4 replies to this topic

[jojo3]

system security not allowing to install mbam
i have tried to rename MBAM
i have renamed system secrity
nothin sees to work please
please help........
thnx in advance


hijack this -log



***** THE SYSTEM HAS BEEN RESTARTED *****
10/21/2009 4:41:06 PM: Trojan Remover has been restarted
The AppInitDLLs Registry entry has been reset
=======================================================
Removing the following registry keys:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\c4fa04fd651 - already removed (or did not exist)
HKCR\CLSID\{08b5dbfb-abaf-40d1-9bb2-d09b76ef7a12} - already removed (or did not exist)
HKCR\CLSID\{3e059860-3c11-4a95-a2b3-b8e4edab79a6} - already removed (or did not exist)
HKCR\CLSID\{a0c10d81-950c-4444-9b42-32f988fad408} - removed
=======================================================
=======================================================
Deleting the following registry value(s):
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[katabozed] - deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\[AvgUninstallURL] - already deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\[pohaluyih] - already deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\[nozagobeh] - already deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\[dizudesip] - deleted
=======================================================
10/21/2009 4:41:06 PM: Trojan Remover closed
************************************************************


***** NORMAL SCAN FOR ACTIVE MALWARE *****
Trojan Remover Ver 6.8.1.2591. For information, email support@simplysup.com
[Unregistered version]
Scan started at: 4:28:08 PM 21 Oct 2009
Using Database v7411
Operating System: Windows XP Professional (SP2) [Build: 5.1.2600]
File System: NTFS
UserData directory: C:\Documents and Settings\user\Application Data\Simply Super Software\Trojan Remover\
Database directory: C:\Documents and Settings\All Users\Application Data\Simply Super Software\Trojan Remover\Data\
Logfile directory: C:\Documents and Settings\user\My Documents\Simply Super Software\Trojan Remover Logfiles\
Program directory: C:\Program Files\Trojan Remover\
Running with Administrator privileges

************************************************************

************************************************************
4:28:08 PM: ----- SCANNING FOR ROOTKIT SERVICES -----
No hidden Services were detected.

