FOR THE PAST 2 DAYS I HAVE BEEN HAVING MANY POP-UPS FROM AN ANTIVIRUS PRO THAT HAS BEEN DOWNLOADED TO MY COMPUTER SOMEHOW. MY MCAFEE KEEPS PICKING UP THE VIRUSES ARTEMIS, VUNDO, AND GENERIC.DX. I DON'T KNOW WHAT TO DO BECAUSE IT WILL NOT REMOVE THEM. MALWAREBYTES.EXE HAS BEEN DELETED AND I'M UNABLE TO DOWNLOAD IT AGAIN. I'M ALSO GETTING POP-UPS ON THE INTERNET TO DIFFERENT PORN SITES AND THINGS LIKE THAT. HERE IS MY HIJACKTHIS LOG. PLEASE HELP ME!!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:07:39 AM, on 11/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\Amanda\LOCALS~1\Temp\_A00FD899B5.exe
C:\DOCUME~1\Amanda\LOCALS~1\Temp\ejq9vdp.exe
C:\DOCUME~1\Amanda\LOCALS~1\Temp\mdm.exe
C:\Documents and Settings\Amanda\Local Settings\Application Data\bmsggq\emunsysguard.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee\MSC\mcshell.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [kscdaglx] C:\Documents and Settings\Amanda\Local Settings\Application Data\bmsggq\emunsysguard.exe
O4 - HKLM\..\Run: [McAfee Backup] "C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe"
O4 - HKLM\..\Run: [fovuzevevo] Rundll32.exe "gukehere.dll",s
O4 - HKLM\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0
O4 - HKLM\..\Run: [fawiyumoz] Rundll32.exe "c:\windows\system32\guyubaha.dll",a
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\config\SYSTEM~1\ntuser.dll,_IWMPEvents@0
O4 - HKCU\..\Run: [A00FD899B5.exe] C:\DOCUME~1\Amanda\LOCALS~1\Temp\_A00FD899B5.exe
O4 - HKCU\..\Run: [BackUp Windows 2009] C:\DOCUME~1\Amanda\LOCALS~1\Temp\ejq9vdp.exe
O4 - HKCU\..\Run: [Yjafosi8kdf98winmdkmnkmfnwe] C:\DOCUME~1\Amanda\LOCALS~1\Temp\mdm.exe
O4 - HKCU\..\Run: [kscdaglx] C:\Documents and Settings\Amanda\Local Settings\Application Data\bmsggq\emunsysguard.exe
O4 - HKCU\..\Run: [fontatmgfx] rundll32.exe "C:\Documents and Settings\Amanda\Local Settings\Application Data\fontatmgfx\fontatmgfx.dll", DllInit
O4 - S-1-5-18 Startup: AntiVirus Plus.lnk = C:\WINDOWS\system32\rundll32.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: scandisk.dll (User 'SYSTEM')
O4 - .DEFAULT Startup: AntiVirus Plus.lnk = C:\WINDOWS\system32\rundll32.exe (User 'Default user')
O4 - .DEFAULT Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'Default user')
O4 - .DEFAULT Startup: scandisk.dll (User 'Default user')
O4 - Startup: AntiVirus Plus.lnk = C:\WINDOWS\system32\rundll32.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: scandisk.dll
O4 - Global Startup: AntiVirus Plus.lnk = C:\WINDOWS\system32\rundll32.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset...lineScanner.cab
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace....ceUploader2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E31D0C89-560C-40C7-8212-462ED91CF1ED}: NameServer = 77.74.48.113
O18 - Filter hijack: text/html - {6d9b3587-f751-4785-b21b-adb3418eedd5} - C:\WINDOWS\batmeter16.dll
O20 - AppInit_DLLs: c:\windows\system32\guyubaha.dll,jiyazami.dll
O20 - Winlogon Notify: __c003F1D - C:\WINDOWS\system32\__c003F1D.dat (file missing)
O20 - Winlogon Notify: __c0098C4 - C:\WINDOWS\system32\__c0098C4.dat (file missing)
O20 - Winlogon Notify: __c00A3FDB - C:\WINDOWS\system32\__c00A3FDB.dat (file missing)
O20 - Winlogon Notify: __c00CC4E9 - C:\WINDOWS\system32\__c00CC4E9.dat (file missing)
O21 - SSODL: gidumutuh - {6d8c948b-4f91-4b96-a369-21c93d315cd9} - c:\windows\system32\guyubaha.dll
O22 - SharedTaskScheduler: kjaf83hfriunf3sf9sfinoi\sufh\87sefhuhdd - {A45A4B15-23F2-42AD-F4E4-00AAC39C0004} - C:\WINDOWS\system32\mkw4se9xn4.dll (file missing)
O22 - SharedTaskScheduler: gahurihor - {6d8c948b-4f91-4b96-a369-21c93d315cd9} - c:\windows\system32\guyubaha.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 9637 bytes
#1
Posted 10 November 2009 - 04:13 PM
#2
Posted 15 November 2009 - 03:35 PM
Please stop posting with ALL CAPITAL LETTERS as that is considered rude and is difficult to read.
STEP 01
With all other applications closed (Taskbar empty), open HijackThis again,
run "Do a system scan only" and place a check mark on the following items.
- O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
- O4 - HKLM\..\Run: [kscdaglx] C:\Documents and Settings\Amanda\Local Settings\Application Data\bmsggq\emunsysguard.exe
- O4 - HKLM\..\Run: [fovuzevevo] Rundll32.exe "gukehere.dll",s
- O4 - HKLM\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0
- O4 - HKLM\..\Run: [fawiyumoz] Rundll32.exe "c:\windows\system32\guyubaha.dll",a
- O4 - HKCU\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\config\SYSTEM~1\ntuser.dll,_IWMPEvents@0
- O4 - HKCU\..\Run: [A00FD899B5.exe] C:\DOCUME~1\Amanda\LOCALS~1\Temp\_A00FD899B5.exe
- O4 - HKCU\..\Run: [BackUp Windows 2009] C:\DOCUME~1\Amanda\LOCALS~1\Temp\ejq9vdp.exe
- O4 - HKCU\..\Run: [Yjafosi8kdf98winmdkmnkmfnwe] C:\DOCUME~1\Amanda\LOCALS~1\Temp\mdm.exe
- O4 - HKCU\..\Run: [kscdaglx] C:\Documents and Settings\Amanda\Local Settings\Application Data\bmsggq\emunsysguard.exe
- O4 - HKCU\..\Run: [fontatmgfx] rundll32.exe "C:\Documents and Settings\Amanda\Local Settings\Application Data\fontatmgfx\fontatmgfx.dll", DllInit
- O4 - S-1-5-18 Startup: AntiVirus Plus.lnk = C:\WINDOWS\system32\rundll32.exe (User 'SYSTEM')
- O4 - S-1-5-18 Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'SYSTEM')
- O4 - S-1-5-18 Startup: scandisk.dll (User 'SYSTEM')
- O4 - .DEFAULT Startup: AntiVirus Plus.lnk = C:\WINDOWS\system32\rundll32.exe (User 'Default user')
- O4 - .DEFAULT Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'Default user')
- O4 - .DEFAULT Startup: scandisk.dll (User 'Default user')
- O4 - Startup: AntiVirus Plus.lnk = C:\WINDOWS\system32\rundll32.exe
- O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
- O4 - Startup: scandisk.dll
- O4 - Global Startup: AntiVirus Plus.lnk = C:\WINDOWS\system32\rundll32.exe
- O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
- O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset...lineScanner.cab
- O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace....ceUploader2.cab
- O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ent/swflash.cab
- O17 - HKLM\System\CCS\Services\Tcpip\..\{E31D0C89-560C-40C7-8212-462ED91CF1ED}: NameServer = 77.74.48.113
- O18 - Filter hijack: text/html - {6d9b3587-f751-4785-b21b-adb3418eedd5} - C:\WINDOWS\batmeter16.dll
- O20 - AppInit_DLLs: c:\windows\system32\guyubaha.dll,jiyazami.dll
- O20 - Winlogon Notify: __c003F1D - C:\WINDOWS\system32\__c003F1D.dat (file missing)
- O20 - Winlogon Notify: __c0098C4 - C:\WINDOWS\system32\__c0098C4.dat (file missing)
- O20 - Winlogon Notify: __c00A3FDB - C:\WINDOWS\system32\__c00A3FDB.dat (file missing)
- O20 - Winlogon Notify: __c00CC4E9 - C:\WINDOWS\system32\__c00CC4E9.dat (file missing)
- O21 - SSODL: gidumutuh - {6d8c948b-4f91-4b96-a369-21c93d315cd9} - c:\windows\system32\guyubaha.dll
- O22 - SharedTaskScheduler: kjaf83hfriunf3sf9sfinoi\sufh\87sefhuhdd - {A45A4B15-23F2-42AD-F4E4-00AAC39C0004} - C:\WINDOWS\system32\mkw4se9xn4.dll (file missing)
- O22 - SharedTaskScheduler: gahurihor - {6d8c948b-4f91-4b96-a369-21c93d315cd9} - c:\windows\system32\guyubaha.dll
Then Quit All Browsers including the one you're reading this in now.
Then click on Fix checked and then quit HJT
STEP 02
Restart The Computer
STEP 03
Please download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
- If you are using Firefox, make sure that your download settings are as follows:
- Tools->Options->Main tab
- Set to "Always ask me where to Save the files".
- During the download, rename Combofix to Combo-Fix as follows:
- It is important you rename Combofix during the download, but not after.
- Please do not rename Combofix to other names, but only to the one indicated.
- Close any open browsers.
- Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore your connection.
-----------------------------------------------------------
- Double click on Combo-Fix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.
If you still cannot get this to run, try booting into Safe Mode, and run it there.
To boot into Safe Mode, tap F8 after the BIOS screen, just before the Windows logo appears. A list of options will appear; select "Safe Mode."
If this doesn't work either, try the same method as above, but rename Combofix.exe to iexplore.exe or winlogon.exe instead.
This is because in some cases malware blocks EVERY process except those on its own whitelist, and that whitelist includes important system processes such as iexplore.exe, explorer.exe, winlogon.exe...
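The fix list above is built by reading the HijackThis log by hand: machine-wide Run keys pointing into Temp or Application Data, rundll32 loaders, a DisableRegedit policy, a NameServer override, a text/html filter hijack, AppInit_DLLs, and Winlogon Notify hooks whose files are missing. The script below is an added example (not part of this thread or of HijackThis) that applies those same heuristics to an HJT 2.0 log and cross-references AppInit_DLLs against the O21/O22 shell components loading the same DLL. The sample log is constructed from a dozen lines copied from the log in the first post; the trusted-resolver allowlist is an assumption the caller supplies, since which DNS server is legitimate depends on the network.

```python
"""Triage a HijackThis 2.0 log for the persistence patterns seen in rogue-AV / Vundo-style
infections: autoruns from user-writable paths, rundll32 loaders, registry policy lockouts,
DNS NameServer overrides, MIME filter hijacks, AppInit_DLLs and Winlogon Notify hooks.
Added example; heuristics are the reviewer's, not HijackThis' own logic."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines copied from the HJT log posted above, in HJT 2.0 format.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [kscdaglx] C:\Documents and Settings\Amanda\Local Settings\Application Data\bmsggq\emunsysguard.exe
O4 - HKLM\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0
O4 - HKCU\..\Run: [BackUp Windows 2009] C:\DOCUME~1\Amanda\LOCALS~1\Temp\ejq9vdp.exe
O4 - Startup: scandisk.dll
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O17 - HKLM\System\CCS\Services\Tcpip\..\{E31D0C89-560C-40C7-8212-462ED91CF1ED}: NameServer = 77.74.48.113
O18 - Filter hijack: text/html - {6d9b3587-f751-4785-b21b-adb3418eedd5} - C:\WINDOWS\batmeter16.dll
O20 - AppInit_DLLs: c:\windows\system32\guyubaha.dll,jiyazami.dll
O20 - Winlogon Notify: __c003F1D - C:\WINDOWS\system32\__c003F1D.dat (file missing)
O22 - SharedTaskScheduler: gahurihor - {6d8c948b-4f91-4b96-a369-21c93d315cd9} - c:\windows\system32\guyubaha.dll
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
"""

# Locations an unprivileged user can write to; a machine-wide autorun pointing here is rarely legitimate.
USER_WRITABLE = re.compile(r"\\(temp|local settings\\application data|locals~1)\\", re.I)
RUNDLL32 = re.compile(r"\brundll32(\.exe)?\b", re.I)
NAMESERVER = re.compile(r"NameServer = (?P<servers>[\d., ]+)$")


@dataclass(frozen=True)
class Finding:
    section: str  # HJT section code, e.g. "O4"
    reason: str
    line: str


def _section(line: str) -> str:
    return line.split(" - ", 1)[0]


def _dll_basenames(value: str) -> set[str]:
    """Lower-cased file names from a comma-separated DLL list (AppInit_DLLs format)."""
    return {p.strip().rsplit("\\", 1)[-1].lower() for p in value.split(",") if p.strip()}


def triage(log_text: str, trusted_dns: frozenset[str] = frozenset()) -> list[Finding]:
    lines = [ln.strip() for ln in log_text.splitlines() if " - " in ln]

    # Pass 1: DLLs forced into every process via AppInit_DLLs. Any other entry loading the
    # same DLL (SSODL, SharedTaskScheduler, Run key) belongs to the same infection.
    appinit: set[str] = set()
    for ln in lines:
        if ln.startswith("O20 - AppInit_DLLs:"):
            appinit |= _dll_basenames(ln.split(":", 1)[1])

    findings: list[Finding] = []

    def flag(ln: str, reason: str) -> None:
        findings.append(Finding(_section(ln), reason, ln))

    # Pass 2: per-section heuristics, at most one finding per line.
    for ln in lines:
        sec = _section(ln)
        # Last path component of the line, including any trailing "(file missing)" note.
        tail = ln.rsplit("\\", 1)[-1].lower()
        if sec == "O4":
            if USER_WRITABLE.search(ln):
                flag(ln, "autorun launched from a user-writable Temp / Application Data path")
            elif RUNDLL32.search(ln):
                flag(ln, "rundll32 autorun; inspect the DLL and export it loads")
            elif tail.endswith(".dll"):
                flag(ln, "bare DLL placed in a Startup folder")
            elif tail in appinit:
                flag(ln, "loads a DLL that is also injected via AppInit_DLLs")
        elif sec == "O7":
            flag(ln, "registry policy restriction set (regedit/taskmgr lockout)")
        elif sec == "O17":
            m = NAMESERVER.search(ln)
            if m:
                servers = [s for s in re.split(r"[ ,]+", m.group("servers").strip()) if s]
                rogue = [s for s in servers if s not in trusted_dns]
                if rogue:
                    flag(ln, "DNS NameServer override to untrusted resolver(s): " + ", ".join(rogue))
        elif sec == "O18" and "Filter hijack" in ln:
            flag(ln, "MIME filter hijack: content of this type is rewritten before the browser renders it")
        elif sec == "O20":
            if ln.startswith("O20 - AppInit_DLLs:"):
                flag(ln, "AppInit_DLLs populated: DLLs injected into every user32-linked process")
            elif "Winlogon Notify" in ln and ("(file missing)" in ln or tail.startswith("__c")):
                flag(ln, "Winlogon Notify hook with missing or randomly named DLL")
        elif sec in ("O21", "O22"):
            if tail in appinit:
                flag(ln, f"{sec} shell component loads the AppInit_DLLs DLL {tail}")
            elif "(file missing)" in ln:
                flag(ln, "registered shell component whose file is missing")
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per HJT section code."""
    return dict(Counter(f.section for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

On the sample the script flags ten entries and leaves the iTunes and McAfee lines alone; passing the rogue resolver in `trusted_dns` drops the O17 finding, which is the knob to turn when the NameServer really is the ISP's. The result is a review list, not a removal list: a rundll32 Run entry or an O22 component still needs the DLL looked at before it goes on a fix line.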
#5
Posted 20 November 2009 - 08:45 AM
Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.
Other members who need assistance please start your own topic in a new thread. Thanks!
The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.