Guys, long-time viewer and first-time poster. I've been infected with some variant of a Windows Police that is killing my system. Initially I tried using Spybot to no avail. Next I tried installing Malwarebytes, which will download and install but will not run. I uninstalled Malwarebytes, re-downloaded it after changing the name and re-installed the program. I then went to the mbam.exe file, changed the name and tried to run it again, to no avail. I downloaded HijackThis, ran it and pulled a log which I will post. I also used ComboFix to pull another log, which will also be posted. Help, I'm not sure what to do after this.
Thanks,
ComboFix 09-10-21.01 - Evan.Friday 10/22/2009 9:35.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.352 [GMT -7:00]
Running from: c:\documents and settings\evan.morris\My Documents\Downloads\ComboFix.exe
AV: Trend Micro Client-Server Security Agent AntiVirus *On-access scanning enabled* (Updated) {690739D6-1790-4515-8370-555E1E312245}
FW: Trend Micro Client-Server Security Agent Firewall *disabled* {690739D6-1790-4515-8370-555E1E312245}
* Resident AV is active
.
The following files were disabled during the run:
c:\windows\system32\bohilizo.dll
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\install.exe
C:\LOGEB.tmp
c:\windows\Downloaded Program Files\x64
c:\windows\Downloaded Program Files\x64\racodec.ax
c:\windows\Downloaded Program Files\x86
c:\windows\Downloaded Program Files\x86\racodec.ax
c:\windows\system32\bincd32.dat
c:\windows\system32\jejefaji.exe
c:\windows\system32\lehazapi.exe
c:\windows\system32\lujodubu.dll
c:\windows\system32\mukineva.exe
c:\windows\system32\nitalopo.dll
c:\windows\system32\sakiduru.dll
c:\windows\system32\schtml
c:\windows\system32\schtml\dbsinit.exe
c:\windows\system32\schtml\images\i1.gif
c:\windows\system32\schtml\images\i2.gif
c:\windows\system32\schtml\images\i3.gif
c:\windows\system32\schtml\images\j1.gif
c:\windows\system32\schtml\images\j2.gif
c:\windows\system32\schtml\images\j3.gif
c:\windows\system32\schtml\images\jj1.gif
c:\windows\system32\schtml\images\jj2.gif
c:\windows\system32\schtml\images\jj3.gif
c:\windows\system32\schtml\images\l1.gif
c:\windows\system32\schtml\images\l2.gif
c:\windows\system32\schtml\images\l3.gif
c:\windows\system32\schtml\images\pix.gif
c:\windows\system32\schtml\images\t1.gif
c:\windows\system32\schtml\images\t2.gif
c:\windows\system32\schtml\images\up1.gif
c:\windows\system32\schtml\images\up2.gif
c:\windows\system32\schtml\images\w1.gif
c:\windows\system32\schtml\images\w11.gif
c:\windows\system32\schtml\images\w2.gif
c:\windows\system32\schtml\images\w3.gif
c:\windows\system32\schtml\images\w3.jpg
c:\windows\system32\schtml\images\word.doc
c:\windows\system32\schtml\images\wt1.gif
c:\windows\system32\schtml\images\wt2.gif
c:\windows\system32\schtml\images\wt3.gif
c:\windows\system32\schtml\wispex.html
c:\windows\system32\skynet.dat
c:\windows\system32\woyuluga.exe
c:\windows\system32\yewurado.dll
----- BITS: Possible infected sites -----
hxxp://sp-05.internal.screenplayinc.com:8530
.
((((((((((((((((((((((((( Files Created from 2009-09-22 to 2009-10-22 )))))))))))))))))))))))))))))))
.