************************************************************
4:28:10 PM: Scanning -----WINDOWS REGISTRY-----
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
This key's "Shell" value calls the following program(s):
Key value: [Explorer.exe]
File: Explorer.exe
C:\WINDOWS\Explorer.exe
1033216 bytes
Created: 8/29/2002 7:00 AM
Modified: 6/13/2007 5:23 AM
Company: Microsoft Corporation
----------
This key's "Userinit" value calls the following program(s):
Key value: [C:\WINDOWS\system32\userinit.exe,]
File: C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\userinit.exe
24576 bytes
Created: 8/29/2002 7:00 AM
Modified: 8/4/2004 12:56 AM
Company: Microsoft Corporation
----------
This key's "System" value appears to be blank
----------
This key's "UIHost" value calls the following program:
Key value: [logonui.exe]
File: logonui.exe
C:\WINDOWS\system32\logonui.exe
514560 bytes
Created: 8/29/2002 7:00 AM
Modified: 8/4/2004 12:56 AM
Company: Microsoft Corporation
----------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Value Name: load
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value Name: ANIWZCS2Service
Value Data: C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
49152 bytes
Created: 7/30/2009 9:24 AM
Modified: 1/19/2007 11:49 AM
Company: Wireless Service
--------------------
Value Name: D-Link D-Link RangeBooster N DWA-140
Value Data: C:\Program Files\D-Link\D-Link RangeBooster N DWA-140\AirNCFG.exe
C:\Program Files\D-Link\D-Link RangeBooster N DWA-140\AirNCFG.exe
1671168 bytes
Created: 7/30/2009 9:23 AM
Modified: 8/20/2007 2:05 PM
Company: D-Link
--------------------
Value Name: SunJavaUpdateSched
Value Data: "C:\Program Files\Java\jre6\bin\jusched.exe"
C:\Program Files\Java\jre6\bin\jusched.exe
136600 bytes
Created: 7/30/2009 10:54 AM
Modified: 7/30/2009 10:54 AM
Company: Sun Microsystems, Inc.
--------------------
Value Name: QuickTime Task
Value Data: "C:\Program Files\QuickTime\qttask.exe" -atboottime
C:\Program Files\QuickTime\qttask.exe
417792 bytes
Created: 9/5/2009 1:54 AM
Modified: 9/5/2009 1:54 AM
Company: Apple Inc.
--------------------
Value Name: AppleSyncNotifier
Value Data: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
177440 bytes
Created: 8/13/2009 3:51 PM
Modified: 8/13/2009 3:51 PM
Company: Apple Inc.
--------------------
Value Name: iTunesHelper
Value Data: "C:\Program Files\iTunes\iTunesHelper.exe"
C:\Program Files\iTunes\iTunesHelper.exe
305440 bytes
Created: 9/21/2009 4:36 PM
Modified: 9/21/2009 4:36 PM
Company: Apple Inc.
--------------------
Value Name: MSConfig
Value Data: C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
158208 bytes
Created: 10/19/2004 3:50 PM
Modified: 8/4/2004 12:56 AM
Company: Microsoft Corporation
--------------------
Value Name: SNM
Value Data: C:\Program Files\SpyNoMore\SNM.exe /startup
C:\Program Files\SpyNoMore\SNM.exe - [file not found to scan]
--------------------
Value Name: 92044726
Value Data: C:\DOCUME~1\ALLUSE~1\APPLIC~1\92044726\92044726.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\92044726\92044726.exe - [file not found to scan]
--------------------
Value Name: 53519023
Value Data: C:\DOCUME~1\ALLUSE~1\APPLIC~1\53519023\53519023.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\53519023\53519023.exe - [file not found to scan]
--------------------
Value Name: katabozed
Value Data: Rundll32.exe "c:\windows\system32\mubodigi.dll",a
c:\windows\system32\mubodigi.dll
-HS- 88576 bytes
Created: 7/15/2009 3:57 PM
Modified: 7/15/2009 3:57 PM
Company: [no info]
c:\windows\system32\mubodigi.dll appears to contain: TROJAN.VIRTUMONDE (HEURISTIC DETECTION)
c:\windows\system32\mubodigi.dll - HIDDEN and SYSTEM file attributes removed
c:\windows\system32\mubodigi.dll - file renamed to: c:\windows\system32\mubodigi.dll.vir
--------------------
Value Name: TrojanScanner
Value Data: C:\Program Files\Trojan Remover\Trjscan.exe /boot
C:\Program Files\Trojan Remover\Trjscan.exe
1070984 bytes
Created: 10/21/2009 4:23 PM
Modified: 10/17/2009 8:35 PM
Company: Simply Super Software
--------------------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Value Name: AvgUninstallURL
Value Data: cmd.exe /c start http://www.avg.com/ww.special-uninstallati...uot;ver=9.0.686
cmd.exe /c start http://www.avg.com/ww.special-uninstallati...uot;ver=9.0.686 - this registry value has been removed [file not found to scan]
--------------------
Value Name: Malwarebytes' Anti-Malware
Value Data: C:\Program Files\ao\mbamgui.exe /install /silent
C:\Program Files\ao\mbamgui.exe - [file not found to scan]
--------------------
Value Name: InnoSetupRegFile.0000000001
Value Data: "C:\WINDOWS\is-VOH5F.exe" /REG
C:\WINDOWS\is-VOH5F.exe
693760 bytes
Created: 10/21/2009 3:25 PM
Modified: 10/21/2009 3:25 PM
Company:
--------------------
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value Name: ctfmon.exe
Value Data: C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe
15360 bytes
Created: 8/29/2002 7:00 AM
Modified: 8/4/2004 12:56 AM
Company: Microsoft Corporation
--------------------
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
This Registry Key appears to be empty

************************************************************
4:29:15 PM: Scanning -----SHELLEXECUTEHOOKS-----
ValueName: {AEB6717E-7E19-11d0-97EE-00C04FD91972}
File: shell32.dll - this file is expected and has been left in place
----------

************************************************************
4:29:15 PM: Scanning -----HIDDEN REGISTRY ENTRIES-----
Taskdir check completed
----------
No Hidden File-loading Registry Entries found
----------

************************************************************
4:29:16 PM: Scanning -----ACTIVE SCREENSAVER-----
ScreenSaver: C:\WINDOWS\System32\ss3dfo.scr
C:\WINDOWS\System32\ss3dfo.scr
704512 bytes
Created: 8/29/2002 7:00 AM
Modified: 8/4/2004 12:56 AM
Company: Microsoft Corporation
--------------------

************************************************************
4:29:16 PM: Scanning ----- REGISTRY ACTIVE SETUP KEYS -----

************************************************************
4:29:16 PM: Scanning ----- SERVICEDLL REGISTRY KEYS -----

************************************************************
4:29:17 PM: Scanning ----- SERVICES REGISTRY KEYS -----
Key: ANIWZCSdService
ImagePath: C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
49152 bytes
Created: 7/30/2009 9:24 AM
Modified: 1/19/2007 11:49 AM
Company: Wireless Service
----------
Key: ati2mtaa
ImagePath: System32\DRIVERS\ati2mtaa.sys
C:\WINDOWS\System32\DRIVERS\ati2mtaa.sys
327040 bytes
Created: 10/19/2004 10:40 AM
Modified: 8/3/2004 10:29 PM
Company: ATI Technologies Inc.
----------
Key: AvgTdiX
ImagePath: \SystemRoot\System32\Drivers\avgtdix.sys
C:\WINDOWS\System32\Drivers\avgtdix.sys - [file not found to scan]
----------
Key: GT72NDISIPXP
ImagePath: system32\DRIVERS\Gt51Ip.sys
C:\WINDOWS\system32\DRIVERS\Gt51Ip.sys
106624 bytes
Created: 2/18/2008 5:14 PM
Modified: 2/18/2008 5:14 PM
Company: Option N.V.
----------
Key: GT72UBUS
ImagePath: system32\DRIVERS\gt72ubus.sys
C:\WINDOWS\system32\DRIVERS\gt72ubus.sys
59648 bytes
Created: 2/8/2008 1:00 PM
Modified: 2/8/2008 1:00 PM
Company: Option N.V.
----------
Key: GTPTSER
ImagePath: system32\DRIVERS\gtptser.sys
C:\WINDOWS\system32\DRIVERS\gtptser.sys
8064 bytes
Created: 3/30/2007 1:38 PM
Modified: 3/30/2007 1:38 PM
Company: Option N.V.
----------
Key: rt2870
ImagePath: system32\DRIVERS\rt2870.sys
C:\WINDOWS\system32\DRIVERS\rt2870.sys
517632 bytes
Created: 7/30/2009 9:22 AM
Modified: 7/28/2007 2:50 PM
Company: Ralink Technology, Corp.
----------
Key: Secdrv
ImagePath: System32\DRIVERS\secdrv.sys
C:\WINDOWS\System32\DRIVERS\secdrv.sys
27440 bytes
Created: 8/29/2002 7:00 AM
Modified: 8/29/2002 7:00 AM
Company: [no info]
----------
Key: sr
ImagePath: \SystemRoot\System32\DRIVERS\sr.sys
C:\WINDOWS\System32\DRIVERS\sr.sys
73472 bytes
Created: 10/19/2004 3:50 PM
Modified: 8/3/2004 11:06 PM
Company: Microsoft Corporation
----------
Key: SwPrv
ImagePath: C:\WINDOWS\System32\dllhost.exe /Processid:{AE5F0C09-7C88-4BCA-B8EC-795CA9F0F95D}
C:\WINDOWS\System32\dllhost.exe
5120 bytes
Created: 8/29/2002 7:00 AM
Modified: 8/4/2004 12:56 AM
Company: Microsoft Corporation
----------

************************************************************
4:29:22 PM: Scanning -----VXD ENTRIES-----
Checking the following VxD entries:
C:\WINDOWS\system32\JAVASUP.VXD
7315 bytes
Created: 10/19/2004 4:38 PM
Modified: 2/28/2003 4:54 PM
Company: [no info]
VxD Key = JAVASUP
----------
----------

************************************************************
4:29:23 PM: Scanning ----- WINLOGON\NOTIFY DLLS -----
Key : c4fa04fd651
DLLName: C:\WINDOWS\System32\d3d8thk32.dll
C:\WINDOWS\System32\d3d8thk32.dll - this reference has been removed [file not found to scan]
----------

************************************************************
4:29:33 PM: Scanning ----- CONTEXTMENUHANDLERS -----

************************************************************
4:29:33 PM: Scanning ----- FOLDER\COLUMNHANDLERS -----

************************************************************
4:29:33 PM: Scanning ----- BROWSER HELPER OBJECTS -----
Key: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
BHO: C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
54248 bytes
Created: 11/3/2003 2:17 PM
Modified: 11/3/2003 2:17 PM
Company: Adobe Systems Incorporated
----------
Key: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}
BHO: C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
160496 bytes
Created: 7/28/2008 5:47 AM
Modified: 7/28/2008 5:47 AM
Company: Yahoo! Inc
----------

************************************************************
4:29:34 PM: Scanning ----- SHELLSERVICEOBJECTS -----
Key: pohaluyih
CLSID: {08b5dbfb-abaf-40d1-9bb2-d09b76ef7a12}
Path: c:\windows\system32\mubodigi.dll
c:\windows\system32\mubodigi.dll - this ShellServiceObject was being loaded by the following key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\"pohaluyih" - this registry entry has been removed [file already renamed]
c:\windows\system32\mubodigi.dll - this ShellServiceObject was referenced by the following key:
HKEY_CLASSES_ROOT\CLSID\{08b5dbfb-abaf-40d1-9bb2-d09b76ef7a12} - this key has been removed
----------
Key: nozagobeh
CLSID: {3e059860-3c11-4a95-a2b3-b8e4edab79a6}
Path: c:\windows\system32\sujatena.dll
c:\windows\system32\sujatena.dll
-HS- 89088 bytes
Created: 7/18/2009 3:08 PM
Modified: 7/18/2009 3:08 PM
Company: [no info]
c:\windows\system32\sujatena.dll - this ShellServiceObject was being loaded by the following key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\"nozagobeh" - this key has been removed
c:\windows\system32\sujatena.dll - this ShellServiceObject was referenced by the following key:
HKEY_CLASSES_ROOT\CLSID\{3e059860-3c11-4a95-a2b3-b8e4edab79a6} - this key has been removed
c:\windows\system32\sujatena.dll - HIDDEN and SYSTEM file attributes removed
c:\windows\system32\sujatena.dll - file renamed to: c:\windows\system32\sujatena.dll.vir
----------
Key: dizudesip
CLSID: {a0c10d81-950c-4444-9b42-32f988fad408}
Path: c:\windows\system32\mubodigi.dll
c:\windows\system32\mubodigi.dll - this ShellServiceObject was being loaded by the following key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\"dizudesip" - this registry entry has been removed [file already renamed]
c:\windows\system32\mubodigi.dll - this ShellServiceObject was referenced by the following key:
HKEY_CLASSES_ROOT\CLSID\{a0c10d81-950c-4444-9b42-32f988fad408} - this key has been removed
----------

************************************************************
4:29:41 PM: Scanning ----- SHAREDTASKSCHEDULER ENTRIES -----
Value: {c337de3e-d9d2-41d8-b418-19cd701ec924}
Comment: kupuhivus
This SharedTaskScheduler entry has been left in place [does not appear to load anything]
----------
Value: {4a10bfde-56f3-49ae-b0f3-bd784ad3031a}
Comment: kupuhivus
This SharedTaskScheduler entry has been left in place [does not appear to load anything]
----------
Value: {08b5dbfb-abaf-40d1-9bb2-d09b76ef7a12}
Comment: jugezatag
This SharedTaskScheduler entry has been left in place [does not appear to load anything]
----------
Value: {3e059860-3c11-4a95-a2b3-b8e4edab79a6}
Comment: jugezatag
This SharedTaskScheduler entry has been left in place [does not appear to load anything]
----------
Value: {a0c10d81-950c-4444-9b42-32f988fad408}
Comment: gahurihor
This SharedTaskScheduler entry has been left in place [does not appear to load anything]
----------

************************************************************
4:29:42 PM: Scanning ----- IMAGEFILE DEBUGGERS -----
No "Debugger" entries found.

