Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

HELP! Computer infected

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

HELP! Computer infected

Unread postby kiyt13 » November 16th, 2008, 1:51 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:30:03 AM, on 11/16/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SmFyZXR0\command.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\NewDotNet\nnrun.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\emMON.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\prun.exe
C:\Program Files\NewDotNet\nnrun.exe
C:\Program Files\GetPack\GetPack24.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\WINDOWS\system32\mkrnl.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\system32\msupdate.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\DOCUME~1\Jarett\LOCALS~1\Temp\csrssc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=del ... bd=3061127
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=del ... bd=3061127
O2 - BHO: (no name) - {327686df-09de-4d57-87a5-3c7c46e139b5} - C:\WINDOWS\system32\tinuhagu.dll
O2 - BHO: C:\WINDOWS\system32\jsne87fidgf.dll - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\jsne87fidgf.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [emMON] emMON.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prun.exe"
O4 - HKLM\..\Run: [lubajiruja] Rundll32.exe "C:\WINDOWS\system32\zedokupa.dll",s
O4 - HKLM\..\Run: [bc1083ba] rundll32.exe "C:\WINDOWS\system32\zuragiwu.dll",b
O4 - HKLM\..\Run: [CPMbf23b026] Rundll32.exe "C:\WINDOWS\system32\rubuvefu.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\system32\prun.exe"
O4 - HKCU\..\Run: [msupdate.exe] C:\WINDOWS\system32\msupdate.exe -check
O4 - HKCU\..\Run: [xsjfn83jkemfofght] C:\DOCUME~1\Jarett\LOCALS~1\Temp\winlogin.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\Jarett\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [SfKg6wIP] C:\Documents and Settings\Jarett\Application Data\Microsoft\Windows\aomqmbda.exe
O4 - HKCU\..\Run: [GetPack24] "C:\Program Files\GetPack\GetPack24.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 4992825140
O20 - AppInit_DLLs: karna.dat C:\WINDOWS\system32\sonosuje.dll c:\windows\system32\rubuvefu.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\rubuvefu.dll
O22 - SharedTaskScheduler: mcb7uehuj3n8weuhejsw - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\jsne87fidgf.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\rubuvefu.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmFyZXR0\command.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NNServ - New.net, Inc. - C:\Program Files\NewDotNet\nnrun.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7068 bytes
kiyt13
Active Member
 
Posts: 10
Joined: November 16th, 2008, 1:44 am
Advertisement
Register to Remove

Re: HELP! Computer infected

Unread postby Axephilic » November 16th, 2008, 1:45 pm

Hello kiyt13,

Welcome to the Malware Removal Forums! My name is Adam and I will be assisting you with getting the malware off of your computer. Please observe the following points before we start:
  1. If at any point you don't understand something, please let me know and I will be glad to expain or go more into depth for you. :)
  2. I am still in training, so my responses may take more time than usual because all of my posts must be checked by an expert or teacher.
    Also, please remember, I am a volunteer and I have a personal life. I go to school full time, have a part time job, and I do sports. A lot of this takes a lot of time.
  3. Please keep all of your replys in this topic/thread and do not make a new topic/thread, thanks!
  4. Please stick with this, don't stop responding because the symptoms are gone, the infection could still be there. Keep replying to my posts until I give you the All Clean message. ;)
  5. If you don't reply within five days after my last instructions this topic will be closed. If you will not be able to reply within five days please tell me so the topic will not be closed.

Make an Uninstall List

Next, please make an uninstall list using HijackThis.
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply. Please also include a new HijackThis log.

Regards,
Adam
User avatar
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: HELP! Computer infected

