This is a fun one...

[asheatl26]

I have had alot of fun tonight trying to fix my PC. MY fiance was on thesuperficialdotcom website and was prompted to scan the pc by a scamprog, etc. and closed it, well something managed to download b/c it completely locked me down on my PC once I tried to get on. I couldn't open taskman, regedit, msconfig, I cant even open a folder options window to reenable view of hidden files/folders (which normally I can always see) I can't run hijackthis, it says I dont have access as I am not the administrator, which I am, and I cant run spybot either... I fixed 2 of the issues. To get Taskmanager to work I did both of these: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
and
REG add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

I then closed out some weird programs (something with antivirus system pro) and sysguard... I was then able to delete the folders from ProgFiles and a few from sys32. I then fixed the registry issue by doing this so I could access it:
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

I went to HKLM\Soft\Micro\Win\CurVer\Run and deleted some of the weird startup processes that I had just killed via Taskman. I did the same under HKCU.

I still get redirected to weird sites though when browsing and I am still getting popups, but at least it isnt naked people like it was earlier... I think it has something to do with the HOST stuff but I cant get Hijackthis to work to be sure. I tried renaming it, downloading the exe (3 times) each time it opens, runs, and disappears, no log file to be seen anywhere. I was able to get to my temp to check there by typing in the location (I cant see my "hidden files/folders" currently) and there wasnt a log in there either. Once it shuts the prog down, I have no access to it "You may not have the appropriate permissions to access the item" it says upon trying to reopen it.

I need help guys. I need to be able to run these programs, I need to be able to see folder options, I need to submit my eCore assignment for school and I cant b/c I keep getting redirected to sites that arent the same links I am clicking on...

Please let me know what I should do.
Thanks in advance!
Ashley

I tried doing a bit of research myself. I can't get rsit.exe to do anything other than a quick flicker of the black dos screen. No EULA or anything. Also, no matter how many times I delete a few of the malicious startup entrys in the registry, once I click off the folder and go back, they are there again. C:/Win/Sys32/zevububu.dll and C:/Win/ecigihaj.dll and C:/Win/Sys32/calc.dll I know these are contributing to the issues but I cant delete them under HKLM..Run or HKCU...run. Also, everytime I boot in safe mode I get the blue screen of death. Something is blocking me from running in safe mode and that is a first for me.

Any ideas are appreciated on what I can do...

Thanks again,
ashe

PS: I will update this is I get anything resolved.

 

[ken545]

Hello ashe

Welcome to Safer Networking.

Please read Before You Post
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

First thing I am going to ask you to do is not to make any more changes to your system.


Please download RootRepeal one of these locations and save it to your desktop
Here
Here
Here

• Open
  
  on your desktop.
• Click the
  
  tab.
• Click the
  
  button.
• Check just these boxes:
• 
• Push Ok
• Check the box for your main system drive (Usually C:, and press Ok.
• Allow RootRepeal to run a scan of your system. This may take some time.
• Once the scan completes, push the
  
  button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your post.

 

[asheatl26]

RootRepeal must be blocked as well...

I downloaded RootRepeal, opened it, and all I got was the quick flash of the cmd prompt and then nothing. I tried to rename it as well and it did the same thing. Any other ideas?

Other things I tried before I got your post was to change the startup stuff in msconfig, wouldnt let me as it says I dont have access. I tried to delete them in registry, HKLM/.../Run but once I click off and then go back they are there again. So it must be some permissions thing as well.

I also tried booting in safe mode 3 times to see if I could kill it that way but each time I got the blue screen of death and had to do a hard boot... Odd.

Any other help y'all can provide is appreciated!
Thanks,
Ashley

 

[ken545]

Hi Ashley,

Lets try GMER if it works post the log. If it does not than run this program.

Download GMER Rootkit Scanner from here or here.