2009-10-21 18:43 . 2009-10-21 18:46 10752 ----a-w- c:\windows\DCEBoot.exe
2009-10-21 18:15 . 2009-10-21 18:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-21 18:15 . 2009-10-21 18:15 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-20 18:44 . 2009-10-21 16:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-20 18:44 . 2006-06-19 20:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2009-10-20 18:44 . 2006-05-25 22:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2009-10-20 18:44 . 2005-08-26 08:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2009-10-20 18:44 . 2003-02-03 03:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2009-10-20 18:44 . 2002-03-06 08:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2009-10-20 18:44 . 2009-10-20 18:44 -------- d-----w- c:\program files\Trojan Remover
2009-10-20 18:44 . 2009-10-20 18:44 -------- d-----w- c:\documents and settings\evan.morris\Application Data\Simply Super Software
2009-10-20 18:44 . 2009-10-20 18:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-10-20 16:17 . 2009-10-20 16:17 -------- d-----w- c:\documents and settings\evan.morris\Application Data\Malwarebytes
2009-10-19 23:46 . 2009-10-19 23:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-19 23:36 . 2009-10-19 23:45 58 ----a-w- c:\windows\wp4.dat
2009-10-19 23:36 . 2009-10-19 23:45 1 ----a-w- c:\windows\wp3.dat
2009-10-16 18:24 . 2009-10-16 18:24 -------- d-----w- c:\program files\PCM
2009-10-16 18:16 . 2009-10-16 18:16 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-10-07 20:32 . 2009-03-27 04:20 200704 ----a-w- c:\windows\system32\ssleay32.dll
2009-10-07 20:32 . 2009-03-27 04:20 200704 ----a-w- c:\windows\system32\libssl32.dll
2009-10-07 20:32 . 2009-03-27 04:20 1017344 ----a-w- c:\windows\system32\libeay32.dll
2009-10-07 20:32 . 2009-10-07 20:32 -------- d-----w- C:\OpenSSL
2009-09-24 16:28 . 2009-09-24 16:28 -------- d-----w- c:\program files\iPod
2009-09-24 16:28 . 2009-09-24 16:29 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-24 16:28 . 2009-09-24 16:29 -------- d-----w- c:\program files\iTunes
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-22 16:46 . 2005-03-29 18:42 -------- d-----w- c:\program files\Trend Micro
2009-10-22 16:34 . 2009-06-22 20:58 -------- d-----w- c:\program files\LogMeIn
2009-10-20 19:08 . 2009-09-10 22:30 -------- d-----w- c:\documents and settings\evan.morris\Application Data\vlc
2009-10-20 17:28 . 2009-07-15 20:49 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-10-15 20:02 . 2008-08-12 21:02 -------- d-----w- c:\documents and settings\evan.morris\Application Data\FileZilla
2009-09-28 16:02 . 2009-08-17 17:32 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-24 17:02 . 2006-11-07 20:38 -------- d-----w- c:\documents and settings\evan.morris\Application Data\Apple Computer
2009-09-24 16:28 . 2007-09-04 18:04 -------- d-----w- c:\program files\Common Files\Apple
2009-09-24 16:26 . 2009-06-03 18:58 -------- d-----w- c:\program files\QuickTime
2009-09-10 22:54 . 2009-09-10 22:54 -------- d-----w- c:\program files\AVIcodec
2009-09-10 22:29 . 2009-09-10 22:29 -------- d-----w- c:\program files\VideoLAN
2009-09-09 19:24 . 2009-09-09 19:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Smart Soft
2009-09-09 19:24 . 2009-09-09 19:24 -------- d-----w- c:\program files\Free PDF to Word Converter
2009-09-09 19:20 . 2009-03-11 17:32 -------- d-----w- c:\documents and settings\evan.morris\Application Data\Azureus
2009-09-04 17:52 . 2009-09-04 17:52 -------- d-----w- c:\program files\Common Files\TechSmith Shared
2009-09-04 17:52 . 2009-09-04 17:52 -------- d-----w- c:\program files\TechSmith
2009-08-29 02:42 . 2009-03-24 16:35 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-29 02:42 . 2008-01-30 17:31 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-19 12:18 . 2009-09-04 17:53 107864 ----a-w- c:\windows\system32\tsccvid.dll
2009-08-10 20:35 . 2009-08-07 18:58 25 ----a-w- c:\windows\popcinfot.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2005-08-18 307200]
"Google Update"="c:\documents and settings\evan.morris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-11 133104]
"GoToMeeting"="c:\program files\Citrix\GoToMeeting\320\g2mstart.exe" [2008-12-12 31552]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\pccntmon.exe" [2007-03-29 394952]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2005-09-24 483328]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-11 39792]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-25 63048]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2009-10-18 1070984]
"kirehutuj"="c:\windows\system32\bohilizo.dll" [2009-07-21 89600]
c:\documents and settings\juston\Start Menu\Programs\Startup\
Date-Time Stamper.lnk - g:\datetime\DATE_TIME.exe [2005-6-27 552448]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{3c85ab8e-0c7a-4878-b11d-ac0376a8d639}"= "c:\windows\system32\bohilizo.dll" [2009-07-21 89600]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"mizogudif"= {3c85ab8e-0c7a-4878-b11d-ac0376a8d639} - c:\windows\system32\bohilizo.dll [2009-07-21 89600]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-17 03:35 87352 ----a-w- c:\windows\SYSTEM32\LMIinit.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1993962763-1383384898-842925246-1192\Scripts\Logon\0\0]
"Script"=\\sp-dc1\NETLOGON\MapHomeDir.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1993962763-1383384898-842925246-1317\Scripts\Logon\0\0]