Unread postby kiyt13 » November 16th, 2008, 8:12 pm

Here is what you asked for:
Adobe Flash Player 9 ActiveX
Adobe Reader 7.1.0
Adobe Shockwave Player
Advertisement Service
AIM 6
AMD Processor Driver
ATI Catalyst Control Center
ATI Display Driver
Broadcom Management Programs
Cisco Clean Access Agent
Cisco Clean Access Agent
Command
Compatibility Pack for the 2007 Office system
Conexant HDA D110 MDC V.92 Modem
Corel Snapfire Plus
Dell Wireless WLAN Card
Digital Content Portal
Digital Line Detect
Documentation & Support Launcher
Games, Music, & Photos Launcher
Google Earth
Google Updater
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB952287)
HP Customer Participation Program 8.0
HP Deskjet 8.0 Software
HP Imaging Device Functions 8.0
HP Photosmart Essential
HP Smart Web Printing 1.0
HP Solution Center 8.0
HP Update
HPSSupply
Internet Speed Monitor
J2SE Runtime Environment 5.0 Update 6
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Office Outlook 2003 with Business Contact Manager Update
Microsoft Office Professional Edition 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft SQL Server Desktop Engine (MICROSOFTSMLBIZ)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works
Mozilla Firefox (3.0.4)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Network Monitor
New.net Domains 8.0 build 844
OIN Analytics
PowerDVD 5.7
QuickSet
Rhapsody
Rhapsody Player Engine
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Sierra Utilities
Sony Picture Utility
Sony USB Driver
Synaptics Pointing Device Driver
TomTom HOME
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
VC_MergeModuleToMSI
Viewpoint Media Player
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 10
Windows XP Service Pack 3
WinRAR archiver

Here is the New Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:03:36 PM, on 11/16/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SmFyZXR0\command.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\NewDotNet\nnrun.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NewDotNet\nnrun.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\emMON.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\prun.exe
C:\WINDOWS\system32\msupdate.exe
C:\Program Files\GetPack\GetPack24.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\WINDOWS\system32\mkrnl.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\Jarett\LOCALS~1\Temp\csrssc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=del ... bd=3061127
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=del ... bd=3061127
O2 - BHO: (no name) - {327686df-09de-4d57-87a5-3c7c46e139b5} - C:\WINDOWS\system32\tinuhagu.dll
O2 - BHO: C:\WINDOWS\system32\jsne87fidgf.dll - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\jsne87fidgf.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [emMON] emMON.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prun.exe"
O4 - HKLM\..\Run: [lubajiruja] Rundll32.exe "C:\WINDOWS\system32\zedokupa.dll",s
O4 - HKLM\..\Run: [bc1083ba] rundll32.exe "C:\WINDOWS\system32\ronilipi.dll",b
O4 - HKLM\..\Run: [CPMbf23b026] Rundll32.exe "c:\windows\system32\muwevola.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\system32\prun.exe"
O4 - HKCU\..\Run: [msupdate.exe] C:\WINDOWS\system32\msupdate.exe -check
O4 - HKCU\..\Run: [xsjfn83jkemfofght] C:\DOCUME~1\Jarett\LOCALS~1\Temp\winlogin.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\Jarett\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [SfKg6wIP] C:\Documents and Settings\Jarett\Application Data\Microsoft\Windows\aomqmbda.exe
O4 - HKCU\..\Run: [GetPack24] "C:\Program Files\GetPack\GetPack24.exe"
O4 - HKUS\S-1-5-19\..\Run: [lubajiruja] Rundll32.exe "C:\WINDOWS\system32\zedokupa.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [lubajiruja] Rundll32.exe "C:\WINDOWS\system32\zedokupa.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 4992825140
O20 - AppInit_DLLs: karna.dat C:\WINDOWS\system32\sonosuje.dll c:\windows\system32\muwevola.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\muwevola.dll
O22 - SharedTaskScheduler: mcb7uehuj3n8weuhejsw - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\jsne87fidgf.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\muwevola.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmFyZXR0\command.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NNServ - New.net, Inc. - C:\Program Files\NewDotNet\nnrun.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7371 bytes
I hope you can help me, I can't even go on-line with triilions of pop-ups from "internet Explorer which I don't use to log on. I use firefox.
kiyt13
Active Member
 
Posts: 10
Joined: November 16th, 2008, 1:44 am

Re: HELP! Computer infected

Unread postby Axephilic » November 18th, 2008, 1:13 pm

Hello,

Did you disable registry editing? If you are unsure what that means, then please let me know that.


Next, we will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.


