
Malwarebytes

Need Help with Malware Removal, Halts Malwarebytes


2 replies to this topic

#1
Reaver522

    New Member

  • Members
  • 1 posts
Hi, I've been trying for the past few days to get rid of malware on my machine and so far I've been unsuccessful. I tried everything I can think of.

First, it disables Malwarebytes so I can't run it; it just deletes the .exe. I did rename it and it still won't run. I did Spybot scans, which come up with Virtumonde and a few other things. I have my ComboFix log, which I'll be posting after this. I do have anti-virus (I use AVAST) and it does find some stuff, but it just won't get it removed completely. Any help would be appreciated.

ComboFix 09-11-02.02 - Administrator 3/2009 Tue 9:05.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.932.81.1033.18.3070.2495 [GMT -6:00]
Running from: C:\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: avast! antivirus 4.8.1356 [VPS 091103-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-10-03 to 2009-11-03 )))))))))))))))))))))))))))))))
.

2009-11-03 14:57 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-03 14:57 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-03 14:14 . 2009-07-28 22:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-03 14:14 . 2009-03-30 16:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-11-03 14:14 . 2009-02-13 18:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-11-03 14:14 . 2009-02-13 18:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-11-03 14:14 . 2009-11-03 14:14 -------- d-----w- c:\program files\Avira
2009-11-03 14:14 . 2009-11-03 14:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-11-03 14:13 . 2009-11-03 14:13 33961728 ----a-w- C:\avira_antivir_personal_en.exe
2009-11-02 21:23 . 2009-11-03 15:03 3533588 ----a-r- C:\ComboFix.exe
2009-11-02 21:15 . 2009-11-02 21:15 -------- d-----w- c:\program files\Trend Micro
2009-11-02 21:15 . 2009-11-02 21:15 812344 ----a-w- C:\HijackThisInstaller.exe
2009-11-02 19:10 . 2009-11-02 19:10 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-02 19:03 . 2009-11-02 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-11-02 19:02 . 2009-11-02 19:02 77086488 ----a-w- C:\Ad-AwareInstallation.exe
2009-11-02 18:44 . 2009-11-02 18:44 -------- d-----w- C:\VundoFix Backups
2009-11-02 18:44 . 2009-11-02 18:44 119808 ----a-w- C:\VundoFix.exe
2009-11-02 14:25 . 2009-11-02 18:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-02 14:25 . 2009-11-02 14:25 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-02 14:15 . 2009-11-02 14:15 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-11-02 05:05 . 2009-06-30 16:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-11-02 05:05 . 2009-11-02 05:05 -------- d-----w- c:\program files\Panda Security
2009-11-02 05:02 . 2009-11-02 05:02 4045528 ----a-w- C:\KaioKill.exe
2009-11-02 04:23 . 2009-11-02 04:23 -------- d-----w- c:\documents and settings\LocalService\Application Data\DivX
2009-11-01 19:29 . 2009-11-01 19:29 -------- d-----w- C:\Muddy
2009-11-01 06:36 . 2009-11-01 06:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Yahoo
2009-11-01 06:35 . 2009-11-01 06:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Yahoo!
2009-11-01 06:34 . 2009-11-01 06:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-11-01 06:34 . 2009-11-02 04:22 -------- d-----w- c:\program files\Yahoo!
2009-11-01 06:34 . 2009-11-02 04:22 -------- d-----w- c:\windows\SxsCaPendDel
2009-10-31 19:57 . 2009-10-31 19:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\DivX
2009-10-31 19:17 . 2009-11-01 17:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-31 18:05 . 2009-11-01 17:41 -------- d-----w- c:\program files\Zuma's Revenge!
2009-10-31 18:05 . 2009-10-31 18:05 -------- d-----w- c:\windows\Zuma's Revenge!
2009-10-31 18:05 . 2009-10-31 18:05 -------- d-----w- c:\program files\Zuma Deluxe
2009-10-31 17:44 . 2009-10-31 17:44 -------- d-----w- c:\program files\DivX
2009-10-31 17:44 . 2009-10-31 17:44 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-10-26 12:25 . 2009-10-26 12:25 -------- d-----w- c:\program files\Sengoku Rance English
2009-10-26 12:25 . 2009-10-26 12:25 65316044 ----a-w- C:\Sengoku_Rance_English_v1.0_[Yandere_Translations].exe
2009-10-26 02:11 . 2009-10-26 02:11 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-26 02:05 . 2009-10-26 02:05 -------- d-----w- c:\windows\Sun
2009-10-25 12:23 . 2009-10-25 12:32 -------- d-----w- C:\JWPCE
2009-10-24 19:34 . 2009-10-24 19:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Paradox Interactive
2009-10-24 19:29 . 2007-03-05 17:42 15128 ----a-w- c:\windows\system32\x3daudio1_1.dll
2009-10-24 19:28 . 2009-10-24 19:28 -------- d-----w- c:\program files\Paradox Interactive
2009-10-23 17:23 . 2009-10-23 17:23 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Fujitsu
2009-10-23 17:23 . 2009-10-23 17:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Fujitsu
2009-10-23 17:23 . 2009-10-23 17:23 256 ---ha-w- c:\windows\system32\LTAW14FN.BIN
2009-10-23 17:23 . 2009-10-23 17:23 256 ---ha-w- c:\windows\system32\FJLTAFOU.BIN
2009-10-23 17:22 . 2009-10-23 17:23 -------- d-----w- c:\program files\ATLAS V14
2009-10-23 17:15 . 2009-10-23 17:15 162075896 ----a-w- C:\ATLASV14ETrial.exe
2009-10-23 17:07 . 2009-10-23 17:07 217199 ----a-w- C:\AtlTransText.zip
2009-10-23 17:07 . 2009-10-23 17:07 60299 ----a-w- C:\ATLCHECK.zip
2009-10-23 17:06 . 2009-10-23 17:07 -------- d-----w- C:\AGTH
2009-10-23 17:01 . 2009-10-23 17:01 -------- d-----w- c:\program files\SMEE
2009-10-23 14:25 . 2009-10-26 12:25 -------- d-----w- C:\AliceSoft
2009-10-23 14:20 . 2009-10-23 14:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\BDL+D
2009-10-23 14:10 . 2009-10-23 14:10 0 ----a-w- c:\windows\nsreg.dat
2009-10-23 14:10 . 2009-10-23 14:10 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-10-21 00:17 . 2009-10-26 01:35 25 ----a-w- c:\windows\popcinfot.dat
2009-10-20 23:39 . 2009-10-26 01:35 -------- d-----w- C:\Plants vs Zombies
2009-10-20 18:35 . 2009-10-20 18:35 -------- d-----w- c:\documents and settings\All Users\Application Data\FreshGames
2009-10-20 18:20 . 2009-10-20 18:21 -------- d-----w- c:\program files\Ranch Rush
2009-10-20 18:20 . 2009-10-20 18:20 -------- d-----w- c:\windows\Ranch Rush
2009-10-20 15:30 . 2009-10-21 16:36 -------- d-----w- c:\program files\maidin
2009-10-20 15:28 . 2009-10-20 15:28 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-10-20 15:28 . 2009-10-20 15:28 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-10-20 15:28 . 2009-10-21 15:07 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-10-20 15:25 . 2009-10-20 15:25 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-10-20 15:25 . 2009-10-20 15:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\DAEMON Tools Lite
2009-10-19 21:20 . 2009-10-19 21:20 89487540 ----a-w- C:\Qfg2vga11.exe
2009-10-19 09:47 . 2009-10-19 09:47 25 ----a-w- C:\popcinfot.dat
2009-10-19 09:34 . 2009-10-19 09:34 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap Games
2009-10-19 08:38 . 2009-10-23 14:18 -------- d-----w- c:\program files\VALKYRIA
2009-10-18 18:42 . 2009-10-18 18:42 6688 ----a-w- c:\windows\movexe.exe
2009-10-18 18:42 . 2009-10-18 18:43 -------- d-----w- c:\program files\Tamagotchi Simulator
2009-10-18 18:42 . 2009-10-18 18:49 -------- d-----w- C:\tamagosim
2009-10-18 18:42 . 2009-10-18 18:42 1807167 ----a-w- C:\01tamagosim.zip
2009-10-18 13:54 . 2009-10-18 13:55 -------- d-----w- C:\Fonts
2009-10-18 12:36 . 2009-10-18 12:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\InterVideo
2009-10-17 03:15 . 2009-10-17 03:15 -------- d-----w- c:\program files\IrfanView
2009-10-15 17:56 . 2009-10-15 17:56 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2009-10-15 14:16 . 2007-12-10 13:00 61440 ----a-w- c:\windows\system32\ZIMF.DLL
2009-10-15 14:16 . 2007-12-10 13:00 53248 ----a-w- c:\windows\system32\ZTAG.DLL
2009-10-15 14:16 . 2007-12-10 13:00 430080 ----a-w- c:\windows\system32\ZSHP1020.EXE
2009-10-15 14:16 . 2007-12-10 13:00 106496 ----a-w- c:\windows\system32\ZSPOOL.DLL
2009-10-15 14:16 . 2007-12-10 13:00 102400 ----a-w- c:\windows\system32\ZLhp1020.DLL
2009-10-15 14:16 . 2009-11-02 20:27 -------- dc----w- c:\windows\system32\DRVSTORE
2009-10-15 14:16 . 2009-10-15 14:16 -------- d-----w- c:\program files\Hewlett-Packard
2009-10-15 13:15 . 2009-10-24 04:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\dvdcss
2009-10-15 08:45 . 2004-08-04 04:08 31616 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2009-10-15 08:45 . 2004-08-04 04:08 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-10-15 08:43 . 2009-10-15 08:43 19125 ----a-w- c:\windows\ykybucizu.com
2009-10-15 08:43 . 2009-10-15 08:43 15334 ----a-w- c:\windows\fevyfovob.com
2009-10-15 08:43 . 2009-10-15 08:43 14523 ----a-w- c:\windows\system32\yzebihuku.dat
2009-10-15 07:33 . 2009-10-15 07:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\ImgBurn
2009-10-15 07:28 . 2009-10-15 07:28 -------- d-----w- c:\program files\ImgBurn
2009-10-15 06:16 . 2009-10-15 06:16 -------- d-----w- c:\documents and settings\All Users\Application Data\vsosdk
2009-10-15 06:07 . 2009-09-15 10:54 52368 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-10-15 06:07 . 2009-09-15 10:54 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-10-15 06:07 . 2009-09-15 10:53 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-10-15 06:07 . 2009-09-15 10:53 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-10-15 06:07 . 2009-09-15 10:56 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-10-15 06:07 . 2009-09-15 10:56 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-10-15 06:07 . 2009-09-15 10:55 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-10-15 06:07 . 2009-09-15 10:55 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-10-15 06:06 . 2009-09-15 10:59 1279968 ----a-w- c:\windows\system32\aswBoot.exe
2009-10-15 06:06 . 2009-10-15 06:06 -------- d-----w- c:\program files\Alwil Software
2009-10-15 06:06 . 2009-10-15 06:06 39045408 ----a-w- C:\setupengpro.exe
2009-10-15 06:02 . 2009-10-15 06:02 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-10-15 06:02 . 2009-11-01 18:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Vso
2009-10-15 06:02 . 2007-03-19 02:37 65602 ----a-w- c:\windows\system32\cook3260.dll
2009-10-15 06:02 . 2006-09-29 18:26 176165 ----a-w- c:\windows\system32\drv23260.dll
2009-10-15 06:02 . 2006-09-29 18:25 208935 ----a-w- c:\windows\system32\drv33260.dll
2009-10-15 06:02 . 2006-09-29 18:24 217127 ----a-w- c:\windows\system32\drv43260.dll
2009-10-15 06:02 . 2006-05-20 22:16 1184984 ----a-w- c:\windows\system32\wvc1dmod.dll
2009-10-15 06:02 . 2006-05-12 01:21 626688 ----a-w- c:\windows\system32\vp7vfw.dll
2009-10-15 06:02 . 2002-12-10 08:20 102439 ----a-w- c:\windows\system32\sipr3260.dll
2009-10-15 06:02 . 2009-10-15 06:02 -------- d-----w- c:\program files\VSO
2009-10-15 04:57 . 2009-10-15 04:57 18879 ----a-w- c:\windows\qyzodezo.dat
2009-10-14 22:14 . 2009-10-14 22:14 13229447 ----a-w- C:\R.B-02.zip
2009-10-14 13:16 . 2009-10-14 13:16 102143798 ----a-w- C:\R.B-01.zip
2009-10-14 01:56 . 2009-10-14 01:56 -------- d-----w- c:\program files\uTorrent
2009-10-14 01:56 . 2009-11-03 15:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2009-10-14 01:30 . 2009-10-14 01:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ventrilo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-26 02:11 . 2006-07-26 21:35 -------- d-----w- c:\program files\Java
2009-10-21 16:34 . 2006-07-26 23:07 53480 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-16 05:18 . 2007-10-19 17:36 1774432 ----a-w- C:\Rootkit_Detective.exe
2009-10-15 06:02 . 2009-10-15 06:02 47360 ----a-w- c:\documents and settings\Administrator\Application Data\pcouffin.sys
2009-10-13 23:49 . 2006-07-26 22:27 -------- d-----w- c:\program files\Common Files\Sony Shared
2009-10-13 22:27 . 2006-07-26 21:30 -------- d-----w- c:\program files\Intel
2009-10-13 22:26 . 2006-07-26 22:28 -------- d-----w- c:\program files\Sony
2009-10-13 22:26 . 2006-07-26 22:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony Corporation
2009-10-13 14:31 . 2006-07-26 22:52 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-13 14:20 . 2009-10-13 14:20 -------- d-----w- c:\program files\Sonic
2009-10-13 14:20 . 2009-10-13 14:20 -------- d-----w- c:\program files\Common Files\Ulead Systems
2009-10-13 14:20 . 2009-10-13 14:20 -------- d-----w- c:\program files\Ulead Systems
2009-10-13 14:20 . 2009-10-13 14:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Ulead Systems
2009-09-27 23:12 . 2009-09-27 23:12 888832 ----a-w- c:\windows\system32\nvapi.dll
2009-09-27 23:12 . 2009-09-27 23:12 2194024 ----a-w- c:\windows\system32\nvcuvid.dll
2009-09-27 23:12 . 2009-09-27 23:12 2007040 ----a-w- c:\windows\system32\nvcuda.dll
2009-09-27 23:12 . 2009-09-27 23:12 1714792 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-09-27 23:12 . 2009-09-27 23:12 1604482 ----a-w- c:\windows\system32\nvdata.bin
2009-09-27 23:12 . 2006-07-26 20:46 10756096 ----a-w- c:\windows\system32\nvoglnt.dll
2009-09-27 23:12 . 2006-07-26 20:46 7655872 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-09-27 23:12 . 2006-07-26 20:46 5900416 ----a-w- c:\windows\system32\nv4_disp.dll
2009-09-27 23:12 . 2006-07-26 20:46 170600 ----a-w- c:\windows\system32\nvcodins.dll
2009-09-27 23:12 . 2006-07-26 20:46 170600 ----a-w- c:\windows\system32\nvcod.dll
2009-09-27 23:12 . 2006-07-26 13:53 490088 ----a-w- c:\windows\system32\nvudisp.exe
2009-09-25 16:41 . 2009-09-25 16:41 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-09-25 16:41 . 2009-09-25 16:41 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-09-25 16:41 . 2009-09-25 16:41 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-09-25 16:41 . 2009-09-25 16:41 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-09-25 16:41 . 2009-09-25 16:41 696320 ----a-w- c:\windows\system32\DivX.dll
2009-08-14 20:36 . 2009-08-14 20:36 70936 ----a-w- c:\windows\system32\PhysXLoader.dll
2009-08-02 15:07 . 2009-08-02 15:07 39424 --sha-w- c:\windows\system32\bitonuta.dll
2009-08-02 15:07 . 2009-08-02 15:07 53248 --sha-w- c:\windows\system32\hewalote.dll
2009-08-03 15:01 . 2009-08-03 15:01 3 --sha-w- c:\windows\system32\kakijigu.dll
2009-08-02 23:15 . 2009-08-02 23:15 39424 --sha-w- c:\windows\system32\migezomu.dll
2009-08-02 17:01 . 2009-08-02 17:01 39424 --sha-w- c:\windows\system32\mivimoru.dll
2009-08-02 18:14 . 2009-08-02 18:14 39424 --sha-w- c:\windows\system32\sudinasu.dll
2009-08-02 17:01 . 2009-08-02 17:01 91648 --sha-w- c:\windows\system32\sufokiyu.dll
2009-08-03 11:15 . 2009-08-03 11:15 39424 --sha-w- c:\windows\system32\tuhenato.dll
2009-08-02 21:15 . 2009-08-02 21:15 39424 --sha-w- c:\windows\system32\valopawi.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-11-02_21.31.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-07 08:19 . 2007-11-07 08:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll
+ 2009-11-03 15:11 . 2009-11-03 15:11 16384 c:\windows\Temp\Perflib_Perfdata_670.dat
+ 2009-11-03 15:11 . 2009-11-03 15:11 16384 c:\windows\Temp\Perflib_Perfdata_1ec.dat
+ 2006-07-26 20:46 . 2009-11-03 15:00 60312 c:\windows\system32\perfc009.dat
- 2006-07-26 20:46 . 2009-11-02 21:23 60312 c:\windows\system32\perfc009.dat
+ 2009-11-03 14:14 . 2009-05-11 16:12 28520 c:\windows\system32\drivers\ssmdrv.sys
- 2006-07-26 20:46 . 2009-11-02 21:23 398180 c:\windows\system32\perfh009.dat
+ 2006-07-26 20:46 . 2009-11-03 15:00 398180 c:\windows\system32\perfh009.dat
+ 2009-11-03 14:13 . 2009-11-03 14:13 228352 c:\windows\Installer\395f46a.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-10-14 289072]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]
"pupehuruh"="c:\windows\system32\pawagibe.dll" [BU]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"hetalemiro"="gaduvoma.dll" [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-05-21 00:42 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 4.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Steam\\steamapps\\sharinganguardian\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Paradox Interactive\\Majesty 2\\Majesty2.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Sony\\VAIO Event Service\\VESMgr.exe"=
"c:\\Program Files\\Trend Micro\\HijackThis\\HijackThis.exe"=
"c:\\Program Files\\Avira\\AntiVir Desktop\\avgnt.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [11/1/2009 11:05 PM 28552]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [10/15/2009 12:07 AM 114768]
R1 regi;regi;c:\windows\system32\drivers\regi.sys [10/13/2009 8:26 AM 4864]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/3/2009 8:14 AM 108289]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/15/2009 12:07 AM 20560]
S3 23294;23294;\??\c:\windows\system32\23294.sys --> c:\windows\system32\23294.sys [?]
S3 29498;29498;\??\c:\windows\system32\29498.sys --> c:\windows\system32\29498.sys [?]
S3 49a93;49a93;\??\c:\windows\system32\49a93.sys --> c:\windows\system32\49a93.sys [?]
S3 6489C;6489C;\??\c:\windows\system32\6489C.sys --> c:\windows\system32\6489C.sys [?]
S3 69296;69296;\??\c:\windows\system32\69296.sys --> c:\windows\system32\69296.sys [?]
S3 70192;70192;\??\c:\windows\system32\70192.sys --> c:\windows\system32\70192.sys [?]
S3 85d9E;85d9E;\??\c:\windows\system32\85d9E.sys --> c:\windows\system32\85d9E.sys [?]
S3 86b9A;86b9A;\??\c:\windows\system32\86b9A.sys --> c:\windows\system32\86b9A.sys [?]
S3 8a2A0;8a2A0;\??\c:\windows\system32\8a2A0.sys --> c:\windows\system32\8a2A0.sys [?]
S3 ce49F;ce49F;\??\c:\windows\system32\ce49F.sys --> c:\windows\system32\ce49F.sys [?]
S3 e0d97;e0d97;\??\c:\windows\system32\e0d97.sys --> c:\windows\system32\e0d97.sys [?]
S3 f5a9B;f5a9B;\??\c:\windows\system32\f5a9B.sys --> c:\windows\system32\f5a9B.sys [?]
S3 RkPavproc1;RkPavproc1;\??\c:\windows\system32\drivers\RkPavproc1.sys --> c:\windows\system32\drivers\RkPavproc1.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\u2sv08d2.default\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

SharedTaskScheduler-{4c472c7b-b477-4e2e-969c-3ecda8b4c305} - c:\windows\system32\pawagibe.dll
SSODL-bosavemom-{4c472c7b-b477-4e2e-969c-3ecda8b4c305} - c:\windows\system32\pawagibe.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-03 09:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\r3cvqfye.TMP

scan completed successfully
hidden files: 1

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys spsy.sys hal.dll >>UNKNOWN [0x8A4F6938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x8a4ef1f8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

iaStor.sys @ 0x0 0x0 bytes

\Driver\iaStor [ IRP_MJ_CREATE ] 0xF186 != 0xB7D5D7B0 iaStor.sys
\Driver\iaStor [ IRP_MJ_CLOSE ] 0xF186 != 0xB7D5D7B0 iaStor.sys
\Driver\iaStor [ IRP_MJ_DEVICE_CONTROL ] 0x12896 != 0xB7D5D7B0 iaStor.sys
\Driver\iaStor [ IRP_MJ_INTERNAL_DEVICE_CONTROL ] 0x12B58 != 0xB7D5D7B0 iaStor.sys
\Driver\iaStor [ IRP_MJ_POWER ] 0x17E66 != 0xB7D5D7B0 iaStor.sys
\Driver\iaStor [ IRP_MJ_SYSTEM_CONTROL ] 0x17FC6 != 0xB7D5D7B0 iaStor.sys
\Driver\iaStor IRP hooks detected !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2765405622-2405749440-4174155836-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,74,97,2c,27,7d,81,8d,42,a6,f7,e7,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,74,97,2c,27,7d,81,8d,42,a6,f7,e7,\

[HKEY_USERS\S-1-5-21-2765405622-2405749440-4174155836-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\EROTICA PEACH\T0ム宗bマ扱0・ッ0・ *^'`Yeイ€o0゙0゙0k0J0瀅[0c0^]
"Order"=hex:08,00,00,00,02,00,00,00,2a,01,00,00,01,00,00,00,02,00,00,00,80,00,
00,00,00,00,00,00,72,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,60,00,36,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(832)
c:\windows\system32\VESWinlogon.dll

- - - - - - - > 'explorer.exe'(3320)
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-11-03 9:13 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-03 15:13
ComboFix2.txt 2009-11-02 21:34

Pre-Run: 123,054,555,136 bytes free
Post-Run: 123,106,480,128 bytes free

- - End Of File - - 5CFC9C7DA58D7FDBC6238FE3698FE626

#2
LDTate

    Forum Deity

  • Moderators
  • 15,632 posts
  • Gender:Male
  • Location:Missouri, USA
Copy/paste the text in the Codebox below into Notepad:

Here's how to do that:
Click Start > Run, type Notepad, and click OK.
This will open an empty Notepad file.

Take your mouse and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right-click the mouse for options and select 'copy'. Now, over the empty Notepad box, right-click your mouse again and select 'paste', and you will have copied and pasted the text.

File::
c:\windows\ykybucizu.com
c:\windows\fevyfovob.com
c:\windows\system32\yzebihuku.dat
c:\windows\qyzodezo.dat
c:\windows\system32\kakijigu.dll
c:\windows\system32\bitonuta.dll
c:\windows\system32\hewalote.dll
c:\windows\system32\migezomu.dll
c:\windows\system32\mivimoru.dll
c:\windows\system32\sudinasu.dll
c:\windows\system32\sufokiyu.dll
c:\windows\system32\tuhenato.dll
c:\windows\system32\valopawi.dll


Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pupehuruh"=-
"hetalemiro"=-

Save this file to your desktop. Save it as "CFScript".

Here's how to do that:
1. Click File;
2. Click Save As... and change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...



Drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.


Also please describe how your computer behaves at the moment.
Larry Tate
Consumer Support Specialist

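As an added illustration of how the File:: and Registry:: entries in the post above were picked out of the ComboFix log in post #1 (example code written for this page, not a ComboFix or Malwarebytes tool), the script below parses log lines in the two formats ComboFix printed, flags files under c:\windows whose names follow the consonant-vowel pattern of the dropped DLLs (an assumed heuristic, not a ComboFix rule), notes which of those also carry hidden+system attributes, flags Run values that name such files, and prints a CFScript in the same layout as the one posted. The sample lines are copied from the log above, with one legitimate file (popcinfot.dat) added as a control so the heuristic can be seen leaving it alone.

```python
"""Triage ComboFix-style log lines and draft the matching CFScript.

Added example for this thread, not ComboFix's or Malwarebytes' own code. The
line formats are the ones ComboFix printed in post #1; the "generated name"
heuristic is an assumption modelled on the names in the helper's File:: list.
"""
import re

# Constructed sample: lines copied from the log in post #1 plus one legitimate
# file (popcinfot.dat) as a control.
SAMPLE_LOG = r"""
2009-10-21 00:17 . 2009-10-26 01:35 25 ----a-w- c:\windows\popcinfot.dat
2009-10-15 08:43 . 2009-10-15 08:43 19125 ----a-w- c:\windows\ykybucizu.com
2009-10-15 08:43 . 2009-10-15 08:43 14523 ----a-w- c:\windows\system32\yzebihuku.dat
2009-10-15 06:07 . 2009-09-15 10:54 52368 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-08-02 15:07 . 2009-08-02 15:07 39424 --sha-w- c:\windows\system32\bitonuta.dll
2009-08-03 15:01 . 2009-08-03 15:01 3 --sha-w- c:\windows\system32\kakijigu.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]
"pupehuruh"="c:\windows\system32\pawagibe.dll" [BU]
"hetalemiro"="gaduvoma.dll" [BU]
"""

# "created . modified size attributes path", as in the Files Created section.
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
KEY_RE = re.compile(r"^\[(?P<key>HK[^\]]+)\]$")
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)" \[(?P<info>[^\]]*)\]$')

VOWELS = set("aeiouy")
PAYLOAD_EXTS = {"dll", "com", "dat", "exe", "sys"}


def looks_generated(stem):
    """Assumed heuristic: 8-10 lowercase letters with no two adjacent
    consonants, the syllable pattern shared by every name in the File:: list."""
    if not (8 <= len(stem) <= 10) or not stem.isalpha() or not stem.islower():
        return False
    return all(a in VOWELS or b in VOWELS for a, b in zip(stem, stem[1:]))


def basename_stem(path):
    """Split a Windows path into (file stem, lowercase extension)."""
    name = path.rsplit("\\", 1)[-1]
    stem, _, ext = name.rpartition(".")
    return (stem, ext.lower()) if stem else (name, "")


def parse_log(text):
    """Return (file entries, Run-key values) found in ComboFix-style text."""
    files, runs, key = [], [], None
    for line in text.splitlines():
        line = line.strip()
        m = FILE_RE.match(line)
        if m:
            files.append(m.groupdict())
            continue
        m = KEY_RE.match(line)
        if m:
            key = m["key"]
            continue
        m = RUN_RE.match(line)
        if m and key:
            runs.append({"key": key, **m.groupdict()})
    return files, runs


def suspicious_file(entry):
    """Reason string if the entry looks like a dropped payload, else None."""
    if not entry["path"].lower().startswith("c:\\windows\\"):
        return None
    stem, ext = basename_stem(entry["path"])
    if ext not in PAYLOAD_EXTS or not looks_generated(stem):
        return None
    reason = "generated name under c:\\windows"
    if "s" in entry["attrs"] and "h" in entry["attrs"]:
        reason += ", hidden+system attributes"
    return reason


def suspicious_run(entry):
    """Flag Run values whose value name or target file carries a generated name."""
    stem, _ = basename_stem(entry["target"])
    return looks_generated(entry["name"]) or looks_generated(stem)


def triage(text):
    files, runs = parse_log(text)
    return [f for f in files if suspicious_file(f)], [r for r in runs if suspicious_run(r)]


def build_cfscript(bad_files, bad_runs):
    """Emit File:: and Registry:: sections in the layout used in post #2."""
    lines = ["File::"] + [f["path"] for f in bad_files]
    if bad_runs:
        lines += ["", "Registry::"]
        for key in dict.fromkeys(r["key"] for r in bad_runs):
            lines.append(f"[{key}]")
            lines += [f'"{r["name"]}"=-' for r in bad_runs if r["key"] == key]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    flagged_files, flagged_runs = triage(SAMPLE_LOG)
    for f in flagged_files:
        print(f"{f['path']}  <- {suspicious_file(f)}")
    print()
    print(build_cfscript(flagged_files, flagged_runs))
```

The name check is deliberately the weakest part: it reproduces the helper's choices on this log and spares popcinfot.dat only because that name has adjacent consonants, so a real triage would pair it with the attribute and location signals rather than rely on it alone.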

#3
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,575 posts
  • Gender:Male
  • Location:US
Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
Ron Lewis
Manager, Online Support


If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.
