
Virus(AntiVirus Pro 2010) [Closed]



#1
Bhattar
    New Member
  • Member
  • 1 posts
I got this virus/malware called AntiVirus Pro 2010, 2 days back. For the last 2 days I was trying to get rid of this virus and I was not successful. So far none of my antivirus tools (Malware, SpyAntiS/w, Hijackthis, Spybot&destroy) are running. So I tried the last option to run ComboFix and below is the log report. Please help
:)

Below is the log report

ComboFix 09-10-17.01 - Ramgopal 10/18/2009 19:38.1.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.811 [GMT -4:00]
Running from: C:\xxx.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\29534427
c:\documents and settings\All Users\Application Data\29534427\29534427.bat
c:\documents and settings\All Users\Application Data\29534427\29534427.exe
c:\documents and settings\All Users\Application Data\56016826
c:\documents and settings\All Users\Application Data\56016826\56016826.bat
c:\documents and settings\All Users\Application Data\56016826\56016826.exe
c:\documents and settings\All Users\Application Data\xonik.exe
c:\documents and settings\All Users\Documents\lihimoka.reg
c:\documents and settings\All Users\Microsoft Private Data
c:\documents and settings\All Users\Microsoft Private Data\Microsoft\t.id
c:\documents and settings\Athithi\Application Data\Microsoft\Internet Explorer\Quick Launch\Advanced Virus Remover.lnk
c:\documents and settings\Athithi\Desktop\Advanced Virus Remover.lnk
c:\documents and settings\Ramgopal\Application Data\iniasd.txt
c:\documents and settings\Ramgopal\Application Data\jazo.dl
c:\documents and settings\Ramgopal\Application Data\lizkavd.exe
c:\documents and settings\Ramgopal\Desktop\Security Tool.lnk
c:\documents and settings\Ramgopal\Desktop\Windows Police Pro.lnk
c:\documents and settings\Ramgopal\Local Settings\Application Data\jopili._sy
c:\documents and settings\Ramgopal\Local Settings\Temporary Internet Files\kuwi.scr
c:\documents and settings\Ramgopal\Local Settings\Temporary Internet Files\lipofelek.inf
c:\documents and settings\Ramgopal\Local Settings\Temporary Internet Files\osodinacec.dl
c:\documents and settings\Ramgopal\Local Settings\Temporary Internet Files\pakimahoj.lib
c:\documents and settings\Ramgopal\Local Settings\Temporary Internet Files\pukyvexagu.lib
c:\documents and settings\Ramgopal\Local Settings\Temporary Internet Files\yhubyn.ban
c:\documents and settings\Ramgopal\My Documents\ZbThumbnail.info
c:\documents and settings\Ramgopal\Start Menu\Advanced Virus Remover.lnk
c:\documents and settings\Ramgopal\Start Menu\Programs\Windows Police Pro
c:\documents and settings\Ramgopal\Start Menu\Programs\Windows Police Pro\Windows Police Pro.lnk
C:\p2hhr.bat
c:\program files\Common Files\jebi.dll
c:\program files\Common Files\onijuheq.com
c:\program files\Windows Police Pro
c:\windows\ejigidu.bin
c:\windows\Installer\29fc4.msi
c:\windows\Installer\29fca.msi
c:\windows\Installer\29fd0.msi
c:\windows\Installer\2b740.msp
c:\windows\Installer\2c6a1.msp
c:\windows\Installer\2c6a3.msp
c:\windows\Installer\4ccf1.msp
c:\windows\Installer\94c68d.msp
c:\windows\Installer\94c68e.msp
c:\windows\system32\_004031_.tmp.dll
c:\windows\system32\_004032_.tmp.dll
c:\windows\system32\_004033_.tmp.dll
c:\windows\system32\_004034_.tmp.dll
c:\windows\system32\_004041_.tmp.dll
c:\windows\system32\_004042_.tmp.dll
c:\windows\system32\_004043_.tmp.dll
c:\windows\system32\_004044_.tmp.dll
c:\windows\system32\_004045_.tmp.dll
c:\windows\system32\_004046_.tmp.dll
c:\windows\system32\_004047_.tmp.dll
c:\windows\system32\_004048_.tmp.dll
c:\windows\system32\_004049_.tmp.dll
c:\windows\system32\_004050_.tmp.dll
c:\windows\system32\_004051_.tmp.dll
c:\windows\system32\_004052_.tmp.dll
c:\windows\system32\_004053_.tmp.dll
c:\windows\system32\_004054_.tmp.dll
c:\windows\system32\_004055_.tmp.dll
c:\windows\system32\_004057_.tmp.dll
c:\windows\system32\_004060_.tmp.dll
c:\windows\system32\_004061_.tmp.dll
c:\windows\system32\_004065_.tmp.dll
c:\windows\system32\_004066_.tmp.dll
c:\windows\system32\_004067_.tmp.dll
c:\windows\system32\_004068_.tmp.dll
c:\windows\system32\_004069_.tmp.dll
c:\windows\system32\_004070_.tmp.dll
c:\windows\system32\_004071_.tmp.dll
c:\windows\system32\_004073_.tmp.dll
c:\windows\system32\_004074_.tmp.dll
c:\windows\system32\_004075_.tmp.dll
c:\windows\system32\_004076_.tmp.dll
c:\windows\system32\_004077_.tmp.dll
c:\windows\system32\_004078_.tmp.dll
c:\windows\system32\_004079_.tmp.dll
c:\windows\system32\_004080_.tmp.dll
c:\windows\system32\_004081_.tmp.dll
c:\windows\system32\_004082_.tmp.dll
c:\windows\system32\_004083_.tmp.dll
c:\windows\system32\_004084_.tmp.dll
c:\windows\system32\_004087_.tmp.dll
c:\windows\system32\_004088_.tmp.dll
c:\windows\system32\_004089_.tmp.dll
c:\windows\system32\_004091_.tmp.dll
c:\windows\system32\_004092_.tmp.dll
c:\windows\system32\_004093_.tmp.dll
c:\windows\system32\_004094_.tmp.dll
c:\windows\system32\_004096_.tmp.dll
c:\windows\system32\_004099_.tmp.dll
c:\windows\system32\_004100_.tmp.dll
c:\windows\system32\_004104_.tmp.dll
c:\windows\system32\_004105_.tmp.dll
c:\windows\system32\_004107_.tmp.dll
c:\windows\system32\_004110_.tmp.dll
c:\windows\system32\_004112_.tmp.dll
c:\windows\system32\_004113_.tmp.dll
c:\windows\system32\_004114_.tmp.dll
c:\windows\system32\_004115_.tmp.dll
c:\windows\system32\_004118_.tmp.dll
c:\windows\system32\_004119_.tmp.dll
c:\windows\system32\_004120_.tmp.dll
c:\windows\system32\_004121_.tmp.dll
c:\windows\system32\_004122_.tmp.dll
c:\windows\system32\_004127_.tmp.dll
c:\windows\system32\_004129_.tmp.dll
c:\windows\system32\_scui.cpl
c:\windows\system32\~.exe
c:\windows\system32\18467.exe
c:\windows\SYSTEM32\41.exe
c:\windows\system32\aseqowido.reg
c:\windows\system32\awfxrktx.ini
c:\windows\system32\bezuyiza.dll
c:\windows\system32\buyoziyi.dll
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro\Windows Antivirus Pro.lnk
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Police Pro
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Police Pro\Windows Police Pro.lnk
c:\windows\system32\critical_warning.html
c:\windows\system32\drivers\gasfkyxhdkupva.sys
c:\windows\system32\femigegi.dll
c:\windows\system32\gasfkyduvalylk.dll
c:\windows\system32\gasfkymmfcsfjw.dll
c:\windows\system32\gasfkysrnkuhyo.dat
c:\windows\system32\gasfkytingkjuj.dll
c:\windows\system32\gasfkytubrtemc.dat
c:\windows\system32\hjgruiexmpxxou.dat
c:\windows\system32\hjgruimbsvhkfg.dat
c:\windows\system32\huzivewe.dll
c:\windows\system32\lesugeti.dll
c:\windows\system32\lokuzoju.dll
c:\windows\system32\pidokobo.dll
c:\windows\system32\rereketi.dll
c:\windows\system32\sodukup.vbs
c:\windows\system32\tanovivo.dll
c:\windows\system32\test.ttt
c:\windows\system32\vavosiwo.dll
c:\windows\system32\winhelper.dll
c:\windows\system32\winupdate.exe
c:\windows\system32\yvgtakpl.ini
c:\windows\system32\zif6k0.dll
c:\windows\wiaserviv.log
c:\windows\win32k.sys
c:\windows\xako.bat

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\eventlog.dll

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\i386\PROQUOTA.EXE

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_gasfkyfowqyppp


((((((((((((((((((((((((( Files Created from 2009-09-19 to 2009-10-19 )))))))))))))))))))))))))))))))
.

2009-10-18 23:50 . 2004-08-04 11:00 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-18 23:15 . 2009-10-18 23:15 3367094 ----a-r- C:\xxx.exe
2009-10-18 22:49 . 2009-10-18 23:19 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-10-18 22:45 . 2009-10-18 22:45 -------- d-----w- c:\windows\system32\drivers\NSS
2009-10-18 22:45 . 2009-10-18 22:45 -------- d-----w- c:\program files\Norton Security Scan
2009-10-18 22:45 . 2009-10-18 22:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-10-18 22:45 . 2009-10-18 22:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-10-18 22:45 . 2009-10-18 22:45 -------- d-----w- c:\program files\NortonInstaller
2009-10-18 22:45 . 2009-10-18 22:45 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-10-18 22:30 . 2008-06-19 21:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-10-18 22:30 . 2009-10-18 22:30 -------- d-----w- c:\program files\Panda Security
2009-10-18 22:30 . 2009-10-18 22:30 -------- d-----w- c:\windows\LastGood.Tmp
2009-10-18 13:58 . 2009-10-18 13:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-10-18 13:42 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-18 13:42 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-18 13:21 . 2009-10-18 13:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-18 12:48 . 2009-10-18 12:48 -------- d-----w- c:\documents and settings\Ramgopal\Local Settings\Application Data\Threat Expert
2009-10-18 02:30 . 2009-10-18 02:34 -------- d-----w- c:\program files\Trend Micro
2009-10-18 01:56 . 2009-10-18 01:56 49475640 ----a-w- C:\Norman_Malware_Cleaner.exe
2009-10-18 01:33 . 2009-10-18 01:33 34101624 ----a-w- C:\sdsetup_aff.exe
2009-10-17 22:53 . 2009-10-18 15:53 -------- d-----w- c:\program files\Spyware Doctor
2009-10-17 22:50 . 2009-10-17 22:53 18610984 ----a-w- C:\6.1.0.448b-sdrevenue-asetup-AVP.exe
2009-10-17 22:46 . 2009-10-18 12:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware-RAM
2009-10-17 22:26 . 2009-10-18 02:38 -------- d-----w- c:\program files\Angle Interactive
2009-10-17 22:26 . 2009-10-17 22:26 -------- d-----w- C:\ProgramData
2009-10-17 18:02 . 2009-10-17 18:02 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\BVRP Software
2009-10-17 17:55 . 2009-10-17 17:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\TextPad
2009-10-17 15:45 . 2009-10-17 15:45 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-10-17 14:59 . 2009-10-18 14:38 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-15 01:40 . 2009-10-15 01:40 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2009-10-15 01:40 . 2009-10-15 01:40 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-10-15 01:32 . 2009-10-15 01:32 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-10-15 01:20 . 2009-10-15 01:20 -------- d-sh--w- c:\documents and settings\Athithi\PrivacIE
2009-10-15 01:09 . 2009-10-15 01:09 -------- d-sh--w- c:\documents and settings\Athithi\IETldCache
2009-10-14 14:10 . 2009-10-14 14:10 24064 ----a-w- C:\lyqr.exe
2009-10-14 14:10 . 2009-10-14 14:10 9216 ----a-w- C:\svhkapw.exe
2009-09-24 02:46 . 2009-09-24 02:46 -------- d-----w- C:\spoolerlogs
2009-09-22 05:05 . 2009-09-22 05:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-09-22 05:05 . 2009-09-22 05:05 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-18 23:46 . 2009-08-16 02:51 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-17 22:51 . 2009-07-21 01:03 -------- d-----w- c:\documents and settings\Ramgopal\Application Data\GetRightToGo
2009-09-24 16:30 . 2008-12-23 03:01 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-27 16:37 . 2004-06-24 06:16 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-08-16 12:55 . 2008-12-23 03:01 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-16 12:55 . 2008-12-23 03:01 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-16 12:55 . 2008-12-23 03:01 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-07-27 00:14 . 2005-02-09 01:33 54248 ----a-w- c:\documents and settings\Ramgopal\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2004-03-11 21:11 . 2004-03-11 21:11 995042 ----a-w- c:\program files\VS6sp6B3.cab
2004-03-11 21:11 . 2004-03-11 21:11 25080 ----a-w- c:\program files\sp698vbo.inf
2004-03-11 21:11 . 2004-03-11 21:11 10010624 ----a-w- c:\program files\VS6sp6B2.cab
2004-03-11 21:10 . 2004-03-11 21:10 9036800 ----a-w- c:\program files\VS6sp6B1.cab
2004-03-11 21:08 . 2004-03-11 21:08 55791 ------w- c:\program files\sp698vbo.stf
2004-03-11 21:08 . 2004-03-11 21:08 1636 ------w- c:\program files\setupsp6.lst
2004-03-11 19:01 . 2004-03-11 19:01 989512 ----a-w- c:\program files\vbrun60.cab
2004-03-11 02:39 . 2004-03-11 02:39 60699 ----a-w- c:\program files\msstdfmt.cab
2004-03-11 02:39 . 2004-03-11 02:39 37721 ----a-w- c:\program files\MSBind.CAB
2004-03-09 21:45 . 2004-03-09 21:45 397072 ----a-w- c:\program files\mswless.ocx
2004-03-09 21:45 . 2004-03-09 21:45 107008 ----a-w- c:\program files\msscript.ocx
2004-02-24 01:35 . 2004-02-24 01:35 3027068 ----a-w- c:\program files\msvbvm60.dbg
2004-02-18 01:56 . 2004-02-18 01:56 110080 ------w- c:\program files\sp698vbo.dll
2004-02-11 22:36 . 2004-02-11 22:36 6308 ------w- c:\program files\readme.htm
2003-01-14 19:58 . 2003-01-14 19:58 487481 ----a-w- c:\program files\jscript.dll
2003-01-14 19:58 . 2003-01-14 19:58 438330 ----a-w- c:\program files\vbscript.dll
2001-03-30 16:54 . 2001-03-30 16:54 149 ------w- c:\program files\setup.ini
2000-11-29 20:34 . 2000-11-29 20:34 4291 ------w- c:\program files\toc.htm
2000-07-15 19:43 . 2000-07-15 19:43 84 ------w- c:\program files\setup.tdf
2000-07-15 19:10 . 2000-07-15 19:10 26896 ----a-w- c:\program files\dispex.dll
2000-06-13 17:47 . 2000-06-13 17:47 2718 ------w- c:\program files\redist.txt
2000-06-13 15:33 . 2000-06-13 15:33 2482 ----a-w- c:\program files\mswless.dep
2000-06-13 15:29 . 2000-06-13 15:29 74352 ------w- c:\program files\setupsp6.exe
2000-06-13 15:29 . 2000-06-13 15:29 371200 ------w- c:\program files\acmsetup.exe
2000-06-13 15:29 . 2000-06-13 15:29 32256 ------w- c:\program files\selfreg.dll
2000-06-13 15:29 . 2000-06-13 15:29 283136 ------w- c:\program files\mssetup.dll
2000-06-13 15:29 . 2000-06-13 15:29 14490 ------w- c:\program files\acmsetup.hlp
2000-05-31 20:39 . 2000-05-31 20:39 22815 ----a-w- c:\program files\mscdrun.cab
2000-05-31 20:39 . 2000-05-31 20:39 62411 ----a-w- c:\program files\MSDERUN.CAB
2000-05-23 18:43 . 2000-05-23 18:43 47533 ----a-w- c:\program files\PicClp32.CAB
2000-05-23 18:43 . 2000-05-23 18:43 428304 ----a-w- c:\program files\Oleaut.cab
2000-05-23 18:43 . 2000-05-23 18:43 204656 ----a-w- c:\program files\MSHFlxGd.CAB
2000-05-23 18:43 . 2000-05-23 18:43 86616 ----a-w- c:\program files\Msrdc20.cab
2000-05-23 18:43 . 2000-05-23 18:43 86666 ----a-w- c:\program files\MSMask32.CAB
2000-05-23 18:43 . 2000-05-23 18:43 114278 ----a-w- c:\program files\MSDatLst.CAB
2000-05-23 18:43 . 2000-05-23 18:43 447654 ----a-w- c:\program files\MSChrt20.CAB
2000-05-23 18:43 . 2000-05-23 18:43 239354 ----a-w- c:\program files\comctl32.cab
2000-04-12 18:00 . 2000-04-12 18:00 485280 ----a-w- c:\program files\oleaut32.dbg
2009-07-18 15:29 . 2009-07-18 15:29 1114518 --sha-w- c:\windows\SYSTEM32\dijoromo.exe
2009-07-18 02:28 . 2009-07-18 02:28 53248 --sha-w- c:\windows\SYSTEM32\domemaha.dll
2009-07-14 14:11 . 2009-07-14 14:11 1078818 --sha-w- c:\windows\SYSTEM32\gurupifa.exe
2009-07-17 14:28 . 2009-07-17 14:28 1088034 --sha-w- c:\windows\SYSTEM32\jahamure.exe
2009-07-17 14:28 . 2009-07-17 14:28 24576 --sha-w- c:\windows\SYSTEM32\nakonaze.exe
2009-07-17 14:28 . 2009-07-17 14:28 1079842 --sha-w- c:\windows\SYSTEM32\suluyeba.exe
2009-07-14 14:11 . 2009-07-14 14:11 191496 --sha-w- c:\windows\SYSTEM32\vepiteji.exe
2009-07-14 14:11 . 2009-07-14 14:11 1085986 --sha-w- c:\windows\SYSTEM32\vihusaro.exe
2009-07-18 02:28 . 2009-07-18 02:28 1080354 --sha-w- c:\windows\SYSTEM32\vopeside.exe
2009-07-18 02:29 . 2009-07-18 02:29 53248 --sha-w- c:\windows\SYSTEM32\yujetata.dll
2009-07-17 14:28 . 2009-07-17 14:28 193544 --sha-w- c:\windows\SYSTEM32\zevihami.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{284e84f6-8bbe-422b-a870-ff25c5fe15b0}]
2009-07-18 02:29 53248 --sha-w- c:\windows\SYSTEM32\yujetata.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-09-02 15:58 1107200 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-06-21 1207080]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2006-12-01 4662776]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-29 39408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-27 1998576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2004-05-22 221184]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-02-02 98304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-17 2025752]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-06-27 198160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]
"RunNarrator"="Narrator.exe" - c:\windows\SYSTEM32\narrator.exe [2004-08-12 53760]

c:\documents and settings\Ramgopal\Start Menu\Programs\Startup\
Yahoo! Widget Engine.lnk - c:\program files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe [2007-5-4 2913840]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{A5949E07-8536-4625-A3D0-2DD83F559990}"= "c:\windows\system32\ShellHook.dll" [2007-02-11 46080]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-12 20:18 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-16 12:55 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=c:\windows\pss\ymetray.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\Ramgopal\\Application Data\\SopCast\\adv\\SopAdver.exe"=
"c:\\WINDOWS\\SYSTEM32\\FTP.EXE"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Mercury Interactive\\QuickTest Professional\\bin\\AQTRmtAgent.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\win32app\\exceed\\exceed.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
"c:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\WINDOWS\\SYSTEM32\\wuauclt.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"135:TCP"= 135:TCP:DCOM
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [12/22/2008 11:01 PM 108552]
S0 pavboot;pavboot;c:\windows\SYSTEM32\DRIVERS\pavboot.sys [10/18/2009 6:30 PM 28544]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [12/22/2008 11:01 PM 335240]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 4:06 PM 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [12/22/2008 11:01 PM 908056]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [12/22/2008 11:01 PM 297752]
S2 cizigcbonfmq;cizigcbonfmq;\??\c:\windows\system32\drivers\tkhooll.sys --> c:\windows\system32\drivers\tkhooll.sys [?]
S2 iueszt;iueszt;\??\c:\windows\system32\drivers\cupqtarqwfqu.sys --> c:\windows\system32\drivers\cupqtarqwfqu.sys [?]
S2 LogWatch;Event Log Watch;c:\program files\CA\SharedComponents\CA_LIC\LogWatNT.exe [5/20/2008 8:19 PM 75016]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [10/1/2008 1:19 AM 203280]
S2 paldrv;paldrv;c:\windows\SYSTEM32\pal_drv.sys [11/2/2008 8:06 PM 11107]
S2 wmpavkue;wmpavkue;\??\c:\windows\system32\drivers\pbgnikgoykn.sys --> c:\windows\system32\drivers\pbgnikgoykn.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-10-18 c:\windows\Tasks\Norton Security Scan for Ramgopal.job
- c:\program files\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2009-10-18 22:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?.home=msgr
uDefault_Search_URL = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/
mSearch Bar = hxxp://www.google.com/
mSearchMigratedDefaultURL = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchURL = hxxp://www.google.com/
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

BHO-{2a7ec8c4-5c9f-42c2-8b89-0c855290918b} - (no file)
BHO-{4a733e50-1a98-47bc-821e-d75e331b4c72} - (no file)
BHO-{B108FEBA-8A5E-4B38-BEE4-DA0D4AFDDD1A} - (no file)
BHO-{BCA16298-E531-49F6-B1FF-13113C778594} - (no file)
BHO-{fd17eeef-96e9-47d1-821e-d9fb74f0436e} - (no file)
WebBrowser-{472734EA-242A-422B-ADF8-83D1E48CC825} - (no file)
HKLM-Run-56016826 - c:\documents and settings\All Users\Application Data\56016826\56016826.exe
HKLM-Run-29534427 - c:\documents and settings\All Users\Application Data\29534427\29534427.exe
HKLM-Run-medeyukog - c:\windows\system32\bezuyiza.dll
HKLM-Run-tejawohede - lesugeti.dll
HKU-Default-Run-Advanced Virus Remover - c:\program files\AdvancedVirusRemover\PAVRM.exe
SharedTaskScheduler-{7d9407e8-3f85-40a8-a4d9-e511afad6f55} - c:\windows\system32\bezuyiza.dll
SSODL-vilogerob-{7d9407e8-3f85-40a8-a4d9-e511afad6f55} - c:\windows\system32\bezuyiza.dll
Notify-opnlLDvw - (no file)
AddRemove-DVD Label Maker - c:\program files\ImageMixer CD Label Maker\uisurvey.exe
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-18 20:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\gasfkyfowqyppp]
"imagepath"="\systemroot\system32\drivers\gasfkyxhdkupva.sys"
--

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\hjgruisasebwdf]
"imagepath"="\systemroot\system32\drivers\hjgruivxuirrxw.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-576152255-2740768814-1175737874-1006\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\ActiveSync]
"Name"="ActiveSync"
"DisplayName"="Microsoft ActiveSync"
"Param1"="ActiveSync"
"Type"="wellknown"
"Order"=dword:00000000
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-576152255-2740768814-1175737874-1006\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\IESettings]
"Name"="IESettings"
"Type"="IESettings"
"Order"=dword:00000003
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-576152255-2740768814-1175737874-1006\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\MediaFiles]
"Name"="MediaFiles"
"Type"="MediaFiles"
"Order"=dword:00000002
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-576152255-2740768814-1175737874-1006\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\NPW]
"Name"="NPW"
"Param1"="NPW"
"Type"="wellknown"
"Order"=dword:00000001
"State"=dword:0000000b

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\gasfkyfowqyppp]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\gasfkyxhdkupva.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\hjgruisasebwdf]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\hjgruivxuirrxw.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(564)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2012)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll
c:\windows\system32\browselc.dll
.
------------------------ Other Running Processes ------------------------
.
c:\xxx\CF30630.exe
.
**************************************************************************
.
Completion time: 2009-10-19 20:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-19 00:19

Pre-Run: 5,548,797,952 bytes free
Post-Run: 5,885,378,560 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

493 --- E O F --- 2009-07-14 07:03

Edited by Bhattar, 18 October 2009 - 06:56 PM.



#2
chamber
    Face Burnin' Malware Fighter
  • Visiting Consultant
  • 2,712 posts
Hi,

1) CFScript

Open notepad and copy/paste the text in the quotebox below into it:

http://www.geekstogo.com/forum/VirusAntiVirus-Pro-2010-t255929.html

Collect::
C:\lyqr.exe
C:\svhkapw.exe
c:\windows\SYSTEM32\dijoromo.exe
c:\windows\SYSTEM32\domemaha.dll
c:\windows\SYSTEM32\gurupifa.exe
c:\windows\SYSTEM32\jahamure.exe
c:\windows\SYSTEM32\nakonaze.exe
c:\windows\SYSTEM32\suluyeba.exe
c:\windows\SYSTEM32\vepiteji.exe
c:\windows\SYSTEM32\vihusaro.exe
c:\windows\SYSTEM32\vopeside.exe
c:\windows\SYSTEM32\yujetata.dll
c:\windows\SYSTEM32\zevihami.exe
c:\windows\system32\drivers\tkhooll.sys
c:\windows\system32\drivers\cupqtarqwfqu.sys
c:\windows\system32\drivers\pbgnikgoykn.sys

Folder::

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{284e84f6-8bbe-422b-a870-ff25c5fe15b0}]
[-HKEY_LOCAL_MACHINE\System\ControlSet005\Services\gasfkyfowqyppp]
[-HKEY_LOCAL_MACHINE\System\ControlSet005\Services\hjgruisasebwdf]

Driver::
cizigcbonfmq
iueszt
wmpavkue

RegLockDel::
[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\gasfkyfowqyppp]
[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\hjgruisasebwdf]

KillAll::

Save this as CFScript.txt


Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box; do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

2) DDS

Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.
---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt

Please attach the second file; Attach.txt. To attach a file, do the following:
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post

In your reply I would like to see copied and pasted,

1) ComboFix log
2) DDS logs

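The Collect:: and Driver:: sections of the CFScript above were built by reading two things off the ComboFix log in post #1: SYSTEM32 files carrying the system and hidden attributes (the `--sha-w-` flag column) and services whose image path ComboFix printed as `... --> ... [?]`, meaning it could not find or verify the file. As an added example, not code from this thread, from Geeks to Go or from ComboFix, here is a small Python parser that extracts exactly those entries from a log and emits them in the CFScript syntax used above. The regular expressions are my own reading of the line formats visible in the log, not a documented ComboFix specification, and the sample lines are copied from the log in this thread. It reproduces the attribute-based picks only; the two root-level executables the helper added to Collect:: were an analyst's judgement call and are not flagged by these rules.

```python
"""ComboFix log triage (added example; not part of the thread or of ComboFix).

Extracts two kinds of entries from a ComboFix log:
  * file lines whose attribute column carries both 's' (system) and 'h'
    (hidden), e.g. "--sha-w-", as printed in the Find3M section;
  * service/driver lines whose image path ComboFix marked "[?]", i.e.
    "<path> --> <path> [?]", as printed in the Drivers/Services section.
It then prints them as Collect:: and Driver:: sections in CFScript syntax.
The regexes are an assumption about ComboFix's line format, derived from
the log in this thread rather than from any specification.
"""
import re

# File line: "<created> . <modified> <size|--------> <8 attribute flags> <path>"
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-dsharw]{8}) (?P<path>.+)$"
)

# Service line: "<R0-R4|S0-S4> <name>;<display name>;<image path> [<stamp>]"
SERVICE_LINE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$"
)

# Sample lines copied from the ComboFix log posted above (constructed input).
SAMPLE_LOG = r"""
2009-10-18 23:15 . 2009-10-18 23:15 3367094 ----a-r- C:\xxx.exe
2009-10-17 15:45 . 2009-10-17 15:45 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-07-18 02:28 . 2009-07-18 02:28 53248 --sha-w- c:\windows\SYSTEM32\domemaha.dll
2009-07-18 02:29 . 2009-07-18 02:29 53248 --sha-w- c:\windows\SYSTEM32\yujetata.dll
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [12/22/2008 11:01 PM 108552]
S2 cizigcbonfmq;cizigcbonfmq;\??\c:\windows\system32\drivers\tkhooll.sys --> c:\windows\system32\drivers\tkhooll.sys [?]
S2 paldrv;paldrv;c:\windows\SYSTEM32\pal_drv.sys [11/2/2008 8:06 PM 11107]
S2 wmpavkue;wmpavkue;\??\c:\windows\system32\drivers\pbgnikgoykn.sys --> c:\windows\system32\drivers\pbgnikgoykn.sys [?]
"""


def parse_file_entries(log_text):
    """Return one dict per file/directory line; 'attrs' is the 8-char flag field."""
    entries = []
    for line in log_text.splitlines():
        m = FILE_LINE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def hidden_system_files(log_text):
    """Paths of non-directory entries flagged both system ('s') and hidden ('h').

    Directories (flag column starting with 'd') are skipped: Internet Explorer
    keeps legitimate hidden+system cache folders such as IETldCache.
    """
    out = []
    for e in parse_file_entries(log_text):
        attrs = e["attrs"]
        if attrs[0] != "d" and "s" in attrs and "h" in attrs:
            out.append(e["path"])
    return out


def unverifiable_services(log_text):
    """Service names whose image path ComboFix marked '[?]' (file absent/unverifiable)."""
    out = []
    for line in log_text.splitlines():
        m = SERVICE_LINE.match(line.strip())
        if m and m.group("rest").rstrip().endswith("[?]"):
            out.append(m.group("name"))
    return out


def build_cfscript(log_text):
    """Assemble Collect:: and Driver:: sections in the CFScript syntax used above."""
    lines = ["Collect::"] + hidden_system_files(log_text) + [""]
    lines += ["Driver::"] + unverifiable_services(log_text) + [""]
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_cfscript(SAMPLE_LOG))
```

Run it on a saved ComboFix log (read the file and pass its text to `build_cfscript`) and the output is a starting point for the analyst to review, which matches how the script in this thread was assembled: the attribute and `[?]` rules only surface candidates, and the decision of what to collect or remove still rests with the person reading the whole log.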

#3
chamber
    Face Burnin' Malware Fighter
  • Visiting Consultant
  • 2,712 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.