• Extract the contents of the zipped file to desktop.
• Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
• If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  
  
  Click the image to enlarge it
  
• In the right panel, you will see several boxes that have been checked. Uncheck the following ...
  • Sections
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically C:\)
  • Show All (don't miss this one)
• Then click the Scan button & wait for it to finish.
• Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  
• Save it where you can easily find it, such as your desktop, and post it in your next reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries







Download and run Win32kDiag:

1. Download Win32kDiag from any of the following locations and save it to your Desktop.
   • Download Win32kDiag (Win32kDiag.exe) - #1
   • Download Win32kDiag (Win32kDiag.exe) - #2
   • Download Win32kDiag (Win32kDiag.exe) - #3
2. Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
3. When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
4. Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.

 

[asheatl26]

Grrrrrrrr!

This is ridiculous! So I tried the first program. Was able to save the zip to my desktop. However now my zip program is no where to be found?? So I try to download WinZip. (Which I had at one point in time) Can't run the install... That black cmd box pops up for a seconds and then go away. I tried it again... same thing. Which leads me to believe something is preventing me from installing any programs on my PC. How, I don't know... But it is. Is there anything in the registry that could have been modified? That I can go in and change? I already ran those 2 commands to give me access to regedit and taskman, and changed the Hiddenfiles value to 1 from 0 so I could view those as well... So I would be willing to manually change something in the registry if anyone knows where I should look to see what is preventing me from installing programs.

So then I tried the second suggestion. The first link let me download the program. I go to run it and I get a box that says:
C:\[FileLocation on desktop]
The NTVDM CPU has encountered an illegal instruction.
CS:0d0 IP:0111 OP:63 72 69 70 74 Choose 'Close' to terminate the application.
Then my choices are Close and Ignore... and ignores closes it as well.

The other 2 links didn't work either. They pulled up a bunch of binary? data on a web page.

Any other suggestions? I am beyond lost, and I have never been one to format a PC for a virus as I have always gotten it fixed until now... Format is not really an option either. I use to use Radmin and PCAnywhere at my last job and would not have an issue with someone dialing in to my PC if anyone is willing... I don't know if I still have Radmin on my box though and I don't think I would be able to install it at this point. But in any case, if anyone knows of a way I would be willing.

Thanks in advance for any suggestions!
Ashley

 

[ken545]

You can try running those programs in Safemode.

To Enter Safemode

• Go to Start> Shut off your Computer> Restart
• As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
  this will bring up a menu.
• Use the Up and Down Arrow Keys to scroll up to Safemode
• Then press the Enter Key on your Keyboard

Tutorial if you need it How to boot into Safemode


You have done so much fiddling with the registry , not sure what you have done. I think at this point doing a system repair would be an option and then we can check for viruses when your done.

 

[asheatl26]

Getting better!

OK, so why I did this I don't know but I'm glad I did. (Typically I hate anti-virus progs like AVG or Norton as they are resource hogs) but... as a last ditch effort I created a new user, test with admin rights. Upon first logon, I went to my install folder and found an old install file for avg from like 2 years ago. I installed it and obviously it forced me to update. Upon update it auto downloaded the new versions install file and ran that. After installation I ran the update... and rebooted. After logging in again it was popping up virus warnings left and right. SHeur2.BMZG and Win32/Cryptor were the repeat offenders.

It found and fixed all the .dll issues thank god so I am now able to run some fix programs. I was able to run rootrepeal and Win32Diag although the later didn't provide much info in the txt file on the desktop. Below are the logs... I redownloaded gmer and Winzip, Winzip is working and associating properly but gmer is giving an invalid archive error.

So, I still can't run Hijackthis, nor can I delete the old icons off the desktop (Access denied). I would love to be able to run this as I use HJ all the time. Another biggy is that I still can't boot in safe mode. After all this I tried and I am still getting the blue screen so something has messed with safe mode settings as well. Something is still screwy with my permissions as well. A small issue--no folder options under tools... not super important, but I think it has something to do with not being able to run some programs. When AVG was running after reboot I got several popup stating things couldnt be loaded.