************************************************************
4:29:42 PM: Scanning ----- APPINIT_DLLS -----
AppInitDLLs entry = [C:\WINDOWS\System32\d3d8thk32.dll c:\windows\system32\garowori.dll c:\windows\system32\yetevato.dll c:\windows\system32\butabefu.dll c:\windows\system32\mubodigi.dll,yivoboki.dll]
C:\WINDOWS\System32\d3d8thk32.dll - this reference will be removed [file not found to scan]
----------
c:\windows\system32\garowori.dll - this reference will be removed [file not found to scan]
----------
c:\windows\system32\yetevato.dll - this reference will be removed [file not found to scan]
----------
File: c:\windows\system32\butabefu.dll
c:\windows\system32\butabefu.dll
-HS- 90112 bytes
Created: 7/21/2009 3:01 PM
Modified: 7/21/2009 3:01 PM
Company: [no info]
c:\windows\system32\butabefu.dll - this reference will be removed
c:\windows\system32\butabefu.dll - HIDDEN and SYSTEM file attributes removed
c:\windows\system32\butabefu.dll - file renamed to: c:\windows\system32\butabefu.dll.vir
----------
c:\windows\system32\mubodigi.dll - this reference will be removed [file not found to scan]
----------
File: yivoboki.dll
C:\WINDOWS\system32\yivoboki.dll
-HS- 51200 bytes
Created: 7/21/2009 3:03 PM
Modified: 7/21/2009 3:03 PM
Company: [no info]
C:\WINDOWS\system32\yivoboki.dll - this reference will be removed
C:\WINDOWS\system32\yivoboki.dll - HIDDEN and SYSTEM file attributes removed
yivoboki.dll - file renamed to: yivoboki.dll.vir
----------

************************************************************
4:29:49 PM: Scanning ----- SECURITY PROVIDER DLLS -----

************************************************************
4:29:49 PM: Scanning ------ COMMON STARTUP GROUP ------
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
The Common Startup Group attempts to load the following file(s) at boot time:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
-HS- 84 bytes
Created: 10/19/2004 10:36 AM
Modified: 10/19/2004 3:58 PM
Company: [no info]
--------------------
Microsoft Office.lnk - links to C:\PROGRA~1\MICROS~2\Office10\OSA.EXE
C:\PROGRA~1\MICROS~2\Office10\OSA.EXE
83360 bytes
Created: 2/13/2001 1:01 AM
Modified: 2/13/2001 1:01 AM
Company: Microsoft Corporation
--------------------

************************************************************
4:29:50 PM: Scanning ------ USER STARTUP GROUPS ------
--------------------
Checking Startup Group for: Administrator
[C:\Documents and Settings\Administrator\START MENU\PROGRAMS\STARTUP]
The Startup Group for Administrator attempts to load the following file(s):
C:\Documents and Settings\Administrator\START MENU\PROGRAMS\STARTUP\desktop.ini
-HS- 84 bytes
Created: 8/12/2009 11:52 PM
Modified: 10/19/2004 3:58 PM
Company: [no info]
----------
--------------------
Checking Startup Group for: Guest
[C:\Documents and Settings\Guest\START MENU\PROGRAMS\STARTUP]
The Startup Group for Guest attempts to load the following file(s):
C:\Documents and Settings\Guest\START MENU\PROGRAMS\STARTUP\desktop.ini
-HS- 84 bytes
Created: 10/19/2004 4:44 PM
Modified: 10/19/2004 3:58 PM
Company: [no info]
----------
--------------------
Checking Startup Group for: user
[C:\Documents and Settings\user\START MENU\PROGRAMS\STARTUP]
The Startup Group for user attempts to load the following file(s):
C:\Documents and Settings\user\START MENU\PROGRAMS\STARTUP\desktop.ini
-HS- 84 bytes
Created: 10/19/2004 4:06 PM
Modified: 10/19/2004 3:58 PM
Company: [no info]
----------