In your next reply, please include:
  1. ComboFix log
  2. A new HijackThis log

Regards,
Adam
User avatar
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: HELP! Computer infected

Unread postby kiyt13 » November 18th, 2008, 7:16 pm

NOt to sure i know what "registry editing" is, SORRY! So don't think its been disabled.
kiyt13
Active Member
 
Posts: 10
Joined: November 16th, 2008, 1:44 am

Re: HELP! Computer infected

Unread postby Axephilic » November 18th, 2008, 11:34 pm

Ok, thank you. You can continue with the rest of the instructions. :)

Regards,
Adam
User avatar
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: HELP! Computer infected

Unread postby kiyt13 » November 19th, 2008, 7:40 pm

i tried to follow your directions to a "T" and a combofix bar comes on the desktop, but once it goes left to right, it then does nothing
I don't know what to do. HELP!
kiyt13
Active Member
 
Posts: 10
Joined: November 16th, 2008, 1:44 am

Re: HELP! Computer infected

Unread postby kiyt13 » November 19th, 2008, 8:31 pm

OK! All I had to do was restart the computer and then Combofix started. here is the Combofix log:

ComboFix 08-11-18.A2 - Jarett 2008-11-19 18:57:15.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.493 [GMT -5:00]
Running from: c:\documents and settings\Jarett\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jarett\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Jarett\LOCALS~1\Temp\prun.exe
c:\docume~1\Jarett\LOCALS~1\Temp\snapsnet.exe
c:\documents and settings\Jarett\Application Data\DOBE~1
c:\documents and settings\Jarett\Application Data\gadcom
c:\documents and settings\Jarett\Application Data\Gool
c:\documents and settings\Jarett\Cookies\bozizepydi.db
c:\documents and settings\Jarett\Cookies\xamenojo.lib
c:\documents and settings\Jarett\Local Settings\Temporary Internet Files\bestwiner.stt
c:\documents and settings\Jarett\Local Settings\Temporary Internet Files\CPV.stt
c:\documents and settings\Jarett\Local Settings\Temporary Internet Files\ekivo._dl
c:\documents and settings\Jarett\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\Jarett\Local Settings\Temporary Internet Files\gewahugete._dl
c:\documents and settings\Jarett\Local Settings\Temporary Internet Files\ogysaboj.sys
c:\documents and settings\Jarett\Local Settings\Temporary Internet Files\tajanizimy.exe
c:\documents and settings\Jarett\Start Menu\Antivirus 2009
c:\documents and settings\LocalService\Application Data\NetMon
c:\documents and settings\LocalService\Application Data\NetMon\domains.txt
c:\documents and settings\LocalService\Application Data\NetMon\log.txt
c:\program files\GetPack
c:\program files\GetPack\dictame.gz
c:\program files\GetPack\GetPack24.exe
c:\program files\GetPack\trgtame.gz
c:\program files\iCheck
c:\program files\iCheck\Uninstall.exe
c:\program files\inetget2
c:\program files\Mjcore
c:\program files\Mjcore\Mjcore.dll
c:\program files\network monitor
c:\program files\network monitor\netmon.exe
c:\program files\newdotnet
c:\program files\newdotnet\nncore.dll
c:\program files\newdotnet\nnrun.exe
c:\program files\newdotnet\readme.html
c:\program files\newdotnet\uninstall.exe
c:\windows\IE4 Error Log.txt
c:\windows\NDNuninstall6_38.exe
c:\windows\SmFyZXR0\
c:\windows\SmFyZXR0\\asappsrv.dll
c:\windows\SmFyZXR0\\command.exe
c:\windows\SmFyZXR0\\mAIVtrlX.vbs
c:\windows\SmFyZXR0\command.exe
c:\windows\system32\~.exe
c:\windows\system32\anobahab.ini
c:\windows\system32\atmtd.dll
c:\windows\system32\atmtd.dll._
c:\windows\system32\bahabona.dll
c:\windows\system32\DelSelf.bat
c:\windows\system32\dipakule.dll
c:\windows\system32\drivers\tdssserv.sys
c:\windows\system32\hejivego.dll
c:\windows\system32\ipilinor.ini
c:\windows\system32\itafakuf.ini2
c:\windows\system32\itafakuf.tmp
c:\windows\system32\jsne87fidgf.dll
c:\windows\system32\MSINET.oca
c:\windows\system32\msupdate.exe
c:\windows\system32\muwevola.dll
c:\windows\system32\ogevijeh.ini
c:\windows\system32\pac.txt
c:\windows\system32\ronilipi.dll
c:\windows\system32\rubuvefu.dll
c:\windows\system32\sidikeyu.dll
c:\windows\system32\sonosuje.dll
c:\windows\system32\tinuhagu.dll
c:\windows\system32\uwigaruz.ini
c:\windows\system32\zedokupa.dll
c:\windows\system32\zesifimi.dll
c:\windows\uninstall_nmon.vbs

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR
-------\Legacy_NNSERV
-------\Legacy_tdssserv.sys
-------\Service_cmdService
-------\Service_Network Monitor
-------\Service_NNServ
-------\Service_tdssserv.sys


((((((((((((((((((((((((( Files Created from 2008-10-20 to 2008-11-20 )))))))))))))))))))))))))))))))
.