A few that might have caused the permissions issues:
rundll32.exe Bad Image
The app or DLL C:\Doc*\Networ*\ntuser.dll is not a valid win image.

The rest of these are error loading...access denied.
C:\Win*\kbcstwz1.dll
C:\Win*\Doc\Network*\ntuser.dll %1 not a valid Win32 app.
C:\Win*\Sys32\calc.dll
C:\Win*\ecigihaj.dll
C:\Win*\Sys32\jeberuhe.dll

Any other ideas? I remember a long time ago, (the last time Rod broke the PC) I had to get some help and did something with ComboFix and/or DDS? I think? Anyhow, I won't do anything else until I hear from someone on here. I promise. Logs below, sorry for the delay.

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/10/26 03:53
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0x9EB1B000 Size: 749568 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x9DF14000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0x9F085000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xA56AD000 Size: 61440 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 011 Function Name: NtAdjustPrivilegesToken
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa86651da

#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa86657ae

#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa86671ea

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8666b9c

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8664950

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8668b7c

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa86655ae

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8664d92

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8664f92

#: 066 Function Name: NtDeviceIoControlFile
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8666eac

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8669084

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa86650a8

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8665110

#: 084 Function Name: NtFsControlFile
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8666d5e

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8668620

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa86669f8

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8664ab2

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa86653b2

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8668ba6

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa86652fe

#: 160 Function Name: NtQueryKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8665178

#: 161 Function Name: NtQueryMultipleValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8664e7c

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8664c5a

#: 180 Function Name: NtQueueApcThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8668888

#: 193 Function Name: NtReplaceKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa86645d2

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8667a74

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8664734

#: 206 Function Name: NtResumeThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8668f56

#: 207 Function Name: NtSaveKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa86643d0

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa866708c

#: 213 Function Name: NtSetContextThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa86656ac

#: 237 Function Name: NtSetSecurityObject
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa866871a

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8668bd0

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8664b08

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8668cb4

#: 254 Function Name: NtSuspendThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8668de0

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa866854c

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa866547e

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa86654f0

==EOF==


Running from: C:\Documents and Settings\ashe\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\ashe\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...


This is all the log had on the Win32 prog... I waited until it said Finished hit any key so do I do it again for good measure? I dunno. Again, I will just wait to see what you say. Thanks for your help so far!! ~ ashe

 

[asheatl26]

Sorry!

I just saw your previous post. I didn't see it while I was typing mine obviously. I will say that I cannot boot in safe mode. I get the blue screen of death everytime. I have not done anything with the registry that I haven't done before and the few things I have done I have told you about. But as far as a restore goes, I also cant do that. I tried that before contacting y'all and that is something else this virus disabled. It says it has been turned off for group policy and to contact my administrator. The only group on my PC is administrator and I haven't dealt with any user groups in a long time, plus that was on NT servers (LOOOOONG time ago) Also I am running XP Home and I may be wrong in saying this, but I don't have group policies on here as far as I know...

Thanks again!
ashe

 

[ken545]

Good Morning Ashley,

RootRepeal ran just fine and gave us all the info we needed, your infected with the Max++ rootkit thats preventing you from running any security scans.

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0x9F085000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xA56AD000 Size: 61440 File Visible: No Signed: -


Make sure Win32kdiag.exe is still on your desktop

Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

"%userprofile%\desktop\win32kdiag.exe" -f -r

 

[asheatl26]

Weird

Win32kDiag.exe is clearly visible on my desktop... But when I paste that into Start-Run I get an error:

Windows cannot find '*"C:\Documents and Settings\ashe\desktop\win32kdiag.exe"'. Make sure you typed the name correctly, and then try again.


It is definitely there so I don't know what the deal with this is...