************************************************************
4:29:51 PM: Scanning ----- SCHEDULED TASKS -----
Taskname: AppleSoftwareUpdate
File: C:\Program Files\Apple Software Update\SoftwareUpdate.exe
C:\Program Files\Apple Software Update\SoftwareUpdate.exe
566592 bytes
Created: 7/30/2008 12:34 PM
Modified: 7/30/2008 12:34 PM
Company: Apple Inc.
Parameters: -task
Schedule: At 7:40 PM every Fri of every week, starting 8/13/2009
Next Run Time: 10/23/2009 7:40:00 PM
Status: Has not run
Status: SYSTEM
Comments:
----------

************************************************************
4:29:51 PM: Scanning ----- SHELLICONOVERLAYIDENTIFIERS -----

************************************************************
4:29:52 PM: Scanning ----- DEVICE DRIVER ENTRIES -----

************************************************************
4:29:52 PM: ----- ADDITIONAL CHECKS -----
PE386 rootkit checks completed
----------
Winlogon registry rootkit checks completed
----------
Heuristic checks for hidden files/drivers completed
----------
Layered Service Provider entries checks completed
----------
Windows Explorer Policies checks completed
----------
Desktop Wallpaper entry is blank
----------
Web Desktop Wallpaper: %USERPROFILE%\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
17842230 bytes
Created: 9/26/2009 11:47 PM
Modified: 9/26/2009 11:48 PM
Company: [no info]
----------
Checks for rogue DNS NameServers completed
----------
The Windows Update service is disabled
%s - Service has been set to DISABLED
User requested no action taken
Additional checks completed

************************************************************
4:30:15 PM: Scanning ----- RUNNING PROCESSES -----

C:\WINDOWS\System32\smss.exe
50688 bytes
Created: 8/29/2002 7:00 AM
Modified: 8/4/2004 12:56 AM
Company: Microsoft Corporation
[1 loaded module]
--------------------
C:\WINDOWS\system32\csrss.exe
6144 bytes
Created: 8/29/2002 7:00 AM
Modified: 8/4/2004 12:56 AM
Company: Microsoft Corporation
[13 loaded modules in total]
--------------------
C:\WINDOWS\system32\winlogon.exe
502272 bytes
Created: 8/29/2002 7:00 AM
Modified: 8/4/2004 12:56 AM
Company: Microsoft Corporation
[89 loaded modules in total]
--------------------
C:\WINDOWS\system32\services.exe
110592 bytes
Created: 8/29/2002 7:00 AM
Modified: 2/6/2009 12:14 PM
Company: Microsoft Corporation
[42 loaded modules in total]
--------------------
C:\WINDOWS\system32\lsass.exe
13312 bytes
Created: 8/29/2002 7:00 AM
Modified: 8/4/2004 12:56 AM
Company: Microsoft Corporation
[60 loaded modules in total]
--------------------
C:\WINDOWS\system32\svchost.exe
14336 bytes
Created: 8/29/2002 7:00 AM
Modified: 8/4/2004 12:56 AM
Company: Microsoft Corporation
