WMISPRJ.exe error message..MalwareBytes and AVG free can't update

#1
eendra69

    Member

  • Member
  • 11 posts
Hi,

Every time I start my computer this message about "WMISPRJ.exe error" always pops up.
I hadn't realized this was a virus until I searched on Google and found this link

http://www.prevx.com...MISPRJ.EXE.html

I've tried to update MalwareBytes & AVG Free, but whenever I open those programs and click the Update button, they close automatically.
In addition, I noticed that all of the components in my AVG are missing.

My friend says that it may be a new virus that disables Spybot, malware, HijackThis and antivirus software.

Could you help me on this?

Thanks in advance
  • 0

#2
RKinner

    Malware Expert

  • Expert
  • 23,723 posts
  • MVP
Work through the guidelines: http://www.geekstogo...emoval-f37.html

Skip any that don't run.

Then post your logs (do not use the attachment option).

Ron
  • 0

#3
eendra69

    Member

  • Topic Starter
  • Member
  • 11 posts
Hi, Ron.

So glad there's someone here who wants to help me.
I did everything the guidelines say with GMER, OTL and MBAM, and somehow they all abruptly stop before I can even start.

However, I noted that GMER shows this in Red

Process windows/system32/wmisprj.exe (***hidden***) 768

I am sorry that I can't post any logs at all to make your job easier.

Indra
  • 0

#4
RKinner

    Malware Expert

  • Expert
  • 23,723 posts
  • MVP
I'm hoping this is an XP system. If Vista, it should still work, but you need to right-click on Avenger and select Run As Administrator.

Download The Avenger by Swandog46 from
http://swandog46.gee...r2/download.php
* Unzip/extract it to a folder on your desktop.
* Double click on avenger.exe to run The Avenger.
* Click OK.
* Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
* Copy all of the text between the stars to the clipboard by highlighting it and then pressing Ctrl+C.
*******************************************************
Files to delete:
c:\windows/system32/wmisprj.exe

******************************************************
* In the Avenger window, click the Paste Script from Clipboard icon.
* :!: Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
* Click the Execute button.
* You will be asked Are you sure you want to execute the current script?.
* Click Yes.
* You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
* Click Yes.
* Your PC will now be rebooted.
* Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
* If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
* After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt). I would like to see the log in your next post.

Download but do not yet run ComboFix
:!: If you have a previous version of Combofix.exe, delete it and download a fresh copy. :!:

:!: It must be saved to your desktop, do not run it :!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Rename this file -- (call it george.exe ) to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Doubleclick on george to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Re-activate your protection programs at this time :!:

Ron

PS Going to bed now and off-island tomorrow so won't be back until late.
  • 0

#5
eendra69

    Member

  • Topic Starter
  • Member
  • 11 posts
Hi, Ron,

This is the log from Avenger
Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "c:\windows\system32\wmisprj.exe" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


And this is from ComboFix
ComboFix 10-02-11.04 - user 02/12/2010 22:29:43.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1553 [GMT 11:00]
Running from: c:\documents and settings\user\Desktop\George.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\user\Application Data\.#
c:\windows\system32\drivers\ndisvvan.sys
c:\windows\system32\msvmcls64.exe
c:\windows\system32\secupdat.dat
c:\windows\system32\twinv77.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_Passthru


((((((((((((((((((((((((( Files Created from 2010-01-12 to 2010-02-12 )))))))))))))))))))))))))))))))
.

2010-02-12 10:11 . 2010-02-12 10:11 50354 ----a-w- c:\documents and settings\user\Application Data\Facebook\uninstall.exe
2010-02-12 10:11 . 2010-02-12 10:11 -------- d-----w- c:\documents and settings\user\Application Data\Facebook
2010-02-12 07:11 . 2010-02-12 07:11 -------- d-----w- c:\program files\ERUNT
2010-02-08 18:53 . 2010-02-08 18:53 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-08 18:17 . 2010-02-08 18:17 -------- d-----w- c:\documents and settings\user\Application Data\LolClient.F24C99354F615F3BAB18AE7B93E3F9B9E8784FA6.1
2010-02-07 02:10 . 2007-10-12 04:14 1374232 ----a-w- c:\windows\system32\D3DCompiler_36.dll
2010-02-07 02:07 . 2010-02-11 11:27 -------- d-----w- c:\program files\League of Legends
2010-02-07 02:06 . 2010-02-07 02:06 -------- d-----w- c:\program files\Common Files\SWF Studio
2010-02-01 22:04 . 2010-02-01 22:04 847040 ----a-w- c:\documents and settings\user\Application Data\Facebook\axfbootloader.dll
2010-02-01 22:04 . 2010-02-01 22:04 5578752 ----a-w- c:\documents and settings\user\Application Data\Facebook\npfbplugin_1_0_1.dll
2010-01-24 08:18 . 2010-01-24 08:18 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Yahoo
2010-01-24 08:14 . 2010-01-24 08:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-01-24 08:14 . 2010-01-24 08:18 -------- d-----w- c:\documents and settings\user\Application Data\Yahoo!
2010-01-24 08:13 . 2010-01-24 08:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-01-24 08:13 . 2009-11-10 03:39 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
2010-01-24 07:59 . 2010-01-24 08:14 -------- d-----w- c:\program files\Yahoo!
2010-01-23 02:47 . 2010-01-23 02:47 39936 ---ha-w- c:\documents and settings\user\vrajuw.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-12 11:26 . 2009-09-01 04:31 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-02-10 11:55 . 2009-09-02 23:53 -------- d-----w- c:\documents and settings\user\Application Data\EndNote
2010-02-09 22:59 . 2009-09-12 22:19 -------- d-----w- c:\program files\Heroes of Newerth
2010-02-08 18:53 . 2010-02-07 02:10 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-02-08 18:53 . 2010-02-07 02:10 38784 ----a-w- c:\documents and settings\user\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-01-26 03:03 . 2009-09-11 00:49 -------- d-----w- c:\program files\Warcraft III
2010-01-13 08:01 . 2010-01-13 08:01 209408 --sha-w- c:\windows\system32\wmipxty.exe
2010-01-08 11:22 . 2009-10-07 06:58 -------- d-----w- c:\program files\ScreenshotCaptor
2009-12-28 05:16 . 2009-11-09 06:54 -------- d-----w- c:\program files\FlashGet
2009-12-26 01:25 . 2009-12-26 01:15 -------- d-----w- c:\program files\CrossFire
2009-12-11 23:15 . 2009-12-11 23:15 2065688 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-12-11 00:50 . 2009-12-11 00:50 4844296 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-03 05:14 . 2009-11-17 09:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 05:13 . 2009-11-17 09:48 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-26 06:03 . 2009-09-01 00:43 376832 ----a-w- c:\windows\system32\AegisI5Installer.exe
2009-11-18 15:57 . 2009-10-02 05:10 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-01 13:34 . 2009-10-01 13:33 24 --sh--w- c:\windows\SDE556877.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-09-08 94208]
"Google Update"="c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-10-07 133104]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShaPlus Bandwidth Meter"="c:\program files\ShaPlus Bandwidth Meter\ShaPlus Bandwidth Meter" [X]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-24 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-24 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-24 118784]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-11 2043160]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 57344]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-10-05 198160]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-18 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-02 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"MS Virtual CLS"="c:\windows\system32\wmipxty.exe" [2010-01-13 209408]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
TL-WN321G Wireless Utility.lnk - c:\program files\TP-LINK\TL-WN321G Wireless Utility\Installer\WINXP\TWCU.exe [2009-11-26 622592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-02 23:13 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Foxit Software\\PDF Editor\\PDFEdit.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\League of Legends\\Air\\LolClient.exe"=
"c:\\Program Files\\League of Legends\\Game\\League of Legends.exe"=
"c:\\Program Files\\League of Legends\\lol.launcher.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8394:TCP"= 8394:TCP:League of Legends Launcher
"8394:UDP"= 8394:UDP:League of Legends Launcher
"8393:TCP"= 8393:TCP:League of Legends Lobby
"8393:UDP"= 8393:UDP:League of Legends Lobby
"8390:TCP"= 8390:TCP:League of Legends Game Client
"8390:UDP"= 8390:UDP:League of Legends Game Client
"6980:TCP"= 6980:TCP:League of Legends Launcher
"6980:UDP"= 6980:UDP:League of Legends Launcher

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/1/2009 3:31 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/1/2009 3:31 PM 108552]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 afvzzmbt;afvzzmbt;\??\c:\windows\System32\Drivers\afvzzmbt.sys --> c:\windows\System32\Drivers\afvzzmbt.sys [?]
S3 bexbxgvr;bexbxgvr;\??\c:\windows\System32\Drivers\bexbxgvr.sys --> c:\windows\System32\Drivers\bexbxgvr.sys [?]
S3 bezbcori;bezbcori;\??\c:\windows\System32\Drivers\bezbcori.sys --> c:\windows\System32\Drivers\bezbcori.sys [?]
S3 bpghtdbp;bpghtdbp;\??\c:\windows\System32\Drivers\bpghtdbp.sys --> c:\windows\System32\Drivers\bpghtdbp.sys [?]
S3 brlwjiex;brlwjiex;\??\c:\windows\System32\Drivers\brlwjiex.sys --> c:\windows\System32\Drivers\brlwjiex.sys [?]
S3 brwxarnp;brwxarnp;\??\c:\windows\System32\Drivers\brwxarnp.sys --> c:\windows\System32\Drivers\brwxarnp.sys [?]
S3 chacozfm;chacozfm;\??\c:\windows\System32\Drivers\chacozfm.sys --> c:\windows\System32\Drivers\chacozfm.sys [?]
S3 difozbxn;difozbxn;\??\c:\windows\System32\Drivers\difozbxn.sys --> c:\windows\System32\Drivers\difozbxn.sys [?]
S3 ekhronfb;ekhronfb;\??\c:\windows\System32\Drivers\ekhronfb.sys --> c:\windows\System32\Drivers\ekhronfb.sys [?]
S3 eqqbakzb;eqqbakzb;\??\c:\windows\System32\Drivers\eqqbakzb.sys --> c:\windows\System32\Drivers\eqqbakzb.sys [?]
S3 fdeanuuf;fdeanuuf;\??\c:\windows\System32\Drivers\fdeanuuf.sys --> c:\windows\System32\Drivers\fdeanuuf.sys [?]
S3 feaixipt;feaixipt;\??\c:\windows\System32\Drivers\feaixipt.sys --> c:\windows\System32\Drivers\feaixipt.sys [?]
S3 fgijpnmm;fgijpnmm;\??\c:\windows\System32\Drivers\fgijpnmm.sys --> c:\windows\System32\Drivers\fgijpnmm.sys [?]
S3 fhlllzcu;fhlllzcu;\??\c:\windows\System32\Drivers\fhlllzcu.sys --> c:\windows\System32\Drivers\fhlllzcu.sys [?]
S3 fmwwyseb;fmwwyseb;\??\c:\windows\System32\Drivers\fmwwyseb.sys --> c:\windows\System32\Drivers\fmwwyseb.sys [?]
S3 gdnvecwp;gdnvecwp;\??\c:\windows\System32\Drivers\gdnvecwp.sys --> c:\windows\System32\Drivers\gdnvecwp.sys [?]
S3 gsbwgxre;gsbwgxre;\??\c:\windows\System32\Drivers\gsbwgxre.sys --> c:\windows\System32\Drivers\gsbwgxre.sys [?]
S3 hphdaiix;hphdaiix;\??\c:\windows\System32\Drivers\hphdaiix.sys --> c:\windows\System32\Drivers\hphdaiix.sys [?]
S3 hxyvygdu;hxyvygdu;\??\c:\windows\System32\Drivers\hxyvygdu.sys --> c:\windows\System32\Drivers\hxyvygdu.sys [?]
S3 ilspktjr;ilspktjr;\??\c:\windows\System32\Drivers\ilspktjr.sys --> c:\windows\System32\Drivers\ilspktjr.sys [?]
S3 itmwfzbp;itmwfzbp;\??\c:\windows\System32\Drivers\itmwfzbp.sys --> c:\windows\System32\Drivers\itmwfzbp.sys [?]
S3 jlxhpbra;jlxhpbra;\??\c:\windows\System32\Drivers\jlxhpbra.sys --> c:\windows\System32\Drivers\jlxhpbra.sys [?]
S3 lrnalaia;lrnalaia;\??\c:\windows\System32\Drivers\lrnalaia.sys --> c:\windows\System32\Drivers\lrnalaia.sys [?]
S3 mjtsjjec;mjtsjjec;\??\c:\windows\System32\Drivers\mjtsjjec.sys --> c:\windows\System32\Drivers\mjtsjjec.sys [?]
S3 movvszwn;movvszwn;\??\c:\windows\System32\Drivers\movvszwn.sys --> c:\windows\System32\Drivers\movvszwn.sys [?]
S3 rbcpzfvq;rbcpzfvq;\??\c:\windows\System32\Drivers\rbcpzfvq.sys --> c:\windows\System32\Drivers\rbcpzfvq.sys [?]
S3 rhbygyls;rhbygyls;\??\c:\windows\System32\Drivers\rhbygyls.sys --> c:\windows\System32\Drivers\rhbygyls.sys [?]
S3 rozykclg;rozykclg;\??\c:\windows\System32\Drivers\rozykclg.sys --> c:\windows\System32\Drivers\rozykclg.sys [?]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite 2009.SP4\RpcAgentSrv.exe [9/1/2009 5:06 AM 99176]
S3 sklbbvlm;sklbbvlm;\??\c:\windows\System32\Drivers\sklbbvlm.sys --> c:\windows\System32\Drivers\sklbbvlm.sys [?]
S3 sodfupmw;sodfupmw;\??\c:\windows\System32\Drivers\sodfupmw.sys --> c:\windows\System32\Drivers\sodfupmw.sys [?]
S3 sykmrzyv;sykmrzyv;\??\c:\windows\System32\Drivers\sykmrzyv.sys --> c:\windows\System32\Drivers\sykmrzyv.sys [?]
S3 vejvzgtu;vejvzgtu;\??\c:\windows\System32\Drivers\vejvzgtu.sys --> c:\windows\System32\Drivers\vejvzgtu.sys [?]
S3 vtatargm;vtatargm;\??\c:\windows\System32\Drivers\vtatargm.sys --> c:\windows\System32\Drivers\vtatargm.sys [?]
S3 vuvdwvab;vuvdwvab;\??\c:\windows\System32\Drivers\vuvdwvab.sys --> c:\windows\System32\Drivers\vuvdwvab.sys [?]
S3 wsmbiuxt;wsmbiuxt;\??\c:\windows\System32\Drivers\wsmbiuxt.sys --> c:\windows\System32\Drivers\wsmbiuxt.sys [?]
S3 xdjqmytg;xdjqmytg;\??\c:\windows\System32\Drivers\xdjqmytg.sys --> c:\windows\System32\Drivers\xdjqmytg.sys [?]
S3 XDva317;XDva317;\??\c:\windows\system32\XDva317.sys --> c:\windows\system32\XDva317.sys [?]
S3 xxbuupsu;xxbuupsu;\??\c:\windows\System32\Drivers\xxbuupsu.sys --> c:\windows\System32\Drivers\xxbuupsu.sys [?]
S3 yhhwdqni;yhhwdqni;\??\c:\windows\System32\Drivers\yhhwdqni.sys --> c:\windows\System32\Drivers\yhhwdqni.sys [?]
S3 zazzywip;zazzywip;\??\c:\windows\System32\Drivers\zazzywip.sys --> c:\windows\System32\Drivers\zazzywip.sys [?]
S3 zfqvubrz;zfqvubrz;\??\c:\windows\System32\Drivers\zfqvubrz.sys --> c:\windows\System32\Drivers\zfqvubrz.sys [?]
S3 zixwpukn;zixwpukn;\??\c:\windows\System32\Drivers\zixwpukn.sys --> c:\windows\System32\Drivers\zixwpukn.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-02-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 01:34]

2010-02-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-1614895754-725345543-1003Core.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-07 05:26]

2010-02-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-1614895754-725345543-1003UA.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-07 05:26]

2010-02-12 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 08:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\dmf2yz68.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\user\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-12 22:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2940)
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\wscntfy.exe
c:\program files\ShaPlus Bandwidth Meter\ShaPlus Bandwidth Meter.exe
c:\progra~1\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2010-02-12 22:58:08 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-12 11:58

Pre-Run: 18,528,808,960 bytes free
Post-Run: 18,383,257,600 bytes free

- - End Of File - - 74E9E78415D77331DC08B5E2002423EE
  • 0

#6
RKinner

    Malware Expert

  • Expert
  • 23,723 posts
  • MVP
Copy the text between the lines of stars by highlighting and Ctrl + c.

******************************************

KillAll::

DirLook::
c:\documents and settings\user\Application Data\Facebook
c:\documents and settings\user\Application Data\LolClient.F24C99354F615F3BAB18AE7B93E3F9B9E8784FA6.1

File::
c:\documents and settings\user\Application Data\Facebook\uninstall.exe
c:\windows\SDE556877.tmp
c:\documents and settings\user\vrajuw.exe
c:\documents and settings\user\Application Data\Facebook\axfbootloader.dll
c:\documents and settings\user\Application Data\Facebook\npfbplugin_1_0_1.dll
c:\windows\system32\wmipxty.exe
c:\windows\System32\Drivers\afvzzmbt.sys
c:\windows\System32\Drivers\bexbxgvr.sys
c:\windows\System32\Drivers\bezbcori.sys
c:\windows\System32\Drivers\bpghtdbp.sys
c:\windows\System32\Drivers\brlwjiex.sys
c:\windows\System32\Drivers\brwxarnp.sys
c:\windows\System32\Drivers\chacozfm.sys
c:\windows\System32\Drivers\difozbxn.sys
c:\windows\System32\Drivers\ekhronfb.sys
c:\windows\System32\Drivers\eqqbakzb.sys
c:\windows\System32\Drivers\fdeanuuf.sys
c:\windows\System32\Drivers\feaixipt.sys
c:\windows\System32\Drivers\fgijpnmm.sys
c:\windows\System32\Drivers\fhlllzcu.sys
c:\windows\System32\Drivers\fmwwyseb.sys
c:\windows\System32\Drivers\gdnvecwp.sys
c:\windows\System32\Drivers\gsbwgxre.sys
c:\windows\System32\Drivers\hphdaiix.sys
c:\windows\System32\Drivers\hxyvygdu.sys
c:\windows\System32\Drivers\ilspktjr.sys
c:\windows\System32\Drivers\itmwfzbp.sys
c:\windows\System32\Drivers\jlxhpbra.sys
c:\windows\System32\Drivers\lrnalaia.sys
c:\windows\System32\Drivers\mjtsjjec.sys
c:\windows\System32\Drivers\movvszwn.sys
c:\windows\System32\Drivers\rbcpzfvq.sys
c:\windows\System32\Drivers\rhbygyls.sys
c:\windows\System32\Drivers\rozykclg.sys
c:\windows\System32\Drivers\sklbbvlm.sys
c:\windows\System32\Drivers\sodfupmw.sys
c:\windows\System32\Drivers\sykmrzyv.sys
c:\windows\System32\Drivers\vejvzgtu.sys
c:\windows\System32\Drivers\vtatargm.sys
c:\windows\System32\Drivers\vuvdwvab.sys
c:\windows\System32\Drivers\wsmbiuxt.sys
c:\windows\System32\Drivers\xdjqmytg.sys
c:\windows\system32\XDva317.sys
c:\windows\System32\Drivers\xxbuupsu.sys
c:\windows\System32\Drivers\yhhwdqni.sys
c:\windows\System32\Drivers\zazzywip.sys
c:\windows\System32\Drivers\zfqvubrz.sys
c:\windows\System32\Drivers\zixwpukn.sys

Driver::
afvzzmbt
bexbxgvr
bezbcori
bpghtdbp
brlwjiex
brwxarnp
chacozfm
difozbxn
ekhronfb
eqqbakzb
fdeanuuf
feaixipt
fgijpnmm
fhlllzcu
fmwwyseb
gdnvecwp
gsbwgxre
hphdaiix
hxyvygdu
ilspktjr
itmwfzbp
jlxhpbra
lrnalaia
mjtsjjec
movvszwn
rbcpzfvq
rhbygyls
rozykclg
sklbbvlm
sodfupmw
sykmrzyv
vejvzgtu
vtatargm
vuvdwvab
wsmbiuxt
xdjqmytg
XDva317
xxbuupsu
yhhwdqni
zazzywip
zfqvubrz
zixwpukn

RootKit::
c:\windows\System32\Drivers\afvzzmbt.sys
c:\windows\System32\Drivers\bexbxgvr.sys
c:\windows\System32\Drivers\bezbcori.sys
c:\windows\System32\Drivers\bpghtdbp.sys
c:\windows\System32\Drivers\brlwjiex.sys
c:\windows\System32\Drivers\brwxarnp.sys
c:\windows\System32\Drivers\chacozfm.sys
c:\windows\System32\Drivers\difozbxn.sys
c:\windows\System32\Drivers\ekhronfb.sys
c:\windows\System32\Drivers\eqqbakzb.sys
c:\windows\System32\Drivers\fdeanuuf.sys
c:\windows\System32\Drivers\feaixipt.sys
c:\windows\System32\Drivers\fgijpnmm.sys
c:\windows\System32\Drivers\fhlllzcu.sys
c:\windows\System32\Drivers\fmwwyseb.sys
c:\windows\System32\Drivers\gdnvecwp.sys
c:\windows\System32\Drivers\gsbwgxre.sys
c:\windows\System32\Drivers\hphdaiix.sys
c:\windows\System32\Drivers\hxyvygdu.sys
c:\windows\System32\Drivers\ilspktjr.sys
c:\windows\System32\Drivers\itmwfzbp.sys
c:\windows\System32\Drivers\jlxhpbra.sys
c:\windows\System32\Drivers\lrnalaia.sys
c:\windows\System32\Drivers\mjtsjjec.sys
c:\windows\System32\Drivers\movvszwn.sys
c:\windows\System32\Drivers\rbcpzfvq.sys
c:\windows\System32\Drivers\rhbygyls.sys
c:\windows\System32\Drivers\rozykclg.sys
c:\windows\System32\Drivers\sklbbvlm.sys
c:\windows\System32\Drivers\sodfupmw.sys
c:\windows\System32\Drivers\sykmrzyv.sys
c:\windows\System32\Drivers\vejvzgtu.sys
c:\windows\System32\Drivers\vtatargm.sys
c:\windows\System32\Drivers\vuvdwvab.sys
c:\windows\System32\Drivers\wsmbiuxt.sys
c:\windows\System32\Drivers\xdjqmytg.sys
c:\windows\system32\XDva317.sys
c:\windows\System32\Drivers\xxbuupsu.sys
c:\windows\System32\Drivers\yhhwdqni.sys
c:\windows\System32\Drivers\zazzywip.sys
c:\windows\System32\Drivers\zfqvubrz.sys
c:\windows\System32\Drivers\zixwpukn.sys

******************************************

Now open notepad (Start, Run, notepad, OK) and Ctrl + V to paste the text into Notepad. Make sure you got it all then File, SAVE AS, (to your Desktop), CFScript , OK. Close notepad. (Overwrite the old one if it's still there.) You should see a file CFScript.txt on your desktop.

Drag it over to george and let it start as before.

Post the new log.

Now try OTL, GMER, and MBAM per the instructions. If they will run now please post the logs too.

Ron

Edited by RKinner, 13 February 2010 - 10:39 AM.

  • 0
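Added example, not from the thread or from ComboFix/Avenger themselves: a small Python triage over a constructed excerpt of the ComboFix log above, which picks out the same entries Ron carried into his CFScript: Find3M files carrying system/hidden attributes, S3 services whose image is shown as `[?]` (not found on disk), and Run values that load one of those flagged files. It then lays the results out as File::/Driver::/RootKit:: sections in the layout used in the thread; the section names and log line formats come from the posts, while the regexes and the flagging rules are my own assumptions.

```python
import re
from collections import namedtuple

# kind: "file" | "driver" | "autorun"; name: basename, service name or Run value name
Finding = namedtuple("Finding", "kind name path reason")

# Constructed excerpt modelled on the ComboFix log posted in this thread
# (a handful of lines, not the full log; paths copied from the post).
SAMPLE_LOG = r"""
2010-01-23 02:47 . 2010-01-23 02:47 39936 ---ha-w- c:\documents and settings\user\vrajuw.exe
2010-01-13 08:01 . 2010-01-13 08:01 209408 --sha-w- c:\windows\system32\wmipxty.exe
2009-10-01 13:34 . 2009-10-01 13:33 24 --sh--w- c:\windows\SDE556877.tmp
2009-12-03 05:14 . 2009-11-17 09:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
"MS Virtual CLS"="c:\windows\system32\wmipxty.exe" [2010-01-13 209408]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-11 2043160]
S3 afvzzmbt;afvzzmbt;\??\c:\windows\System32\Drivers\afvzzmbt.sys --> c:\windows\System32\Drivers\afvzzmbt.sys [?]
S3 XDva317;XDva317;\??\c:\windows\system32\XDva317.sys --> c:\windows\system32\XDva317.sys [?]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/1/2009 3:31 PM 108552]
"""

# "Files Created" / "Find3M" lines: two timestamps, size, 8-char attribute field, path.
# The attribute field is where ComboFix shows the s(ystem) and h(idden) bits.
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} +\S+ +([-a-z]{8}) +(.+)$")
# Registry Run values: "Name"="path" [date size]
RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)" \[([^\]]*)\]$')
# Driver/service lines: START name;description;image [info]; "[?]" means the
# image was not found on disk (typical of leftover randomly named drivers).
SVC_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?) \[([^\]]*)\]$")


def triage(log_text):
    """Return the log entries a helper would pull into a CFScript, with the reason."""
    findings = []
    flagged_paths = set()
    for line in log_text.splitlines():
        m = FILE_RE.match(line)
        if m:
            attrs, path = m.groups()
            if "s" in attrs or "h" in attrs:
                flagged_paths.add(path.lower())
                findings.append(Finding("file", path.rsplit("\\", 1)[-1], path,
                                        "system/hidden attributes " + attrs))
            continue
        m = SVC_RE.match(line)
        if m:
            _start, name, _desc, image, info = m.groups()
            disk_path = image.split(" --> ")[-1]
            if info == "?":
                findings.append(Finding("driver", name, disk_path,
                                        "service registered but image missing on disk"))
    # Second pass: correlate autostart entries with the files flagged above; this is
    # how "MS Virtual CLS" -> wmipxty.exe stands out among the legitimate Run values.
    for line in log_text.splitlines():
        m = RUN_RE.match(line)
        if m and m.group(2).lower() in flagged_paths:
            findings.append(Finding("autorun", m.group(1), m.group(2),
                                    "Run value loads a system/hidden file"))
    return findings


def cfscript(findings):
    """Render File::/Driver::/RootKit:: sections in the layout used in the thread."""
    files = [f.path for f in findings if f.kind == "file"]
    drivers = [f for f in findings if f.kind == "driver"]
    sections = []
    if files or drivers:
        sections.append("File::\n" + "\n".join(files + [d.path for d in drivers]))
    if drivers:
        sections.append("Driver::\n" + "\n".join(d.name for d in drivers))
        sections.append("RootKit::\n" + "\n".join(d.path for d in drivers))
    return "\n\n".join(sections) + "\n"


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-8s %-16s %s" % (f.kind, f.name, f.reason))
    print()
    print(cfscript(triage(SAMPLE_LOG)))
```

The `[?]` rule also picks up XDva317, exactly as Ron's script did; a helper would still check such an entry by hand, since a missing image only says the service is stale, not what installed it.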

#7
eendra69

    Member

  • Topic Starter
  • Member
  • 11 posts
Hi, Ron. This is the log from MBAM and GMER.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-15 21:29:33
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\user\LOCALS~1\Temp\kwloifod.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----

Malwarebytes' Anti-Malware 1.44
Database version: 3732
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

2/15/2010 8:29:18 PM
mbam-log-2010-02-15 (20-29-18).txt

Scan type: Quick Scan
Objects scanned: 108764
Time elapsed: 3 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  • 0

#8
RKinner

    Malware Expert

  • Expert
  • 23,723 posts
  • MVP
Still looking for the latest combofix log. Also will OTL run now?

Your AVG8 is obsolete. There is an AVG9 available but I suggest you get Avast! instead. It's free and better.
Download it at:
http://www.avast.com...avast-home.html
Then uninstall your old AVG8. (Run the AVG removal tool too:
http://download.avg..../avgremover.exe )

Then install Avast!


You do need to register but it's free. Once you install it, it will want to reboot and it will ask you if it should do a bootscan. Don't let it reboot yet but do tell it that you want the bootscan (but be warned it will take hours to complete and you will need to check back with it periodically to see if it found anything and needs you to tell it what to do).

At first you will get two balls in the systray. Right-click on the first one and it will allow you to merge it with the other ball. You can turn off the sound if you want to. Right-click on the ball, then Program Settings, then Sounds, and check or uncheck the box where it says Disable Avast Sounds. There will be a slight delay at boot as it scans your system for rootkits and memory-resident malware. If you find this delay objectionable you can disable rootkit scanning under Troubleshooting and the memory scan under General.


We need to clean up System Restore. Follow Jim's procedure here:
http://forum.aumha.o...581099691bf108f

Ron
  • 0