Thanks again!
I'm glad you know what I am infected with!
ashe

 

[asheatl26]

Ignore the last post - Here is the log

I was copying/pasting from the email notification I was sent. Once I copied it from the actual post it started to run it. Here is the log:

Running from: C:\Documents and Settings\ashe\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\ashe\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB931768\KB931768

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB931768\KB931768

Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Found mount point : C:\WINDOWS\$hf_mig$\KB933566\KB933566

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB933566\KB933566

Found mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143

Found mount point : C:\WINDOWS\$hf_mig$\KB939653\KB939653

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB939653\KB939653

Found mount point : C:\WINDOWS\$hf_mig$\KB942615\KB942615

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB942615\KB942615

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Found mount point : C:\WINDOWS\$hf_mig$\KB944533\KB944533

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB944533\KB944533

Found mount point : C:\WINDOWS\$hf_mig$\KB947864\KB947864

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB947864\KB947864

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Debug\UserMode\UserMode

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ftpcache\ftpcache

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\chsime\applets\applets

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\shared\res\res

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\mui\mui

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe

Attempting to restore permissions of : C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PIF\PIF

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\10\policy\policy

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\10\policy\policy

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\policy\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\policy\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\policy\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\policy\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\60\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\60\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\70\70

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\70\70

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Cannot access: C:\WINDOWS\system32\dumprep.exe

Attempting to restore permissions of : C:\WINDOWS\system32\dumprep.exe

Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll (Microsoft Corporation)

[1] 2004-08-04 05:00:00 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2004-08-04 05:00:00 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

[1] 2004-08-04 05:00:00 55808 C:\i386\eventlog.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp



Finished!

 

[ken545]

Win32kdiag.exe <--Drag it to the trash and download and run it again.

Download and run Win32kDiag:

1. Download Win32kDiag from any of the following locations and save it to your Desktop.
   • Download Win32kDiag (Win32kDiag.exe) - #1
   • Download Win32kDiag (Win32kDiag.exe) - #2
   • Download Win32kDiag (Win32kDiag.exe) - #3
2. Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
3. When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
4. Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.

 

[asheatl26]

New Win32 log

Thanks again for all your help with this! Below is the log... Alot smaller than the first...


Running from: C:\Documents and Settings\ashe\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\ashe\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll (Microsoft Corporation)

[1] 2004-08-04 05:00:00 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2004-08-04 05:00:00 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

[1] 2004-08-04 05:00:00 55808 C:\i386\eventlog.dll (Microsoft Corporation)





Finished!

 

[ken545]

I think we are crossing with our posts. Now we have to do this.


Please download exeHelper to your desktop.

Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).





Open notepad and copy/paste the text in the quotebox below into it:

@SC CONFIG EVENTLOG START= DISABLED

Save this as fix.bat Choose to "Save type as - All Files"
It should look like this:

Double click on fix.bat & allow it to run.




If the above two programs run successfully then you should be able to run Combofix that will remove this infection




Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
• See this Link for programs that need to be disabled and instruction on how to disable them.
• Remember to re-enable them when we're done.
  
  
• Double click on ComboFix.exe & follow the prompts.
  
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

 

[asheatl26]

error

I was not able to get past the first part of your instructions, so I won't run combofix until you tell me to. I downloaded exehelper.com to my desktop, once I ran it, the black box popped up and then disappeared very quickly. Didn't ask me to hit a button or anything... SO I ran it again and nothing. It didn't do anything as there is no log.txt on my desktop. Please advise as to what I should do next... Continue with your instructions or do something else...

Thanks!
Ashley

 

[ken545]

Go ahead and run the Eventlog script and then try running Combofix. Eventlog is a windows application but the one you have is infected and will prevent CF from running. Combofix will restore a clean copy of it.

 

[asheatl26]

Things are looking up!

Open so ran the event fix.bat, then Combofix. CF immediately found rootkit activity and rebooted my machine. It started back up and was running the program. I then logged back in and it keep doing stuff, then I got the blue screen of death. mbr.sys was the only file name I saw aside from all the numbers and letters. Once I rebooted and logged in I went to C:\ComboFix and got the log. Then I downloaded HijackThis and installed it and FINALLY was able to run it. Both logs are below.