[48 loaded modules in total]
--------------------
C:\WINDOWS\system32\svchost.exe - file already scanned
[41 loaded modules in total]
--------------------
C:\WINDOWS\System32\svchost.exe - file already scanned
[147 loaded modules in total]
--------------------
C:\WINDOWS\System32\svchost.exe - file already scanned
[35 loaded modules in total]
--------------------
C:\WINDOWS\System32\svchost.exe - file already scanned
[38 loaded modules in total]
--------------------
C:\WINDOWS\system32\spoolsv.exe
57856 bytes
Created: 8/29/2002 7:00 AM
Modified: 6/10/2005 6:53 PM
Company: Microsoft Corporation
[57 loaded modules in total]
--------------------
C:\WINDOWS\Explorer.EXE - file already scanned
[112 loaded modules in total]
--------------------
C:\WINDOWS\System32\svchost.exe - file already scanned
[34 loaded modules in total]
--------------------
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
144712 bytes
Created: 7/9/2009 12:22 PM
Modified: 7/9/2009 12:22 PM
Company: Apple Inc.
[37 loaded modules in total]
--------------------
C:\Program Files\Bonjour\mDNSResponder.exe
238888 bytes
Created: 12/12/2008 11:17 AM
Modified: 12/12/2008 11:17 AM
Company: Apple Inc.
[36 loaded modules in total]
--------------------
C:\Program Files\Java\jre6\bin\jqs.exe
152984 bytes
Created: 7/30/2009 10:54 AM
Modified: 7/30/2009 10:54 AM
Company: Sun Microsystems, Inc.
[37 loaded modules in total]
--------------------
C:\WINDOWS\System32\svchost.exe - file already scanned
[44 loaded modules in total]
--------------------
C:\WINDOWS\System32\alg.exe
44544 bytes
Created: 8/29/2002 7:00 AM
Modified: 8/4/2004 12:56 AM
Company: Microsoft Corporation
[37 loaded modules in total]
--------------------
C:\WINDOWS\system32\ctfmon.exe - file already scanned
[38 loaded modules in total]
--------------------
C:\Program Files\iPod\bin\iPodService.exe
545568 bytes
Created: 9/21/2009 4:36 PM
Modified: 9/21/2009 4:36 PM
Company: Apple Inc.
[33 loaded modules in total]
--------------------
C:\Program Files\Internet Explorer\iexplore.exe
638816 bytes
Created: 10/19/2004 3:50 PM
Modified: 3/8/2009 2:09 PM
Company: Microsoft Corporation
[73 loaded modules in total]
--------------------
C:\Program Files\Internet Explorer\iexplore.exe - file already scanned
[114 loaded modules in total]
--------------------
C:\WINDOWS\system32\devldr32.exe
24064 bytes
Created: 10/19/2004 10:41 AM
Modified: 8/17/2001 10:36 PM
Company: Creative Technology Ltd.
[37 loaded modules in total]
--------------------
C:\Documents and Settings\user\Application Data\Simply Super Software\Trojan Remover\hts2B.exe
FileSize: 3101560
[This is a Trojan Remover component]
[67 loaded modules in total]
--------------------

