oaktree777

a2 and computer shut down when deleting gen.trojan!ik


Hi,

I am new here and have been reading other remedies for the Gen.Trojan!IK virus that was found by my a2 scan. When I attempt to delete it, a Windows shutdown message comes up and turns off my computer with a 60-second countdown. I have not been able to run any other malware removal programs either; they disappear and are disabled when I attempt to scan. The a2 scan also cannot remove a file called system32\iehelper.dll.

The a2 scan report is copied below. After that I copied the Win32kDiag report.

Thanks for any help you can provide. This has been very frustrating!

a-squared Free - Version 4.5

Last update: 10/2/2009 9:06:49 AM

Scan settings:

Scan type: Smart Scan

Objects: Memory, Traces, Cookies, C:\WINDOWS\, C:\Program Files

Scan archives: On

Heuristics: Off

ADS Scan: On

Scan start: 10/3/2009 9:56:01 AM

[1168] \\?\globalroot\Device\__max++>\54C61D40.x86.dll detected: Gen.Trojan!IK

[1312] \\?\globalroot\Device\__max++>\54C61D40.x86.dll detected: Gen.Trojan!IK

[1676] C:\WINDOWS\system32\iehelper.dll detected: Trojan.Win32.FakeSpypro!IK

[1988] \\?\globalroot\Device\__max++>\54C61D40.x86.dll detected: Gen.Trojan!IK

[236] \\?\globalroot\Device\__max++>\54C61D40.x86.dll detected: Gen.Trojan!IK

[512] \\?\globalroot\Device\__max++>\54C61D40.x86.dll detected: Gen.Trojan!IK

[2156] \\?\globalroot\Device\__max++>\54C61D40.x86.dll detected: Gen.Trojan!IK

[2516] \\?\globalroot\Device\__max++>\54C61D40.x86.dll detected: Gen.Trojan!IK

[2620] \\?\globalroot\Device\__max++>\54C61D40.x86.dll detected: Gen.Trojan!IK

[1344] \\?\globalroot\Device\__max++>\54C61D40.x86.dll detected: Gen.Trojan!IK

[1344] C:\WINDOWS\system32\iehelper.dll detected: Trojan.Win32.FakeSpypro!IK

[3044] \\?\globalroot\Device\__max++>\54C61D40.x86.dll detected: Gen.Trojan!IK

[3044] C:\WINDOWS\system32\iehelper.dll detected: Trojan.Win32.FakeSpypro!IK

C:\Documents and Settings\Bill O'Brien\Cookies\bill_o'[email protected][1].txt detected: Trace.TrackingCookie.247realmedia!A2

C:\Documents and Settings\Bill O'Brien\Cookies\bill_o'[email protected][1].txt detected: Trace.TrackingCookie.atdmt!A2

C:\Documents and Settings\Bill O'Brien\Cookies\bill_o'[email protected][2].txt detected: Trace.TrackingCookie.casalemedia!A2

C:\Documents and Settings\Bill O'Brien\Cookies\bill_o'[email protected][2].txt detected: Trace.TrackingCookie.cms!A2

C:\Documents and Settings\Bill O'Brien\Cookies\bill_o'[email protected][1].txt detected: Trace.TrackingCookie.com!A2

C:\Documents and Settings\Bill O'Brien\Cookies\bill_o'[email protected][2].txt detected: Trace.TrackingCookie.doubleclick!A2

C:\Documents and Settings\Bill O'Brien\Cookies\bill_o'[email protected][2].txt detected: Trace.TrackingCookie.fastclick!A2

C:\Documents and Settings\Bill O'Brien\Cookies\bill_o'[email protected][2].txt detected: Trace.TrackingCookie.tribalfusion!A2

Scanned

Files: 2354

Traces: 645170

Cookies: 341

Processes: 41

Found

The win32kdiag report is provided below (I saw that most helpers request this).

Running from: C:\Documents and Settings\Bill O'Brien\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Bill O'Brien\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP12D.tmp\ZAP12D.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1E1.tmp\ZAP1E1.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Downloaded Program Files\Downloaded Program Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000030\8.0.0\8.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-515967899-1592454029-839522115-1003\S-1-5-21-515967899-1592454029-839522115-1003

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\AddIns\AddIns

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Proof\Proof

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Word\STARTUP\STARTUP

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.MSO\Content.MSO

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.Word\Content.Word

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\dim\dim

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\dPI19\dPI19

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\dumprep.exe

[1] 2004-08-04 06:00:00 10752 C:\WINDOWS\$NtServicePackUninstall$\dumprep.exe (Microsoft Corporation)

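Win32kDiag's "mount point" entries are NTFS reparse points, and every one listed above resolves to the same raw device object, `\Device\__max++>\^`, rather than to a volume. The following is an added example, not part of the original post and not Win32kDiag's own code: a small Python parser for this log format that pairs each mount point with its destination, flags every destination that is not a `\??\`-prefixed volume or drive target, counts how many junctions share one target, and notes the doubled-name pattern (`...\addins\addins`) visible in the post. The sample input is an excerpt of the log above plus one hypothetical benign volume mount point (`C:\mnt\data`) added for contrast.

```python
import re
from collections import Counter

# Constructed sample input in Win32kDiag's log format: an excerpt of the log
# posted above, plus one hypothetical benign volume mount point (C:\mnt\data)
# added for contrast. Nothing here is read from the live system.
SAMPLE_LOG = r"""
Running from: C:\Documents and Settings\Bill O'Brien\Desktop\Win32kDiag.exe
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\dPI19\dPI19
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d1\d1
Mount point destination : \Device\__max++>\^
Found mount point : C:\mnt\data
Mount point destination : \??\Volume{12345678-0000-0000-0000-000000000000}\
Cannot access: C:\WINDOWS\system32\dumprep.exe
"""

MOUNT_RE = re.compile(r"^Found mount point\s*:\s*(?P<src>.+?)\s*$")
DEST_RE = re.compile(r"^Mount point destination\s*:\s*(?P<dst>.+?)\s*$")
NOACCESS_RE = re.compile(r"^Cannot access\s*:\s*(?P<path>.+?)\s*$")


def parse_win32kdiag(text):
    """Pair every 'Found mount point' line with the 'Mount point destination'
    line that follows it, and collect the 'Cannot access' paths."""
    mounts, inaccessible = [], []
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := MOUNT_RE.match(line)):
            pending = m["src"]
        elif (m := DEST_RE.match(line)) and pending is not None:
            mounts.append((pending, m["dst"]))
            pending = None
        elif (m := NOACCESS_RE.match(line)):
            inaccessible.append(m["path"])
    return mounts, inaccessible


def is_volume_target(dst):
    # A legitimate junction or volume mount point resolves to an object under
    # the \??\ prefix (a drive path or \??\Volume{GUID}\). A target directly
    # under \Device\ that is not a volume is a raw device object; the one in
    # the posted log is backed by no volume at all.
    return dst.startswith("\\??\\")


def looks_doubled(src):
    # Every junction in the posted log reuses its parent directory name
    # (C:\WINDOWS\addins\addins); a real directory tree rarely does that.
    parts = src.rstrip("\\").split("\\")
    return len(parts) >= 2 and parts[-1].lower() == parts[-2].lower()


def triage(text):
    """Summarise a Win32kDiag log: how many junctions exist, which of them
    point at something other than a volume, and how many share one target."""
    mounts, inaccessible = parse_win32kdiag(text)
    suspicious = [(s, d) for s, d in mounts if not is_volume_target(d)]
    return {
        "total": len(mounts),
        "suspicious": suspicious,
        "by_target": dict(Counter(d for _, d in suspicious)),
        "doubled_names": [s for s, _ in suspicious if looks_doubled(s)],
        "inaccessible": inaccessible,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"{report['total']} mount points, {len(report['suspicious'])} not volume-backed")
    for target, n in report["by_target"].items():
        print(f"  {n} junction(s) -> {target}")
    for path in report["inaccessible"]:
        print(f"  inaccessible: {path}")
```

Feed a complete Win32kDiag.txt to `triage` and look at `by_target`: one raw `\Device\...` object reached from dozens of directories under C:\WINDOWS is the signal, not any single path, and the "Cannot access" entries tell you which system binaries the scanner could not open at all.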

Hi oaktree777,

Welcome to the forum

Please do not try to quarantine or delete anything on your own.

Do not run any utilities that were suggested in other users' threads, despite the similarities you may find. You can render your system inoperable.

If you have any difficulties downloading or running the tools referred to below, just stop and describe the situation.

=======

Read the following instructions in

http://forum.emsisoft.com/Default.aspx?g=posts&t=1930

Prepare and post the required log files into this thread

Wait for a reply from ShadowPuterDude, Katana, or JeanInMontana for assistance and further instructions.

=======

My regards


Your Win32kDiag report appears to be incomplete. Repost the log and be sure to enclose the log in code tags. All logs are to be posted in that manner.



Hi and thanks for your speedy reply.

I followed the instructions and I think everything went okay. The logs from the a2 scan and hijack this are copied below.

Interestingly, when I reran the a2 scan (after running ATF and ExplorerXP), Gen.Trojan!IK didn't show up on the a2 scan.

A2 scan results:

a-squared Free - Version 4.5

Last update: 10/2/2009 9:06:49 AM

Scan settings:

Scan type: Deep Scan

Objects: Memory, Traces, Cookies, C:\

Scan archives: On

Heuristics: Off

ADS Scan: On

Scan start: 10/3/2009 12:57:06 PM

[1780] C:\WINDOWS\system32\iehelper.dll detected: Trojan.Win32.FakeSpypro!IK

C:\Avenger\eventlog.dll detected: Trojan.Win32.Sirefef!IK

C:\WINDOWS\system32\iehelper.dll detected: Trojan.Win32.FakeSpypro!IK

Scanned

Files: 105534

Traces: 645170

Cookies: 89

Processes: 37

Found

Files: 2

Traces: 0

Cookies: 0

Processes: 1

Registry keys: 0

Scan end: 10/3/2009 2:02:16 PM

Scan time: 1:05:10

Hijack this Log

Name                    PID   Priority  Location

a2hijackfree.exe        2648  Normal    C:\Program Files\a-squared HiJackFree\a2hijackfree.exe
a2service.exe           1296  Normal    C:\Program Files\a-squared Free\a2service.exe
alg.exe                 3124  Normal    C:\WINDOWS\System32\alg.exe
ati2evxx.exe            1048  Normal    C:\WINDOWS\system32\Ati2evxx.exe
ati2evxx.exe            1572  Normal    C:\WINDOWS\system32\Ati2evxx.exe
atiptaxx.exe            1216  Normal    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
csrss.exe               796   Normal    C:\WINDOWS\system32\csrss.exe
ctfmon.exe              1568  Normal    C:\WINDOWS\system32\ctfmon.exe
Dot1XCfg.exe            2520  Normal    C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
EvtEng.exe              1360  Normal    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
explorer.exe            1668  Normal    C:\WINDOWS\Explorer.EXE
HPZIPM12.EXE            2124  Normal    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
iexplore.exe            1780  Normal    C:\Program Files\Internet Explorer\iexplore.exe
iFrmewrk.exe            1272  Normal    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
iPodService.exe         2560  Normal    C:\Program Files\iPod\bin\iPodService.exe
iTunesHelper.exe        1368  Normal    C:\Program Files\iTunes\iTunesHelper.exe
lsass.exe               880   Normal    C:\WINDOWS\system32\lsass.exe
Mctray.exe              916   Normal    C:\Program Files\McAfee\Common Framework\McTray.exe
MDM.EXE                 2088  Normal    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
RegSrvc.exe             2248  Normal    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
S24EvMon.exe            1772  Normal    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
services.exe            868   Normal    C:\WINDOWS\system32\services.exe
smss.exe                748   Normal    C:\WINDOWS\System32\smss.exe
spoolsv.exe             544   Normal    C:\WINDOWS\system32\spoolsv.exe
svchost.exe             1060  Normal    C:\WINDOWS\system32\svchost.exe
svchost.exe             1164  Normal    C:\WINDOWS\system32\svchost.exe
svchost.exe             1308  Normal    C:\WINDOWS\System32\svchost.exe
svchost.exe             1932  Normal    C:\WINDOWS\system32\svchost.exe
svchost.exe             236   Normal    C:\WINDOWS\system32\svchost.exe
svchost.exe             1136  Normal    C:\WINDOWS\system32\svchost.exe
svchost.exe             2336  Normal    C:\WINDOWS\system32\svchost.exe
System                  4     Normal    N/A
System Idle Processes   0     Idle      N/A
UdaterUI.exe            1280  Normal    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
VM30xSnap.exe           1288  Normal    C:\WINDOWS\VM30xSnap.exe
winlogon.exe            820   High      C:\WINDOWS\system32\winlogon.exe
WINWORD.EXE             436   Normal    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
WkUFind.exe             1524  Normal    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
WLKEEPER.exe            1860  Normal    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
ZCfgSvc.exe             1260  Normal    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

Thanks.

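In a-squared's output a leading `[PID]` means the object was found loaded inside that process rather than on disk, and the same DLL reported under ten different PIDs in the first scan is what a module injected into every process looks like. The block below is an added example, not code from the original post or from Emsisoft: it parses the a2 scan lines, classifies `\\?\globalroot\Device\...` paths as objects that exist only in the kernel device namespace (a path on a real volume would read `\Device\HarddiskVolumeN\...`), reports which objects were seen under more than one PID, and joins in-process detections to the HiJackFree process list to name the host process. The caveat it encodes: a PID is only meaningful within one boot session, so it joins the second scan with the process list posted alongside it, where `[1780]` resolves to iexplore.exe, and deliberately does not join the first scan's PIDs against that list. Sample inputs are copied from the posts above with column separators restored as spaces; the cookie filename is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample input copied from the a-squared scans and the HiJackFree
# process list posted above, with column separators restored as spaces.
# The cookie filename is hypothetical.
SCAN_FIRST_SESSION = r"""
[1168] \\?\globalroot\Device\__max++>\54C61D40.x86.dll detected: Gen.Trojan!IK
[1312] \\?\globalroot\Device\__max++>\54C61D40.x86.dll detected: Gen.Trojan!IK
[1676] C:\WINDOWS\system32\iehelper.dll detected: Trojan.Win32.FakeSpypro!IK
C:\Documents and Settings\Bill O'Brien\Cookies\bill_o'brien@example[1].txt detected: Trace.TrackingCookie.doubleclick!A2
"""

# Second scan and the process list captured in the same boot session.
SCAN_SECOND_SESSION = r"""
[1780] C:\WINDOWS\system32\iehelper.dll detected: Trojan.Win32.FakeSpypro!IK
C:\Avenger\eventlog.dll detected: Trojan.Win32.Sirefef!IK
C:\WINDOWS\system32\iehelper.dll detected: Trojan.Win32.FakeSpypro!IK
"""
PROCESS_LIST_SECOND_SESSION = r"""
explorer.exe 1668 Normal C:\WINDOWS\Explorer.EXE
iexplore.exe 1780 Normal C:\Program Files\Internet Explorer\iexplore.exe
svchost.exe 236 Normal C:\WINDOWS\system32\svchost.exe
System Idle Processes 0 Idle N/A
winlogon.exe 820 High C:\WINDOWS\system32\winlogon.exe
"""

A2_RE = re.compile(r"^(?:\[(?P<pid>\d+)\]\s+)?(?P<path>.+?)\s+detected:\s+(?P<sig>\S+)$")
PROC_RE = re.compile(r"^(?P<name>.+?)\s+(?P<pid>\d+)\s+(?P<prio>Idle|Normal|High|Realtime)\s+(?P<path>\S.*)$")
# Literal prefix \\?\globalroot\device\ (lower-cased for comparison).
GLOBALROOT_DEVICE = "\\\\?\\globalroot\\device\\"


def classify(path, sig):
    """Cookie trace, ordinary file, or an object that exists only in the
    kernel device namespace (a real volume would show as HarddiskVolumeN)."""
    p = path.lower()
    if sig.startswith("Trace.TrackingCookie"):
        return "cookie"
    if p.startswith(GLOBALROOT_DEVICE) and not p.startswith(GLOBALROOT_DEVICE + "harddiskvolume"):
        return "hidden_device_object"
    return "file"


def parse_a2(text):
    dets = []
    for raw in text.splitlines():
        m = A2_RE.match(raw.strip())
        if m:
            pid = int(m["pid"]) if m["pid"] else None   # None: found on disk, not in a process
            dets.append({"pid": pid, "path": m["path"], "sig": m["sig"],
                         "kind": classify(m["path"], m["sig"])})
    return dets


def parse_processes(text):
    """pid -> (image name, image path) from a HiJackFree-style process table."""
    procs = {}
    for raw in text.splitlines():
        m = PROC_RE.match(raw.strip())
        if m:
            procs[int(m["pid"])] = (m["name"], m["path"])
    return procs


def kind_counts(dets):
    counts = {}
    for d in dets:
        counts[d["kind"]] = counts.get(d["kind"], 0) + 1
    return counts


def injected(dets):
    """Objects reported under more than one PID: a module loaded into many
    processes rather than a single infected program."""
    pids = defaultdict(set)
    for d in dets:
        if d["pid"] is not None:
            pids[(d["sig"], d["path"])].add(d["pid"])
    return {k: sorted(v) for k, v in pids.items() if len(v) > 1}


def attribute(dets, procs):
    """Name the host process of each in-process detection. Only join a scan
    with a process list taken in the same boot session: PIDs are recycled on
    reboot, so a match across sessions (e.g. PID 236 above) would be chance."""
    hosts = defaultdict(set)
    for d in dets:
        if d["pid"] is None:
            continue
        proc = procs.get(d["pid"])
        label = (f"{proc[0]} ({d['pid']}) {proc[1]}" if proc
                 else f"unknown pid {d['pid']} (not in this process list)")
        hosts[(d["sig"], d["path"])].add(label)
    return {k: sorted(v) for k, v in hosts.items()}


if __name__ == "__main__":
    first = parse_a2(SCAN_FIRST_SESSION)
    print("first scan:", kind_counts(first), "injected:", injected(first))
    procs = parse_processes(PROCESS_LIST_SECOND_SESSION)
    for (sig, path), where in attribute(parse_a2(SCAN_SECOND_SESSION), procs).items():
        print(f"{sig} {path} loaded in: {', '.join(where)}")
```

The join is what turns "iehelper.dll detected" into "iehelper.dll is loaded in iexplore.exe", which is consistent with the Browser Helper Object entry ComboFix later lists; for the first scan the only honest answer is the list of PIDs, because no process list from that session was posted.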

Download ComboFix from one of these locations:

Link 1

Link 2

Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your antivirus and antispyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    See HERE for help
  • Double click on ComboFix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.

-----------------------------------------------------------

Post fresh logs for:

  • ComboFix (C:\combofix.txt)
  • a-squared Free
  • ISeeYouXP

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


Please, don't quote an entire post.

I deleted your last post, as it only quoted my entire last post. Was there something you meant to add?


Hi,

Sorry about that. My internet connection was lost in the middle of typing a reply and it apparently never made it.

I ran all of the programs as you recommended. The following log files are copied below:

A2

Combofix

win32diag

I attached the Iseeyou.txt because it was really long and I figured it may take up too much space on the email.

To make a long story short: after following your instructions, it looks like Gen.Trojan!IK is gone! The other ones appear to be gone as well. The last A2 scan did not pick up any viruses or malware.

Additionally, I ran Malwarebytes just to see what would happen. Before, whatever virus I picked up would interrupt the scan and disable Malwarebytes so it couldn't be run. Malwarebytes is now running too. It seems to pick up some things that A2 doesn't, but I deleted the identified files there too. In case it would be helpful, I added the Malwarebytes text.

Please let me know if I should follow any additional procedures other than putting a giant condom over my laptop in the future :)

Thanks again. Your assistance has been great!

A2 LOG COPIED BELOW:

a-squared Free - Version 4.5

Last update: 10/3/2009 6:02:19 PM

Scan settings:

Scan type: Quick Scan

Objects: Memory, Traces, Cookies

Scan archives: On

Heuristics: Off

ADS Scan: On

Scan start: 10/3/2009 7:59:53 PM

Scanned

Files: 1708

Traces: 645170

Cookies: 132

Processes: 38

Found

Files: 0

Traces: 0

Cookies: 0

Processes: 0

Registry keys: 0

Scan end: 10/3/2009 8:02:15 PM

Scan time: 0:02:22

COMBOFIX LOG COPIED BELOW:

ComboFix 09-10-01.05 - Bill O'Brien 10/03/2009 16:59.1.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.584 [GMT -4:00]

Running from: c:\documents and settings\Bill O'Brien\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\kobosoheh.bin

c:\documents and settings\All Users\Application Data\mahodoqus.com

c:\documents and settings\All Users\Documents\ecurojin._dl

c:\documents and settings\All Users\track.sys

c:\documents and settings\Bill O'Brien\Application Data\obehuhirud.scr

c:\documents and settings\Bill O'Brien\Local Settings\Application Data\ygyzelonag.bat

C:\p2hhr.bat

c:\program files\awywon

c:\program files\awywon\hcipsysguard.exe

c:\program files\Common Files\laheradif.dll

c:\program files\Common Files\moji.pif

c:\windows\biguxehos.sys

c:\windows\Downloaded Program Files\Downloaded Program Files

c:\windows\Installer\2cabcf9.msp

c:\windows\Installer\2cabd01.msp

c:\windows\Installer\4d0f32b.msp

c:\windows\run.log

c:\windows\syssvc.exe

c:\windows\system32\_000013_.tmp.dll

c:\windows\system32\41.exe

c:\windows\system32\bLlnmnnn.ini

c:\windows\system32\detebutu.dll

c:\windows\system32\dim

c:\windows\system32\dPI19

c:\windows\system32\dutujahi.exe

c:\windows\system32\fuhaleke.dll

c:\windows\system32\gp2

c:\windows\system32\guhehodi.exe

c:\windows\system32\hilivoze.dll

c:\windows\system32\hisekeke.exe

c:\windows\system32\ID2

c:\windows\system32\iehelper.dll

c:\windows\system32\juriyuyi.dll

c:\windows\system32\lsprst7.dll

c:\windows\system32\maligoha.exe

c:\windows\system32\nijopido.exe

c:\windows\system32\nsprs.dll

c:\windows\system32\onaxefegyq.pif

c:\windows\system32\pegeseyi.exe

c:\windows\system32\ssprs.dll

c:\windows\system32\tizovawe.dll

c:\windows\system32\tuwejipe.dll

c:\windows\system32\wefihipe.exe

c:\windows\system32\yosutihe.dll

c:\windows\system32\zibuyubo.dll

c:\windows\twain_30.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_tdssserv.sys

-------\Legacy_UACd.sys

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}

-------\Service_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-09-03 to 2009-10-03 )))))))))))))))))))))))))))))))

.

2009-10-03 19:07 . 2009-10-03 19:07 -------- d-----w- C:\!KillBox

2009-10-03 18:48 . 2005-01-14 06:41 11254 ----a-w- c:\windows\system32\locate.com

2009-10-03 16:49 . 2009-10-03 16:49 -------- d-----w- C:\ISeeYouXP

2009-10-03 16:49 . 2009-10-03 20:48 -------- d-----w- c:\program files\ExplorerXP

2009-10-03 16:48 . 2009-10-03 16:48 -------- d-----w- c:\program files\a-squared HiJackFree

2009-10-03 13:33 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-10-03 13:32 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-10-02 12:59 . 2009-10-03 18:02 -------- d-----w- c:\program files\a-squared Free

2009-10-02 11:17 . 2009-10-02 11:17 0 ----a-w- c:\windows\nsreg.dat

2009-10-02 11:17 . 2009-10-02 11:17 -------- d-----w- c:\documents and settings\Bill O'Brien\Local Settings\Application Data\Mozilla

2009-10-01 10:10 . 2009-10-01 10:10 -------- d-----w- c:\documents and settings\Bill O'Brien\Application Data\8540052764

2009-09-30 11:18 . 2009-10-02 12:14 664 ----a-w- c:\windows\system32\d3d9caps.dat

2009-09-29 23:06 . 2009-10-02 13:23 -------- d-----w- c:\documents and settings\All Users\Application Data\12473754

2009-09-29 23:01 . 2009-10-03 21:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-29 15:37 . 2009-07-28 20:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-09-29 15:36 . 2009-09-29 15:36 -------- d-----w- c:\program files\Avira

2009-09-28 12:08 . 2009-10-03 13:20 0 ----a-w- c:\windows\win32k.sys

2009-09-23 18:04 . 2009-09-23 18:04 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe

2009-09-16 20:51 . 2009-09-16 20:51 13696 ----a-w- c:\windows\system32\drivers\wpsnuio.sys

2009-09-16 20:51 . 2009-09-16 20:51 -------- d-----w- c:\documents and settings\Bill O'Brien\Local Settings\Application Data\Skyhook Wireless

2009-09-13 13:53 . 2009-09-13 14:00 -------- d-----w- C:\budget

2009-09-13 13:45 . 2009-09-13 13:45 -------- d-----w- c:\documents and settings\Bill O'Brien\Application Data\Webroot

2009-09-13 13:45 . 2009-09-13 13:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot

2009-09-13 13:21 . 2009-09-13 13:45 164 ----a-w- c:\windows\install.dat

2009-09-13 12:21 . 2009-09-13 21:39 -------- d-----w- c:\program files\Webroot

2009-09-13 12:21 . 2009-05-13 19:39 1563008 ----a-w- c:\windows\WRSetup.dll

2009-09-12 12:01 . 2009-09-29 17:43 -------- d-----w- C:\belgium

2009-09-11 22:36 . 2009-09-23 18:26 -------- d-----w- c:\documents and settings\All Users\Application Data\gwr

2009-09-11 21:19 . 2009-09-11 21:19 12724 ----a-w- c:\windows\adyhaha.com

2009-09-11 20:50 . 2009-09-11 21:56 -------- d-----w- C:\sh4ldr

2009-09-09 11:21 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-03 11:24 . 2009-07-03 11:24 52736 --sha-w- c:\windows\system32\degipeme.dll

2009-10-03 11:24 . 2009-07-03 11:24 89088 --sha-w- c:\windows\system32\fujegifu.dll

2009-10-02 21:32 . 2009-01-17 22:30 -------- d-----w- c:\program files\RealArcade

2009-10-02 21:30 . 2007-10-06 01:01 -------- d-----w- c:\program files\Common Files\AOL

2009-10-02 21:30 . 2007-10-06 01:01 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL

2009-10-02 13:26 . 2008-11-22 14:54 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-10-02 12:46 . 2009-02-05 17:07 -------- d-----w- c:\program files\Windows Live Safety Center

2009-10-01 23:11 . 2009-07-01 23:11 50688 --sha-w- c:\windows\system32\mivalivo.dll

2009-10-01 23:11 . 2009-07-01 23:11 91136 --sha-w- c:\windows\system32\lilofati.dll

2009-10-01 17:23 . 2007-09-26 13:40 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet

2009-10-01 10:11 . 2009-07-01 10:10 50176 --sha-w- c:\windows\system32\bidiyije.dll

2009-09-30 11:10 . 2009-06-30 11:10 39424 --sha-w- c:\windows\system32\dezifamu.dll

2009-09-29 11:06 . 2009-06-29 11:06 53248 --sha-w- c:\windows\system32\deporare.dll

2009-09-29 11:06 . 2009-06-29 11:06 36864 --sha-w- c:\windows\system32\hopawiki.dll

2009-09-24 11:28 . 2007-09-26 16:04 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2009-09-24 11:28 . 2007-09-26 16:03 -------- d-----w- c:\program files\McAfee

2009-09-13 13:22 . 2009-09-13 13:22 775168 ----a-w- c:\windows\isRS-000.tmp

2009-08-25 17:54 . 2009-07-01 22:55 -------- d-----w- c:\documents and settings\Bill O'Brien\Application Data\dvdcss

2009-08-23 13:22 . 2007-10-02 13:20 70672 ----a-w- c:\documents and settings\Bill O'Brien\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-23 12:47 . 2009-08-23 12:47 -------- d-----w- c:\program files\MSBuild

2009-08-23 12:46 . 2009-08-23 12:46 -------- d-----w- c:\program files\Reference Assemblies

2009-08-17 16:12 . 2007-11-15 17:05 -------- d-----w- c:\program files\Picasa2

2009-08-15 20:10 . 2009-08-15 20:10 -------- d-----w- c:\program files\Microsoft Picture It! 7

2009-08-05 09:01 . 2004-08-04 10:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-17 19:01 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 03:43 . 2004-08-04 10:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-01 23:11 . 2009-07-01 23:11 50688 --sha-w- c:\windows\system32\tazofehu.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74e98632-f013-423c-a5c3-c520163d1f28}]

2009-07-01 23:11 50688 --sha-w- c:\windows\system32\tazofehu.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-05 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-07 344064]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]

"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 136768]

"VM30xSnap"="c:\windows\VM30xSnap.exe" [2007-02-05 53248]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]

"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 28672]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\iPod\\bin\\iPodService.exe"=

"c:\\WINDOWS\\VM30xSnap.exe"=

"c:\\Program Files\\iTunes\\iTunesHelper.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\HPZIPM12.EXE"=

S1 2093de44;2093de44;c:\windows\system32\drivers\2093de44.sys [1/29/2009 11:42 AM 0]

S1 orerthdy;orerthdy;\??\c:\windows\system32\drivers\orerthdy.sys --> c:\windows\system32\drivers\orerthdy.sys [?]

S2 cpnwr;cpnwr;c:\windows\system32\drivers\jjve.sys --> c:\windows\system32\drivers\jjve.sys [?]

S3 mfefeatk01;McAfee Inc.;\Device\mfefeatk01.sys --> \Device\mfefeatk01.sys [?]

S3 VM30xx86;Vimicro USB PC Camera (ZC030x);c:\windows\system32\drivers\vm30xx86.sys [3/22/2008 8:01 PM 1294336]

.

Contents of the 'Scheduled Tasks' folder

2009-09-03 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-09-26 c:\windows\Tasks\ParetoLogic Privacy Controls_{3CEEF1D2-AA8F-11DE-AE79-0012F0AB7742}.job

- c:\program files\ParetoLogic\Privacy Controls\Pareto_PC.exe [2008-11-25 16:30]

2009-09-26 c:\windows\Tasks\ParetoLogic Privacy Controls_{5FAAE77E-AAA0-11DE-AE7A-0012F0AB7742}.job

- c:\program files\ParetoLogic\Privacy Controls\Pareto_PC.exe [2008-11-25 16:30]

2009-09-24 c:\windows\Tasks\ParetoLogic Privacy Controls_{7D54321D-A92F-11DE-AE75-0012F0AB7742}.job

- c:\program files\ParetoLogic\Privacy Controls\Pareto_PC.exe [2008-11-25 16:30]

2009-09-07 c:\windows\Tasks\ParetoLogic Privacy Controls_{D801D5B4-C20E-11DD-AD82-0012F0AB7742}.job

- c:\program files\ParetoLogic\Privacy Controls\Pareto_PC.exe [2008-11-25 16:30]

2009-03-01 c:\windows\Tasks\ParetoLogic Privacy Controls_{EC89D382-069D-11DE-ADD3-8AEF67650B1F}.job

- c:\program files\ParetoLogic\Privacy Controls\Pareto_PC.exe [2008-11-25 16:30]

2009-10-02 c:\windows\Tasks\ParetoLogic Privacy Controls_{F34EE94C-AEFD-11DE-AE93-0012F0AB7742}.job

- c:\program files\ParetoLogic\Privacy Controls\Pareto_PC.exe [2008-11-25 16:30]

2009-09-19 c:\windows\Tasks\ParetoLogic Privacy Controls_{FC2C06F0-A564-11DE-AE6D-0012F0AB7742}.job

- c:\program files\ParetoLogic\Privacy Controls\Pareto_PC.exe [2008-11-25 16:30]

2009-09-29 c:\windows\Tasks\ParetoLogic Registration.job

- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2008-02-22 17:25]

2009-09-10 c:\windows\Tasks\ParetoLogic Update Version2.job

- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 17:25]

.

.

------- Supplementary Scan -------

.

uLocal Page = \blank.htm

mLocal Page = \blank.htm

mStart Page = hxxp://www.google.com

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Trusted Zone: advancedmd.com

FF - ProfilePath - c:\documents and settings\Bill O'Brien\Application Data\Mozilla\Firefox\Profiles\z60eckcq.default\

FF - plugin: c:\program files\Picasa2\npPicasa2.dll

FF - plugin: c:\program files\Picasa2\npPicasa3.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

BHO-{385F2EEB-EF59-4400-9156-CEF1C3B303BD} - c:\windows\system32\iehelper.dll

HKLM-Run-Acrobat Assistant 8.0 - c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

HKLM-Run-jakiduwab - c:\windows\system32\tizovawe.dll

HKLM-Run-julafinire - zibuyubo.dll

SharedTaskScheduler-{eb847b3d-b9c8-4e93-bc88-ddd3807a0ab4} - (no file)

SharedTaskScheduler-{3d5bdeda-38b8-489d-b16f-21d245c24ff6} - (no file)

SharedTaskScheduler-{6138dd23-ff27-4634-812f-c7dc2291c1b0} - (no file)

SharedTaskScheduler-{057c2cce-49f2-4b21-bcd0-a8a0b79dccf4} - c:\windows\system32\tizovawe.dll

SSODL-beyopazod-{eb847b3d-b9c8-4e93-bc88-ddd3807a0ab4} - (no file)

SSODL-bojuluteg-{3d5bdeda-38b8-489d-b16f-21d245c24ff6} - (no file)

SSODL-ketinikel-{6138dd23-ff27-4634-812f-c7dc2291c1b0} - (no file)

SSODL-dukibapaf-{057c2cce-49f2-4b21-bcd0-a8a0b79dccf4} - c:\windows\system32\tizovawe.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-03 17:06

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(820)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3836)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\windows\system32\ati2evxx.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\Intel\Wireless\Bin\WLKEEPER.exe

c:\program files\a-squared Free\a2service.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\windows\system32\spool\drivers\w32x86\3\HPZIPM12.EXE

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\program files\McAfee\Common Framework\Mctray.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\rundll32.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\system32\wscntfy.exe

c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe

.

**************************************************************************

.

Completion time: 2009-10-03 17:10 - machine was rebooted

ComboFix-quarantined-files.txt 2009-10-03 21:10

Pre-Run: 64,104,075,264 bytes free

Post-Run: 64,021,123,072 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

284 --- E O F --- 2009-09-10 07:04

WIN32DIAG LOG COPIED BELOW:

Running from: C:\Documents and Settings\Bill O'Brien\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Bill O'Brien\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP12D.tmp\ZAP12D.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1E1.tmp\ZAP1E1.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000030\8.0.0\8.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-515967899-1592454029-839522115-1003\S-1-5-21-515967899-1592454029-839522115-1003

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\AddIns\AddIns

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Proof\Proof

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Word\STARTUP\STARTUP

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.MSO\Content.MSO

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.Word\Content.Word

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Machine

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\GroupPolicy\User\User

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\Macromed\Shockwave 10\Shockwave 10

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\DriverFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\drivers\w32x86\3\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\good\good

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^

Finished!

MALWAREBYTES LOG COPIED BELOW:

Malwarebytes' Anti-Malware 1.41

Database version: 2902

Windows 5.1.2600 Service Pack 3

10/3/2009 8:25:35 PM

mbam-log-2009-10-03 (20-25-35).txt

Scan type: Quick Scan

Objects scanned: 100622

Time elapsed: 4 minute(s), 2 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 1

Registry Values Infected: 5

Registry Data Items Infected: 3

Folders Infected: 4

Files Infected: 14

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\piyudijo.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{172e7c1f-6113-4cd3-b1a9-57c8abb8d268} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jakiduwab (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{172e7c1f-6113-4cd3-b1a9-57c8abb8d268} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\jalaforef (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0369133145 (Rogue.SecurityTool) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\julafinire (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\piyudijo.dll -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\piyudijo.dll -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

C:\Documents and Settings\All Users\Application Data\12473754 (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Bill O'Brien\Application Data\0369133145 (Rogue.SecurityTool) -> Quarantined and deleted successfully.

C:\Documents and Settings\Bill O'Brien\Application Data\8540052764 (Rogue.SecurityTool) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\gwr (Rogue.GreenAV) -> Quarantined and deleted successfully.

Files Infected:

c:\WINDOWS\system32\piyudijo.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\Documents and Settings\Bill O'Brien\Application Data\0369133145\0369133145.exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\yepogofa.exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\12473754\12473754 (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\12473754\pc12473754ins (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Bill O'Brien\Application Data\0369133145\0369133145.bat (Rogue.SecurityTool) -> Quarantined and deleted successfully.

C:\Documents and Settings\Bill O'Brien\Application Data\0369133145\0369133145.cfg (Rogue.SecurityTool) -> Quarantined and deleted successfully.

C:\Documents and Settings\Bill O'Brien\Application Data\8540052764\8540052764.bat (Rogue.SecurityTool) -> Quarantined and deleted successfully.

C:\Documents and Settings\Bill O'Brien\Application Data\8540052764\8540052764.cfg (Rogue.SecurityTool) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\gwr\Viruses.dat (Rogue.GreenAV) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\deporare.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\dezifamu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\mivalivo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\win32k.sys (Trojan.Dropper) -> Quarantined and deleted successfully.
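One way to triage a Win32kDiag log like the one pasted above, as an added example (not part of this thread and not Win32kDiag's own code): pair each "Found mount point" line with its "Mount point destination" line, treat only destinations that resolve to a `\??\Volume{GUID}` volume mount as normal, and flag everything else, noting the child-named-after-parent pattern (`C:\WINDOWS\addins\addins`) that every flagged entry in the log shares. The sample log is constructed to mirror the format above; the benign control entry and its volume GUID are made up.

```python
"""Triage a Win32kDiag log: pair 'Found mount point' / 'Mount point destination'
lines and flag junctions that do not point at a mounted NTFS volume.
Added example; the sample log below is constructed, not a real capture."""
import ntpath
import re
from collections import Counter

FOUND_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
# A legitimate NTFS volume mount point resolves to \??\Volume{GUID}\ .
VOLUME_RE = re.compile(r"^\\\?\?\\Volume\{[0-9a-fA-F-]+\}\\?$")

# Constructed sample: the first two entries copy the shape of the log above,
# the third is a made-up benign volume mount point used as a control.
SAMPLE_LOG = r"""Running from: C:\Documents and Settings\user\Desktop\Win32kDiag.exe
Log file at : C:\Documents and Settings\user\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d1\d1
Mount point destination : \Device\__max++>\^

Found mount point : C:\Data\Archive
Mount point destination : \??\Volume{12345678-1234-1234-1234-123456789abc}\

Finished!
"""


def parse_mount_points(log_text):
    """Return (source, destination) pairs in log order."""
    pairs, pending = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = FOUND_RE.match(line)
        if m:
            pending = m.group(1).strip()
            continue
        m = DEST_RE.match(line)
        if m and pending is not None:
            pairs.append((pending, m.group(1).strip()))
            pending = None
    return pairs


def is_volume_mount(destination):
    """True only for a destination of the form \\??\\Volume{GUID}\\ ."""
    return bool(VOLUME_RE.match(destination))


def shadows_parent(source):
    r"""True when the junction is a child directory named after its parent
    (C:\WINDOWS\addins\addins), the naming pattern seen throughout the log."""
    parent = ntpath.dirname(source)
    return ntpath.basename(source).lower() == ntpath.basename(parent).lower()


def triage(log_text):
    """Split mount points into benign volume mounts and suspicious junctions."""
    report = {"volume": [], "suspicious": []}
    for src, dst in parse_mount_points(log_text):
        key = "volume" if is_volume_mount(dst) else "suspicious"
        report[key].append({"source": src, "destination": dst,
                            "shadows_parent": shadows_parent(src)})
    return report


def destination_summary(log_text):
    """Count suspicious destinations: one target repeated across many
    system folders is the signature worth escalating."""
    return Counter(e["destination"] for e in triage(log_text)["suspicious"])


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for e in rep["suspicious"]:
        flag = " (child named after parent)" if e["shadows_parent"] else ""
        print("SUSPICIOUS", e["source"], "->", e["destination"] + flag)
    print(destination_summary(SAMPLE_LOG))
```

Run it against a saved Win32kDiag.txt by replacing `SAMPLE_LOG` with the file's contents; the point of `destination_summary` is that a single non-volume destination repeated across dozens of system directories is what distinguishes this kind of infection from a handful of legitimate junctions.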

I attached the Iseeyou.txt because it was really long and I figured it may take up too much space on the email.

Actually, according to the new instructions, all log files should be attached.

START HERE, if you don't we are just going to send you back to this thread <--click

You posted the result of a Quick Scan.

You should run a Deep Scan with a2.

Please do not run any additional Tools

and do not post additional reports. You were not instructed to run MBAM.

Run only those Utilities that were suggested by malware fighter.

Attach the new a-squared report and the other log files as per the instructions.


The ISeeyouXP log was not attached.

-----------------------------------------------------------

Download Avenger from -->> HERE <<-- and unzip to your desktop.

  • Run Avenger
  • Read the prompt that appears, and press OK
  • Copy & paste the following text in Input script Box:
    Drivers to delete:
    2093de44
    cpnwr
    orerthdy
    
    Registry keys to delete:
    HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74e98632-f013-423c-a5c3-c520163d1f28}
    
    Registry values to delete:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | UserFaultCheck
    
    Folders to delete:
    C:\sh4ldr
    
    Files to delete:
    c:\windows\adyhaha.com
    c:\windows\isRS-000.tmp
    c:\windows\system32\degipeme.dll
    c:\windows\system32\fujegifu.dll
    c:\windows\system32\mivalivo.dll
    c:\windows\system32\lilofati.dll
    c:\windows\system32\bidiyije.dll
    c:\windows\system32\dezifamu.dll
    c:\windows\system32\deporare.dll
    c:\windows\system32\hopawiki.dll
    c:\windows\system32\tazofehu.dll
    c:\windows\system32\drivers\2093de44.sys
    c:\windows\system32\drivers\jjve.sys
    c:\windows\system32\drivers\orerthdy.sys


    Then click "Execute".

  • You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
    Note: It is possible that Avenger will reboot your system TWICE.
  • Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

-----------------------------------------------------------

Go to start > run and copy and paste the following command in the field:

"%userprofile%\desktop\win32kdiag.exe" -f -r

This should restore permissions on locked files and remove mountpoints.

-----------------------------------------------------------

Attach fresh logs for:

  • Avenger (C:\avenger.txt)
  • a-squared Free
  • ISeeYouXP

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


Thread Closed

Reason: Lack of Response

PM either ShadowPuterDude or Lynx to have this thread reopened.

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread
