\Application Data\wifenoho\wifenoho.dll
c:\documents and settings\All Users\Application Data\wifukolu
c:\documents and settings\All Users\Application Data\wifukolu\wifukolu.dll
c:\documents and settings\All Users\Application Data\wonutego
c:\documents and settings\All Users\Application Data\wonutego\wonutego.dll
c:\documents and settings\All Users\Application Data\wugitude
c:\documents and settings\All Users\Application Data\wugitude\wugitude.dll
c:\documents and settings\All Users\Application Data\wumoyuvo
c:\documents and settings\All Users\Application Data\wumoyuvo\wumoyuvo.dll
c:\documents and settings\All Users\Application Data\wuzijopu
c:\documents and settings\All Users\Application Data\wuzijopu\wuzijopu.dll
c:\documents and settings\All Users\Application Data\yagehusi
c:\documents and settings\All Users\Application Data\yagehusi\yagehusi.dll
c:\documents and settings\All Users\Application Data\yavayusa
c:\documents and settings\All Users\Application Data\yavayusa\yavayusa.dll
c:\documents and settings\All Users\Application Data\yegusaso
c:\documents and settings\All Users\Application Data\yegusaso\yegusaso.dll
c:\documents and settings\All Users\Application Data\yesigoju
c:\documents and settings\All Users\Application Data\yesigoju\yesigoju.dll
c:\documents and settings\All Users\Application Data\yeyanido
c:\documents and settings\All Users\Application Data\yeyanido\yeyanido.dll
c:\documents and settings\All Users\Application Data\yirepoje
c:\documents and settings\All Users\Application Data\yirepoje\yirepoje.dll
c:\documents and settings\All Users\Application Data\zarorero
c:\documents and settings\All Users\Application Data\zarorero\zarorero.dll
c:\documents and settings\All Users\Application Data\zilozama
c:\documents and settings\All Users\Application Data\zilozama\zilozama.dll
c:\documents and settings\All Users\Application Data\zodabuma
c:\documents and settings\All Users\Application Data\zodabuma\zodabuma.dll
c:\documents and settings\All Users\Application Data\zudotumo
c:\documents and settings\All Users\Application Data\zudotumo\zudotumo.dll
c:\documents and settings\All Users\Application Data\zuhuyaba
c:\documents and settings\All Users\Application Data\zuhuyaba\zuhuyaba.dll
c:\documents and settings\All Users\Application Data\zumunegi
c:\documents and settings\All Users\Application Data\zumunegi\zumunegi.dll
c:\documents and settings\All Users\Application Data\zuyijuli
c:\documents and settings\All Users\Application Data\zuyijuli\zuyijuli.dll

.
((((((((((((((((((((((((( Files Created from 2009-12-22 to 2010-01-22 )))))))))))))))))))))))))))))))
.

2010-01-22 01:41 . 2010-01-22 01:41 -------- d-----w- c:\documents and settings\Guest\Application Data\Malwarebytes
2010-01-22 01:40 . 2010-01-22 01:40 -------- d-----w- c:\documents and settings\Fixxer\Application Data\Malwarebytes
2010-01-22 01:40 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-22 01:40 . 2010-01-22 01:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-22 01:40 . 2010-01-22 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-22 01:40 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-18 00:08 . 2010-01-18 00:08 -------- d-----w- c:\documents and settings\Fixxer\Local Settings\Application Data\Mozilla
2010-01-17 23:54 . 2010-01-17 23:54 -------- d-----w- c:\program files\Trend Micro
2010-01-14 23:40 . 2010-01-14 23:40 -------- d-----w- c:\windows\system32\MpEngineStore

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-17 23:40 . 2007-07-28 20:21 451456 ----a-w- c:\windows\system32\drivers\Dr71WU.sys
2010-01-05 20:04 . 2009-08-14 23:06 1 ----a-w- c:\documents and settings\Guest\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-12-22 00:20 . 2008-12-07 05:51 1 ----a-w- c:\documents and settings\Heber & Dianne\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-11-30 02:14 . 2009-11-30 02:14 -------- d-----w- c:\documents and settings\All Users\Application Data\jevaziji
2009-11-29 21:12 . 2008-12-12 23:51 -------- d-----w- c:\program files\Quicken
2009-11-29 21:10 . 2009-11-29 21:10 6725632 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\181625-18178.dll
2009-11-29 21:10 . 2008-12-16 07:11 245760 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\QWPATCH.EXE
2009-11-21 16:36 . 2004-08-04 10:00 470528 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-10-29 07:46 . 2006-03-04 03:33 832512 ------w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2004-08-04 10:00 17408 ----a-w- c:\windows\system32\corpol.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-01-22_04.42.04 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

c:\documents and settings\Guest\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]

[HKLM\~\startupfolder\C:^Documents and Settings^Heber & Dianne^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
path=c:\documents and settings\Heber & Dianne\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-11 01:51 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 10:00 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDTray]
2004-09-03 08:58 65536 ------w- c:\program files\Ahead\ODD Toolkit\dvdtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2006-03-24 02:13 77824 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2006-03-24 02:17 118784 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2006-03-24 02:17 94208 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2007-09-17 16:56 124200 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-06-10 09:27 144784 ----a-w- c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=

S3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\drivers\A5AGU.sys [12/14/2008 7:06 PM 347648]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Fixxer\Application Data\Mozilla\Firefox\Profiles\y4ihpf58.default\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-22 11:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(652)
c:\windows\system32\igfxdev.dll

- - - - - - - > 'winlogon.exe'(308)
c:\windows\system32\igfxdev.dll
.
Completion time: 2010-01-22 11:49:53
ComboFix-quarantined-files.txt 2010-01-22 16:49
ComboFix2.txt 2010-01-22 04:43

Pre-Run: 67,292,758,016 bytes free
Post-Run: 67,252,334,592 bytes free

- - End Of File - - 81FAEFAB86A90782E29E24CF232A789A

chrisbattista03
2010-01-23, 02:47
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:46:22 PM, on 1/22/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKUS\S-1-5-21-73586283-1592454029-839522115-501\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Guest')
O4 - HKUS\S-1-5-21-73586283-1592454029-839522115-501\..\Run: [dududodin] Rundll32.exe "c:\docume~1\alluse~1\applic~1\fafaropu\fafaropu.dll",a (User 'Guest')
O4 - S-1-5-21-73586283-1592454029-839522115-501 Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe (User 'Guest')
O4 - S-1-5-21-73586283-1592454029-839522115-501 User Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe (User 'Guest')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe

--
End of file - 3049 bytes

ken545
2010-01-23, 02:47
Looking good. Let me ask you, are you being redirected to other sites with Firefox?

How are things running now?

chrisbattista03
2010-01-23, 04:34
The computer is running well. There have been no redirection issues with Firefox. Twice, when switching back to the Guest account, all I got was the background picture. I have to Ctrl-Alt-Del to log off. When I log back in I get a message:
"RUNDLL
Error loading c:\docume~1\alluse~1\applic~1\fafaropu\fafaropu.dll
The specified module could not be found "

ken545
2010-01-23, 12:42
Good Morning,

That file that wants to load is a bad one we removed, but the registry is still trying to run it. Do this; it will fix that.


Open HijackThis > Do a System Scan Only. Close your browser and all open windows, including this one; the only program or window you should have open is HijackThis. Check the following entry and click on Fix Checked:

O4 - HKUS\S-1-5-21-73586283-1592454029-839522115-501\..\Run: [dududodin] Rundll32.exe "c:\docume~1\alluse~1\applic~1\fafaropu\fafaropu.dll",a (User 'Guest')



Reboot and let me know if it went away.
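
The situation ken545 describes, a Run key that still fires at logon after its DLL was deleted, can be spotted directly in a HijackThis log: any O4 entry whose target file is gone is an orphaned autorun and is what produces the "specified module could not be found" RUNDLL message. The script below is an added example, not part of this thread and not HijackThis's own code. It parses O4 lines (including the rundll32 form, where the module is the DLL argument rather than rundll32 itself), then reports entries whose module is missing. To run offline it uses a constructed sample log modelled on the lines above and a constructed set of paths standing in for the disk; the entry name SampleOrphan and the sample.exe path are hypothetical. On a live machine, drop the `exists=` argument and `find_orphans` falls back to `os.path.exists`.

```python
import os
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# Constructed sample modelled on the O4 lines in this thread. The jusched line is
# written with a quoted path to exercise that case; SampleOrphan is hypothetical.
SAMPLE_LOG = r"""
O4 - HKUS\S-1-5-21-73586283-1592454029-839522115-501\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Guest')
O4 - HKUS\S-1-5-21-73586283-1592454029-839522115-501\..\Run: [dududodin] Rundll32.exe "c:\docume~1\alluse~1\applic~1\fafaropu\fafaropu.dll",a (User 'Guest')
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [SampleOrphan] C:\DOCUME~1\Guest\LOCALS~1\Temp\sample.exe
"""

# Constructed stand-in for the file system so the example runs offline:
# only these modules "exist"; everything else is treated as missing.
PRESENT_ON_DISK = {
    r"c:\windows\system32\ctfmon.exe",
    r"c:\program files\java\jre1.6.0_07\bin\jusched.exe",
}

# O4 - <hive>\..\Run: [<name>] <command> (User '<user>')   (user part optional)
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
RUNDLL_RE = re.compile(r"^rundll32(?:\.exe)?\s+", re.IGNORECASE)
EXT_RE = re.compile(r"\.(exe|dll|scr|com|bat|cmd|vbs)$", re.IGNORECASE)


@dataclass
class AutorunEntry:
    hive: str
    name: str
    command: str
    module: str          # the file that is actually loaded
    user: Optional[str]


def extract_module(command: str) -> str:
    """Return the file an O4 command line loads.

    For a rundll32 launch that is the DLL argument (quoted, or up to the first
    comma); otherwise it is the executable, quoted or not.
    """
    cmd = command.strip()
    via_rundll = RUNDLL_RE.match(cmd)
    if via_rundll:
        cmd = cmd[via_rundll.end():]
    if cmd.startswith('"'):
        close = cmd.find('"', 1)
        return cmd[1:close] if close > 0 else cmd[1:]
    if via_rundll:
        # rundll32 form is module,entrypoint; the module may be unquoted
        return cmd.split(",", 1)[0].strip()
    # Unquoted path, possibly containing spaces: accumulate tokens until one
    # ends in an executable extension; anything after that is arguments.
    tokens = cmd.split()
    head: List[str] = []
    for tok in tokens:
        head.append(tok)
        if EXT_RE.search(tok):
            return " ".join(head)
    return tokens[0] if tokens else ""


def parse_o4(lines: Iterable[str]) -> List[AutorunEntry]:
    """Parse the O4 (autorun) lines of a HijackThis log; other lines are ignored."""
    entries: List[AutorunEntry] = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue
        cmd = m.group("cmd")
        entries.append(AutorunEntry(
            hive=m.group("hive"),
            name=m.group("name"),
            command=cmd,
            module=extract_module(cmd),
            user=m.group("user"),
        ))
    return entries


def find_orphans(entries: Iterable[AutorunEntry],
                 exists: Callable[[str], bool] = os.path.exists) -> List[AutorunEntry]:
    """Entries whose module is no longer on disk: the Run value still fires at
    logon and Windows reports 'The specified module could not be found'."""
    return [e for e in entries if not exists(e.module)]


def _present(path: str) -> bool:
    # Case-insensitive lookup in the constructed disk image above.
    return path.lower() in PRESENT_ON_DISK


def demo_orphan_names() -> List[str]:
    """Names of the orphaned autoruns in the constructed sample log."""
    entries = parse_o4(SAMPLE_LOG.splitlines())
    return [e.name for e in find_orphans(entries, exists=_present)]


if __name__ == "__main__":
    for e in find_orphans(parse_o4(SAMPLE_LOG.splitlines()), exists=_present):
        print(f"orphaned autorun: [{e.name}] in {e.hive} -> {e.module}")
```

An orphaned entry is harmless by itself, but it is also the tell that cleanup was incomplete: the loader may be gone while the registry value, and anything that recreated it, remains. Removing the value, as ken545 instructs, clears the error; re-scanning afterwards confirms it does not come back.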

chrisbattista03
2010-01-23, 14:58
That seems to have worked!

ken545
2010-01-23, 15:25
Great

Everything else OK?