
Thread: Bogus "Security Tool" hijacked my PC

  1. #11 | Junior Member | Join Date: Oct 2009 | Posts: 13

    Sorry, still no luck. I can't really tell if the malware is blocking Inherit from working or if Inherit worked but ComboFix is still blocked.

    A reminder: anything you tell me to do on my desktop, I am actually doing in my desktop folder, as the malware has made my desktop inaccessible.

  2. #12 | Junior Member | Join Date: Oct 2009 | Posts: 13

    Hmm, I thought I replied to this earlier. Oops.

    Anyway, still no luck. No change: ComboFix still doesn't run after dropping it on Inherit. It still behaves the same; I think Inherit is being blocked in the same way.

    I should also mention that when your instructions say to do something on my desktop, I am actually working within my desktop folder, as the malware has made my desktop unreachable.

  3. #13 | Emeritus - Security Expert peku006 | Join Date: Feb 2007 | Location: Norway | Posts: 3,103

    Hi TimAndrews

    What's happening here?

    Please download exeHelper (save the file directly to your C:\ drive, then navigate to your C:\ drive, locate the program and run it).
    • Double-click on exeHelper.com to run the fix.
    • A black window should pop up; press any key to close it once the fix is completed.
    • Post the contents of log.txt (it will be created in the directory where you ran exeHelper.com).

    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log, and post the two logs together (they will both be in the one file).


    Thanks peku006
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.

  4. #14 | Junior Member | Join Date: Oct 2009 | Posts: 13

    I can try exeHelper when I get home tonight; however, that was one of the things I tried before contacting you. Maybe I will have better luck this time.

    So far the only thing I can get to run is Firefox, and that is slow. (IE might work also; I just haven't tried it.) So far the malware has blocked every text editor, media player, my antivirus, Spybot, HJT, and everything else you suggested. The only time I have been able to run anything was after a "warm boot" caused by an error which I have not been able to repeat.

    Thanks for the help so far.

  5. #15 | Junior Member | Join Date: Oct 2009 | Posts: 13

    Some success.

    OK, it seems like just doing a "restart" instead of a cold boot defeats some of the malware's functions. When my PC started up after a "restart" with the "Security Tool" crap out of the way, I decided to back up a step and run ComboFix instead of exeHelper. IT RAN! The log it produced follows:

    **************************************************

    ComboFix 09-10-12.02 - user 10/12/2009 22:12.1.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.495 [GMT -4:00]
    Running from: c:\documents and settings\user\Desktop\ComboFix.exe
    AV: avast! antivirus 4.8.1351 [VPS 091012-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\32449628
    c:\documents and settings\All Users\Application Data\32449628\32449628.exe
    c:\documents and settings\All Users\Application Data\82142320
    c:\documents and settings\All Users\Application Data\82142320\82142320.bat
    c:\documents and settings\All Users\Application Data\82142320\82142320.exe
    c:\documents and settings\All Users\Application Data\86767943
    c:\documents and settings\All Users\Application Data\86767943\86767943.bat
    c:\documents and settings\All Users\Application Data\86767943\86767943.exe
    c:\documents and settings\All Users\Application Data\99587745
    c:\documents and settings\All Users\Application Data\99587745\99587745.exe
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    c:\documents and settings\user\Desktop\Security Tool.lnk
    c:\documents and settings\user\Start Menu\Programs\Security Tool.lnk
    c:\program files\Common
    c:\program files\Common\helper.sig
    c:\recycler\NPROTECT
    c:\windows\Downloaded Program Files\popcaploader.dll
    c:\windows\Downloaded Program Files\popcaploader.inf
    c:\windows\Installer\1ccff.msp
    c:\windows\Installer\WMEncoder.msi
    c:\windows\system32\furihepi.dll
    c:\windows\system32\nudeleze.dll
    c:\windows\system32\rolesavi.dll
    c:\windows\system32\wapiit.exe
    c:\windows\system32\yaponema.dll
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat . . . . failed to delete
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat . . . . failed to delete

    ----- BITS: Possible infected sites -----

    hxxp://82.98.231.100
    .
    ((((((((((((((((((((((((( Files Created from 2009-09-13 to 2009-10-13 )))))))))))))))))))))))))))))))
    .

    2009-10-11 00:12 . 2009-10-11 00:12 38400 ----a-w- c:\windows\system32\jorujedi.dll
    2009-10-10 17:48 . 2009-10-10 17:48 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
    2009-10-10 17:44 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-10-10 17:44 . 2009-10-10 17:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-10-10 17:44 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-10-10 17:44 . 2009-10-10 17:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-10-10 11:57 . 2009-10-10 11:57 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
    2009-10-07 20:39 . 2009-10-07 20:42 -------- d-----w- C:\stuff
    2009-10-03 05:57 . 2009-10-01 14:29 195440 ------w- c:\windows\system32\MpSigStub.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-09-26 03:03 . 2006-10-30 01:36 -------- d-----w- c:\program files\World of Warcraft
    2009-09-11 02:40 . 2009-09-11 02:39 -------- d-----w- c:\program files\iTunes
    2009-09-11 02:40 . 2009-09-11 02:39 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
    2009-09-11 02:39 . 2009-09-11 02:39 -------- d-----w- c:\program files\iPod
    2009-09-11 02:39 . 2007-07-27 00:18 -------- d-----w- c:\program files\Common Files\Apple
    2009-09-11 02:37 . 2009-09-11 02:36 -------- d-----w- c:\program files\QuickTime
    2009-08-20 03:15 . 2009-08-20 03:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
    2009-08-17 16:10 . 2006-09-02 13:59 1279456 ----a-w- c:\windows\system32\aswBoot.exe
    2009-08-17 16:06 . 2006-09-02 13:59 93392 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2009-08-17 16:06 . 2006-09-02 13:59 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2009-08-17 16:05 . 2008-04-12 01:58 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2009-08-17 16:05 . 2008-04-12 01:58 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2009-08-17 16:04 . 2006-09-02 13:59 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2009-08-17 16:04 . 2006-09-02 13:59 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2009-08-17 16:03 . 2006-09-02 13:59 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2009-08-17 16:02 . 2006-09-02 13:59 97480 ----a-w- c:\windows\system32\AVASTSS.scr
    2009-08-05 09:01 . 2004-08-05 03:29 204800 ----a-w- c:\windows\system32\mswebdvd.dll
    2009-07-25 09:23 . 2009-01-06 23:57 411368 ----a-w- c:\windows\system32\deploytk.dll
    2009-07-17 19:01 . 2003-03-31 12:00 58880 ----a-w- c:\windows\system32\atl.dll
    2009-07-10 11:57 . 2009-07-10 11:57 37376 --sha-w- c:\windows\system32\depopuho.dll
    2009-07-10 23:57 . 2009-07-10 23:57 38400 --sha-w- c:\windows\system32\dijineho.dll
    2009-07-07 14:29 . 2009-07-07 14:29 53760 --sha-w- c:\windows\system32\dolaribe.dll.tmp
    2009-07-10 11:57 . 2009-07-10 11:57 1011429 --sha-w- c:\windows\system32\dubuwemo.exe
    2009-07-07 16:12 . 2009-07-07 16:12 37888 --sha-w- c:\windows\system32\fikitiku.dll
    2009-07-07 14:34 . 2009-07-07 14:34 1050147 --sha-w- c:\windows\system32\ganafihe.exe
    2009-07-09 23:57 . 2009-07-09 23:57 51712 --sha-w- c:\windows\system32\gasesila.dll
    2009-07-09 23:57 . 2009-07-09 23:57 27136 --sha-w- c:\windows\system32\gasowihu.dll
    2009-07-12 15:31 . 2009-07-12 15:31 50688 --sha-w- c:\windows\system32\gesopepo.dll
    2009-07-09 23:57 . 2009-07-09 23:57 1011269 --sha-w- c:\windows\system32\gukowema.exe
    2009-07-11 15:32 . 2009-07-11 15:32 88064 --sha-w- c:\windows\system32\lahesumo.dll
    2009-07-11 15:32 . 2009-07-11 15:32 37888 --sha-w- c:\windows\system32\lesugeti.dll
    2009-07-10 23:57 . 2009-07-10 23:57 1011386 --sha-w- c:\windows\system32\litikene.exe
    2009-07-07 17:10 . 2009-07-07 17:10 37888 --sha-w- c:\windows\system32\majudusu.dll
    2009-07-11 15:32 . 2009-07-11 15:32 1011429 --sha-w- c:\windows\system32\miliyepa.exe
    2009-07-07 17:10 . 2009-07-07 17:10 89088 --sha-w- c:\windows\system32\molugivu.dll
    2009-07-12 15:31 . 2009-07-12 15:31 38400 --sha-w- c:\windows\system32\molukoza.dll
    2009-07-07 14:34 . 2009-07-07 14:34 26624 --sha-w- c:\windows\system32\rahuziti.dll
    2009-07-07 16:12 . 2009-07-07 16:12 1050147 --sha-w- c:\windows\system32\rovudoku.exe
    2009-07-12 15:32 . 2009-07-12 15:32 50688 --sha-w- c:\windows\system32\sujiyopo.dll
    2009-07-12 03:31 . 2009-07-12 03:31 1011282 --sha-w- c:\windows\system32\susidike.exe
    2009-07-12 15:31 . 2009-07-12 15:31 88064 --sha-w- c:\windows\system32\zidejuya.dll
    2009-07-12 03:31 . 2009-07-12 03:31 38400 --sha-w- c:\windows\system32\zuwonowo.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cbd55d83-a001-4e8a-b093-34a14e83cadd}]
    2009-07-12 15:32 50688 --sha-w- c:\windows\system32\sujiyopo.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-23 68856]
    "Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
    "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
    "dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-10-22 114741]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 49152]
    "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-10-06 866584]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-06-11 339968]
    "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

    c:\documents and settings\user\Start Menu\Programs\Startup\
    Webshots.lnk - c:\program files\Webshots\Launcher.exe [2004-8-6 45056]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]
    Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-1 176128]
    Kodak EasyShare software.lnk.disabled [2005-1-5 1807]
    Kodak software updater.lnk.disabled [2005-2-3 1996]
    Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2006-1-17 438272]
    VIA RAID TOOL.lnk - c:\program files\VIA\RAID\raid_tool.exe [2004-7-8 565248]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
    "Yahoo! Pager"=c:\program files\Yahoo!\Messenger\ypager.exe -quiet
    "ATI Launchpad"=
    "ATI Remote Control"=c:\program files\ATI Multimedia\RemCtrl\ATIRW.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    "Explorer"=c:\program files\Internet Explorer\iexplore.exe
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
    "ATI DeviceDetect"=c:\program files\ATI Multimedia\main\ATIDtct.EXE
    "ATIPTA"=c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    "KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\SmartFTP\\SmartFTP.exe"=
    "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\WINDOWS\\system32\\logon.scr"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

    R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [7/8/2004 2:04 PM 77312]
    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/11/2008 9:58 PM 114768]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/11/2008 9:58 PM 20560]
    R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]
    R2 mrtRate;mrtRate;c:\windows\system32\drivers\MrtRate.sys [8/1/2004 11:17 PM 34916]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/5/2009 10:12 PM 24652]
    S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [10/5/2006 10:11 PM 13592]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
    "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
    .
    Contents of the 'Scheduled Tasks' folder

    2009-10-02 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

    2009-10-13 c:\windows\Tasks\User_Feed_Synchronization-{53604805-9690-4303-BC48-004F7783918C}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
    IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
    IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
    Trusted Zone: turbotax.com
    DPF: ppctlcab - hxxp://69.44.122.156/scanner/ppctlcab.cab
    DPF: {FCF289D4-0AC8-4ED8-BE31-E8AF09606AB5} - hxxp://download.35mb.com/images/downloadapplet.cab
    FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\vhxlsyc9.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true.
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-Aim6 - (no file)
    HKLM-Run-86767943 - c:\documents and settings\All Users\Application Data\86767943\86767943.exe
    HKLM-Run-82142320 - c:\documents and settings\All Users\Application Data\82142320\82142320.exe
    HKLM-Run-99587745 - c:\docume~1\ALLUSE~1\APPLIC~1\99587745\99587745.exe
    HKLM-Run-32449628 - c:\docume~1\ALLUSE~1\APPLIC~1\32449628\32449628.exe
    HKLM-Run-zudikotar - c:\windows\system32\furihepi.dll
    HKLM-Run-lositejila - rolesavi.dll
    SharedTaskScheduler-{d4106c51-1f5e-4c3b-a494-423458e4843e} - c:\windows\system32\furihepi.dll
    SSODL-hajozurul-{d4106c51-1f5e-4c3b-a494-423458e4843e} - c:\windows\system32\furihepi.dll



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-10-12 22:24
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker3"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(644)
    c:\windows\system32\Ati2evxx.dll

    - - - - - - - > 'explorer.exe'(2648)
    c:\windows\system32\WININET.dll
    c:\program files\Logitech\SetPoint\lgscroll.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\ati2evxx.exe
    c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
    c:\program files\Alwil Software\Avast4\aswUpdSv.exe
    c:\program files\Alwil Software\Avast4\ashServ.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Analog Devices\SoundMAX\SMAgent.exe
    c:\windows\system32\wdfmgr.exe
    c:\windows\system32\ati2evxx.exe
    c:\windows\system32\ZoneLabs\vsmon.exe
    c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\program files\Alwil Software\Avast4\ashMaiSv.exe
    c:\program files\Alwil Software\Avast4\ashWebSv.exe
    c:\program files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
    c:\windows\system32\HPZipm12.exe
    c:\program files\HP\hpcoretech\comp\hpdarc.exe
    .
    **************************************************************************
    .
    Completion time: 2009-10-13 22:34 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-10-13 02:34

    Pre-Run: 59,561,385,984 bytes free
    Post-Run: 60,766,285,824 bytes free

    278 --- E O F --- 2009-10-06 00:03

  6. #16 | Emeritus - Security Expert peku006 | Join Date: Feb 2007 | Location: Norway | Posts: 3,103

    Hi TimAndrews

    1 - Run CFScript

    Open Notepad and copy/paste the text in the box into the window:

    Code:
    File::
    c:\windows\system32\jorujedi.dll
    c:\windows\system32\depopuho.dll
    c:\windows\system32\dijineho.dll
    c:\windows\system32\dolaribe.dll.tmp
    c:\windows\system32\dubuwemo.exe
    c:\windows\system32\fikitiku.dll
    c:\windows\system32\ganafihe.exe
    c:\windows\system32\gasesila.dll
    c:\windows\system32\gasowihu.dll
    c:\windows\system32\gesopepo.dll
    c:\windows\system32\gukowema.exe
    c:\windows\system32\lahesumo.dll
    c:\windows\system32\lesugeti.dll
    c:\windows\system32\litikene.exe
    c:\windows\system32\majudusu.dll
    c:\windows\system32\miliyepa.exe
    c:\windows\system32\molugivu.dll
    c:\windows\system32\molukoza.dll
    c:\windows\system32\rahuziti.dll
    c:\windows\system32\rovudoku.exe
    c:\windows\system32\sujiyopo.dll
    c:\windows\system32\susidike.exe
    c:\windows\system32\zidejuya.dll
    c:\windows\system32\zuwonowo.dll
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cbd55d83-a001-4e8a-b093-34a14e83cadd}]

    • Save this as CFScript.txt, change the "Save as type" to "All Files", and place it on your desktop.


    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    2 - Run Malwarebytes' Anti-Malware

    • Open Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Check for Updates
    • After the update has been completed, select the Scanner tab.
    • On the Scanner tab:
      • Make sure the "Perform Full Scan" option is selected.
      • Then click on the Scan button.
    • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.
    • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the contents of that report in your next reply and exit MBAM.
    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

    3 - Run HijackThis
    Click on the "Do a system scan and save a logfile" button. It will scan, and the log should open in Notepad.

    4 - Status Check
    Please reply with

    1. the ComboFix log (C:\ComboFix.txt)
    2. the Malwarebytes' Anti-Malware log
    3. a fresh HijackThis log
    4. a description of any problems you are having with your PC

    Thanks peku006
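The CFScript above was built by hand from the ComboFix log: every "File::" entry is a system32 file that is either hidden+system (the "--sha-w-" attribute string) or carries an eight-letter random-looking name, and the "Registry::" entry removes the BHO key that loads one of those DLLs. As an added example (not code from the thread, from peku006, or from ComboFix), the Python below applies that assumed selection rule to a constructed excerpt in the log's line format and emits a candidate CFScript for a reviewer to check.

```python
import re

# Constructed excerpt in the layout of ComboFix's "Find3M Report" / "Files Created"
# sections: "<mtime> . <ctime> <size> <attrs> <path>". Assumed format; not the thread's full log.
SAMPLE_LOG = """\
2009-10-11 00:12 . 2009-10-11 00:12 38400 ----a-w- c:\\windows\\system32\\jorujedi.dll
2009-10-03 05:57 . 2009-10-01 14:29 195440 ------w- c:\\windows\\system32\\MpSigStub.exe
2009-08-17 16:10 . 2006-09-02 13:59 1279456 ----a-w- c:\\windows\\system32\\aswBoot.exe
2009-07-17 19:01 . 2003-03-31 12:00 58880 ----a-w- c:\\windows\\system32\\atl.dll
2009-07-10 11:57 . 2009-07-10 11:57 37376 --sha-w- c:\\windows\\system32\\depopuho.dll
2009-07-07 14:29 . 2009-07-07 14:29 53760 --sha-w- c:\\windows\\system32\\dolaribe.dll.tmp
2009-07-12 15:32 . 2009-07-12 15:32 50688 --sha-w- c:\\windows\\system32\\sujiyopo.dll
2009-09-11 02:39 . 2009-09-11 02:39 -------- d-----w- c:\\program files\\iPod
"""

# Constructed excerpt of the "Reg Loading Points" section: a BHO key header
# followed by the line describing the DLL that key loads.
SAMPLE_REG = """\
[HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{cbd55d83-a001-4e8a-b093-34a14e83cadd}]
2009-07-12 15:32 50688 --sha-w- c:\\windows\\system32\\sujiyopo.dll
"""

FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size>\S+) (?P<attrs>[-a-z]{8}) (?P<path>.+?)\s*$"
)
REG_FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \S+ (?P<attrs>[-a-z]{8}) (?P<path>.+?)\s*$"
)
BHO_KEY = re.compile(
    r"^\[(?P<key>HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\\{[0-9a-fA-F-]+\})\]$"
)
SYSTEM32 = "c:\\windows\\system32\\"


def is_suspicious(attrs, path):
    """Triage rule (an assumption about how the thread's CFScript was chosen, not
    ComboFix logic): a regular file under system32 that is hidden+system, or whose
    base name is eight random-looking lowercase letters."""
    if attrs.startswith("d") or not path.lower().startswith(SYSTEM32):
        return False
    stem = path.rsplit("\\", 1)[-1].split(".", 1)[0]
    hidden_system = "s" in attrs and "h" in attrs
    random_name = re.fullmatch(r"[a-z]{8}", stem) is not None
    return hidden_system or random_name


def suspicious_files(log_text):
    """Paths from file-listing lines that pass the triage rule, sorted and de-duplicated."""
    found = set()
    for line in log_text.splitlines():
        m = FILE_LINE.match(line.strip())
        if m and is_suspicious(m["attrs"], m["path"]):
            found.add(m["path"])
    return sorted(found, key=str.lower)


def bho_keys_loading(reg_text, flagged_lower):
    """BHO keys whose loaded DLL (the line after the key header) is in the flagged set."""
    keys, pending = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        k = BHO_KEY.match(line)
        if k:
            pending = k["key"]
            continue
        m = REG_FILE_LINE.match(line)
        if pending and m:
            if m["path"].lower() in flagged_lower:
                keys.append(pending)
            pending = None
    return keys


def build_cfscript(log_text, reg_text):
    """Emit a candidate CFScript: File:: section, then Registry:: deletions ([-KEY])."""
    files = suspicious_files(log_text)
    keys = bho_keys_loading(reg_text, {f.lower() for f in files})
    out = ["File::", *files, "", "Registry::", *[f"[-{k}]" for k in keys]]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_cfscript(SAMPLE_LOG, SAMPLE_REG))
```

The eight-letter-name rule also matches some legitimate system32 names, so the output is a candidate list for a human reviewer, not a removal list.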

  7. #17 | Junior Member | Join Date: Oct 2009 | Posts: 13

    Sorry for the false celebration. I am not sure what shut the malware down long enough for me to run ComboFix yesterday, but it is more than a restart. Right now I am back to my previous state, where nothing will run except my browser. I could not start Notepad, I could not run ComboFix, I could not run the Task Manager, nothing.

    It is frustrating to know that there is some error state that will allow me to run what you suggest and clean my PC, but I have been unable to reproduce that state, at least not intentionally. Very frustrating.

    Any ideas would be appreciated. In the meantime, if that condition repeats itself I will execute your previous instructions.

    One side note: I did find a file C:\Documents and Settings\All Users\Application Data\48547331\48547331.exe which is currently running and is similar to several of the files deleted by ComboFix last night. Do you think that if I could kill that process from the command line and delete the file, I might be able to run ComboFix again? If so, how?

  8. #18 | Emeritus - Security Expert peku006 | Join Date: Feb 2007 | Location: Norway | Posts: 3,103

    Hi TimAndrews

    Cleaning machines is not always easy; that's why I love it.

    Please run ComboFix with that CFScript in safe mode.

  9. #19 | Junior Member | Join Date: Oct 2009 | Posts: 13

    Success... maybe?

    I was able to run all 3 steps above; the logs follow. Let me know what you think:

    ComboFix.txt
    *****************************************
    ComboFix 09-10-12.02 - user 10/14/2009 21:46.2.1 - NTFSx86 NETWORK
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.759 [GMT -4:00]
    Running from: c:\documents and settings\user\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\user\Desktop\CFScript.txt
    FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

    FILE ::
    "c:\windows\system32\depopuho.dll"
    "c:\windows\system32\dijineho.dll"
    "c:\windows\system32\dolaribe.dll.tmp"
    "c:\windows\system32\dubuwemo.exe"
    "c:\windows\system32\fikitiku.dll"
    "c:\windows\system32\ganafihe.exe"
    "c:\windows\system32\gasesila.dll"
    "c:\windows\system32\gasowihu.dll"
    "c:\windows\system32\gesopepo.dll"
    "c:\windows\system32\gukowema.exe"
    "c:\windows\system32\jorujedi.dll"
    "c:\windows\system32\lahesumo.dll"
    "c:\windows\system32\lesugeti.dll"
    "c:\windows\system32\litikene.exe"
    "c:\windows\system32\majudusu.dll"
    "c:\windows\system32\miliyepa.exe"
    "c:\windows\system32\molugivu.dll"
    "c:\windows\system32\molukoza.dll"
    "c:\windows\system32\rahuziti.dll"
    "c:\windows\system32\rovudoku.exe"
    "c:\windows\system32\sujiyopo.dll"
    "c:\windows\system32\susidike.exe"
    "c:\windows\system32\zidejuya.dll"
    "c:\windows\system32\zuwonowo.dll"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\48547331
    c:\documents and settings\All Users\Application Data\48547331\48547331.exe
    c:\documents and settings\user\Desktop\Security Tool.lnk
    c:\documents and settings\user\Start Menu\Programs\Security Tool.lnk
    c:\windows\system32\depopuho.dll
    c:\windows\system32\dijineho.dll
    c:\windows\system32\dolaribe.dll.tmp
    c:\windows\system32\dubuwemo.exe
    c:\windows\system32\fikitiku.dll
    c:\windows\system32\ganafihe.exe
    c:\windows\system32\gasesila.dll
    c:\windows\system32\gasowihu.dll
    c:\windows\system32\gesopepo.dll
    c:\windows\system32\gufulise.dll
    c:\windows\system32\gukowema.exe
    c:\windows\system32\jorujedi.dll
    c:\windows\system32\kuwakepe.dll
    c:\windows\system32\lahesumo.dll
    c:\windows\system32\lesugeti.dll
    c:\windows\system32\litikene.exe
    c:\windows\system32\lokubaja.dll
    c:\windows\system32\majudusu.dll
    c:\windows\system32\miliyepa.exe
    c:\windows\system32\molugivu.dll
    c:\windows\system32\molukoza.dll
    c:\windows\system32\rahuziti.dll
    c:\windows\system32\rovudoku.exe
    c:\windows\system32\susidike.exe
    c:\windows\system32\zidejuya.dll
    c:\windows\system32\zuwonowo.dll

    .
    ((((((((((((((((((((((((( Files Created from 2009-09-15 to 2009-10-15 )))))))))))))))))))))))))))))))
    .

    2009-10-10 17:48 . 2009-10-10 17:48 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
    2009-10-10 17:44 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-10-10 17:44 . 2009-10-10 17:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-10-10 17:44 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-10-10 17:44 . 2009-10-10 17:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-10-10 11:57 . 2009-10-10 11:57 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
    2009-10-07 20:39 . 2009-10-07 20:42 -------- d-----w- C:\stuff
    2009-10-03 05:57 . 2009-10-01 14:29 195440 ------w- c:\windows\system32\MpSigStub.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-09-26 03:03 . 2006-10-30 01:36 -------- d-----w- c:\program files\World of Warcraft
    2009-09-11 02:40 . 2009-09-11 02:39 -------- d-----w- c:\program files\iTunes
    2009-09-11 02:40 . 2009-09-11 02:39 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
    2009-09-11 02:39 . 2009-09-11 02:39 -------- d-----w- c:\program files\iPod
    2009-09-11 02:39 . 2007-07-27 00:18 -------- d-----w- c:\program files\Common Files\Apple
    2009-09-11 02:37 . 2009-09-11 02:36 -------- d-----w- c:\program files\QuickTime
    2009-08-20 03:15 . 2009-08-20 03:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
    2009-08-05 09:01 . 2004-08-05 03:29 204800 ----a-w- c:\windows\system32\mswebdvd.dll
    2009-07-25 09:23 . 2009-01-06 23:57 411368 ----a-w- c:\windows\system32\deploytk.dll
    2009-07-17 19:01 . 2003-03-31 12:00 58880 ----a-w- c:\windows\system32\atl.dll
    2009-07-13 03:32 . 2009-07-13 03:32 1011805 --sha-w- c:\windows\system32\dobonede.exe
    2009-07-13 03:32 . 2009-07-13 03:32 38400 --sha-w- c:\windows\system32\fefiweta.dll
    2009-07-14 00:29 . 2009-07-14 00:29 1011606 --sha-w- c:\windows\system32\fuwobozu.exe
    2009-07-14 00:29 . 2009-07-14 00:29 37888 --sha-w- c:\windows\system32\loyuvejo.dll
    2009-07-15 00:52 . 2009-07-15 00:52 52224 --sha-w- c:\windows\system32\sopejuwi.dll
    2009-07-15 00:52 . 2009-07-15 00:52 37888 --sha-w- c:\windows\system32\yidusaze.dll
    2009-07-15 00:52 . 2009-07-15 00:52 52224 --sha-w- c:\windows\system32\zayezeru.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-10-13_02.24.57 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-10-15 01:57 . 2009-10-15 01:57 16384 c:\windows\Temp\Perflib_Perfdata_a08.dat
    + 2009-10-15 01:56 . 2009-10-15 01:56 16384 c:\windows\Temp\Perflib_Perfdata_7cc.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-23 68856]
    "Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
    "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
    "dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-10-22 114741]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 49152]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-10-06 866584]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-06-11 339968]
    "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
    "zudikotar"="c:\windows\system32\gufulise.dll" [BU]
    "lositejila"="lokubaja.dll" [BU]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

    c:\documents and settings\user\Start Menu\Programs\Startup\
    Webshots.lnk - c:\program files\Webshots\Launcher.exe [2004-8-6 45056]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]
    Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-1 176128]
    Kodak EasyShare software.lnk.disabled [2005-1-5 1807]
    Kodak software updater.lnk.disabled [2005-2-3 1996]
    Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2006-1-17 438272]
    VIA RAID TOOL.lnk - c:\program files\VIA\RAID\raid_tool.exe [2004-7-8 565248]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
    "Yahoo! Pager"=c:\program files\Yahoo!\Messenger\ypager.exe -quiet
    "ATI Launchpad"=
    "ATI Remote Control"=c:\program files\ATI Multimedia\RemCtrl\ATIRW.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    "Explorer"=c:\program files\Internet Explorer\iexplore.exe
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
    "ATI DeviceDetect"=c:\program files\ATI Multimedia\main\ATIDtct.EXE
    "ATIPTA"=c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    "KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\SmartFTP\\SmartFTP.exe"=
    "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\WINDOWS\\system32\\logon.scr"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

    R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [7/8/2004 2:04 PM 77312]
    R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]
    R2 mrtRate;mrtRate;c:\windows\system32\drivers\MrtRate.sys [8/1/2004 11:17 PM 34916]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/5/2009 10:12 PM 24652]
    S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [10/5/2006 10:11 PM 13592]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
    "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
    .
    Contents of the 'Scheduled Tasks' folder

    2009-10-02 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

    2009-10-15 c:\windows\Tasks\User_Feed_Synchronization-{53604805-9690-4303-BC48-004F7783918C}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
    IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
    IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
    Trusted Zone: turbotax.com
    DPF: ppctlcab - hxxp://69.44.122.156/scanner/ppctlcab.cab
    DPF: {FCF289D4-0AC8-4ED8-BE31-E8AF09606AB5} - hxxp://download.35mb.com/images/downloadapplet.cab
    FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\vhxlsyc9.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true.
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-48547331 - c:\docume~1\ALLUSE~1\APPLIC~1\48547331\48547331.exe
    SharedTaskScheduler-{f1792174-2054-4c4c-b7e9-c86cc1fbef4d} - c:\windows\system32\gufulise.dll
    SSODL-gilufanaz-{f1792174-2054-4c4c-b7e9-c86cc1fbef4d} - c:\windows\system32\gufulise.dll



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-10-14 21:56
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker3"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(640)
    c:\windows\system32\Ati2evxx.dll

    - - - - - - - > 'explorer.exe'(1000)
    c:\windows\system32\WININET.dll
    c:\program files\Logitech\SetPoint\lgscroll.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\ati2evxx.exe
    c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Analog Devices\SoundMAX\SMAgent.exe
    c:\windows\system32\wdfmgr.exe
    c:\windows\system32\ZoneLabs\vsmon.exe
    c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\windows\system32\ati2evxx.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    c:\progra~1\Webshots\webshots.scr
    c:\program files\HP\hpcoretech\comp\hptskmgr.exe
    c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
    c:\windows\system32\HPZipm12.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2009-10-15 22:05 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-10-15 02:05
    ComboFix2.txt 2009-10-13 02:34

    Pre-Run: 61,832,364,032 bytes free
    Post-Run: 61,706,801,152 bytes free

    272 --- E O F --- 2009-10-06 00:03

    ********************************************
    mbam-log-2009-10-14 (23-44-30).txt

    Malwarebytes' Anti-Malware 1.41
    Database version: 2964
    Windows 5.1.2600 Service Pack 3

    10/14/2009 11:44:30 PM
    mbam-log-2009-10-14 (23-44-30).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 239214
    Time elapsed: 49 minute(s), 34 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 2
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 21

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zudikotar (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lositejila (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\32449628\32449628.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\48547331\48547331.exe.vir (Rogue.SecurityTool) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\82142320\82142320.exe.vir (Rogue.SecurityTool) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\86767943\86767943.exe.vir (Rogue.SecurityTool) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\99587745\99587745.exe.vir (Rogue.SecurityTool) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\popcaploader.dll.vir (Adware.PopCap) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\dolaribe.dll.tmp.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\dubuwemo.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\ganafihe.exe.vir (Rogue.SecurityTool) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\gukowema.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{7AABCA1B-0391-45A8-88C4-AC7BC3805418}\RP1\A0001352.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{7AABCA1B-0391-45A8-88C4-AC7BC3805418}\RP1\A0001354.exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{7AABCA1B-0391-45A8-88C4-AC7BC3805418}\RP1\A0001356.exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{7AABCA1B-0391-45A8-88C4-AC7BC3805418}\RP1\A0001357.exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{7AABCA1B-0391-45A8-88C4-AC7BC3805418}\RP2\A0005190.exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{7AABCA1B-0391-45A8-88C4-AC7BC3805418}\RP2\A0005195.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{7AABCA1B-0391-45A8-88C4-AC7BC3805418}\RP2\A0005197.exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{7AABCA1B-0391-45A8-88C4-AC7BC3805418}\RP2\A0005202.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{7AABCA1B-0391-45A8-88C4-AC7BC3805418}\RP2\A0005214.exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\dobonede.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\fuwobozu.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

    ***********************************************

    hijackthis.log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:51:31 PM, on 10/14/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\VIA\RAID\raid_tool.exe
    C:\PROGRA~1\Webshots\webshots.scr
    C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Kodak EasyShare software.lnk.disabled
    O4 - Global Startup: Kodak software updater.lnk.disabled
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: ppctlcab - http://69.44.122.156/scanner/ppctlcab.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://69.44.122.156/scanner/axscanner.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
    O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://amer-ml36.amer.csc.com/iNotes6W.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.co...s/MsnPUpld.cab
    O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} - http://www.webshots.com/samplers/WSDownloader.ocx
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource...scbase5059.cab
    O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/pro...tor/WebSWK.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://meetdbm.webex.com/client/wbs...ex/ieatgpc.cab
    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
    O16 - DPF: {FCF289D4-0AC8-4ED8-BE31-E8AF09606AB5} - http://download.35mb.com/images/downloadapplet.cab
    O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
    O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

    --
    End of file - 13457 bytes

  10. #20
    Emeritus- Security Expert peku006's Avatar
    Join Date
    Feb 2007
    Location
    Norway
    Posts
    3,103

    Default

    Hi TimAndrews

    What virus program are you using?

    1 - Run CFScript

    Open Notepad and copy/paste the text in the box into the window:

    Code:
    File::
    c:\windows\system32\dobonede.exe
    c:\windows\system32\fefiweta.dll
    c:\windows\system32\fuwobozu.exe
    c:\windows\system32\loyuvejo.dll
    c:\windows\system32\sopejuwi.dll
    c:\windows\system32\yidusaze.dll
    c:\windows\system32\zayezeru.dll
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "zudikotar"=-
    "lositejila"=-
    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    2 - Status Check
    Please reply with

    the ComboFix log (C:\ComboFix.txt)

    Thanks peku006
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.
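
Added example, not from the thread, from ComboFix's authors or from peku006: a Python triage script that reads the Find3M and Reg Loading Points lines quoted in the log above and emits the same File::/Registry:: CFScript that peku006 wrote by hand. The sample log excerpt is constructed from lines in this thread, and the two filters (hidden+system files with eight-random-letter names dropped directly in system32, and Run values ComboFix printed with the [BU] tag instead of a date/size stamp) are this example's own heuristics, not ComboFix's.

```python
import re
from typing import List, Tuple

# Constructed sample: Find3M and Run-key lines copied from the ComboFix log
# posted earlier in this thread, with one clean file and one directory kept
# in each section so the filters have something to reject.
SAMPLE_LOG = r"""
2009-07-17 19:01 . 2003-03-31 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 03:32 . 2009-07-13 03:32 1011805 --sha-w- c:\windows\system32\dobonede.exe
2009-07-13 03:32 . 2009-07-13 03:32 38400 --sha-w- c:\windows\system32\fefiweta.dll
2009-07-14 00:29 . 2009-07-14 00:29 1011606 --sha-w- c:\windows\system32\fuwobozu.exe
2009-07-14 00:29 . 2009-07-14 00:29 37888 --sha-w- c:\windows\system32\loyuvejo.dll
2009-07-15 00:52 . 2009-07-15 00:52 52224 --sha-w- c:\windows\system32\sopejuwi.dll
2009-07-15 00:52 . 2009-07-15 00:52 37888 --sha-w- c:\windows\system32\yidusaze.dll
2009-07-15 00:52 . 2009-07-15 00:52 52224 --sha-w- c:\windows\system32\zayezeru.dll
2009-10-10 11:57 . 2009-10-10 11:57 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"zudikotar"="c:\windows\system32\gufulise.dll" [BU]
"lositejila"="lokubaja.dll" [BU]
"""

# One Find3M line: "<created> . <modified> <size|--------> <8-char attrs> <path>"
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size>\S+) (?P<attrs>\S{8}) (?P<path>.+?)\s*$"
)
KEY_LINE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]\s*$")
# A Run value whose trailer is "[BU]" rather than "[date size]".
BU_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"\s*\[BU\]\s*$')
# Heuristic (this example's own): eight lowercase letters plus .dll/.exe.
RANDOM_NAME = re.compile(r"^[a-z]{8}\.(?:dll|exe)$")
SYSTEM32 = "c:\\windows\\system32\\"


def suspicious_files(log: str) -> List[str]:
    """Paths of hidden+system (attrs '--sh....') random-named files sitting
    directly in system32. Directories and subfolders are skipped."""
    hits = []
    for line in log.splitlines():
        m = FILE_LINE.match(line.strip())
        if not m:
            continue
        attrs, path = m.group("attrs"), m.group("path")
        hidden_system = attrs[2] == "s" and attrs[3] == "h"
        folder, _, name = path.lower().rpartition("\\")
        if hidden_system and folder + "\\" == SYSTEM32 and RANDOM_NAME.match(name):
            hits.append(path)
    return hits


def bu_run_values(log: str) -> List[Tuple[str, str]]:
    """(registry key, value name) pairs for every Run value tagged [BU]."""
    current_key = None
    found = []
    for line in log.splitlines():
        line = line.strip()
        k = KEY_LINE.match(line)
        if k:
            current_key = k.group("key")
            continue
        v = BU_VALUE.match(line)
        if v and current_key:
            found.append((current_key, v.group("name")))
    return found


def build_cfscript(files: List[str], reg_values: List[Tuple[str, str]]) -> str:
    """Render the File::/Registry:: script in the layout used in this thread;
    '"name"=-' deletes the value under the preceding [key] line."""
    lines = ["File::", *files, "", "Registry::"]
    last_key = None
    for key, name in reg_values:
        if key != last_key:
            lines.append(f"[{key}]")
            last_key = key
        lines.append(f'"{name}"=-')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_cfscript(suspicious_files(SAMPLE_LOG), bu_run_values(SAMPLE_LOG)))
```

Run against the constructed excerpt it reproduces the seven File:: entries and two "=-" deletions from the post above; on a real log, review each hit before using it, since the eight-letter rule is only a filter for a human to check.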
