
Malwarebytes

MBAM won't run, also infected by Antivirus 2010 / Security Tool.


#1
shiki-fuujin (New Member, 7 posts)
So it started about a week ago; my computer started slowing down, and I didn't know why. Anyway, for the past two days I have been trying to get rid of this thing. I have literally spent more than 6 hours today alone trying to fix my computer! My Avast and Malwarebytes won't work; I even tried downloading SUPERAntiSpyware, and to no avail. Please help!
I'll be on till about 12.
PS: Hi :blink:

#2
shiki-fuujin (New Member, 7 posts)
Anyone?? Please, I'm seriously contemplating formatting the whole thing.

#3
screen317 (MBAM Sentinel, Moderator, 16,430 posts, Los Angeles)
Hi and welcome to Malwarebytes.


Please visit this webpage for instructions for running ComboFix:
http://www.bleepingc...to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


-screen317
Chris Fistonich
Consumer Support Specialist


#4
shiki-fuujin (New Member, 7 posts)

screen317, on Oct 4 2009, 12:16 AM, said:

Hi and welcome to Malwarebytes.


Please visit this webpage for instructions for running ComboFix:
http://www.bleepingc...to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


-screen317
OK, I'll have the logs by 2.

#5
shiki-fuujin (New Member, 7 posts)

screen317, on Oct 4 2009, 12:16 AM, said:

Hi and welcome to Malwarebytes.


Please visit this webpage for instructions for running ComboFix:
http://www.bleepingc...to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


-screen317
OK, here is the ComboFix log.

ComboFix 09-10-04.01 - Marrero 09/04/2009 17:32.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.639 [GMT -4:00]
Running from: c:\documents and settings\Marrero\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\aIx2F.tmp
c:\documents and settings\All Users\Application Data\aryqek.bat
c:\documents and settings\All Users\Application Data\azysyz.ban
c:\documents and settings\All Users\Application Data\equw.ban
c:\documents and settings\All Users\Application Data\faci.lib
c:\documents and settings\All Users\Application Data\guwymu._dl
c:\documents and settings\All Users\Application Data\hunilezugu._sy
c:\documents and settings\All Users\Application Data\jubiqyw.com
c:\documents and settings\All Users\Application Data\kawefywan.dl
c:\documents and settings\All Users\Application Data\lanagy.scr
c:\documents and settings\All Users\Application Data\nybityhu.dl
c:\documents and settings\All Users\Application Data\xoxos.lib
c:\documents and settings\All Users\Application Data\ynir._dl
c:\documents and settings\All Users\Application Data\ypoferavur.sys
c:\documents and settings\All Users\Application Data\yrytozegef.reg
c:\documents and settings\All Users\Application Data\ytegapan.pif
c:\documents and settings\All Users\Documents\bipoji.com
c:\documents and settings\All Users\Documents\gegisyg.inf
c:\documents and settings\All Users\Documents\ijava.inf
c:\documents and settings\All Users\Documents\inyne._dl
c:\documents and settings\All Users\Documents\izopimuv.dll
c:\documents and settings\All Users\Documents\nago.bin
c:\documents and settings\All Users\Documents\ocyk.scr
c:\documents and settings\All Users\Documents\ojesy.pif
c:\documents and settings\All Users\Documents\qyfevi._dl
c:\documents and settings\All Users\Documents\sovivyhub.pif
c:\documents and settings\All Users\Documents\ubec._dl
c:\documents and settings\All Users\Documents\udokoqiv.exe
c:\documents and settings\All Users\Documents\ukuzi.dl
c:\documents and settings\All Users\Documents\ykuxyme.bat
c:\documents and settings\Guest User\Application Data\axypigop.inf
c:\documents and settings\Guest User\Application Data\elep.scr
c:\documents and settings\Guest User\Application Data\lizkavd.exe
c:\documents and settings\Guest User\Application Data\megy.pif
c:\documents and settings\Guest User\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk
c:\documents and settings\Guest User\Application Data\seres.exe
c:\documents and settings\Guest User\Application Data\sodyjik.com
c:\documents and settings\Guest User\Application Data\svcst.exe
c:\documents and settings\Guest User\Application Data\time.vbs
c:\documents and settings\Guest User\Application Data\ukakywosaj._dl
c:\documents and settings\Guest User\Application Data\xojoxyjy.lib
c:\documents and settings\Guest User\Application Data\yjaxovok.dll
c:\documents and settings\Guest User\Application Data\yrybe.vbs
c:\documents and settings\Guest User\Application Data\zyheg.lib
c:\documents and settings\Guest User\Application Data\zytiqumuja._dl
c:\documents and settings\Guest User\Cookies\duwybyjod.ban
c:\documents and settings\Guest User\Cookies\egazyzo.sys
c:\documents and settings\Guest User\Cookies\ohyr.pif
c:\documents and settings\Guest User\Cookies\otonasu.reg
c:\documents and settings\Guest User\Cookies\ukaw.lib
c:\documents and settings\Guest User\Desktop\AntivirusPro_2010.lnk
c:\documents and settings\Guest User\Local Settings\Application Data\aqusa._dl
c:\documents and settings\Guest User\Local Settings\Application Data\aratary.bat
c:\documents and settings\Guest User\Local Settings\Application Data\avuxi.reg
c:\documents and settings\Guest User\Local Settings\Application Data\cavyfehygu.pif
c:\documents and settings\Guest User\Local Settings\Application Data\cibezanutu.vbs
c:\documents and settings\Guest User\Local Settings\Application Data\igomen.vbs
c:\documents and settings\Guest User\Local Settings\Application Data\ilepigy.bin
c:\documents and settings\Guest User\Local Settings\Application Data\jejapajasu.pif
c:\documents and settings\Guest User\Local Settings\Application Data\yfuk.pif
c:\documents and settings\Guest User\Local Settings\Temporary Internet Files\bipaxovevi.db
c:\documents and settings\Guest User\Local Settings\Temporary Internet Files\colize.com
c:\documents and settings\Guest User\Local Settings\Temporary Internet Files\fozod.exe
c:\documents and settings\Guest User\Local Settings\Temporary Internet Files\huda.ban
c:\documents and settings\Guest User\Local Settings\Temporary Internet Files\iqakutuxa.exe
c:\documents and settings\Guest User\Local Settings\Temporary Internet Files\jilyxo.lib
c:\documents and settings\Guest User\Local Settings\Temporary Internet Files\kinib.dl
c:\documents and settings\Guest User\Local Settings\Temporary Internet Files\myxe.lib
c:\documents and settings\Guest User\Local Settings\Temporary Internet Files\nikez.inf
c:\documents and settings\Guest User\Local Settings\Temporary Internet Files\qelacupis.bat
c:\documents and settings\Guest User\Local Settings\Temporary Internet Files\sifu.sys
c:\documents and settings\Guest User\Local Settings\Temporary Internet Files\uzolarig._dl
c:\documents and settings\Guest User\Local Settings\Temporary Internet Files\ykofuvanu.bat
c:\documents and settings\Guest User\Start Menu\Programs\AntivirusPro_2010
c:\documents and settings\Guest User\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk
c:\documents and settings\Guest User\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk
c:\documents and settings\Marrero\Application Data\adyn.bin
c:\documents and settings\Marrero\Application Data\atyzonyk._dl
c:\documents and settings\Marrero\Application Data\gogo.lib
c:\documents and settings\Marrero\Application Data\pewijari.ban
c:\documents and settings\Marrero\Application Data\umoles.pif
c:\documents and settings\Marrero\Application Data\zopacule.lib
c:\documents and settings\Marrero\Cookies\cavafovugo.ban
c:\documents and settings\Marrero\Cookies\hanubon.ban
c:\documents and settings\Marrero\Cookies\imohykexan.inf
c:\documents and settings\Marrero\Cookies\nequkocu._dl
c:\documents and settings\Marrero\Cookies\rojenu.ban
c:\documents and settings\Marrero\Cookies\sumace.ban
c:\documents and settings\Marrero\Cookies\zujivos.sys
c:\documents and settings\Marrero\Local Settings\Application Data\wyvimefac.scr
c:\documents and settings\Marrero\Local Settings\Application Data\yqycubema.sys
c:\documents and settings\Marrero\Local Settings\Temporary Internet Files\udan.db
c:\documents and settings\Marrero\Local Settings\Temporary Internet Files\vikihibo._dl
C:\p2hhr.bat
c:\program files\AntivirusPro_2010
c:\program files\AntivirusPro_2010\AntivirusPro_2010.cfg
c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe
c:\program files\Common Files\axexos.inf
c:\program files\Common Files\bobofamimu.com
c:\program files\Common Files\efyreh.exe
c:\program files\Common Files\esepokecih.reg
c:\program files\Common Files\evowedekat.pif
c:\program files\Common Files\hipinu.bin
c:\program files\Common Files\ikecynypo.bin
c:\program files\Common Files\ilequzew.reg
c:\program files\Common Files\naxaxa.exe
c:\program files\Common Files\ocojuw._dl
c:\program files\Common Files\pijyzy.dl
c:\program files\Common Files\tolixuwo.reg
c:\program files\Common Files\ubycisazuv.com
c:\program files\Common Files\uqyr.scr
c:\program files\Common Files\uwewewyx.ban
c:\program files\Common Files\xybufuf.reg
c:\program files\Common Files\xyze.ban
c:\program files\Common Files\ycibu.sys
c:\windows\ahyzafuxy.inf
c:\windows\alowadiv.pif
c:\windows\avucedafef.bat
c:\windows\bevokawisu.reg
c:\windows\boryvovaco.pif
c:\windows\bujuxyd.pif
c:\windows\davij.bin
c:\windows\desktop
c:\windows\dymybydo.dll
c:\windows\ebijyjap.dl
c:\windows\edavumamyn.bat
c:\windows\exabatace.exe
c:\windows\giwerydy.dll
c:\windows\hevuhazuc.sys
c:\windows\hicuma.scr
c:\windows\ivenog.dll
c:\windows\iweg.dl
c:\windows\kb913800.exe
c:\windows\lyhi.dll
c:\windows\nesi.dl
c:\windows\susir.scr
c:\windows\svchast.exe
c:\windows\system32\_scui.cpl
c:\windows\system32\~.exe
c:\windows\system32\41.exe
c:\windows\system32\anilala.bat
c:\windows\system32\AVR09.exe
c:\windows\system32\bincd32.dat
c:\windows\system32\bujokatu.exe
c:\windows\system32\critical_warning.html
c:\windows\system32\harizepu.dll
c:\windows\system32\ijalipogi._dl
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
c:\windows\system32\kedohugu.dll
c:\windows\system32\lslvcpyi.ini
c:\windows\system32\mehe.inf
c:\windows\system32\muzupera.dll
c:\windows\system32\natosykipu.dl
c:\windows\system32\nezogeju.dll
c:\windows\system32\niwaluyu.dll
c:\windows\system32\nobajanu.dll
c:\windows\system32\nupyt.sys
c:\windows\system32\okad.sys
c:\windows\system32\plUGie.dll
c:\windows\system32\pojuno.bin
c:\windows\system32\satevowa.dll
c:\windows\system32\seyohale.dll
c:\windows\system32\sonumiwo.dll
c:\windows\system32\t88u30ar.dll
c:\windows\system32\tDdMnnmp.ini
c:\windows\system32\tDdMnnmp.ini2
c:\windows\system32\tejekuru.dll
c:\windows\system32\tubakile.dll
c:\windows\system32\ucybyres.bin
c:\windows\system32\ulew.pif
c:\windows\system32\vebuwazany.vbs
c:\windows\system32\wbem\proquota.exe
c:\windows\system32\wepanibe.dll
c:\windows\system32\wimaxobor.pif
c:\windows\system32\winhelper.dll
c:\windows\system32\winupdate.exe
c:\windows\system32\wispex.html
c:\windows\system32\yhyr.ban
c:\windows\system32\ysoma.reg
c:\windows\system32\zabunego.dll
c:\windows\system32\zipavagi.dll
c:\windows\tekymadi.dl
c:\windows\ukatamory.ban
c:\windows\uwiqyk.scr
c:\windows\uxag.vbs
c:\windows\wiaserviv.log
c:\windows\xapopos.vbs
c:\windows\yxefybynyl.scr
c:\windows\zefivicy.bin
c:\windows\zivo._dl
C:\xcrashdump.dat

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_AntiPol
-------\Service_AntiPol


((((((((((((((((((((((((( Files Created from 2009-08-04 to 2009-09-04 )))))))))))))))))))))))))))))))
.

2009-10-04 05:39 . 2009-10-04 05:39 -------- d-----w- c:\documents and settings\Marrero\Application Data\4950769446
2009-10-03 19:30 . 2009-10-03 19:30 -------- d-----w- c:\documents and settings\Marrero\Application Data\SUPERAntiSpyware.com
2009-10-01 21:19 . 2009-10-01 21:19 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\8904351066
2009-10-01 02:38 . 2009-10-01 02:38 -------- d-----w- c:\documents and settings\All Users\Application Data\xv11070624
2009-09-30 21:59 . 2009-09-30 21:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\TuneUp Software
2009-09-28 15:16 . 2009-09-28 15:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-04 20:50 . 2009-09-04 20:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\Viewpoint
2009-09-04 20:50 . 2009-09-04 20:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\AOL
2009-08-25 21:58 . 2009-08-25 21:58 -------- d-----w- c:\documents and settings\Marrero\Application Data\TuneUp Software
2009-08-20 23:17 . 2009-08-20 23:17 -------- d-----w- c:\documents and settings\Guest User\Application Data\Malwarebytes
2009-08-20 22:17 . 2009-08-20 22:17 -------- d-----w- c:\documents and settings\Marrero\Application Data\Malwarebytes
2009-08-20 22:17 . 2009-08-20 22:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-04 17:30 . 2006-10-25 23:31 -------- d-----w- c:\program files\Dl_cats
2009-10-04 17:22 . 2009-10-01 02:38 0 ----a-r- c:\windows\win32k.sys
2009-10-04 05:39 . 2009-10-04 05:39 -------- d-----w- c:\documents and settings\Marrero\Application Data\4950769446
2009-10-04 05:39 . 2009-07-04 05:38 1048099 --sha-w- c:\windows\system32\tikiyabu.exe
2009-10-04 01:39 . 2009-10-04 01:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malwarebb
2009-10-03 20:19 . 2009-10-03 20:19 16892 ----a-w- c:\windows\dygivogohy.com
2009-10-03 20:19 . 2009-10-03 20:19 12179 ----a-w- c:\program files\Common Files\temipaw._sy
2009-10-03 20:19 . 2009-10-03 20:19 11804 ----a-w- c:\program files\Common Files\xubuhanum._sy
2009-10-03 20:19 . 2009-10-03 20:19 11341 ----a-w- c:\documents and settings\Guest User\Application Data\omovo.dat
2009-10-03 20:06 . 2009-10-03 20:06 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-03 19:30 . 2009-10-03 19:30 -------- d-----w- c:\documents and settings\Marrero\Application Data\SUPERAntiSpyware.com
2009-10-03 18:57 . 2006-11-04 02:04 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-10-03 18:57 . 2006-11-04 02:04 88 --sh--r- c:\windows\system32\69ED63905D.sys
2009-10-03 03:28 . 2009-10-03 03:28 19443 ----a-w- c:\windows\dozanafato.dat
2009-10-03 03:28 . 2009-10-03 03:28 14298 ----a-w- c:\windows\lavy.dat
2009-10-03 03:19 . 2009-10-03 03:19 17030 ----a-w- c:\windows\dydap.dat
2009-10-03 01:28 . 2009-10-03 01:28 -------- d-----w- c:\documents and settings\Administrator\Application Data\Macromedia
2009-10-03 01:28 . 2009-10-03 01:28 -------- d-----w- c:\documents and settings\Administrator\Application Data\Adobe
2009-10-03 01:25 . 2009-10-02 15:38 58 ----a-w- c:\windows\wf4.dat
2009-10-03 01:25 . 2009-10-02 15:38 3 ----a-w- c:\windows\wf3.dat
2009-10-03 01:19 . 2009-10-02 15:46 131731 ----a-w- c:\windows\system32\dbsinit.exe
2009-10-03 00:34 . 2009-10-03 00:34 95856 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-03 00:16 . 2009-10-03 00:16 18756 ----a-w- c:\windows\jisynuheko.dat
2009-10-03 00:16 . 2009-10-03 00:16 16637 ----a-w- c:\program files\Common Files\acuh.lib
2009-10-03 00:16 . 2009-10-03 00:16 15780 ----a-w- c:\documents and settings\All Users\Application Data\ceresa.dat
2009-10-03 00:16 . 2009-10-03 00:16 15133 ----a-w- c:\program files\Common Files\adumyfykib.lib
2009-10-02 15:42 . 2009-10-02 15:38 545792 ----a-w- c:\windows\system32\pump.exe
2009-10-02 15:38 . 2009-10-02 15:38 36 ----a-w- c:\windows\system32\skynet.dat
2009-10-02 00:27 . 2009-10-02 00:27 17592 ----a-w- c:\windows\ubukijobiq.com
2009-10-02 00:27 . 2009-10-02 00:27 16700 ----a-w- c:\windows\system32\hakypago.dat
2009-10-02 00:27 . 2009-10-02 00:27 14415 ----a-w- c:\program files\Common Files\obig.dat
2009-10-01 21:19 . 2009-07-01 21:19 51200 --sha-w- c:\windows\system32\defupabo.dll
2009-10-01 21:19 . 2009-10-01 21:19 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\8904351066
2009-10-01 21:19 . 2009-07-01 21:19 1048100 --sha-w- c:\windows\system32\hujepaka.exe
2009-10-01 02:38 . 2009-10-01 02:38 -------- d-----w- c:\documents and settings\All Users\Application Data\xv11070624
2009-10-01 02:38 . 2009-10-01 02:38 496164 ----a-w- C:\aIx2F.tmp.exe
2009-10-01 02:38 . 2009-10-01 02:38 52736 ----a-w- C:\afuqr.exe
2009-10-01 02:38 . 2009-10-01 02:38 19456 ----a-w- C:\ekffax.exe
2009-10-01 02:38 . 2009-10-01 02:38 17920 ----a-w- C:\qgferewy.exe
2009-10-01 02:38 . 2009-10-01 02:38 57856 ----a-w- C:\vklebc.exe
2009-10-01 02:38 . 2009-10-01 02:38 46592 ----a-w- C:\hrngen.exe
2009-10-01 02:38 . 2009-10-01 02:38 12288 ----a-w- C:\qtpjjuur.exe
2009-10-01 02:38 . 2009-10-01 02:38 6144 ----a-w- C:\avjelge.exe
2009-09-30 21:59 . 2009-09-30 21:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\TuneUp Software
2009-09-30 20:17 . 2005-08-16 08:50 -------- d-s---w- c:\documents and settings\Administrator\Application Data\Microsoft
2009-09-28 15:16 . 2009-09-28 15:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-28 01:40 . 2009-09-28 01:40 5632 ----a-w- C:\rlswn.exe
2009-09-10 18:54 . 2009-10-03 20:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2009-10-03 20:11 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-10 00:59 . 2009-04-16 20:28 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-04 21:36 . 2009-10-03 19:30 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-04 21:36 . 2009-08-20 22:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-04 20:50 . 2009-09-04 20:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\Viewpoint
2009-09-04 20:50 . 2009-09-04 20:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\AOL
2009-09-04 20:30 . 2009-09-04 20:30 17614 ----a-w- c:\windows\ubik.com
2009-09-04 20:29 . 2009-01-31 16:23 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-03 04:33 . 2006-10-19 15:27 -------- d-----w- c:\documents and settings\All Users\Application Data\QuickTime
2009-08-27 15:44 . 2009-05-28 22:44 -------- d-----w- c:\documents and settings\Guest User\Application Data\uTorrent
2009-08-25 21:58 . 2009-08-25 21:58 -------- d-----w- c:\documents and settings\Marrero\Application Data\TuneUp Software
2009-08-20 23:17 . 2009-08-20 23:17 -------- d-----w- c:\documents and settings\Guest User\Application Data\Malwarebytes
2009-08-20 22:17 . 2009-08-20 22:17 -------- d-----w- c:\documents and settings\Marrero\Application Data\Malwarebytes
2009-08-20 22:17 . 2009-08-20 22:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-20 19:50 . 2009-08-20 19:50 604488 ----a-w- c:\windows\system32\TUProgSt.exe
2009-08-20 19:50 . 2009-08-20 19:50 361288 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2009-08-20 19:49 . 2009-06-04 21:38 -------- d-----w- c:\program files\TuneUp Utilities 2009
2009-08-20 16:35 . 2009-08-20 16:35 18203 ----a-w- c:\windows\yrolyv.dat
2009-08-20 16:35 . 2009-08-20 16:35 18083 ----a-w- c:\documents and settings\Marrero\Local Settings\Application Data\xihemeq.dat
2009-08-19 21:15 . 2006-12-25 03:31 -------- d-----w- c:\program files\Morpheus
2009-08-05 09:01 . 2005-08-16 08:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-25 01:28 . 2006-10-26 21:14 -------- d-s---w- c:\documents and settings\Guest User\Application Data\Microsoft
2009-07-17 19:01 . 2005-08-16 08:18 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-15 09:48 . 2009-08-20 19:50 29000 ----a-w- c:\windows\system32\uxtuneup.dll
2009-07-13 14:08 . 2005-08-16 08:19 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-09 18:18 . 2006-10-25 23:20 -------- d-s---w- c:\documents and settings\Marrero\Application Data\Microsoft
2009-07-08 20:14 . 2006-10-26 21:14 133 ----a-w- c:\documents and settings\Guest User\Local Settings\Application Data\fusioncache.dat
2009-07-06 22:54 . 2006-10-29 14:18 95856 ----a-w- c:\documents and settings\Marrero\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-04 17:40 . 2009-07-04 17:40 1048099 --sha-w- c:\windows\system32\hetuyevo.exe
2009-07-03 17:09 . 2005-08-16 08:18 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2005-08-16 08:18 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2005-08-16 08:18 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2005-08-16 08:18 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2005-08-16 08:18 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2005-08-16 08:18 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2005-08-16 08:18 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2005-08-16 08:18 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2005-08-16 08:18 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2005-08-16 08:18 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2005-08-16 08:18 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2005-08-16 08:18 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2005-08-16 08:18 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2005-08-16 08:37 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2005-08-16 08:18 132096 ----a-w- c:\windows\system32\wkssvc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-15 1998576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-23 7630848]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-10-20 430080]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"HostManager"="c:\program files\Common Files\AOL\1169773129\ee\AOLSoftware.exe" [2008-06-24 41824]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-09-13 73728]
"4950769446"="c:\documents and settings\Marrero\Application Data\4950769446\4950769446.exe" [2009-10-04 1048099]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-08-23 1617920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)
"aswUpdSv"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"c0d1d4a2"=rundll32.exe "c:\windows\system32\iypcvlsl.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\AOL\\RC\\regClient.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Common Files\\AOL\\1169773129\\ee\\aolsoftware.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\WINDOWS\\ehome\\ehtray.exe"=
"c:\\WINDOWS\\system32\\TUProgSt.exe"=
"c:\\WINDOWS\\system32\\verclsid.exe"=
"c:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe"=
"c:\\Program Files\\Dell\\Media Experience\\DMXLauncher.exe"=

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/15/2009 11:42 AM 74480]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [8/20/2009 3:50 PM 604488]
S2 iaufo4ohg7ai;Creative ALchemy AL1 Licensing Service;c:\windows\system32\soucyzyssar.exe --> c:\windows\system32\soucyzyssar.exe [?]
S2 vberabertsog;vberabertsog;\??\c:\windows\system32\drivers\yladd.sys --> c:\windows\system32\drivers\yladd.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
.
Contents of the 'Scheduled Tasks' folder

2009-09-04 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2009-07-16 08:54]

2009-10-04 c:\windows\Tasks\User_Feed_Synchronization-{EEDEE9C1-E241-40A9-9134-C869CB7EEF11}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://search.aol.com/aolcom/search?query={searchTerms}&invocationType=msie70a
mStart Page = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath -
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-roromeney - c:\windows\system32\wepanibe.dll
HKLM-Run-miledufoka - kedohugu.dll
SharedTaskScheduler-{b1db276b-5679-4510-bbe6-f5ca89b1f203} - (no file)
SharedTaskScheduler-{fde09a82-3c95-4ad8-8c84-fc70a7064d50} - (no file)
SharedTaskScheduler-{6216e49e-5856-44df-96cd-03cd481564c9} - (no file)
SharedTaskScheduler-{bebf7048-82ef-400d-bd11-7ebb238e491d} - (no file)
SharedTaskScheduler-{49a2fc7b-17be-4ea8-99da-2a504a6ba3e5} - (no file)
SharedTaskScheduler-{dc6f7cf8-9d32-49f3-ab70-5dd45fea139b} - (no file)
SharedTaskScheduler-{e0e4a128-e93e-4974-8e1f-1ef70e9a3702} - (no file)
SharedTaskScheduler-{f20cd60d-f789-43a4-9e37-f404e5d42bfe} - (no file)
SharedTaskScheduler-{0f8d9d63-c1fc-4680-b7ab-05b0bfa63a06} - c:\windows\system32\wepanibe.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-04 17:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\wanmpsvc.exe
c:\windows\system32\fxssvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\rundll32.exe
c:\combofix\hidec.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\dlcccoms.exe
c:\program files\Dell Support\DSAgnt.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
c:\combofix\Catchme.tmp
.
**************************************************************************
.
Completion time: 2009-09-04 17:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-04 21:43

Pre-Run: 57,965,928,448 bytes free
Post-Run: 58,714,570,752 bytes free

494 --- E O F --- 2009-09-09 18:52

#6
screen317

    MBAM Sentinel

  • Moderators
  • PipPipPipPipPipPip
  • 16,430 posts
  • Gender:Male
  • Location:Los Angeles
Hi,

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.


Next, please open Notepad. Copy and paste the text in the Code box below into Notepad:

http://www.malwarebytes.org/forums/index.php?showtopic=26686
Collect::
c:\windows\system32\tikiyabu.exe
c:\windows\dygivogohy.com
c:\program files\Common Files\temipaw._sy
c:\program files\Common Files\xubuhanum._sy
c:\documents and settings\Guest User\Application Data\omovo.dat
c:\windows\wf4.dat
c:\windows\wf3.dat
c:\windows\system32\dbsinit.exe
c:\windows\dozanafato.dat
c:\windows\lavy.dat
c:\windows\dydap.dat
c:\windows\jisynuheko.dat
c:\program files\Common Files\acuh.lib
c:\documents and settings\All Users\Application Data\ceresa.dat
c:\program files\Common Files\adumyfykib.lib
c:\windows\system32\pump.exe
c:\windows\system32\skynet.dat
c:\windows\ubukijobiq.com
c:\windows\system32\hakypago.dat
c:\program files\Common Files\obig.dat
c:\windows\system32\defupabo.dll
c:\windows\system32\hujepaka.exe
c:\windows\system32\iypcvlsl.dll
C:\aIx2F.tmp.exe
C:\afuqr.exe
C:\ekffax.exe
C:\qgferewy.exe
C:\vklebc.exe
C:\hrngen.exe
C:\qtpjjuur.exe
C:\avjelge.exe
C:\rlswn.exe
c:\windows\ubik.com
c:\windows\yrolyv.dat
c:\documents and settings\Marrero\Application Data\4950769446\4950769446.exe
c:\documents and settings\Marrero\Local Settings\Application Data\xihemeq.dat
c:\windows\system32\drivers\yladd.sys
Folder::
c:\documents and settings\Marrero\Application Data\4950769446
c:\windows\system32\config\systemprofile\Application Data\8904351066
c:\documents and settings\All Users\Application Data\xv11070624
KILLALL::
REGISTRY::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"4950769446"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"=-
"c0d1d4a2"=-
DRIVER::
vberabertsog

Save this as CFScript.txt


Posted Image


Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

-screen317
Chris Fistonich
Consumer Support Specialist

Posted Image

Follow us: Twitter, Become a fan: Facebook
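A small verification helper, added here and not part of ComboFix or the original post: it parses a CFScript in the format above into its sections and reports which Collect::/Folder:: targets and REGISTRY:: deletions are still present, so a "clean" claim can be checked against the artifacts rather than against symptoms. The shortened sample script is constructed from a few of the paths listed above; the injectable `exists` parameter is an assumption of this example so it can be run offline.

```python
"""Parse a ComboFix CFScript and report which artifacts it names are still present.
Added example, not ComboFix's own code; it only reports and deletes nothing."""
import os
from typing import Callable, Dict, List, Tuple

# Constructed, shortened sample in the same format as the posted CFScript.
SAMPLE_CFSCRIPT = """\
http://www.malwarebytes.org/forums/index.php?showtopic=26686
Collect::
c:\\windows\\system32\\tikiyabu.exe
c:\\windows\\system32\\drivers\\yladd.sys
Folder::
c:\\documents and settings\\Marrero\\Application Data\\4950769446
KILLALL::
REGISTRY::
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"4950769446"=-
DRIVER::
vberabertsog
"""

def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Group lines under their 'Name::' directive; text before the first directive is ignored."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):          # section header such as Collect::
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def remaining_artifacts(sections: Dict[str, List[str]],
                        exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Collect:: files and Folder:: directories still on disk; 'exists' is injectable for offline use."""
    targets = sections.get("Collect", []) + sections.get("Folder", [])
    return [p for p in targets if exists(p)]

def registry_deletions(sections: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """(key, value name) pairs the REGISTRY:: section tells ComboFix to delete ("name"=-)."""
    out, key = [], None
    for line in sections.get("REGISTRY", []):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif line.endswith("=-") and key:
            out.append((key, line[:-2].strip('"')))
    return out
```

On a live machine, `remaining_artifacts(parse_cfscript(open("CFScript.txt").read()))` returning a non-empty list means the files the helper was asked to collect are still there, whatever the desktop looks like.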

#7
shiki-fuujin

    New Member

  • Members
  • Pip
  • 7 posts

View Postscreen317, on Oct 6 2009, 04:52 AM, said:

Hi,

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.


Next, please open Notepad. Copy and paste the text in the Code box below into Notepad:

http://www.malwarebytes.org/forums/index.php?showtopic=26686
Collect::
c:\windows\system32\tikiyabu.exe
c:\windows\dygivogohy.com
c:\program files\Common Files\temipaw._sy
c:\program files\Common Files\xubuhanum._sy
c:\documents and settings\Guest User\Application Data\omovo.dat
c:\windows\wf4.dat
c:\windows\wf3.dat
c:\windows\system32\dbsinit.exe
c:\windows\dozanafato.dat
c:\windows\lavy.dat
c:\windows\dydap.dat
c:\windows\jisynuheko.dat
c:\program files\Common Files\acuh.lib
c:\documents and settings\All Users\Application Data\ceresa.dat
c:\program files\Common Files\adumyfykib.lib
c:\windows\system32\pump.exe
c:\windows\system32\skynet.dat
c:\windows\ubukijobiq.com
c:\windows\system32\hakypago.dat
c:\program files\Common Files\obig.dat
c:\windows\system32\defupabo.dll
c:\windows\system32\hujepaka.exe
c:\windows\system32\iypcvlsl.dll
C:\aIx2F.tmp.exe
C:\afuqr.exe
C:\ekffax.exe
C:\qgferewy.exe
C:\vklebc.exe
C:\hrngen.exe
C:\qtpjjuur.exe
C:\avjelge.exe
C:\rlswn.exe
c:\windows\ubik.com
c:\windows\yrolyv.dat
c:\documents and settings\Marrero\Application Data\4950769446\4950769446.exe
c:\documents and settings\Marrero\Local Settings\Application Data\xihemeq.dat
c:\windows\system32\drivers\yladd.sys
Folder::
c:\documents and settings\Marrero\Application Data\4950769446
c:\windows\system32\config\systemprofile\Application Data\8904351066
c:\documents and settings\All Users\Application Data\xv11070624
KILLALL::
REGISTRY::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"4950769446"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"=-
"c0d1d4a2"=-
DRIVER::
vberabertsog

Save this as CFScript.txt


Posted Image


Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

-screen317
Thanks for the help, but I think... no, I'm sure I got rid of it 2 days ago. The Security Tool logo is gone. My Avast and Malwarebytes are working; I scanned and everything came up clean. So again, thank you for the help.

#8
screen317

    MBAM Sentinel

  • Moderators
  • PipPipPipPipPipPip
  • 16,430 posts
  • Gender:Male
  • Location:Los Angeles
I just listed 20 malware files that are still on your system.


Regardless of what lack of symptoms you're experiencing, you're still infected.


I implore you to run the script-- otherwise I wasted 5 minutes, which I could have devoted to someone else, writing it.

#9
shiki-fuujin

    New Member

  • Members
  • Pip
  • 7 posts

View Postscreen317, on Oct 6 2009, 08:30 PM, said:

I just listed 20 malware files that are still on your system.


Regardless of what lack of symptoms you're experiencing, you're still infected.


I implore you to run the script-- otherwise I wasted 5 minutes, which I could have devoted to someone else, writing it.
The log that I had posted was from before I had resolved the problem, but now I have another one: I cannot change my wallpaper. I mean the "your system is infected" file is gone, but the wallpaper option is still gray.

#10
screen317

    MBAM Sentinel

  • Moderators
  • PipPipPipPipPipPip
  • 16,430 posts
  • Gender:Male
  • Location:Los Angeles
Hi,

Quote

but now I have another one: I cannot change my wallpaper. I mean the "your system is infected" file is gone, but the wallpaper option is still gray.
Confirm that this is one of your computers that is infected.

On that computer, please visit this webpage for instructions for running ComboFix:
http://www.bleepingc...to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


-screen317

#11
screen317

    MBAM Sentinel

  • Moderators
  • PipPipPipPipPipPip
  • 16,430 posts
  • Gender:Male
  • Location:Los Angeles
Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!