ComboFix 09-10-26.01 - ashe 2009-10-26 19:07:08.3.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1014.619 [GMT -5:00]
Running from: C:\Documents and Settings\ashe\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\93747030
C:\Documents and Settings\All Users\Application Data\93747030\93747030.exe
C:\Documents and Settings\All Users\Application Data\98892496.ini
C:\Documents and Settings\All Users\Documents\behole.bat
C:\Documents and Settings\All Users\Documents\nywawipisy.reg
C:\Documents and Settings\ashe\Application Data\imesedu.inf
C:\Documents and Settings\ashe\Application Data\qogizyv.inf
C:\Documents and Settings\ashe\Local Settings\Application Data\bolagodov.vbs
C:\Documents and Settings\NetworkService\ntuser.dll
C:\WINDOWS\system32\bodonope.exe
C:\WINDOWS\system32\config\systemprofile\ntuser.dll
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.dll
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.lnk
C:\WINDOWS\system32\habowumu.dll.tmp
C:\WINDOWS\system32\jaditibi.exe
C:\WINDOWS\system32\jahotuwi.dll.tmp
C:\WINDOWS\system32\pisutine.exe
c:\windows\system32\rakoyopo.dll
C:\WINDOWS\system32\rasipiyu.dll.tmp
C:\WINDOWS\system32\ropenoya.exe
C:\WINDOWS\system32\rulufutu.dll
C:\WINDOWS\system32\sedimuna.dll
C:\WINDOWS\system32\tinomodu.exe
C:\WINDOWS\system32\tufemivu.exe
C:\WINDOWS\system32\verabamu.dll
C:\WINDOWS\system32\wafatoto.dll
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat . . . . failed to delete
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat . . . . failed to delete

----- BITS: Possible infected sites -----

hxxp://82.98.235.208
Infected copy of C:\WINDOWS\system32\eventlog.dll was found and disinfected
Restored copy from - C:\I386\eventlog.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}


((((((((((((((((((((((((( Files Created from 2009-09-27 to 2009-10-27 )))))))))))))))))))))))))))))))
.

