Malwarebytes

Can't install Mbam, firefox can't connect

19 replies to this topic

#1
heisiam1513

    New Member

  • Members
  • Pip
  • 21 posts
Hi all...I have something called 'Registry Defender' that keeps popping up. I can't install Mbam, can't run Norton, automatic updates are turned off...etc. Here is my HJT log.

Thanks in advance for any help provided!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:49:06 AM, on 10/14/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.verizon...ortal/main.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: (no name) - {955efbf4-884f-4aea-9436-cefac07635b4} - silugihi.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [matideyap] Rundll32.exe "c:\windows\system32\zadiyoju.dll",a
O4 - HKLM\..\Run: [padivuvobi] Rundll32.exe "hevolofo.dll",s
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZCYYYYYYYYUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommo...IOS/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O20 - AppInit_DLLs: perutigu.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O24 - Desktop Component 0: (no name) - http://store.surflin...lg876739279.jpg

--
End of file - 8587 bytes

#2
sUBs

    Forum Deity

  • Moderators
  • PipPipPipPipPipPip
  • 6,031 posts
Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

Post the log from ComboFix when you've accomplished that.
sUBs
Research Engineer


#3
heisiam1513

ComboFix 09-10-14.06 - Jeremy 10/14/2009 19:02.4.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.201 [GMT -7:00]
Running from: c:\documents and settings\Jeremy\Desktop\Combo-Fix.exe
AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\begovatu.dll
c:\windows\system32\bokuwavi.dll
c:\windows\system32\delekuwu.dll
c:\windows\system32\jefaduku.dll
c:\windows\system32\lopibeki.dll
c:\windows\system32\pigopimu.dll
c:\windows\system32\ririzaki.dll
c:\windows\system32\tayijobu.dll
c:\windows\system32\yeruduki.dll

.
((((((((((((((((((((((((( Files Created from 2009-09-15 to 2009-10-15 )))))))))))))))))))))))))))))))
.

2009-10-14 13:48 . 2009-10-14 13:48 -------- d-----w- c:\program files\Trend Micro
2009-10-14 13:03 . 2009-10-14 13:03 51712 --sh--w- c:\windows\system32\himepuka.dll
2009-10-14 06:12 . 2009-10-14 06:12 -------- d-----w- c:\documents and settings\Jeremy\Local Settings\Application Data\Mozilla
2009-10-14 05:51 . 2004-08-04 07:56 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-14 05:51 . 2004-08-04 07:56 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-10-14 05:07 . 2009-10-14 05:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-14 04:50 . 2009-10-14 04:50 -------- d-----w- C:\Combo-Fix
2009-10-14 00:36 . 2006-10-05 02:42 2560 ------w- c:\windows\system32\drivers\cdralw2k.sys
2009-10-14 00:36 . 2006-10-05 02:42 2432 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2009-10-14 00:35 . 2009-10-14 00:36 -------- d-----w- c:\program files\Picasa2
2009-10-14 00:31 . 2009-10-14 00:31 -------- d-----w- c:\program files\Western Digital
2009-10-14 00:31 . 2009-10-14 00:31 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2009-10-14 00:29 . 2009-10-14 00:29 -------- d-----w- c:\program files\Common Files\eSellerate
2009-10-14 00:28 . 2009-10-14 00:28 -------- d-----w- c:\documents and settings\Jeremy\Local Settings\Application Data\{4F717BFB-FF31-477F-85D1-7BABC44363EC}
2009-10-14 00:26 . 2009-10-14 00:29 -------- d-----w- c:\program files\Memeo
2009-10-14 00:26 . 2009-10-14 00:29 -------- d-s---w- c:\documents and settings\Jeremy\Local Settings\Application Data\Memeo
2009-10-14 00:26 . 2009-10-14 00:29 -------- d-s---w- c:\documents and settings\All Users\Application Data\Memeo
2009-10-14 00:25 . 2009-10-14 00:25 -------- d-----w- c:\documents and settings\Jeremy\Local Settings\Application Data\{73DF8C24-FEEC-41AF-B020-3FABC7890954}
2009-10-14 00:09 . 2009-10-14 00:09 -------- d-----w- c:\program files\Western Digital Technologies
2009-10-13 23:15 . 2009-10-13 23:15 -------- d-----w- C:\ProgramData
2009-10-13 23:15 . 2009-10-13 23:15 -------- d-----w- c:\program files\Angle Interactive
2009-10-13 21:01 . 2009-10-13 21:01 91648 --sh--w- c:\windows\system32\pimenuda.dll
2009-10-09 15:33 . 2009-10-09 15:33 172544 ----a-w- c:\windows\system32\tafiwizo.dll
2009-10-09 15:31 . 2009-10-09 15:31 17632 ----a-w- c:\windows\system32\suxalawi.dat
2009-10-09 15:31 . 2009-10-09 15:31 19674 ----a-w- c:\windows\cyzisor.dat
2009-10-09 15:31 . 2009-10-09 15:31 15224 ----a-w- c:\windows\system32\xaniguf.dat
2009-10-09 03:26 . 2009-10-09 03:26 -------- d-----w- c:\program files\CS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-14 12:54 . 2009-10-14 12:54 1113885 ---ha-w- c:\windows\system32\BITC.tmp
2009-10-14 04:48 . 2009-10-14 04:42 79632 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-14 04:37 . 2004-08-24 02:52 79632 -c--a-w- c:\documents and settings\Jeremy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-14 01:56 . 2006-11-14 03:07 -------- d-----w- c:\program files\Google
2009-10-14 00:31 . 2004-08-10 13:24 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-13 22:38 . 2004-07-03 13:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-13 22:30 . 2004-08-31 03:38 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-10-07 02:20 . 2004-08-10 13:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-09-09 16:42 . 2009-09-09 16:42 -------- d-----w- c:\program files\Dell 720
2009-09-02 17:22 . 2009-04-26 06:57 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-09-02 17:20 . 2009-04-26 06:57 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-09-02 17:20 . 2009-04-26 06:57 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-09-02 17:12 . 2004-07-03 13:10 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-23 00:24 . 2004-08-31 04:53 -------- d-----w- c:\program files\DiMAGE Viewer
2009-07-24 23:28 . 2009-07-24 23:27 705 ----a-w- C:\bdluh.exe
2009-07-24 23:27 . 2009-07-24 23:27 215378 ----a-w- C:\mjxrscq.exe
2003-08-27 21:19 . 2004-08-31 03:58 36963 -c--a-r- c:\program files\Common Files\SM1updtr.dll
2009-07-08 23:10 . 2009-07-08 23:10 169472 --sha-w- c:\windows\SYSTEM32\bizivata.dll
2009-07-08 23:11 . 2009-07-08 23:11 1011755 --sha-w- c:\windows\SYSTEM32\nosamoti.exe
2009-07-14 13:03 . 2009-07-14 13:03 51712 --sha-w- c:\windows\SYSTEM32\silugihi.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-10-14_05.56.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2002-09-03 07:08 . 2009-10-14 13:02 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
- 2002-09-03 07:08 . 2009-10-14 05:12 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{955efbf4-884f-4aea-9436-cefac07635b4}]
2009-07-14 13:03 51712 --sha-w- c:\windows\SYSTEM32\silugihi.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2009-10-14 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-29 107112]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2006-09-06 26248]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-30 583048]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-21 213936]
"matideyap"="c:\windows\system32\tayijobu.dll" [BU]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\SYSTEM32\Ati2mdxx.exe [2001-09-04 28672]
"padivuvobi"="hevolofo.dll" [BU]

c:\documents and settings\Michelle\Start Menu\Programs\Startup\
mhbupd32.exe [2004-8-4 29184]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2002-6-27 323646]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
officejet 6100.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2002-6-27 147456]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2004-01-13 20:17 110592 ----a-w- c:\windows\SYSTEM32\LgNotify.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Jeremy^Start Menu^Programs^Startup^Memeo AutoBackup Launcher.lnk]
path=c:\documents and settings\Jeremy\Start Menu\Programs\Startup\Memeo AutoBackup Launcher.lnk
backup=c:\windows\pss\Memeo AutoBackup Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jeremy^Start Menu^Programs^Startup^Memeo AutoSync Launcher.lnk]
path=c:\documents and settings\Jeremy\Start Menu\Programs\Startup\Memeo AutoSync Launcher.lnk
backup=c:\windows\pss\Memeo AutoSync Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jeremy^Start Menu^Programs^Startup^RD2010.lnk]
path=c:\documents and settings\Jeremy\Start Menu\Programs\Startup\RD2010.lnk
backup=c:\windows\pss\RD2010.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Nevo\\NevoMedia Server\\NevoMediaServer.exe"=
"c:\\Program Files\\Nevo\\NevoMedia Player\\NevoMediaPlayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/25/2009 4:30 PM 101936]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2009-09-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 22:57]

2005-09-27 c:\windows\Tasks\FRU Task 2002-06-27 08:46ewlett-Packard2002-06-27 08:46p psc 2200 seriesF56855811176EC24C9B302F94878AD886AF77CFF111767218.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-06-27 09:46]

2004-08-24 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 07:56]

2009-07-18 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Jeremy.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2006-09-07 06:38]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://start.verizon.net/vznisp/portal/main.aspx
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search - http://bar.mywebsear...?p=ZCYYYYYYYYUS
FF - ProfilePath - c:\documents and settings\Jeremy\Application Data\Mozilla\Firefox\Profiles\7gj66b6m.default\
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

SharedTaskScheduler-{3b1a5fb3-0bbb-416b-ab17-2608b0e0cc53} - c:\windows\system32\tayijobu.dll
SSODL-jetafijar-{3b1a5fb3-0bbb-416b-ab17-2608b0e0cc53} - c:\windows\system32\tayijobu.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-14 19:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(820)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\LgNotify.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ati2evxx.exe
c:\windows\SYSTEM32\S24EvMon.exe
c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE
c:\windows\SYSTEM32\LEXBCES.EXE
c:\windows\SYSTEM32\LEXPPS.EXE
c:\windows\SYSTEM32\scardsvr.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\windows\SYSTEM32\RegSrvc.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\SYSTEM32\ZCfgSvc.exe
c:\windows\SYSTEM32\ati2evxx.exe
c:\windows\SYSTEM32\1XConfig.exe
.
**************************************************************************
.
Completion time: 2009-10-15 19:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-15 02:49
ComboFix2.txt 2009-10-14 13:41
ComboFix3.txt 2009-10-14 06:48
ComboFix4.txt 2009-10-14 06:02

Pre-Run: 17,925,386,240 bytes free
Post-Run: 18,138,005,504 bytes free

202 --- E O F --- 2009-07-15 16:01


Thanks!

#4
sUBs


Quote

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
This may cause problems. Make sure it's disabled before the next run


---------------


Open NOTEPAD and copy/paste the text in the quotebox below into it:

http://www.malwarebytes.org/forums/index.php?showtopic=27790&st=0&#entry143395
COLLECT::
c:\windows\system32\himepuka.dll
c:\windows\system32\pimenuda.dll
c:\windows\system32\tafiwizo.dll
c:\documents and settings\Michelle\Start Menu\Programs\Startup\mhbupd32.exe
C:\bdluh.exe
C:\mjxrscq.exe
c:\windows\SYSTEM32\bizivata.dll
c:\windows\SYSTEM32\nosamoti.exe
c:\windows\SYSTEM32\silugihi.dll
FILE::
c:\windows\system32\suxalawi.dat
c:\windows\cyzisor.dat
c:\windows\system32\BITC.tmp
c:\windows\system32\xaniguf.dat
FOLDER::
C:\Program Files\CS
REGISTRY::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{955efbf4-884f-4aea-9436-cefac07635b4}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"matideyap"=-
"padivuvobi"=-

Save this as "CFScript"


Posted Image


Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Additionally, ComboFix will generate a zipped file at C:\Qoobox\Quarantine\[4]Submit@Date_Time.zip
Before proceeding to the next step, please submit this file to http://www.bleepingc...e.php?channel=4


---------------


ESET Online Scanner
  • Please go to the following link ESET Online Scanner Link
  • Tick the box YES, I accept the Terms Of Use
  • Click the Start button
  • Now click the Install button
  • Click Start

    The scanner engine will initialise and update

  • Do Not tick the box Remove found threats
  • Click the Scan button

    The scan will now run, please be patient

  • When the scan finishes click the Details tab
  • Copy and paste the contents of the C:\Program Files\EsetOnlineScanner\log.txt back here.

---------------


Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Vista users right click on the Internet Explorer shortcut, and choose Run As Administrator.

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.


---------------


In your next post, please include fresh logs from:
  • Online scan
  • ComboFix's log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now


#5
heisiam1513

I'm having trouble disabling Norton. It is not in the system tray, and when I open the program it goes directly into a scan, with no options to enable/disable anything. I followed the link you provided (thanks!), and have had no success. Is my next step to uninstall? I was going to do that, but could only start in safe mode, in which the Norton uninstaller will not run.

#6
sUBs

See if this helps

http://service1.symantec.com/SUPPORT/tsgen...v=&osv_lvl=

#7
heisiam1513

Thanks, it looks as though the installer you recommended is working in safe mode. I cannot, however, run the computer in normal mode. The popups have disabled pretty much anything from running. I can't move programs (such as ComboFix) from my thumbdrive to the desktop. Should I attempt to rename the file and run it, or just run it in safe mode?

#8
sUBs


Quote

Running from: c:\documents and settings\Jeremy\Desktop\Combo-Fix.exe
Your previous log shows it as being located on your Desktop. Why do you need to move it from the thumbdrive?

If need be, run it from the thumbdrive OR from safe mode.

#9
heisiam1513

Sorry, I should have explained further... In normal mode, the desktop is now blank, no background pic, no icons, and when I try to open task manager, run msconfig or the Norton remover (which just finished in safe mode) the attempt is stopped and nothing happens, just more popups. I'll try it in safe mode. Again, thanks so much for your time!

#10
heisiam1513

So I ran CF without dropping cfscript onto it first. Not sure if you need this log, too, but here it is:

http://www.malwarebytes.org/forums/index.p...mp;#entry143395
COLLECT::
c:\windows\system32\himepuka.dll
c:\windows\system32\pimenuda.dll
c:\windows\system32\tafiwizo.dll
c:\documents and settings\Michelle\Start Menu\Programs\Startup\mhbupd32.exe
C:\bdluh.exe
C:\mjxrscq.exe
c:\windows\SYSTEM32\bizivata.dll
c:\windows\SYSTEM32\nosamoti.exe
c:\windows\SYSTEM32\silugihi.dll
FILE::
c:\windows\system32\suxalawi.dat
c:\windows\cyzisor.dat
c:\windows\system32\BITC.tmp
c:\windows\system32\xaniguf.dat
FOLDER::
C:\Program Files\CS
REGISTRY::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{955efbf4-884f-4aea-9436-cefac07635b4}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"matideyap"=-
"padivuvobi"=-

#11
heisiam1513

Here is the CF log after dropping CFScript into CF:

ComboFix 09-10-16.02 - Jeremy 10/16/2009 14:27.6.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.260 [GMT -7:00]
Running from: c:\documents and settings\Jeremy\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Jeremy\Desktop\CFScript.txt
* Created a new restore point

FILE ::
"c:\windows\cyzisor.dat"
"c:\windows\system32\BITC.tmp"
"c:\windows\system32\suxalawi.dat"
"c:\windows\system32\xaniguf.dat"

file zipped: C:\bdluh.exe
file zipped: C:\mjxrscq.exe
file zipped: c:\windows\system32\pimenuda.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\bdluh.exe
C:\mjxrscq.exe
c:\program files\CS
c:\windows\cyzisor.dat
c:\windows\system32\BITC.tmp
c:\windows\system32\pimenuda.dll
c:\windows\system32\suxalawi.dat
c:\windows\system32\xaniguf.dat

.
((((((((((((((((((((((((( Files Created from 2009-09-16 to 2009-10-16 )))))))))))))))))))))))))))))))
.

2009-10-16 21:24 . 2009-10-16 21:24 -------- d-----w- c:\windows\LastGood
2009-10-14 13:48 . 2009-10-14 13:48 -------- d-----w- c:\program files\Trend Micro
2009-10-14 06:12 . 2009-10-14 06:12 -------- d-----w- c:\documents and settings\Jeremy\Local Settings\Application Data\Mozilla
2009-10-14 05:51 . 2004-08-04 07:56 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-14 05:51 . 2004-08-04 07:56 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-10-14 05:07 . 2009-10-14 05:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-14 04:50 . 2009-10-14 04:50 -------- d-----w- C:\Combo-Fix
2009-10-14 00:36 . 2006-10-05 02:42 2560 ------w- c:\windows\system32\drivers\cdralw2k.sys
2009-10-14 00:36 . 2006-10-05 02:42 2432 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2009-10-14 00:35 . 2009-10-14 00:36 -------- d-----w- c:\program files\Picasa2
2009-10-14 00:31 . 2009-10-14 00:31 -------- d-----w- c:\program files\Western Digital
2009-10-14 00:31 . 2009-10-14 00:31 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2009-10-14 00:29 . 2009-10-14 00:29 -------- d-----w- c:\program files\Common Files\eSellerate
2009-10-14 00:28 . 2009-10-14 00:28 -------- d-----w- c:\documents and settings\Jeremy\Local Settings\Application Data\{4F717BFB-FF31-477F-85D1-7BABC44363EC}
2009-10-14 00:26 . 2009-10-14 00:29 -------- d-----w- c:\program files\Memeo
2009-10-14 00:26 . 2009-10-14 00:29 -------- d-s---w- c:\documents and settings\Jeremy\Local Settings\Application Data\Memeo
2009-10-14 00:26 . 2009-10-14 00:29 -------- d-s---w- c:\documents and settings\All Users\Application Data\Memeo
2009-10-14 00:25 . 2009-10-14 00:25 -------- d-----w- c:\documents and settings\Jeremy\Local Settings\Application Data\{73DF8C24-FEEC-41AF-B020-3FABC7890954}
2009-10-14 00:09 . 2009-10-14 00:09 -------- d-----w- c:\program files\Western Digital Technologies
2009-10-13 23:15 . 2009-10-13 23:15 -------- d-----w- C:\ProgramData
2009-10-13 23:15 . 2009-10-13 23:15 -------- d-----w- c:\program files\Angle Interactive

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-16 20:58 . 2004-08-10 13:35 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-10-16 20:56 . 2004-08-10 13:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-10-14 04:48 . 2009-10-14 04:42 79632 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-14 04:37 . 2004-08-24 02:52 79632 -c--a-w- c:\documents and settings\Jeremy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-14 01:56 . 2006-11-14 03:07 -------- d-----w- c:\program files\Google
2009-10-14 00:31 . 2004-08-10 13:24 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-13 22:38 . 2004-07-03 13:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-13 22:30 . 2004-08-31 03:38 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-09-09 16:42 . 2009-09-09 16:42 -------- d-----w- c:\program files\Dell 720
2009-09-02 17:22 . 2009-04-26 06:57 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-09-02 17:20 . 2009-04-26 06:57 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-09-02 17:20 . 2009-04-26 06:57 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-09-02 17:12 . 2004-07-03 13:10 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-23 00:24 . 2004-08-31 04:53 -------- d-----w- c:\program files\DiMAGE Viewer
2003-08-27 21:19 . 2004-08-31 03:58 36963 -c--a-r- c:\program files\Common Files\SM1updtr.dll
2009-07-15 20:50 . 2009-07-15 20:50 1115040 --sha-w- c:\windows\SYSTEM32\kewowupa.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-10-14_05.56.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2002-09-03 07:08 . 2009-10-14 13:02 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
- 2002-09-03 07:08 . 2009-10-14 05:12 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2009-10-14 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-21 213936]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\SYSTEM32\Ati2mdxx.exe [2001-09-04 28672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2002-6-27 323646]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
officejet 6100.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2002-6-27 147456]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2004-01-13 20:17 110592 ----a-w- c:\windows\SYSTEM32\LgNotify.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Jeremy^Start Menu^Programs^Startup^Memeo AutoBackup Launcher.lnk]
path=c:\documents and settings\Jeremy\Start Menu\Programs\Startup\Memeo AutoBackup Launcher.lnk
backup=c:\windows\pss\Memeo AutoBackup Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jeremy^Start Menu^Programs^Startup^Memeo AutoSync Launcher.lnk]
path=c:\documents and settings\Jeremy\Start Menu\Programs\Startup\Memeo AutoSync Launcher.lnk
backup=c:\windows\pss\Memeo AutoSync Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jeremy^Start Menu^Programs^Startup^RD2010.lnk]
path=c:\documents and settings\Jeremy\Start Menu\Programs\Startup\RD2010.lnk
backup=c:\windows\pss\RD2010.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Nevo\\NevoMedia Server\\NevoMediaServer.exe"=
"c:\\Program Files\\Nevo\\NevoMedia Player\\NevoMediaPlayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S4 AutoSyncService;Memeo AutoSync ;c:\program files\Memeo\AutoSync\MemeoService.exe [7/6/2007 5:28 PM 31768]
.
Contents of the 'Scheduled Tasks' folder

2009-09-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 22:57]

2005-09-27 c:\windows\Tasks\FRU Task 2002-06-27 08:46ewlett-Packard2002-06-27 08:46p psc 2200 seriesF56855811176EC24C9B302F94878AD886AF77CFF111767218.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-06-27 09:46]

2004-08-24 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 07:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://start.verizon.net/vznisp/portal/main.aspx
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search - http://bar.mywebsear...?p=ZCYYYYYYYYUS
FF - ProfilePath - c:\documents and settings\Jeremy\Application Data\Mozilla\Firefox\Profiles\7gj66b6m.default\
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-49438230 - c:\docume~1\ALLUSE~1\APPLIC~1\49438230\49438230.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-16 14:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(812)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\LgNotify.dll
.
Completion time: 2009-10-16 14:38
ComboFix-quarantined-files.txt 2009-10-16 21:38
ComboFix2.txt 2009-10-16 21:21
ComboFix3.txt 2009-10-15 02:49
ComboFix4.txt 2009-10-14 13:41
ComboFix5.txt 2009-10-16 21:25

Pre-Run: 19,712,503,808 bytes free
Post-Run: 19,677,130,752 bytes free

168 --- E O F --- 2009-07-15 16:01
Upload was successful

#12
heisiam1513

    New Member

  • Members
  • 21 posts
Also, I sent the zipped file to Bleepingcomputer.etc....

#13
sUBs

    Forum Deity

  • Moderators
  • 6,031 posts
Are you able to get to Normal mode now?
sUBs
Research Engineer


#14
heisiam1513

    New Member

  • Members
  • 21 posts
ESET online scanner log:

C:\Qoobox\Quarantine\[4]-Submit_2009-10-16_14.27.36.zip multiple threats
C:\Qoobox\Quarantine\C\bdluh.exe.vir Win32/Small.NEK trojan
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\49438230\49438230.exe.vir a variant of Win32/Kryptik.AVG trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Michelle\Application Data\lizkavd.exe.vir a variant of Win32/Kryptik.ATV trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Michelle\Application Data\seres.exe.vir a variant of Win32/Kryptik.ASA trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Michelle\Application Data\svcst.exe.vir a variant of Win32/Kryptik.ASA trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Michelle\Start Menu\Programs\Startup\mhbupd32.exe.vir Win32/TrojanDownloader.Bredolab.AA trojan
C:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe.vir a variant of Win32/Kryptik.ATV trojan
C:\Qoobox\Quarantine\C\Program Files\Shared\lib.dll.vir a variant of Win32/BHO.NMM trojan
C:\Qoobox\Quarantine\C\Program Files\Shared\_lib.dll.vir a variant of Win32/BHO.NMM trojan
C:\Qoobox\Quarantine\C\WINDOWS\mark_32.dll.vir Win32/TrojanDownloader.Agent.PGX trojan
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\apubxncd.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\BITC.tmp.vir a variant of Win32/Kryptik.AVG trojan
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\bizivata.dll.vir a variant of Win32/Kryptik.AVG trojan
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\bnksblcn.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\bokuwavi.dll.vir Win32/KillAV.NFO trojan
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\ccixmmyg.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\cqbcutjx.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\crpxplyb.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\delekuwu.dll.vir a variant of Win32/Adware.SuperJuan.F application
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\dsnowsxn.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\hevolofo.dll.vir a variant of Win32/Adware.SuperJuan.H application
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\himepuka.dll.vir a variant of Win32/Adware.SuperJuan.H application
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\iemmvkov.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\jehsqlav.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\kejefuru.dll.vir a variant of Win32/Kryptik.AVG trojan
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\lopibeki.dll.vir Win32/KillAV.NFO trojan
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\nkvivpsb.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\nonomaso.dll.vir a variant of Win32/KillAV.NFZ trojan
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\nosamoti.exe.vir a variant of Win32/Kryptik.ATL trojan
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\npafxpxp.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\perutigu.dll.vir a variant of Win32/Adware.SuperJuan.H application
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\pigopimu.dll.vir a variant of Win32/KillAV.NFZ trojan
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\qpoqr.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\qpoqr.ini2.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\rutobuki.exe.vir a variant of Win32/Kryptik.AVG trojan
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\silugihi.dll.vir a variant of Win32/Adware.SuperJuan.H application
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\sxtkdgpl.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\tafiwizo.dll.vir a variant of Win32/Kryptik.AVG trojan
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\tijmijaj.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\tknbfxwe.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\tnoclvdw.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\vjjwvrwi.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\wkcfggvo.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\wnwelvme.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\woigcmio.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\zadiyoju.dll.vir a variant of Win32/Kryptik.AVG trojan
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\_sdra64_.exe.zip Win32/Spy.Zbot.UN trojan
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\~.exe.vir a variant of Win32/Kryptik.ASY trojan
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\WBEM\proquota.exe.vir a variant of Win32/Kryptik.ABM trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP565\A0201704.sys Win32/Rustock trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP581\A0213052.exe a variant of Win32/Kryptik.AHY trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP589\A0220171.dll a variant of Win32/BHO.NMM trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP593\A0221188.exe Win32/TrojanDownloader.Bredolab.AA trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP597\A0227243.exe Win32/Spy.Zbot.UN trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP599\A0228263.exe Win32/Spy.Zbot.UN trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP599\A0229276.exe a variant of Win32/Kryptik.AHY trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP600\A0230282.exe a variant of Win32/Kryptik.ASA trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP600\A0230291.exe a variant of Win32/Kryptik.ASA trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP600\A0230299.exe a variant of Win32/Kryptik.ASA trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP600\A0231298.exe a variant of Win32/Kryptik.ASA trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP600\A0231301.exe a variant of Win32/Kryptik.ASA trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP600\A0231314.exe a variant of Win32/Kryptik.ASA trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP600\A0231324.dll Win32/Adware.Virtumonde.NFU application
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP600\A0231333.exe a variant of Win32/Kryptik.ASA trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232214.exe a variant of Win32/Kryptik.ATV trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232216.exe a variant of Win32/Kryptik.ASA trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232217.exe a variant of Win32/Kryptik.ASA trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232225.exe a variant of Win32/Kryptik.ATV trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232227.dll a variant of Win32/BHO.NMM trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232228.dll a variant of Win32/BHO.NMM trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232233.exe a variant of Win32/Kryptik.ASY trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232234.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232235.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232236.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232237.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232238.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232242.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232243.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232244.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232245.dll a variant of Win32/Kryptik.AVG trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232248.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232249.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232250.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232251.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232252.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232253.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232254.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232255.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232256.exe a variant of Win32/Kryptik.ABM trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232257.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232258.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232259.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP604\A0232382.dll Win32/TrojanDownloader.Agent.PGX trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0232595.dll Win32/KillAV.NFO trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0232596.dll a variant of Win32/Adware.SuperJuan.F application
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0232598.dll Win32/KillAV.NFO trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0236365.exe a variant of Win32/Kryptik.AVG trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0236368.exe Win32/TrojanDownloader.Bredolab.AA trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0236369.dll a variant of Win32/Kryptik.AVG trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0236370.dll a variant of Win32/Adware.SuperJuan.H application
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0236372.dll a variant of Win32/KillAV.NFZ trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0236373.exe a variant of Win32/Kryptik.ATL trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0236374.exe a variant of Win32/Kryptik.AVG trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0236375.dll a variant of Win32/Adware.SuperJuan.H application
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0236376.dll a variant of Win32/Kryptik.AVG trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP606\A0236538.exe Win32/Small.NEK trojan
C:\WINDOWS\SYSTEM32\kewowupa.exe a variant of Win32/Kryptik.AVG trojan

#15
heisiam1513

    New Member

  • Members
  • 21 posts
Also, able to get to normal mode after the CF scan in safe mode.

#16
heisiam1513

    New Member

  • Members
  • 21 posts
Looks like the Kaspersky scan is not available right now:


Coming soon:
A new, improved version of the
Kaspersky Online Scanner
The current Kaspersky Online Scanner is unavailable - we apologize for the inconvenience

The computer seems to be running much better now. I am able to use Firefox, and I was able to install and update Malwarebytes. I do, however, still have a listing for Registry Defender under start>all programs.

Thanks so much for your help to this point! Any further thoughts?

#17
sUBs

    Forum Deity

  • Moderators
  • 6,031 posts
ESET alone will do just fine.


Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

@echo off
if exist "%temp%\log.txt" del "%temp%\log.txt"

for %%g in (
C:\WINDOWS\SYSTEM32\kewowupa.exe
) do (
del /a/f/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
for %%g in (
"%systemdrive%\VundoFix Backups"
%systemdrive%\Qoobox
) do (
rd /s/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!
pause
del %0

Save this as fix.bat. Choose to "Save type as - All Files".
Double click on fix.bat & allow it to run.

Post back to tell me what it says
sUBs
Research Engineer


#18
heisiam1513

    New Member

  • Members
  • 21 posts
It said, "Deleted successfully! Press any key to continue"

I pressed the any key, and it deleted the BAT file.

#19
sUBs

    Forum Deity

  • Moderators
  • 6,031 posts
Of the stuff found,

C:\QooBox is ComboFix's quarantine folder. We'll take care of it when we uninstall ComboFix.

C:\System Volume Information\ is where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore. Nevertheless, we shall be resetting/clearing the cache in a little while.


----------------------


Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:


  • Uninstall ComboFix ... do not skip this step
    This process will perform some post cleanup measures.
    Do this by going to Start > Run & typing in ComboFix /U



  • ANTIVIRUS SOFTWARE
    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.



  • Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


  • http://www.mozilla.o...oducts/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.


  • http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.


  • http://www.aumha.org...erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://www.spywarein...showtopic=60955

After doing all these, your system will be optimised against future threats.
Have a safe & happy computing day.

Kindly respond to this thread once more so we can mark this thread as resolved.
sUBs
Research Engineer
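
The distinction drawn in post #19 (quarantine folder and System Restore cache versus files still in place) can be applied to a scanner log mechanically. The following is an added example, not part of the original posts or of any tool named in the thread: it sorts ESET-style log lines by where the detected file sits, so the few "live" hits stand out from inert copies. The function names and bucket labels are hypothetical, and the line format is assumed to be the one shown in post #14.

```python
import re
from collections import defaultdict

# Lines excerpted from the ESET log in post #14 of this thread.
SAMPLE_LOG = r"""
C:\Qoobox\Quarantine\[4]-Submit_2009-10-16_14.27.36.zip multiple threats
C:\Qoobox\Quarantine\C\bdluh.exe.vir Win32/Small.NEK trojan
C:\Qoobox\Quarantine\C\Program Files\Shared\lib.dll.vir a variant of Win32/BHO.NMM trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP565\A0201704.sys Win32/Rustock trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP600\A0231324.dll Win32/Adware.Virtumonde.NFU application
C:\WINDOWS\SYSTEM32\kewowupa.exe a variant of Win32/Kryptik.AVG trojan
"""

# Assumed line shape, as seen in post #14:
#   <path> multiple threats
#   <path> [a variant of ]<Platform>/<Name> <kind>
# The path may contain spaces, so it is matched lazily up to the detection.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?:(?P<multi>multiple threats)"
    r"|(?:a variant of )?(?P<name>\w+/\S+)\s+(?P<kind>\w+))$"
)

# Inert copies, per post #19: ComboFix quarantine and System Restore cache.
INERT_LOCATIONS = (
    ("quarantine", re.compile(r"^[a-z]:\\qoobox\\", re.I)),
    ("system_restore", re.compile(r"^[a-z]:\\system volume information\\", re.I)),
)


def classify(path):
    """Return the bucket label for a detected file's path."""
    for label, pattern in INERT_LOCATIONS:
        if pattern.match(path):
            return label
    return "live"  # still sitting where it can be loaded or run


def parse_line(line):
    """Parse one log line into a record, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "path": m["path"],
        "detection": m["name"] or m["multi"],
        "kind": m["kind"],  # None for "multiple threats" archive entries
        "location": classify(m["path"]),
    }


def triage(log_text):
    """Group parsed records by location; keep unparsed lines for review."""
    buckets, unparsed = defaultdict(list), []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)  # never drop a line silently
        else:
            buckets[rec["location"]].append(rec)
    return dict(buckets), unparsed


def live_paths(log_text):
    """Paths of detections outside quarantine and the restore cache."""
    buckets, _ = triage(log_text)
    return [rec["path"] for rec in buckets.get("live", [])]


if __name__ == "__main__":
    buckets, unparsed = triage(SAMPLE_LOG)
    for label in ("live", "quarantine", "system_restore"):
        print(f"{label}: {len(buckets.get(label, []))}")
    for path in live_paths(SAMPLE_LOG):
        print("needs action:", path)
    if unparsed:
        print("unparsed lines:", len(unparsed))
```
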


#20
heisiam1513

    New Member

  • Members
  • 21 posts
you are

AMAZING!!

And I cannot thank you enough for your time and efforts!! Malwarebytes shall be installed on my machine thanks to your efforts and help!!