"Script"=\\sp-dc1\NETLOGON\MapHomeDir.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1993962763-1383384898-842925246-500\Scripts\Logon\0\0]
"Script"=\\sp-dc1\NETLOGON\autopcc.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1993962763-1383384898-842925246-5270\Scripts\Logon\0\0]
"Script"=\\sp-dc1\NETLOGON\MapHomeDir.vbs
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Canon PC1200 iC D600 iR1200G Status Window.LNK]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Canon PC1200 iC D600 iR1200G Status Window.LNK
backup=c:\windows\pss\Canon PC1200 iC D600 iR1200G Status Window.LNKCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"MDM"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\evan.morris\\My Documents\\Mozilla Firefox\\firefox.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [7/24/2008 6:46 PM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\SYSTEM32\DRIVERS\LMIRfsDriver.sys [6/22/2009 1:59 PM 47640]
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\tmxpflt.sys [3/30/2004 6:35 PM 225296]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\tmpreflt.sys [3/30/2004 6:35 PM 36368]
S2 BroadSign Player Upgrade Monitor;BroadSign Player Upgrade Monitor;c:\program files\BroadSign\bsp\bin\bsum.exe [11/28/2007 7:35 PM 139264]
S3 tap0801;TAP-Win32 Adapter V8;c:\windows\SYSTEM32\DRIVERS\tap0801.sys [10/1/2006 5:37 AM 26624]
S4 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [3/11/2009 10:32 AM 464264]
S4 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [3/11/2009 10:32 AM 234888]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
Contents of the 'Scheduled Tasks' folder
2009-10-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1993962763-1383384898-842925246-5270Core.job
- c:\documents and settings\evan.morris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-11 21:09]
2009-10-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1993962763-1383384898-842925246-5270UA.job
- c:\documents and settings\evan.morris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-11 21:09]
2009-10-22 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2009-05-26 14:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://screenplaycentral
uInternet Connection Wizard,ShellNext = hxxp://screenplaycentral/
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {B5A40155-56F9-42E5-B6B2-F817FB9254C3} = 192.168.1.10
DPF: {254AA86E-5655-4518-AA87-185D7CC41801} - hxxps://secure.logmeinrescue.com/TechConsole/x86/RescueControl.cab
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-msnmsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
ShellExecuteHooks-{764F9487-9298-4E9E-940F-520A12DDB41D} - c:\program files\Trend Micro\tmasea\sshooke.dll
SSODL-wosokinih-{1f1b6b63-ee25-41d0-8169-c539f24ab1ea} - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-22 09:47
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(536)
c:\windows\system32\bohilizo.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
- - - - - - - > 'lsass.exe'(592)
c:\program files\Bonjour\mdnsNSP.dll
- - - - - - - > 'explorer.exe'(3756)
c:\windows\system32\bohilizo.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Trend Micro\ntrtscan.exe
c:\program files\Trend Micro\tmlisten.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Trend Micro\OfcPfwSvc.exe
c:\windows\TEMP\UBBFF4.EXE
c:\combofix\CF7354.exe
c:\program files\Trend Micro\pccntupd.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\Citrix\GoToMeeting\320\g2mcomm.exe
c:\program files\Citrix\GoToMeeting\320\g2mlauncher.exe
c:\program files\iPod\bin\iPodService.exe
c:\combofix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-22 9:57 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-22 16:57
Pre-Run: 43,768,717,312 bytes free
Post-Run: 44,168,888,320 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - 0925D43AE3936C46E8813A5BCE501A58
HijackThis Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:08:14 AM, on 10/22/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\BroadSign\bsp\bin\bsum.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\ntrtscan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\tmlisten.exe
C:\Program Files\Trend Micro\OfcPfwSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\pccntmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\evan.morris\My Documents\Mozilla Firefox\firefox.exe
C:\WINDOWS\TEMP\SI9F59.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://screenplaycentral
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://screenplaycentral
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://screenplaycentral
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://screenplaycentral/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Screenplay Inc
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKLM\..\Run: [kirehutuj] Rundll32.exe "c:\windows\system32\bohilizo.dll",a
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [TSC] "C:\Program Files\Trend Micro\tsc.exe" /HD