2008-11-19 17:08 . 2008-11-19 17:08 465,920 --a------ c:\windows\system32\iesvcmon.exe
2008-11-19 17:08 . 2008-11-19 17:09 77,897 --a------ c:\windows\system32\gnqwbysrhk.exe
2008-11-19 17:08 . 2008-11-19 17:08 53,938 --a------ c:\windows\system32\cont_adsoftinc-remove.exe
2008-11-16 00:29 . 2008-11-16 00:29 <DIR> d-------- c:\program files\Trend Micro
2008-11-11 16:56 . 2008-10-24 06:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 16:55 . 2008-09-04 12:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-11-09 19:58 . 2008-11-09 19:58 9,662 --a------ c:\windows\system32\ZoneAlarmIconUS.ico
2008-11-09 19:22 . 2008-11-09 19:22 <DIR> d-------- c:\program files\Webtools
2008-11-09 19:22 . 2008-11-09 20:11 <DIR> d-------- c:\program files\AV9
2008-11-09 19:22 . 2008-11-19 19:08 58 --a------ c:\windows\system32\winwp.bmp
2008-11-09 19:19 . 2008-11-09 19:19 19,828 --a------ c:\windows\ibopufokut.scr
2008-11-09 19:19 . 2008-11-09 19:19 19,652 --a------ c:\windows\ijite.dat
2008-11-09 19:19 . 2008-11-09 19:19 19,522 --a------ c:\windows\system32\abugydo.db
2008-11-09 19:19 . 2008-11-09 19:19 19,110 --a------ c:\documents and settings\Jarett\Application Data\liko.dll
2008-11-09 19:19 . 2008-11-09 19:19 18,855 --a------ c:\windows\ysonamo.dl
2008-11-09 19:19 . 2008-11-09 19:19 18,562 --a------ c:\windows\system32\qigap.com
2008-11-09 19:19 . 2008-11-09 19:19 18,229 --a------ c:\windows\system32\uqypok.dll
2008-11-09 19:19 . 2008-11-09 19:19 15,961 --a------ c:\documents and settings\All Users\Application Data\ypyxamapo.vbs
2008-11-09 19:19 . 2008-11-09 19:19 14,945 --a------ c:\documents and settings\All Users\Application Data\cixa.reg
2008-11-09 19:19 . 2008-11-09 19:19 13,285 --a------ c:\documents and settings\Jarett\Application Data\tuzihes.reg
2008-11-09 19:19 . 2008-11-09 19:19 12,968 --a------ c:\windows\system32\kymuqefi.bat
2008-11-09 19:19 . 2008-11-09 19:19 11,968 --a------ c:\windows\henyba.lib
2008-11-09 19:19 . 2008-11-09 19:19 10,434 --a------ c:\windows\system32\debytat.com
2008-11-09 14:39 . 2008-11-09 19:07 73,728 --a------ c:\windows\system32\TDSSxfum.dll
2008-11-09 14:39 . 2008-11-09 19:07 35,840 --a------ c:\windows\system32\TDSSoiqh.dll
2008-11-09 14:39 . 2008-11-09 19:14 3,352 --a------ c:\windows\system32\TDSSlxwp.dll
2008-11-09 14:39 . 2008-11-09 19:15 527 --a------ c:\windows\system32\TDSSosvd.dat
2008-11-09 14:39 . 2008-11-09 14:39 2 --a------ C:\-1139768555
2008-11-09 14:38 . 2008-11-09 14:38 <DIR> d-------- c:\windows\system32\sX3i19
2008-11-09 14:38 . 2008-11-09 14:38 <DIR> d-------- c:\temp\PRE45
2008-11-09 14:38 . 2008-11-09 14:38 <DIR> d-------- C:\Temp
2008-11-09 14:38 . 2008-11-09 20:01 <DIR> d-------- c:\documents and settings\Jarett\Application Data\NI.GSCNS
2008-11-09 14:38 . 2008-11-09 14:38 150,528 --a------ c:\windows\system32\mkrnl.exe
2008-11-09 14:38 . 2008-11-09 14:38 34,816 --a------ c:\windows\system32\prun.exe
2008-11-06 22:52 . 2008-11-06 22:52 <DIR> d-------- c:\program files\MSECache
2008-11-06 22:51 . 2008-11-06 22:52 28,868,320 --a------ C:\FileFormatConverters.exe
2008-11-02 14:35 . 2008-11-02 14:35 <DIR> d-------- c:\program files\uTorrent
2008-11-02 14:35 . 2008-11-03 22:09 <DIR> d-------- c:\documents and settings\Jarett\Application Data\uTorrent
2008-11-02 11:09 . 2008-11-02 11:09 <DIR> d-------- c:\program files\Microsoft ActiveSync
2008-11-02 11:08 . 2008-11-02 11:09 <DIR> d-------- c:\windows\SHELLNEW
2008-11-02 11:07 . 2008-11-02 11:07 <DIR> d-------- c:\program files\Microsoft.NET
2008-11-02 11:05 . 2008-11-02 11:05 <DIR> dr-h----- C:\MSOCache
2008-10-30 11:24 . 2008-10-30 11:24 190,976 --a------ c:\windows\system32\xqbtwuobfynmqnflm.dll
2008-10-28 11:54 . 2008-10-28 11:54 172,544 --a------ c:\windows\system32\_xqbtwuobfynmqnflm.dll
2008-10-28 10:20 . 2008-10-28 10:20 555,008 --a------ c:\windows\system32\nspF.dll
2008-10-23 20:41 . 2008-10-15 11:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
2008-10-21 18:33 . 2008-11-15 20:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater
2008-10-21 18:32 . 2008-10-21 18:34 <DIR> d-------- c:\program files\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-12 02:22 --------- d-----w c:\documents and settings\Jarett\Application Data\HP
2008-11-10 00:19 15,104 ----a-w c:\program files\Common Files\xytenapeso.db
2008-11-10 00:19 12,338 ----a-w c:\program files\Common Files\rofik.lib
2008-11-10 00:19 12,148 ----a-w c:\program files\Common Files\ybicozykit._sy
2008-11-08 01:47 --------- d-----w c:\documents and settings\Jarett\Application Data\AdobeUM
2008-11-07 03:03 19,460 ----a-w c:\documents and settings\Jarett\Application Data\wklnhst.dat