2009-10-26 15:03:20 . 2009-10-26 15:03:20 0 d-----w- C:\Program Files\Trend Micro1
2009-10-26 09:04:00 . 2009-10-26 09:04:30 0 d-----w- C:\Documents and Settings\All Users\Application Data\WinZip
2009-10-26 08:46:37 . 2009-10-26 08:46:37 0 d-----w- C:\Documents and Settings\ashe\Local Settings\Application Data\AVG Security Toolbar
2009-10-26 07:00:08 . 2009-10-26 07:00:08 335240 ----a-w- C:\WINDOWS\system32\drivers\avgldx86.sys
2009-10-26 07:00:08 . 2009-10-26 07:00:08 11952 ----a-w- C:\WINDOWS\system32\avgrsstx.dll
2009-10-26 07:00:08 . 2009-10-26 07:00:08 108552 ----a-w- C:\WINDOWS\system32\drivers\avgtdix.sys
2009-10-26 07:00:01 . 2009-10-26 07:08:14 0 d-----w- C:\WINDOWS\system32\drivers\Avg
2009-10-26 07:00:00 . 2009-10-26 07:00:00 0 d-----w- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
2009-10-26 06:59:50 . 2009-10-26 06:59:50 0 d-----w- C:\Program Files\AVG
2009-10-26 04:52:27 . 2009-10-26 07:00:07 27784 ----a-w- C:\WINDOWS\system32\drivers\avgmfx86.sys
2009-10-26 04:47:43 . 2009-10-26 04:47:43 0 d-----w- C:\Documents and Settings\Big Rod\Local Settings\Application Data\{82B01A4F-E032-42F6-9821-9E948F677E85}
2009-10-22 16:16:39 . 2009-10-26 07:01:50 120 ----a-w- C:\WINDOWS\Obibuqoboxebodam.dat
2009-10-22 16:16:39 . 2009-10-25 21:36:58 0 ----a-w- C:\WINDOWS\Dbagalosupuk.bin
2009-10-22 16:16:38 . 2009-10-22 16:16:38 0 d-----w- C:\Documents and Settings\ashe\Local Settings\Application Data\{94610016-D53E-4AA1-909E-F11F1211B625}
2009-10-22 16:12:36 . 2009-10-26 14:13:11 0 ----a-r- C:\WINDOWS\win32k.sys
2009-10-21 17:17:11 . 2009-10-21 17:17:12 0 d-----w- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2009-10-21 17:17:11 . 2009-10-21 17:17:11 0 d-----w- C:\Program Files\SDHelper (Spybot - Search & Destroy)
2009-10-21 17:17:11 . 2009-10-21 17:17:11 0 d-----w- C:\Program Files\Misc. Support Library (Spybot - Search & Destroy)
2009-10-21 17:17:10 . 2009-10-21 17:17:10 0 d-----w- C:\Program Files\File Scanner Library (Spybot - Search & Destroy)
2009-10-21 17:15:12 . 2009-10-26 14:13:07 0 d-----w- C:\Program Files\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-26 14:34:53 . 2009-05-28 05:39:05 0 d-----w- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2009-10-26 08:45:15 . 2007-12-09 18:48:24 0 d-----w- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-26 07:46:48 . 2009-05-27 16:28:19 0 d-----w- C:\Documents and Settings\All Users\Application Data\avg8
2009-10-26 07:00:10 . 2008-01-05 21:17:19 0 d-----w- C:\Documents and Settings\All Users\Application Data\Grisoft
2009-10-03 01:26:48 . 2009-06-18 20:36:29 0 d-----w- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2009-09-07 03:39:03 . 2007-05-18 00:54:07 77280 ----a-w- C:\Documents and Settings\ashe\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-24 04:18:17 . 2009-07-24 04:18:17 91648 --sha-w- C:\WINDOWS\system32\defekeme.dll
2009-07-23 04:17:52 . 2009-07-23 04:17:52 53760 --sha-w- C:\WINDOWS\system32\dezudesu.dll
2009-07-26 21:21:31 . 2009-07-26 21:21:31 53760 --sha-w- C:\WINDOWS\system32\gugasara.dll
2009-07-24 04:18:17 . 2009-07-24 04:18:17 39424 --sha-w- C:\WINDOWS\system32\hozegupo.dll
2009-07-26 04:20:24 . 2009-07-26 04:20:24 1051682 --sha-w- C:\WINDOWS\system32\hunayeko.exe
2009-07-23 04:17:51 . 2009-07-23 04:17:51 91648 --sha-w- C:\WINDOWS\system32\jiyayuda.dll
2009-07-22 16:17:50 . 2009-07-22 16:17:50 39424 --sha-w- C:\WINDOWS\system32\rikajobe.dll
2009-07-22 16:17:50 . 2009-07-22 16:17:50 91648 --sha-w- C:\WINDOWS\system32\velurike.dll
2009-07-23 16:18:09 . 2009-07-23 16:18:09 39424 --sha-w- C:\WINDOWS\system32\wefakupa.dll
2009-07-26 21:21:30 . 2009-07-26 21:21:30 39424 --sha-w- C:\WINDOWS\system32\ziluyuda.dll
2009-07-26 04:20:24 . 2009-07-26 04:20:24 39424 --sha-w- C:\WINDOWS\system32\zinubiji.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [X]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2006-07-21 21:47:00 81920]
"lxcymon.exe"="C:\Program Files\Lexmark 3400 Series\lxcymon.exe" [2007-06-25 14:34:55 291504]
"Logitech Hardware Abstraction Layer"="C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [2007-01-12 00:15:00 101136]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2006-07-21 21:48:02 98304]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2006-07-21 21:50:10 86016]
"GrooveMonitor"="C:\Program Files\Microsoft Office 2007\Office12\GrooveMonitor.exe" [2006-10-27 05:47:42 31016]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 10:20:00 122940]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2009-10-26 06:59:50 2025752]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2009-05-28 05:47:50 206088]
"SigmatelSysTrayApp"="stsystra.exe" - C:\WINDOWS\stsystra.exe [2006-07-24 15:20:00 282624]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - C:\WINDOWS\KHALMNPR.Exe [2007-01-12 00:15:00 101136]

