Full Version: .exe files stopped working
Malwarebytes Forum > Computer Help > Malware Removal - HijackThis Logs
peepster1005
First off, I love your program. It's easy to use and works great. Keep up the good work.

Anyway, I'm having a major problem with my computer. I recently got a virus while searching for guitar parts. I noticed it right away, as your program told me immediately, and my computer slowed down quite a bit. It was a Trojan virus. As it was getting late, I figured I would shut down my computer for the night and work on removing the virus the next day, as Trojans take a bit of extra work to remove in my opinion. The next morning I log on, and almost nothing is working. Please understand that all programs, and I do mean ALL PROGRAMS with an .exe file, do not work. iTunes, Windows Movie Maker, and even Malwarebytes WILL NOT start up no matter what I do or try. Not even my screensaver. I noticed Malwarebytes was missing the .exe file altogether.

Here's where things start to get fun. I figured if maybe I uninstalled Malwarebytes, reinstalled it, and removed the virus, maybe things could go back to normal. But the problem is, the Add/Remove Programs Wizard is an application, and applications have an .exe file, which means it won't open. I have tried to System Restore my computer back a few days, but the System Restore program is also an application, so that won't work either.

My question is, what is my next step!?! I am completely stumped, and I have no idea where to go from here. I don't want to have to completely restore my computer, so any other possible option will be taken first.

Also, is it possible for a virus to corrupt and/or delete an .exe file?

Thanks for your time!!!!!

-peepster1005
LDTate
Stay with this topic until I give you the final 'All clean' post.


Vista users:
1. These tools MUST be run from the executable. (.exe)
2. With Admin Rights (Right click, choose "Run as Administrator") every time you run them



1) exeHelper
Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).
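The lines exeHelper prints ("Resetting filetype association for .exe", "Resetting userinit and shell values") name the registry locations that decide whether double-clicking an .exe launches it at all. The following is an added, read-only audit of those locations; it is not exeHelper, ComboFix or any tool from this thread. The registry paths and the expected clean values are the standard Windows ones; the check labels and status words are this script's own. Run it from an elevated PowerShell prompt; it writes nothing.

```powershell
# Added example (not a forum tool): read-only audit of the registry values that
# "Resetting filetype association for .exe/.com" and "Resetting userinit and
# shell values" refer to. Paths and expected values are Windows defaults;
# the Check labels and Status words are this script's own.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is absent instead of throwing.
    try {
        $props = Get-ItemProperty -LiteralPath $Path -ErrorAction Stop
        return $props.$Name
    } catch {
        return $null
    }
}

function Test-ExeLaunchPath {
    # What Windows consults when an .exe or .com is launched, with the clean value.
    $expected = @(
        @{ Check = '.exe maps to exefile';  Path = 'Registry::HKEY_CLASSES_ROOT\.exe';                       Name = '(default)'; Value = 'exefile' }
        @{ Check = 'exefile open command';  Path = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'; Name = '(default)'; Value = '"%1" %*' }
        @{ Check = 'comfile open command';  Path = 'Registry::HKEY_CLASSES_ROOT\comfile\shell\open\command'; Name = '(default)'; Value = '"%1" %*' }
        @{ Check = 'Winlogon Userinit';     Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit'; Value = "$env:windir\system32\userinit.exe," }
        @{ Check = 'Winlogon Shell';        Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell';    Value = 'explorer.exe' }
    )
    # Per-user keys that shadow HKEY_CLASSES_ROOT for the current user. A clean
    # profile does not have them, so their presence deserves a look.
    $perUserOverrides = @(
        'HKCU:\Software\Classes\.exe',
        'HKCU:\Software\Classes\exefile\shell\open\command'
    )

    $results = @(foreach ($e in $expected) {
        $actual = Get-RegValue -Path $e.Path -Name $e.Name
        $status = if ($null -eq $actual) { 'MISSING' }
                  elseif ("$actual" -eq $e.Value) { 'OK' }   # string compare, case-insensitive
                  else { 'MISMATCH' }
        [pscustomobject]@{ Check = $e.Check; Status = $status; Expected = $e.Value; Actual = $actual; Location = "$($e.Path) [$($e.Name)]" }
    })
    $results += @(foreach ($p in $perUserOverrides) {
        if (Test-Path -LiteralPath $p) {
            [pscustomobject]@{ Check = 'Per-user override'; Status = 'REVIEW'; Expected = '(absent)'; Actual = (Get-RegValue -Path $p -Name '(default)'); Location = $p }
        }
    })
    return $results
}

Test-ExeLaunchPath | Format-Table Check, Status, Expected, Actual -AutoSize
```

A MISMATCH on the open command (typically an extra program path in front of `"%1" %*`) or on Userinit is the condition the tool resets; a REVIEW row means the user hive is overriding the machine-wide association, which exeHelper's HKCR reset alone does not address.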
peepster1005
I did that, but as soon as the black box opens, it closes immediately.
LDTate
Rename exeHelper.com to explorer.exe.

Now try it.
peepster1005
That's better. This is what I got, but my programs still aren't opening. Do I need to restart?

exeHelper by Raktor
Build 20091021
Run at 16:56:14 on 11/01/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

exeHelper by Raktor
Build 20091021
Run at 16:57:14 on 11/01/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

peepster1005
QUOTE (peepster1005 @ Nov 1 2009, 04:58 PM)
That's better. This is what I got, but my programs still aren't opening. Do I need to restart?

exeHelper by Raktor
Build 20091021
Run at 16:56:14 on 11/01/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

exeHelper by Raktor
Build 20091021

Run at 16:57:14 on 11/01/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--



Sorry, ran it twice because I accidentally closed the boxes.
LDTate
I hope you're not infected with Virut.

Do this:

Download Combofix from any of the links below but rename it to ABCD.exe before saving it to your desktop.

* IMPORTANT !!! Save ABCD.exe to your Desktop

Link 1
Link 2


Double click on the ABCD.exe (ComboFix.exe) & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.
peepster1005
My computer doesn't allow me to rename things before they are downloaded.
LDTate
QUOTE (peepster1005 @ Nov 1 2009, 05:04 PM)
My computer doesn't allow me to rename things before they are downloaded.
I've never heard of that. When you click on the download do you not get the option to Save and Select to save on the desktop and at the bottom of the open windows, the file name?
peepster1005
Sorry, didn't know you could do that. Thanks.
peepster1005
I double clicked it and it didn't do anything.
LDTate
I want you to reboot and as soon as you see the desktop icons double click ABCD and try to run it.
peepster1005
Nope, that didn't do anything.
LDTate
OK. Renaming exeHelper to explorer.exe worked, so let's do this.
Rename ABCD.exe to explorer.exe

It will warn you that the file already exists, but go ahead and replace it.

Now run explorer.exe
peepster1005
Okay, I changed the name, ran the program, clicked agree a couple times and it opened a blue box. It said it was missing a program and could not continue without it, so I agreed to download, and now my programs are working. Is this a final fix? If I reboot, will this all start over again?

Oh, and the icon for it disappeared. Is that supposed to happen too?


LDTate
QUOTE (peepster1005 @ Nov 1 2009, 05:40 PM)
Okay, I changed the name, ran the program, clicked agree a couple times and it opened a blue box. It said it was missing a program and could not continue without it, so I agreed to download, and now my programs are working. Is this a final fix? If I reboot, will this all start over again?

Oh, and the icon for it disappeared. Is that supposed to happen too?
NO. You're far from being fixed.
Will MBAM run? If so do a scan with MBAM and post the results.

Is Combofix running?
peepster1005
Yes, ComboFix is working. Or did work, I should say. I started it up, got the blue box again, and it started to scan (I think?). It said completed stage 1, 2, 3... and so on all the way to fifty. Then it restarted my computer and created a log of everything it has done.

Now here is my new problem. Most of my programs quit on me earlier today, but after I ran ComboFix, none of them work. Not even my Firefox is opening. I am writing this on my iPod touch. I will let you know ASAP when my Internet browser is working properly.

I could not scan my computer with malwarebytes because even after I redownloaded it, it is still missing the .exe file to run it.

But on the bright side, my Sophos Anti-virus is no longer telling me that I have a virus. (yes, I have two anti-virus programs. Can never be too safe, right?)

I'll check my computer in the morning to see if anything has changed. But for now, where do I go from here?
LDTate
Never install more than one Antivirus and Firewall! Rather than giving you extra protection, it will decrease the reliability of it seriously!
The reason for this is that if both products have their automatic (Real-Time) protection switched on, your system may lock up due to both software products attempting to access the same file at the same time.
Also because more than one Antivirus and Firewall installed are not compatible with each other, it can cause system performance problems and a serious system slowdown.

Look for the file combofix.txt and post the text file.
peepster1005
Here you go. Need anything else let me know.

------------------------------------------------------------------

ComboFix 09-10-30.01 - Owner 11/01/2009 22:13.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.399 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Owner\LOCALS~1\Temp\tmp1.tmp
c:\docume~1\Owner\LOCALS~1\Temp\tmp2.tmp
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\recycler\S-1-5-21-2846970920-2938027396-4193320068-1003
c:\recycler\S-1-5-21-4254032958-3633240100-2296491676-1003
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\jestertb.dll
c:\windows\system32\bahaboho.dll
c:\windows\system32\bolapuno.dll
c:\windows\system32\bsfusxsd.ini
c:\windows\system32\camhkfty.ini
c:\windows\system32\cyawxtjg.ini
c:\windows\system32\eKRXyccf.ini2
c:\windows\system32\fnvytlep.ini
c:\windows\system32\fozojati.dll
c:\windows\system32\fqtdhtrl.ini
c:\windows\system32\gejapifo.dll
c:\windows\system32\gmoersnh.ini
c:\windows\system32\gmseivjm.ini
c:\windows\system32\gujavujo.dll.tmp
c:\windows\system32\guyohimu.dll
c:\windows\system32\haporapu.dll
c:\windows\system32\hekomuno.dll
c:\windows\system32\heoltnjq.ini
c:\windows\system32\hiyuvubo.dll
c:\windows\system32\iumpygka.ini
c:\windows\system32\jadegada.dll
c:\windows\system32\jaxtaiys.ini
c:\windows\system32\jevaziji.dll
c:\windows\system32\jewipaje.dll
c:\windows\system32\jibepobo.dll
c:\windows\system32\jijuwajo.dll
c:\windows\system32\kveneorp.ini
c:\windows\system32\libopeke.dll
c:\windows\system32\lijujuto.dll
c:\windows\system32\lymgygng.ini
c:\windows\system32\mivusufu.dll
c:\windows\system32\muyonuvu.dll.tmp
c:\windows\system32\nnbsxtnj.ini
c:\windows\system32\nunuluna.dll.tmp
c:\windows\system32\pinigalo.dll
c:\windows\system32\puleluro.dll.tmp
c:\windows\system32\qkwtpqpw.ini
c:\windows\system32\qqicpqkd.ini
c:\windows\system32\rizilipi.dll
c:\windows\system32\rujisovo.dll
c:\windows\system32\sabadobe.dll
c:\windows\system32\sorofita.dll
c:\windows\system32\soyifafi.dll.tmp
c:\windows\system32\suroteto.dll
c:\windows\system32\tatetimo.dll
c:\windows\system32\tehenupo.dll
c:\windows\system32\tupkcrug.ini
c:\windows\system32\vemewofo.dll
c:\windows\system32\vlduhhqg.ini
c:\windows\system32\vnojeopw.ini
c:\windows\system32\voriduzi.dll
c:\windows\system32\vovamoba.dll.tmp
c:\windows\system32\wxIRtDMp.ini2
c:\windows\system32\xkqrkbof.ini
c:\windows\system32\yilinetu.dll
c:\windows\system32\yjpjajlv.ini
c:\windows\system32\yoyiriku.dll
c:\windows\system32\zabanalu.dll
c:\windows\system32\zofisuvu.dll
c:\windows\Tasks\omjyxrsp.job
c:\windows\Tasks\zzqppvco.job
D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((( Files Created from 2009-10-02 to 2009-11-02 )))))))))))))))))))))))))))))))
.

2009-11-02 04:10 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-02 04:10 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-02 00:16 . 2009-11-02 00:17 -------- d-----w- c:\program files\iTunes
2009-11-02 00:16 . 2009-11-02 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-11-02 00:13 . 2009-11-02 00:13 -------- d-----w- c:\program files\QuickTime
2009-11-02 00:11 . 2009-11-02 00:17 -------- d-----w- c:\windows\LastGood.Tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-02 04:10 . 2009-02-26 16:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-02 00:21 . 2006-12-25 14:52 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2009-11-02 00:16 . 2006-12-25 14:48 -------- d-----w- c:\program files\iPod
2009-11-02 00:16 . 2007-12-25 14:12 -------- d-----w- c:\program files\Common Files\Apple
2009-11-02 00:11 . 2007-12-25 14:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-10-27 22:17 . 2009-06-24 19:10 -------- d-----w- c:\documents and settings\Owner\Application Data\Cabos
2009-10-27 20:48 . 2009-10-27 20:48 73728 ---ha-w- c:\documents and settings\Owner\Application Data\RBRegEx550.dll
2009-10-27 20:48 . 2009-10-27 20:48 39936 ---ha-w- c:\documents and settings\Owner\Application Data\RBShell555.dll
2009-10-27 20:47 . 2006-09-13 23:08 93008 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-06 16:38 . 2006-09-13 23:08 13402 ----a-w- c:\documents and settings\Owner\Application Data\wklnhst.dat
2009-09-05 01:44 . 2009-09-05 01:44 -------- d-----w- c:\program files\Audacity
2009-08-29 01:42 . 2009-04-04 00:35 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-29 01:42 . 2007-12-25 14:13 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-07-30 20:45 . 2009-07-30 20:45 60928 --sha-w- c:\windows\system32\bikehizi.dll
2009-07-31 16:34 . 2009-07-31 16:34 89088 --sha-w- c:\windows\system32\fazotene.dll
2009-08-01 04:35 . 2009-08-01 04:35 89600 --sha-w- c:\windows\system32\hisakite.dll
2009-07-30 20:45 . 2009-07-30 20:45 89088 --sha-w- c:\windows\system32\tijayefe.dll
2009-08-01 16:35 . 2009-08-01 16:35 89088 --sha-w- c:\windows\system32\viwadefo.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\documents and settings\Owner\My Documents\My Pictures\Picasa2\PicasaMediaDetector.exe" [2008-02-26 443968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"gagehokah"="c:\windows\system32\tijayefe.dll" [2009-07-30 89088]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2009-6-11 245760]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{e5dd95c5-ddb5-4bfb-af7c-62fced274337}"= "c:\windows\system32\tijayefe.dll" [2009-07-30 89088]
"{87b59fa5-8a82-4609-8042-56fd0fc50762}"= "c:\windows\system32\tijayefe.dll" [2009-07-30 89088]
"{413f0a90-469a-44e0-ac55-2534858a2282}"= "c:\windows\system32\tijayefe.dll" [2009-07-30 89088]
"{14fe8fbb-7a06-4215-8e00-9d7b38662bdc}"= "c:\windows\system32\tijayefe.dll" [2009-07-30 89088]
"{61238692-df6d-4d78-a15f-cd48f9991f60}"= "c:\windows\system32\tijayefe.dll" [2009-07-30 89088]
"{0c35cdec-f50f-4c9e-93a4-0ef26441ed77}"= "c:\windows\system32\viwadefo.dll" [2009-08-01 89088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"nonomohev"= {e5dd95c5-ddb5-4bfb-af7c-62fced274337} - c:\windows\system32\tijayefe.dll [2009-07-30 89088]
"tavanasag"= {87b59fa5-8a82-4609-8042-56fd0fc50762} - c:\windows\system32\tijayefe.dll [2009-07-30 89088]
"kobuguhof"= {413f0a90-469a-44e0-ac55-2534858a2282} - c:\windows\system32\tijayefe.dll [2009-07-30 89088]
"dibofehen"= {14fe8fbb-7a06-4215-8e00-9d7b38662bdc} - c:\windows\system32\tijayefe.dll [2009-07-30 89088]
"soyerebog"= {61238692-df6d-4d78-a15f-cd48f9991f60} - c:\windows\system32\tijayefe.dll [2009-07-30 89088]
"rivuzizum"= {0c35cdec-f50f-4c9e-93a4-0ef26441ed77} - c:\windows\system32\viwadefo.dll [2009-08-01 89088]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoUpdate Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoUpdate Monitor.lnk
backup=c:\windows\pss\AutoUpdate Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [9/6/2008 12:33 PM 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [9/6/2008 12:33 PM 38528]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [10/5/2009 5:22 AM 80936]
R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [8/21/2008 6:04 AM 98304]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [6/29/2006 12:19 PM 200576]
S3 DzlUsb;Dazzle DVC USB Device;c:\windows\system32\drivers\DzlUsb.sys [2/12/2009 10:07 PM 62800]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [9/30/2008 5:56 PM 14976]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CLASSPNP_2
*NewlyCreated* - MBR
*Deregistered* - CLASSPNP_2
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:34]

2008-08-06 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1200 series5E771253C1676EBED677BF361FDFC537825E15B8210036949.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 05:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {049A470D-F818-4E34-B14D-E4E237DADCF8} - hxxp://www.shockwave.com/content/fashiondash/sis/fashiondashweb.1.0.0.21.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\odolpp8q.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\odolpp8q.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

BHO-{571d9660-bab1-4729-aa62-1f17d27c60cc} - bahaboho.dll
BHO-{7FE54E07-2F72-42D8-96C9-E7128D6A07D0} - c:\windows\system32\fccyXRKe.dll
HKCU-Run-prunnet - c:\windows\system32\prunnet.exe
HKLM-Run-prunnet - c:\windows\system32\prunnet.exe
HKLM-Run-zipikobusi - jibepobo.dll
SharedTaskScheduler-{6676b59e-ea1a-436b-82d8-e8cfaa8b3072} - c:\windows\system32\gejapifo.dll
SSODL-fifidunod-{6676b59e-ea1a-436b-82d8-e8cfaa8b3072} - c:\windows\system32\gejapifo.dll
AddRemove-Picasa 3 - c:\documents and settings\Owner\My Documents\My Pictures\Google\Picasa3\Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-01 22:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spaa.sys >>UNKNOWN [0x86588938]<<
kernel: MBR read successfully
user & kernel MBR OK
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

atapi.sys @ 0x0 0x0 bytes

\Driver\atapi [ IRP_MJ_CREATE ] 0xA6F2 != 0xF73B4B40 atapi.sys
\Driver\atapi [ IRP_MJ_CLOSE ] 0xA6F2 != 0xF73B4B40 atapi.sys
\Driver\atapi [ IRP_MJ_DEVICE_CONTROL ] 0xA712 != 0xF73B4B40 atapi.sys
\Driver\atapi [ IRP_MJ_INTERNAL_DEVICE_CONTROL ] 0x6852 != 0xF73B4B40 atapi.sys
\Driver\atapi [ IRP_MJ_POWER ] 0xA73C != 0xF73B4B40 atapi.sys
\Driver\atapi [ IRP_MJ_SYSTEM_CONTROL ] 0x11336 != 0xF73B4B40 atapi.sys
\Driver\atapi IRP hooks detected !

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(648)
c:\windows\system32\BCMLogon.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2880)
c:\windows\system32\viwadefo.dll
c:\windows\system32\tijayefe.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
c:\program files\Common Files\Microsoft Shared\OFFICE11\MSOXEV.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Sophos\AutoUpdate\ALsvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\WLTRAY.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-11-02 22:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-02 04:48

Pre-Run: 2,599,698,432 bytes free
Post-Run: 10,353,078,272 bytes free

- - End Of File - - 6DE53CB9F135A344F92F25F29F5CC28C
LDTate
Copy/paste the text in the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

CODE
File::
c:\windows\system32\bikehizi.dll
c:\windows\system32\fazotene.dll
c:\windows\system32\hisakite.dll
c:\windows\system32\tijayefe.dll
c:\windows\system32\viwadefo.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gagehokah"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{e5dd95c5-ddb5-4bfb-af7c-62fced274337}"=-
"{87b59fa5-8a82-4609-8042-56fd0fc50762}"=-
"{413f0a90-469a-44e0-ac55-2534858a2282}"=-
"{14fe8fbb-7a06-4215-8e00-9d7b38662bdc}"=-
"{61238692-df6d-4d78-a15f-cd48f9991f60}"=-
"{0c35cdec-f50f-4c9e-93a4-0ef26441ed77}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"nonomohev"=-
"tavanasag"=-
"kobuguhof"=-
"dibofehen"=-
"soyerebog"=-
"rivuzizum"=-


Save this file to your desktop as "CFScript".

Here's how to do that:
1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...




Drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.


Also please describe how your computer behaves at the moment.
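The File:: list in the CFScript above was derived from the ComboFix log: each of those DLLs is either registered under several load points at once (tijayefe.dll sits under Run, five SharedTaskScheduler CLSIDs and five ShellServiceObjectDelayLoad names) or carries the hidden+system `--sha-w-` attributes in the Find3M report. The script below is an added example that automates that triage; it is not ComboFix's own logic and not what the helper ran. The two heuristics (same file at two or more load points; hidden+system attributes) are this script's own, and $SampleLog is a constructed excerpt of the log posted above, so it runs offline on any machine with PowerShell.

```powershell
# Added example (not ComboFix's logic): pull the autostart entries out of a
# ComboFix-style log and flag a file that is registered at two or more load
# points or whose Find3M line shows hidden+system attributes. Heuristics are
# this script's own. $SampleLog is a constructed excerpt of the posted log.

$SampleLog = @'
2009-07-30 20:45 . 2009-07-30 20:45 60928 --sha-w- c:\windows\system32\bikehizi.dll
2009-07-31 16:34 . 2009-07-31 16:34 89088 --sha-w- c:\windows\system32\fazotene.dll
2009-08-29 01:42 . 2009-04-04 00:35 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"gagehokah"="c:\windows\system32\tijayefe.dll" [2009-07-30 89088]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{e5dd95c5-ddb5-4bfb-af7c-62fced274337}"= "c:\windows\system32\tijayefe.dll" [2009-07-30 89088]
"{0c35cdec-f50f-4c9e-93a4-0ef26441ed77}"= "c:\windows\system32\viwadefo.dll" [2009-08-01 89088]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"nonomohev"= {e5dd95c5-ddb5-4bfb-af7c-62fced274337} - c:\windows\system32\tijayefe.dll [2009-07-30 89088]
"rivuzizum"= {0c35cdec-f50f-4c9e-93a4-0ef26441ed77} - c:\windows\system32\viwadefo.dll [2009-08-01 89088]
'@

function Find-SuspiciousLoadPoints {
    param([string]$LogText)

    $loadPoints   = @{}   # lowercased file path -> array of "key\valuename"
    $hiddenSystem = @{}   # lowercased file path -> $true when attrs contain s and h
    $currentKey   = ''

    $reHeader = '^\[(?<key>[^\]]+)\]\s*$'
    # value name, then anything, then the first drive-letter path ending in .dll/.exe
    $reValue  = '^"(?<name>[^"]+)"\s*=\s*.*?(?<path>[a-z]:\\[^"\[\]]+?\.(?:dll|exe))'
    # Find3M / Files Created line: two timestamps, size, 8-char attribute field, path
    $reFile   = '^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} \d+ (?<attr>\S{8}) (?<path>\S.*)$'

    foreach ($line in ($LogText -split "`r?`n")) {
        if ($line -match $reHeader) { $currentKey = $Matches.key; continue }
        if ($line -match $reFile) {
            $attr = $Matches.attr
            $p    = $Matches.path.Trim().ToLowerInvariant()
            if ($attr -like '*s*' -and $attr -like '*h*') { $hiddenSystem[$p] = $true }
            continue
        }
        if ($currentKey -and $line -match $reValue) {
            $p = $Matches.path.ToLowerInvariant()
            if (-not $loadPoints.ContainsKey($p)) { $loadPoints[$p] = @() }
            $loadPoints[$p] += "$currentKey\$($Matches.name)"
        }
    }

    $allPaths = @($loadPoints.Keys) + @($hiddenSystem.Keys) | Sort-Object -Unique
    foreach ($p in $allPaths) {
        $points  = if ($loadPoints.ContainsKey($p)) { @($loadPoints[$p]) } else { @() }
        $reasons = @()
        if ($points.Count -ge 2)           { $reasons += "registered at $($points.Count) load points" }
        if ($hiddenSystem.ContainsKey($p)) { $reasons += 'hidden+system attributes' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Path = $p; Reason = ($reasons -join '; '); LoadPoints = $points }
        }
    }
}

Find-SuspiciousLoadPoints -LogText $SampleLog | Format-List
# Against a real log: Find-SuspiciousLoadPoints -LogText (Get-Content C:\ComboFix.txt -Raw)
```

On the sample it reports tijayefe.dll (three load points), viwadefo.dll (two) and bikehizi.dll and fazotene.dll (hidden+system), while LVCOMSX.EXE and usbaaplrc.dll are left alone; that is the same set the File:: section above targets. The output is a list to review, not a deletion list: a legitimate component can be registered at several load points, so confirm each path before acting on it.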
peepster1005
As of right now, before I do anything of what you just gave me, basically nothing is working on the computer. Only a select few programs will open (Paint, Windows Media Player, QuickTime), but that's about it. Anything besides that will not work, along with my Firefox (I'm currently on a different computer).

As soon as I get the CFScript done and run the program, I will post back if there are any major changes.

peepster1005
Hate to say it, but I did what your instructions told me to do, and nothing happened. ComboFix.exe would not run.
LDTate
Can you give me just a little more details?
Is the computer booting up?
peepster1005
Yes, the computer is booting up just fine. Shutting down, restarting, everything is working. But now no programs will run except for a select few (Windows Media Player, QuickTime, Paint, all the basic programs I would assume), but that is it. It basically doesn't do anything, but I can still look at my pictures just fine. It still gives me that little blue computer screen in the lower right-hand corner saying that the computer is connected to the internet, but I cannot get on the internet as neither my Firefox nor my Windows Internet Explorer will open (I'm on a different computer). The USB drives are still working. I believe that's it.
LDTate
Let's see if we can get the PC back on the internet. This file will fit on a floppy or thumb drive.

Get a copy of winsockxpfix.exe and copy it to the infected computer.
You just run it and things should work OK after it reboots your system.

http://www.snapfiles.com/get/winsockxpfix.html

peepster1005
I got the program on my computer, ran it, and restarted, but it didn't do anything. My Firefox is still non-responsive, but I'm willing to try whatever you've got.
LDTate
Did you try IE?
LDTate
Here's a couple more things to try.

Reset IP Stack.

1. Click on Start button.
2. Type Cmd in the Start Search text box.
3. Press Ctrl-Shift-Enter keyboard shortcut to run Command Prompt as Administrator. Allow elevation request.
4. Type netsh int ip reset in the Command Prompt shell, and then press the Enter key.
Restart the computer.


1. Click on Start button.
2. Type Cmd in the Start Search text box.
3. Press Ctrl-Shift-Enter keyboard shortcut to run Command Prompt as Administrator. Allow elevation request.
4. Type ping google.com in the Command Prompt shell, and then press the Enter key.
Did you get a reply or time-out?
peepster1005
Okay, so here's what I did:

1) Start
2) Run
3) Typed Cmd in the box
4) Brought up the Command Prompt
5) Typed in netsh int ip reset, hit Enter
6) Let it do whatever it needed; it said it was reset
7) Restarted and nothing happened.

Is that the way I was supposed to do it? I wasn't sure on your directions.

I did it that way for both of your fixes, and the ping google.com came up with Reply.
LDTate
Ok. You did things correctly.
The ping tells us you're getting access to the outside world.

Whatever version of IE you have I want you to uninstall it. It will go back to the previous version.

I suggest you do this:


Click "Start," and then click "Control Panel."
Click "Add or Remove Programs."
Check "Show Updates" at the top of the dialog box.
Scroll down the list and highlight the version of Internet Explorer that you are running, and then click "Change/Remove."

Reboot and try IE
peepster1005
in the dialog box, it gives me two things - Windows Internet Explorer 7 and Windows Internet Explorer 7 - Software Updates. When I clicked Windows Explorer 7, it did not give me the Change/Remove option. When I clicked the software updates one, it allowed me to pick and choose which update I wanted to remove. So I figured i would go with the latest update, but when I clicked remove, nothing happened.

You asked me earlier if I tried IE, the answer is yes. Whenever I am done with whatever you tell me to do, I always test both of my internets (firefox and IE), just to see if one of them will work, and a program or two, like Windows Movie Maker, perhaps, to see if it will open.
LDTate
We'll keep trying.

see if you have this file:
C:\windows\ServicePackFiles\i386\ie.inf

Right Click on ie.inf and select install.


If that didn't fix IE, try this.

Run the following commands:
Click Start> Run> Copy/Paste each, one at a time
Run each line individually.
Note the space, it needs to be there.
After each run, you should see a short message stating the command was successful.

regsvr32 Urlmon.dll
regsvr32 Shdocvw.dll
regsvr32 Shell32.dll (only applicable to Windows ME, Windows 2000 and XP)
regsvr32 Oleaut32.dll
regsvr32 Actxprxy.dll
regsvr32 Mshtml.dll

Reboot Computer.
peepster1005
All of them worked except for mshtml.dll; it said...

Mshtml.dll was loaded, but the DLLRegisterServer entry point was not found. This file can not be registered.

Reboot anyway?
LDTate
QUOTE (peepster1005 @ Nov 4 2009, 08:49 PM)
All of them worked except for mshtml.dll; it said...

Mshtml.dll was loaded, but the DLLRegisterServer entry point was not found. This file can not be registered.

Reboot anyway?
Yes reboot.
Do you have your windows CD?
peepster1005
I might be holding it in my hand right now, but I'm not sure if it is the disc for it. I'm checking all over looking to see if anything matches up.
LDTate
Easy enough to find out.

You can use windows sfc (system file checker) You'd need your XP CD to make this work.
Click Start> Run> type sfc /scannow Note the space.
(Note that there is a space between sfc and /scannow)
peepster1005
I have an Operating System Disc, is that what I need to put into the computer?
LDTate
QUOTE (peepster1005 @ Nov 4 2009, 09:05 PM)
I have an Operating System Disc, is that what I need to put into the computer?
When you run System File Checker, if it needs the CD it will inform you to put the CD in the drive.
If it's the correct CD it will use the files it needs. If it isn't the correct CD it will keep asking to insert the correct one. So we'll find out if it's the right one.
peepster1005
Okay, I have it scanning right now. Give me a few minutes.
peepster1005
Okay, scanning is complete, but when the box that monitored the progress closed, nothing happened. Good or bad?
peepster1005
And the scan did not require the use of a CD.
LDTate
QUOTE (peepster1005 @ Nov 4 2009, 09:42 PM)
Okay, scanning is complete, but when the box that monitored the progress closed, nothing happened. Good or bad?
If no errors, it did what was needed for any corrupt files.
Dare I ask if either IE or FF is working? If not, try a reboot.
peepster1005
How dare you ask such a question! Haha just kidding I'm rebooting right now.
peepster1005
I can't remember if I've ever told you this before, but it didn't work.
LDTate
QUOTE (peepster1005 @ Nov 4 2009, 09:52 PM)
I can't remember if I've ever told you this before, but it didn't work.
And I'm not surprised.
I have one more to try tonight, as I need to get to bed.


Try System Restore.

1. Click Start.
2. Point to All Programs.
3. Point to Accessories.
4. Point to System Tools.
5. Click System Restore.
6. Follow the instructions on the wizard.

See if you can find the date it worked after we ran combofix.

peepster1005
System Restore is unfortunately an application with an .exe file to start it up, and no .exe files work on my computer, so that will not work.

Anyway, we'll try again tomorrow.
LDTate
OK. We're back to no .exe will work.



LDTate
Is combofix still named explorer.exe on your desktop?

If so try it.
peepster1005
I checked back, and at post 15 I said that it disappeared immediately after I ran it, so this was a while back. But I still have ComboFix.exe on my desktop. Do you want me to rename that and try again?
LDTate
QUOTE (peepster1005 @ Nov 5 2009, 09:41 PM)
I checked back, and at post 15 I said that it disappeared immediately after I ran it, so this was a while back. But I still have ComboFix.exe on my desktop. Do you want me to rename that and try again?
Yes.