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-01-08 05:18 439,296 -c--a-w c:\documents and settings\Jarett\GoToAssist_phone__317_en.exe
2008-02-01 16:30 88 --sh--r c:\windows\system32\0DF73F48AE.sys
2008-02-01 16:32 2,516 -csha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4C1AA693-0D8B-0199-BDC4-EF0C72CB10FA}]
2008-10-30 11:24 190976 --a------ c:\windows\system32\xqbtwuobfynmqnflm.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-03-25 50528]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"prunnet"="c:\windows\system32\prun.exe" [2008-11-09 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-09-22 761947]
"prunnet"="c:\windows\system32\prun.exe" [2008-11-09 34816]
"iesvcmon"="c:\windows\system32\iesvcmon.exe" [2008-11-19 465920]
"zvvaqgioovjiesmyv"="c:\windows\system32\xqbtwuobfynmqnflm.dll" [2008-10-30 190976]
"SigmatelSysTrayApp"="stsystra.exe" [2006-09-22 c:\windows\stsystra.exe]
"emMON"="emMON.exe" [2006-05-30 c:\windows\emMON.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Clean Access Agent.lnk - c:\program files\Cisco Systems\Clean Access Agent\CCAAgent.exe [2007-09-17 2056275]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Clean Access Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Clean Access Agent.lnk
backup=c:\windows\pss\Clean Access Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jarett^Start Menu^Programs^Startup^Picture Motion Browser Media Check Tool.lnk]
path=c:\documents and settings\Jarett\Start Menu\Programs\Startup\Picture Motion Browser Media Check Tool.lnk
backup=c:\windows\pss\Picture Motion Browser Media Check Tool.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-03-25 15:21 50528 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2006-08-23 17:14 1032192 c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellHelp]
--a--c--- 2004-04-01 16:51 1589248 c:\dell\DellHelp\DellHelp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
-----c--- 2005-12-09 21:29 49152 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
--a--c--- 2006-11-17 12:47 18944 c:\dell\E-Center\EULALauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a--c--- 2006-12-10 21:52 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
--a--c--- 2008-02-18 05:58 206184 c:\program files\TomTom HOME 2\HOMERunner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon_McciTrayApp]
--a--c--- 2007-09-28 13:30 936960 c:\program files\Verizon\McciTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-11-13 24652]
S1 10912219;10912219;c:\windows\system32\drivers\10912219.sys []
S3 USB28xxBGA;USB 2820 Device;c:\windows\system32\DRIVERS\emBDA.sys [2006-09-12 292864]
S3 USB28xxOEM;USB 28xx OEM Filter;c:\windows\system32\DRIVERS\emOEM.sys [2006-08-21 7168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{147b81c0-c30a-11dc-9394-0015c5c37754}]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{57221c32-d697-11dc-93a8-0015c5c37754}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{abbff808-1efa-11dd-93fb-0015c5c37754}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{de9ed79e-eb01-11dc-93c1-0015c5c37754}]
\Shell\AutoRun\command - E:\InstallTomTomHOME.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{327686df-09de-4d57-87a5-3c7c46e139b5} - c:\windows\system32\tinuhagu.dll
HKCU-Run-msupdate.exe - c:\windows\system32\msupdate.exe
HKCU-Run-GetPack24 - c:\program files\GetPack\GetPack24.exe
MSConfigStartUp-ares ultra - c:\program files\Ares Ultra\Ares Ultra.exe
MSConfigStartUp-Blubster - c:\progra~1\Blubster\Blubster.exe
MSConfigStartUp-egui - c:\program files\ESET\ESET Smart Security\egui.exe
MSConfigStartUp-McAfeeUpdaterUI - c:\program files\McAfee\Common Framework\UdaterUI.exe
MSConfigStartUp-ModemOnHold - c:\program files\NetWaiting\netWaiting.exe
MSConfigStartUp-ShStatEXE - c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Jarett\Application Data\Mozilla\Firefox\Profiles\5qaqc8v6.default\
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF -: plugin - c:\program files\Real\RhapsodyPlayerEngine\nprhapengine.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-19 19:10:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\documents and settings\Jarett\Local Settings\Application Data\AOL OCP\AIM\Storage\data\kiyt13\localStorage\common.cls-journal 512 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\windows\system32\regsvr32.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
.
**************************************************************************
.
Completion time: 2008-11-19 19:15:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-20 00:15:10

Pre-Run: 38,010,388,480 bytes free
Post-Run: 37,971,644,416 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

304 --- E O F --- 2008-11-12 02:08:48


HERE IS A NEW HIGHJACK LOG:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:23:12 PM, on 11/19/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\emMON.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\iesvcmon.exe
C:\WINDOWS\System32\regsvr32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=del ... bd=3061127
O2 - BHO: adsoftinc browser enhancer - {4C1AA693-0D8B-0199-BDC4-EF0C72CB10FA} - C:\WINDOWS\system32\xqbtwuobfynmqnflm.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [emMON] emMON.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prun.exe"
O4 - HKLM\..\Run: [iesvcmon] "C:\WINDOWS\system32\iesvcmon.exe"
O4 - HKLM\..\Run: [zvvaqgioovjiesmyv] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\xqbtwuobfynmqnflm.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\system32\prun.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 4992825140
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5262 bytes
kiyt13
Active Member
 
Posts: 10
Joined: November 16th, 2008, 1:44 am

Re: HELP! Computer infected

Unread postby kiyt13 » November 19th, 2008, 10:09 pm

OK, when I switch on the computer and it goes through the motion of booting up. I get to the user window to click on user and enter password, a gray box appears and states the following:
VIEWPOINT SERVICE.EXE-APPLICATION ERROR
"The exception breakpoint
A breakpoint has been reached
(0x80000003) occurred in the application at location 0x00402250
Click on ok to terminate the program
Click on Cancel to debug the program".