---------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 19:40, on 2009-10-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\lxcycoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Lexmark 3400 Series\lxcymon.exe
C:\Program Files\SetPoint\LBTWiz.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Microsoft Office 2007\Office12\GrooveMonitor.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SetPoint\SetPoint.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MI69DF~1\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {7d3b641d-290a-4dae-a65b-f428e54e400a} - verabamu.dll (file missing)
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [lxcymon.exe] "C:\Program Files\Lexmark 3400 Series\lxcymon.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [Logitech BT Wizard] LBTWiz.exe -silent
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office 2007\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [93747030] C:\DOCUME~1\ALLUSE~1\APPLIC~1\93747030\93747030.exe
O4 - HKLM\..\Run: [vanekonap] Rundll32.exe "c:\windows\system32\rakoyopo.dll",a
O4 - HKLM\..\Run: [samovekiyo] Rundll32.exe "sedimuna.dll",s
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI69DF~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI69DF~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI69DF~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI69DF~1\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} (Image Uploader Control) - http://www.ritzpix.com/net/Uploader/LPUploader45.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/53.13/uploader2.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI69DF~1\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: demonogej - {ebf29d31-a0dd-4eb6-8c15-a46027e18120} - c:\windows\system32\jeberuhe.dll (file missing)
O21 - SSODL: tudiyagok - {4d182e4c-92cc-4033-a4b9-f4de690dedd3} - c:\windows\system32\rakoyopo.dll (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" -r (file missing)
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe

Let me know what I need to do next....
Thanks again!
Ashley

 

[ken545]

Ashley,

You still have a bunch of nasty files that need to be deleted. Before we proceed I need you to post the entire Combofix log.

C:\ComboFix.txt <--Can be found here.



Your also using a very outdated version of HJT
C:\Program Files\HijackThis <--Delete this folder



Download Trendmicros Hijackthis to your desktop.

• Double click it to install
• Follow the prompts and by default it will install in C:\Program Files\Trendmicro\Hijackthis\Highjackthis.exe
• Open HJT Scan and Save a Log File, it will open in Notepad
• Go to Format and make sure Wordwrap is Unchecked
• Go to Edit> Select All.....Edit > Copy and Paste the new log into this thread by using the Submit Reply and not start a New Thread.

DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.



Before we start deleting files, lets see what Malwarebytes finds and removes.


Please download Malwarebytes' Anti-Malware from Here or Here

• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform quick scan, then click Scan.
  
  
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected .
• When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
• Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.

Post the report and also a new HJT log please



This is what I need to see. Do it this way. Post the entire CF log, run Malwarebytes and post the log, then run the new version of HJT and post the log.

1. Entire Combofix log
2. Malwarebytes Log
3. Hijackthis log

 

[asheatl26]

That was the entire ComboFix log. It errored out (blue screen while running) maybe that is why it isn't complete? I can run it again if need be. Also note that there is no CFlog in my root drive. It's in C:\ComboFix\Combofix.txt (That is the only place I could find it on my whole PC and that is what I gave you)

I can't install Malwarebytes. It gave me2 errors: a runtime error '0' and runtime error '440' automation error when it was almost complete with its installation. When I hit OK and tried to used the program, I got the same 2 popup errors.

Here is the HJlog.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:02, on 2009-10-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\lxcycoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Lexmark 3400 Series\lxcymon.exe
C:\Program Files\SetPoint\LBTWiz.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Microsoft Office 2007\Office12\GrooveMonitor.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SetPoint\SetPoint.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MI69DF~1\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {7d3b641d-290a-4dae-a65b-f428e54e400a} - verabamu.dll (file missing)
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [lxcymon.exe] "C:\Program Files\Lexmark 3400 Series\lxcymon.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [Logitech BT Wizard] LBTWiz.exe -silent
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office 2007\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [93747030] C:\DOCUME~1\ALLUSE~1\APPLIC~1\93747030\93747030.exe
O4 - HKLM\..\Run: [vanekonap] Rundll32.exe "c:\windows\system32\rakoyopo.dll",a
O4 - HKLM\..\Run: [samovekiyo] Rundll32.exe "sedimuna.dll",s
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI69DF~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI69DF~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI69DF~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI69DF~1\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} (Image Uploader Control) - http://www.ritzpix.com/net/Uploader/LPUploader45.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/53.13/uploader2.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI69DF~1\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: demonogej - {ebf29d31-a0dd-4eb6-8c15-a46027e18120} - c:\windows\system32\jeberuhe.dll (file missing)
O21 - SSODL: tudiyagok - {4d182e4c-92cc-4033-a4b9-f4de690dedd3} - c:\windows\system32\rakoyopo.dll (file missing)
O22 - SharedTaskScheduler: mujuzedij - {ebf29d31-a0dd-4eb6-8c15-a46027e18120} - c:\windows\system32\jeberuhe.dll (file missing)
O22 - SharedTaskScheduler: kupuhivus - {4d182e4c-92cc-4033-a4b9-f4de690dedd3} - c:\windows\system32\rakoyopo.dll (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe

--
End of file - 8835 bytes

Let me know what else I need to do.
Thanks again!
Ashley

 

[ken545]

Good Morning Ashley,

Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.


O2 - BHO: (no name) - {7d3b641d-290a-4dae-a65b-f428e54e400a} - verabamu.dll (file missing)

O4 - HKLM\..\Run: [93747030] C:\DOCUME~1\ALLUSE~1\APPLIC~1\93747030\93747030.exe
O4 - HKLM\..\Run: [vanekonap] Rundll32.exe "c:\windows\system32\rakoyopo.dll",a
O4 - HKLM\..\Run: [samovekiyo] Rundll32.exe "sedimuna.dll",s

O21 - SSODL: demonogej - {ebf29d31-a0dd-4eb6-8c15-a46027e18120} - c:\windows\system32\jeberuhe.dll (file missing)
O21 - SSODL: tudiyagok - {4d182e4c-92cc-4033-a4b9-f4de690dedd3} - c:\windows\system32\rakoyopo.dll (file missing)

O22 - SharedTaskScheduler: mujuzedij - {ebf29d31-a0dd-4eb6-8c15-a46027e18120} - c:\windows\system32\jeberuhe.dll (file missing)
O22 - SharedTaskScheduler: kupuhivus - {4d182e4c-92cc-4033-a4b9-f4de690dedd3} - c:\windows\system32\rakoyopo.dll (file missing)






Download DDS by sUBs from one of the following links. Save it to your desktop.

• DDS.com
• DDS.scr
• DDS.pif
  
• Double click on the DDS icon, allow it to run.
• A small box will open, with an explaination about the tool. No input is needed, the scan is running.
• Notepad will open with the results, click no to the Optional_Scan
• Follow the instructions that pop up for posting the results.
• Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control Here



You can download this program to your desktop and if DDS or Malwarebytes wont run you can drop the exe file into it. For Malwarebytes , go to C: Program Files\Malwarebytes and look for MBAM.exe, minimize the window and drag and drop it into Inherit. You can also try running Malwarebytes in Safemode.

To Enter Safemode

• Go to Start> Shut off your Computer> Restart
• As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
  this will bring up a menu.
• Use the Up and Down Arrow Keys to scroll up to Safemode with Networking
• Then press the Enter Key on your Keyboard

Tutorial if you need it How to boot into Safemode


Download Inherit and save it to your desk top
Drag each of the exe files that you are unable to run into Inherit.exe (must be the exe - not the shortcut)
Then wait for it to say "OK"