************************************************************
4:31:54 PM: Checking HOSTS file
No malicious entries were found in the HOSTS file
************************************************************
4:31:54 PM: started scan of Windows\System32 DLLs
Deleting the following DLLs associated with Trojan.VirtuMonde:
C:\WINDOWS\system32\zekuboli.dll - HIDDEN and SYSTEM file attributes removed
zekuboli.dll
1244 DLL files scanned, 1 malicious DLL deleted (or marked for deletion)
4:34:48 PM: completed scan of Windows\System32 DLLS
************************************************************
4:34:48 PM: started scan of C:\WINDOWS\system32\ Directory DLL.TMPs
3 DLL.TMP files scanned, 0 malicious DLL.TMP files deleted (or marked for deletion)
4:34:48 PM: completed scan of C:\WINDOWS\system32\ Directory DLL.TMPs
************************************************************
4:34:48 PM: started scan of EXE files in C:\WINDOWS\system32
345 EXE files scanned in C:\WINDOWS\system32
0 malicious EXE files deleted (or marked for deletion)
************************************************************
4:34:54 PM: Removing the following Trojan.VirtuMonde config file(s):
esentprf.ini
1 Trojan.VirtuMonde config file deleted

************************************************************
4:34:54 PM: Scanning ------ %TEMP% DIRECTORY ------
C:\DOCUME~1\user\LOCALS~1\Temp\~DF5615.tmp appears to be in-use/locked
C:\DOCUME~1\user\LOCALS~1\Temp\~DF5CE3.tmp appears to be in-use/locked
C:\DOCUME~1\user\LOCALS~1\Temp\~DF841B.tmp appears to be in-use/locked
C:\DOCUME~1\user\LOCALS~1\Temp\~DF8DA2.tmp appears to be in-use/locked
C:\DOCUME~1\user\LOCALS~1\Temp\~DFE6C1.tmp appears to be in-use/locked
C:\DOCUME~1\user\LOCALS~1\Temp\~DFE6C8.tmp appears to be in-use/locked
C:\DOCUME~1\user\LOCALS~1\Temp\~DFE71A.tmp appears to be in-use/locked
C:\DOCUME~1\user\LOCALS~1\Temp\~DFE722.tmp appears to be in-use/locked
C:\DOCUME~1\user\LOCALS~1\Temp\~DFE7D6.tmp appears to be in-use/locked
C:\DOCUME~1\user\LOCALS~1\Temp\~DFE8AA.tmp appears to be in-use/locked
************************************************************
4:35:19 PM: Scanning ------ C:\WINDOWS\Temp DIRECTORY ------
************************************************************
4:35:19 PM: Scanning ------ ROOT DIRECTORY ------

************************************************************
4:35:19 PM: ------ Scan for other files to remove ------
No malware-related files found to remove

************************************************************
------ INTERNET EXPLORER HOME/START/SEARCH SETTINGS ------
HKLM\Software\Microsoft\Internet Explorer\Main\"Start Page":
http://go.microsoft....k/?LinkId=69157
HKLM\Software\Microsoft\Internet Explorer\Main\"Local Page":
C:\WINDOWS\system32\blank.htm
HKLM\Software\Microsoft\Internet Explorer\Main\"Search Page":
http://go.microsoft....k/?LinkId=54896
HKLM\Software\Microsoft\Internet Explorer\Main\"Default_Page_URL":
http://go.microsoft....k/?LinkId=69157
HKLM\Software\Microsoft\Internet Explorer\Main\"Default_Search_URL":
http://go.microsoft....k/?LinkId=54896
HKLM\Software\Microsoft\Internet Explorer\Search\"CustomizeSearch":
http://ie.search.msn...st/srchcust.htm
HKLM\Software\Microsoft\Internet Explorer\Search\"SearchAssistant":
This value is blank
HKCU\Software\Microsoft\Internet Explorer\Main\"Start Page":
http://search.conduit.com/?SearchSource=10...;ctid=CT2014090
HKCU\Software\Microsoft\Internet Explorer\Main\"Local Page":
C:\WINDOWS\system32\blank.htm
HKCU\Software\Microsoft\Internet Explorer\Main\"Search Page":
This value is blank

************************************************************
=== CHANGES WERE MADE TO THE WINDOWS REGISTRY ===
=== ONE OR MORE FILES WERE RENAMED OR REMOVED ===
Scan completed at: 4:35:20 PM 21 Oct 2009
Total Scan time: 00:07:11
-------------------------------------------------------------------------
One or more files could not be moved or renamed as requested.
They may be in use by Windows, so Trojan Remover needs
to restart the system in order to deal with these files.
10/21/2009 4:35:26 PM: restart commenced
************************************************************

[AdvancedSetup]

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.

• rkill.exe
  
• rkill.com
  
• rkill.scr
  
• rkill.pif

Once you've gotten one of them to run then try to immediately run the following.


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

• If you are using Firefox, make sure that your download settings are as follows:
  
  • Tools->Options->Main tab
    
  • Set to "Always ask me where to Save the files".
• During the download, rename Combofix to Combo-Fix as follows:
  
  
  
  
  
  
  
• It is important you rename Combofix during the download, but not after.
  
• Please do not rename Combofix to other names, but only to the one indicated.
  
• Close any open browsers.
  
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  

  -----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    

    -----------------------------------------------------------

  • Close any open browsers.
    
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

  -----------------------------------------------------------

• Double click on combo-Fix.exe & follow the prompts.
  
• When finished, it will produce a report for you.
  
• Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

If this doesn't work either, try the same method (above method), but name Combofix.exe to iexplore.exe instead, or winlogon.exe..
This because It also happens in some cases that malware blocks EVERY process except for what is in its own whitelist, so this whitelist also includes system important processes such as iexplore.exe, explorer.exe, winlogon.exe...

[AdvancedSetup]

Please post an update on this. Thanks.

[AdvancedSetup]

Are you still with us?

[AdvancedSetup]

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.