O4 - HKLM\..\RunOnce: [SpybotDeletingA7497] command.com /c del "C:\WINDOWS\SYSTEM32\rupohaze.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4493] cmd.exe /c del "C:\WINDOWS\SYSTEM32\rupohaze.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4198] command.com /c del "C:\WINDOWS\SYSTEM32\sejelafo.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1314] cmd.exe /c del "C:\WINDOWS\SYSTEM32\sejelafo.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA403] command.com /c del "C:\WINDOWS\SYSTEM32\bipibunu.dll.tmp_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3239] cmd.exe /c del "C:\WINDOWS\SYSTEM32\bipibunu.dll.tmp_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1622] command.com /c del "C:\WINDOWS\SYSTEM32\pegigage.dll.tmp_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1518] cmd.exe /c del "C:\WINDOWS\SYSTEM32\pegigage.dll.tmp_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8180] command.com /c del "C:\WINDOWS\SYSTEM32\nuar.old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5419] cmd.exe /c del "C:\WINDOWS\SYSTEM32\nuar.old"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe AcPro7_0_5 -reboot 1
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\evan.morris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [GoToMeeting] C:\Program Files\Citrix\GoToMeeting\320\g2mstart.exe "/Trigger RunAtLogon"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB5118] command.com /c del "C:\WINDOWS\SYSTEM32\rupohaze.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4897] command.com /c del "C:\WINDOWS\SYSTEM32\sejelafo.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8685] cmd.exe /c del "C:\WINDOWS\SYSTEM32\sejelafo.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2401] command.com /c del "C:\WINDOWS\SYSTEM32\bipibunu.dll.tmp_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD299] cmd.exe /c del "C:\WINDOWS\SYSTEM32\bipibunu.dll.tmp_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7353] command.com /c del "C:\WINDOWS\SYSTEM32\pegigage.dll.tmp_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3017] cmd.exe /c del "C:\WINDOWS\SYSTEM32\pegigage.dll.tmp_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3276] command.com /c del "C:\WINDOWS\SYSTEM32\nuar.old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7062] cmd.exe /c del "C:\WINDOWS\SYSTEM32\nuar.old"
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://screenplaycentral
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {254AA86E-5655-4518-AA87-185D7CC41801} (LogMeIn Rescue Technician Console) - https://secure.logmeinrescue.com/TechConsol...scueControl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1119981636184
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = internal.screenplayinc.com
O17 - HKLM\Software\..\Telephony: DomainName = internal.screenplayinc.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{B5A40155-56F9-42E5-B6B2-F817FB9254C3}: Domain = internal.screenplayinc.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{B5A40155-56F9-42E5-B6B2-F817FB9254C3}: NameServer = 192.168.1.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = internal.screenplayinc.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = internal.screenplayinc.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{B5A40155-56F9-42E5-B6B2-F817FB9254C3}: Domain = internal.screenplayinc.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = internal.screenplayinc.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = internal.screenplayinc.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = internal.screenplayinc.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = internal.screenplayinc.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = internal.screenplayinc.com
O20 - AppInit_DLLs: sejelafo.dll c:\windows\system32\bohilizo.dll
O21 - SSODL: wosokinih - {1f1b6b63-ee25-41d0-8169-c539f24ab1ea} - (no file)
O21 - SSODL: mizogudif - {3c85ab8e-0c7a-4878-b11d-ac0376a8d639} - c:\windows\system32\bohilizo.dll
O22 - SharedTaskScheduler: gahurihor - {3c85ab8e-0c7a-4878-b11d-ac0376a8d639} - c:\windows\system32\bohilizo.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BroadSign Player Upgrade Monitor - Unknown owner - C:\Program Files\BroadSign\bsp\bin\bsum.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\ntrtscan.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfcPfwSvc.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\tmlisten.exe
--
End of file - 12471 bytes
#1
Posted 22 October 2009 - 05:25 PM
#2
Posted 26 October 2009 - 06:31 AM
Well, first and foremost, before we go any further you MUST disable TeaTimer - it actually prevents and/or puts back the data the other tools are removing.
Disable the Spybot Tea Timer - DO NOT continue until you've disabled the Tea Timer
Disable Teatimer
First step:
- Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
- If you have the new version 1.5, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
- If you have Version 1.4, Click on Exit Spybot S&D Resident
- Open Spybot S&D
- Click Mode, choose Advanced Mode
- Go To the bottom of the Vertical Panel on the Left, Click Tools
- Then, also in the left panel, click Resident (shows a red/white shield).
- If your firewall raises a question, say OK
- In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
- OK any prompts.
- Use File, Exit to terminate Spybot
- Reboot your machine for the changes to take effect.
Once you've done that then delete your current copy of Combofix and download and run a NEW fresh copy and post back that log and we'll go from there.
Additional links to download the tool:
ComboFix.exe
ComboFix.exe
ComboFix.exe
#4
Posted 28 October 2009 - 01:37 AM
#5
Posted 30 October 2009 - 07:06 AM
Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.
Other members who need assistance please start your own topic in a new thread. Thanks!
The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.