I tried both and it didn't matter. I was able to to the desk top, but almost immediately I get thrown off and a blue screen appears and states:

"A problem has been detected and windows has been shut down to prevent damage to your computer".
TECHNICAL INFORMATION:
Stop:0XEB9D37E8(0x0000005, 0xEE8F5B75,0xEB9D37E8,0x00000000)

Beginning dump of physical memory
Physical memory dump complete

I hope you can help me, I'm ready to poke my eyes out over this.. Thanks so much for all your help so far.. :D
kiyt13
Active Member
 
Posts: 10
Joined: November 16th, 2008, 1:44 am

Re: HELP! Computer infected

Unread postby Axephilic » November 20th, 2008, 4:48 pm

Hello,

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Code: Select all
File::
c:\windows\system32\gnqwbysrhk.exe
c:\windows\system32\cont_adsoftinc-remove.exe
c:\windows\system32\winwp.bmp
c:\windows\ibopufokut.scr
c:\windows\ijite.dat
c:\windows\system32\abugydo.db
c:\documents and settings\Jarett\Application Data\liko.dll
c:\windows\ysonamo.dl
c:\windows\system32\qigap.com
c:\windows\system32\uqypok.dll
c:\documents and settings\All Users\Application Data\ypyxamapo.vbs
c:\documents and settings\All Users\Application Data\cixa.reg
c:\documents and settings\Jarett\Application Data\tuzihes.reg
c:\windows\system32\kymuqefi.bat
c:\windows\henyba.lib
c:\windows\system32\debytat.com
c:\windows\system32\TDSSxfum.dll
c:\windows\system32\TDSSoiqh.dll
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSosvd.dat
c:\windows\system32\mkrnl.exe
c:\windows\system32\prun.exe
c:\windows\system32\xqbtwuobfynmqnflm.dll
c:\windows\system32\_xqbtwuobfynmqnflm.dll
c:\windows\system32\nspF.dll
c:\program files\Common Files\xytenapeso.db
c:\program files\Common Files\rofik.lib
c:\program files\Common Files\ybicozykit._sy

Folder::
C:\-1139768555
c:\windows\system32\sX3i19
c:\temp\PRE45
c:\documents and settings\Jarett\Application Data\NI.GSCNS
c:\program files\Webtools
c:\program files\AV9

Registry::
O2 - BHO: adsoftinc browser enhancer - {4C1AA693-0D8B-0199-BDC4-EF0C72CB10FA} - C:\WINDOWS\system32\xqbtwuobfynmqnflm.dll
O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prun.exe"
O4 - HKLM\..\Run: [zvvaqgioovjiesmyv] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\xqbtwuobfynmqnflm.dll"
O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\system32\prun.exe"

Driver::
10912219



Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe


Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


In your next reply, please include:
  1. ComboFix log
  2. A new HijackThis log

Regards,
Adam
User avatar
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: HELP! Computer infected

Unread postby kiyt13 » November 20th, 2008, 10:02 pm

Will that work in "Safe Mode"? remember the computer is shutting down and giving me a blue screen. Please refer to the past reply. Thanks so much for all the help you are giving me. :D
kiyt13
Active Member
 
Posts: 10
Joined: November 16th, 2008, 1:44 am

Re: HELP! Computer infected

Unread postby Axephilic » November 21st, 2008, 8:08 pm

As per your PM:

How far back did you restore your computer. Was it before or after we had run ComboFix?

Please post a new HijackThis log as well.

Regards,
Adam
User avatar
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: HELP! Computer infected

Unread postby kiyt13 » November 21st, 2008, 8:29 pm

It restore back to working order. I have "highjack" on the desktop but it doesn't want to work. I click on it and nothing happens,so i can't give you a report. any suggestions? should i uninstall it and reinstall it and start from the beginning? sorry about the "PM" i thought we would be able to chat live..
kiyt13
Active Member
 
Posts: 10
Joined: November 16th, 2008, 1:44 am

Re: HELP! Computer infected

Unread postby Axephilic » November 21st, 2008, 8:47 pm

Rename HijackThis
  1. Please go to C:\Program Files\Trend Micro\HijackThis and right click on HijackThis.exe. Select Rename.
  2. Type in scanner.exe and press Enter.
  3. Double click on scanner to run it.
  4. Select Do a system scan and save a logfile. Please post back this log in your next reply.

Also please let me know when you restored your computer to. Was it before or after we ran ComboFix?


Regards,
Adam
User avatar
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: HELP! Computer infected

Unread postby kiyt13 » November 21st, 2008, 8:59 pm

I did as you said about the highjack and it didn't work at all.. I believe i ran combofix and then the computer won't work. so i had to go to restore, which restored back to when it did work. I hope that is a help to you.
kiyt13
Active Member
 
Posts: 10
Joined: November 16th, 2008, 1:44 am
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 290 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware