HELP! I think my computer is infected

BullGuard Antivirus Forum > Virus Removal > Removal Help > HELP! I think my computer is infected

Forum Quick Jump

[ << Previous Thread | Next Thread >> ]

wordonthestreet2006
New Member

Date Joined Nov 2008
Total Posts : 5

Posted 11-28-2008 11:57 (GMT +1)

have no idea bout computers, how they run, or what to do when they don't but PLEASE can some one helpme.

Yesterday I turned on my PC, I have had it for 4 years and it's always been great, on start up, as son as I got to the windows screen I got a message saying error loading c:/windows/system32/pipibuju.dll I ignored it (I didn't know what it meant) and waited for my pc t load. It took ages....

Then when I clicked on my home page, another tab opened with it and then another and then another. The first one had cowresti.com in the address bar: the second one had zustaurs.com and the third one had gallimp.com. I was unable to close them at all and they all froze, as white screens, as did my home page.

As a bit of history, my Norton Anti virus had run out two days before and on the advice of a friend, I installed AVG. When I ran a scan it said I had a trojan horse SHeur2. EGl.

I then installed XsoftspySE and ran it. I was told I had 912 infections and repaired them. My computer is running so slow. I can't access the web (Much) I've managed to get on here but I have 9 other windows open all cowresti, zustaurs, gallimp and now a new one registery defender.com

I have no idea what to do. I had no problems with Norton, I just didn't have the money to renew so went with AVG. Since this happened I have uninstalled AVG and installed avast antivirus.

I love my machine. I have loads of stuff on there that I can't bear to lose. My husband and daughter are disabled and I am their carer. My computer is my little bit of down time and I'm so upset.

I'd be really grateful if someone can help me, but you'll have to explain in !!!!!s terms what I can do, if anything.

MAny thanks for taking the time to read my plea.

Touch
Forum Moderator

Date Joined Jun 2004
Total Posts : 14325

Posted 11-29-2008 5:01 (GMT +1)

Hello

It sounds like You´ve got some vundo infections, therefore ->

Download this program: http://www.ctrlaltdel.dk/Fix_download.exe

and save it on the desktop. Then double click on it (Fix_download.exe).

You may have to allow the program to download files from the web!

The program download the necessary cleaning programs. Once the program
is downloaded, there will be a folder on your desktop named
Fix. – if the instructions not automatically opens, so
double-click "FIX_manual.htm" in Fix folder.

Please follow the instructions and copy the logs here, in this Topic.

Note : Fix_download.exe is detected by some antivirus programs as a "RiskTool" /infection; it is not a virus. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

If necessary, temporarily disable your anti-virus, real-time protection before downloading

Do NOT post your problem in someone elses thread.

Member of - Alliance of Security Analysis Professionals

A non-profit, volunteer network.

wordonthestreet2006
New Member

Date Joined Nov 2008
Total Posts : 5

Posted 11-29-2008 12:15 (GMT +1)

None of this means anything to me, but I think this is what you asked for:

ComboFix 08-11-28.03 - Jo 2008-11-29 10:56:54.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.459 [GMT 0:00]
Running from: d:\documents and settings\Jo\Desktop\FIX\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\patchw32.dll
c:\windows\pw32a.dll
c:\windows\Temp\tmp3.tmp
d:\documents and settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
d:\documents and settings\Jo\Application Data\inst.exe
d:\documents and settings\Jo\Desktop\Download programs.url
d:\documents and settings\Jo\Desktop\Translator.url
d:\documents and settings\Jo\Desktop\Videos.url
d:\documents and settings\Jo\Favorites\Download programs.url
d:\documents and settings\Jo\Favorites\Translator.url
d:\documents and settings\Jo\Start Menu\Programs\Download programs.url
d:\documents and settings\Jo\Start Menu\Programs\Games.url
d:\documents and settings\Jo\Start Menu\Programs\Translator.url
d:\documents and settings\Jo\Start Menu\Programs\Videos.url
d:\documents and settings\Lee\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML

.
((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-29 )))))))))))))))))))))))))))))))
.

2008-11-28 23:39 . 2008-11-29 11:01 4,096 --ahs---- C:\VSNAP.IDX
2008-11-28 22:19 . 2008-11-28 22:19 <DIR> d-------- d:\documents and settings\Jo\Application Data\Malwarebytes
2008-11-28 22:18 . 2008-11-28 22:18 <DIR> d-------- d:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-28 22:18 . 2008-11-28 22:19 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-28 22:18 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-28 22:18 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-28 21:09 . 2008-11-28 21:09 10,344 --a------ c:\windows\system32\drivers\symlcbrd.sys
2008-11-28 21:08 . 2008-11-28 21:08 <DIR> d-------- c:\program files\Symantec
2008-11-28 21:08 . 2008-11-28 21:36 <DIR> d-------- c:\program files\Norton Save and Restore
2008-11-28 21:08 . 2006-03-04 04:52 636,568 -r------- c:\windows\system32\NSRSte.dll
2008-11-28 12:27 . 2008-11-28 12:27 <DIR> d-------- d:\documents and settings\All Users\Application Data\Avg8
2008-11-28 10:22 . 2008-11-28 10:22 <DIR> d-------- c:\program files\Alwil Software
2008-11-27 23:20 . 2008-11-27 23:20 <DIR> d-------- c:\program files\NoAdware
2008-11-27 20:59 . 2008-11-27 21:17 <DIR> d-------- c:\program files\XoftSpySE
2008-11-22 23:46 . 2008-11-22 23:46 <DIR> d-------- c:\windows\LMIDF.tmp
2008-11-12 20:12 . 2008-10-24 11:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 20:08 . 2008-09-04 17:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-29 11:01 --------- d-----w d:\documents and settings\All Users\Application Data\Kontiki
2008-11-29 10:51 --------- d-----w c:\program files\MSN Messenger
2008-11-28 22:08 --------- d-----w d:\documents and settings\All Users\Application Data\Symantec
2008-11-28 22:02 21,440 ----a-w d:\documents and settings\Jo\Application Data\wklnhst.dat
2008-11-28 21:09 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-27 23:31 --------- d-----w d:\documents and settings\All Users\Application Data\STOPzilla!
2008-11-27 23:02 --------- d-----w c:\program files\NCH Swift Sound
2008-11-27 20:01 --------- d--h--r d:\documents and settings\Jo\Application Data\yahoo!
2008-11-27 20:01 --------- d-----w d:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-11-27 20:01 --------- d-----w d:\documents and settings\All Users\Application Data\Yahoo!
2008-11-27 20:01 --------- d-----w c:\program files\Yahoo!
2008-11-24 22:01 --------- d---a-w d:\documents and settings\All Users\Application Data\TEMP
2008-11-22 14:12 --------- d-----w d:\documents and settings\Jo\Application Data\Any Video Converter
2008-11-18 19:00 --------- d-----w d:\documents and settings\All Users\Application Data\UDL
2008-11-09 09:39 --------- d-----w d:\documents and settings\Jo\Application Data\Smilebox
2008-11-02 18:45 --------- d-----w d:\documents and settings\All Users\Application Data\NCH Swift Sound
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-02-03 00:30 47,360 ----a-w d:\documents and settings\Jo\Application Data\pcouffin.sys
2007-07-16 21:26 904 ----a-w d:\documents and settings\Jo\DMOrganizer.dat
2007-05-22 20:20 25,990,392 -c--a-w c:\program files\FLV PlayerRCSetup.exe
2007-05-22 20:20 2,874,926 -c--a-w c:\program files\FLV PlayerRCATSetup.exe
2006-10-03 01:43 2,402,550 -c--a-w c:\windows\inf\SET17B.tmp
2006-10-03 01:43 2,402,550 -c----w c:\windows\inf\SET46B.tmp
2004-08-10 13:00 1,431,144 -c--a-w c:\windows\inf\SET4E4.tmp
2004-08-10 13:00 1,431,144 -c--a-w c:\windows\inf\SET1EE.tmp
2007-03-09 07:12 27,648 -csha-w c:\windows\system32\AVSredirect.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\tbFre1.dll" [2008-08-20 1569304]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
2008-08-20 20:27 1569304 --a------ c:\program files\Freecorder\tbFre1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\tbFre1.dll" [2008-08-20 1569304]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= "c:\program files\Freecorder\tbFre1.dll" [2008-08-20 1569304]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Creative Live! Cam Manager"="c:\program files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe" [2006-05-31 143360]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]
"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-10-17 171448]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2006-12-01 4687352]
"SmileboxTray"="d:\documents and settings\Jo\Application Data\Smilebox\SmileboxTray.exe" [2008-10-16 254600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-04-27 7573504]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-04-27 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Vade Retro Outlook Express"="c:\progra~1\GOTOSO~1\VADERE~1\Vaderetro_oe.exe" [2004-10-04 310272]
"DetectorApp"="c:\program files\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe" [2005-10-20 102400]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 196608]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 155648]
"PDF4 Registry Controller"="c:\program files\ScanSoft\PDF Converter 4\\RegistryController.exe" [2006-08-22 40960]
"AVFX Engine"="c:\program files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-06-09 24576]
"V0230Mon.exe"="c:\windows\system32\V0230Mon.exe" [2006-07-19 36961]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 159744]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 583048]
"SSC Service Utility"="c:\program files\SSC Service Utility\ssc_serv.exe" [2007-10-09 665600]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-02-24 185896]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-12-02 52896]
"Norton Save and Restore"="c:\program files\Norton Save and Restore\Agent\NSRTray.exe" [2007-03-26 1582696]
"SMSERIAL"="sm56hlpr.exe" [2005-10-18 c:\windows\sm56hlpr.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-18 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
"nwiz"="nwiz.exe" [2006-04-27 c:\windows\system32\nwiz.exe]
"MacrokeyManager"="WTMKM.exe" [2007-05-29 c:\windows\system32\WTMKM.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
2006-01-30 07:53 49152 c:\apps\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= vdrcodec.dll
"msacm.iac2"= c:\progra~1\REPLAY~1\iac25_32.ax
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"msacm.mpegacm"= mpegacm.acm
"msacm.ulmp3acm"= ulmp3acm.acm
"VIDC.MJPG"= Pvmjpg21.dll
"VIDC.PIM1"= pclepim1.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 11:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmileboxTray]
--a------ 2008-10-16 08:22 254600 d:\documents and settings\Jo\Application Data\Smilebox\SmileboxTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-12-01 04:21 4687352 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YahooMessenger]
--a------ 2006-12-01 04:21 4687352 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%ProgramFiles%\\AOL 9.0\\aol.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\logo_ubi.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\pandora.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\WINDOWS\\kdx\\KHost.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"c:\\Program Files\\KService\\KService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\SightSpeed\\SightSpeed.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Sonic\\DigitalMedia LE v7\\MyDVD LE\\DetectorApp.exe"=
"c:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe"=
"c:\\WINDOWS\\ehome\\ehtray.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-28 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-11-28 20560]
R2 Norton Save and Restore;Norton Save and Restore;c:\program files\Norton Save and Restore\Agent\VProSvc.exe [2006-03-03 2111080]
R2 WTService;WTService;c:\windows\system32\atwtusb.exe [2008-03-10 360096]
S3 V0230Vfx;V0230Vfx;c:\windows\system32\DRIVERS\V0230Vfx.sys [2007-01-16 6272]
S3 V0230VID;Live! Cam Video IM Pro;c:\windows\system32\DRIVERS\V0230VID.sys [2007-01-16 498464]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23349b30-6ef5-11dd-b54c-001617ce86fe}]
\Shell\AutoRun\command - F:\ImageViewer.exe
.
Contents of the 'Scheduled Tasks' folder

2008-09-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-11-29 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2008-11-28 c:\windows\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
- c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2005-09-27 01:01]

2008-11-28 c:\windows\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
- d:\documents and settings\Jo\My Documents [2008-11-28 23:37]

2007-03-23 c:\windows\Tasks\HubTask 1 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
- c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2005-09-27 01:01]

2007-03-24 c:\windows\Tasks\HubTask 2 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
- c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2005-09-27 01:01]

2008-11-29 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe [2008-11-26 20:11]

2008-11-27 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE\XoftSpy.exe [2008-11-26 20:11]
.
- - - - ORPHANS REMOVED - - - -

BHO-{03735fc7-b1a6-4956-acd3-c24bf41d8621} - (no file)
Toolbar-SITEguard - (no file)
HKLM-Run-OmniPass - c:\apps\Softex\OmniPass\scureapp.exe
HKLM-Run-zikumagofo - c:\windows\system32\pipibuju.dll
HKLM-Run-RegistryMechanic - (no file)

.
------- Supplementary Scan -------
.
FireFox -: Profile - d:\documents and settings\Jo\Application Data\Mozilla\Firefox\Profiles\fygs5rjj.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.zerourl.com/en/index.php?rvs=hompag
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-29 11:03:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1032)
c:\apps\Softex\OmniPass\opxpgina.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\DeviceService\DevSvc.exe
c:\program files\Common Files\Authentium\AntiVirus\dvpapi.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\CA\PPRT\bin\ITMRTSVC.exe
c:\program files\Kontiki\KService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\apps\Softex\OmniPass\OmniServ.exe
c:\program files\Raxco\PerfectDisk\PDAgent.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
c:\windows\ehome\mcrdsvc.exe
c:\apps\Softex\OmniPass\OPXPApp.exe
c:\windows\system32\dllhost.exe
c:\program files\Raxco\PerfectDisk\PDEngine.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Common Files\Teleca Shared\CapabilityManager.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\program files\Common Files\Teleca Shared\Generic.exe
.
**************************************************************************
.
Completion time: 2008-11-29 11:11:58 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-29 11:10:39

Pre-Run: 8,617,803,776 bytes free
Post-Run: 8,903,475,200 bytes free

285 --- E O F --- 2008-11-12 21:39:08

wordonthestreet2006
New Member

Date Joined Nov 2008
Total Posts : 5

Posted 11-29-2008 12:16 (GMT +1)

Touch
Forum Moderator

Date Joined Jun 2004
Total Posts : 14325

Posted 11-29-2008 1:55 (GMT +1)

It is

How are things running now ?

Do NOT post your problem in someone elses thread.

Member of - Alliance of Security Analysis Professionals

A non-profit, volunteer network.

wordonthestreet2006
New Member

Date Joined Nov 2008
Total Posts : 5

Posted 11-29-2008 3:00 (GMT +1)

It's running ok, part from when I start the computer. I still get the message "Error loading c:\windows\system32\pipibuju.dll and whenever I do a system scan it keeps coming up with new infections.
Here is the latest log:

Malwarebytes' Anti-Malware 1.30
Database version: 1433
Windows 5.1.2600 Service Pack 3

29/11/2008 13:48:46
mbam-log-2008-11-29 (13-48-46).txt

Scan type: Full Scan (C:\|D:\|E:\|L:\|M:\|)
Objects scanned: 217556
Time elapsed: 1 hour(s), 52 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 24

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-f3embed (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP460\A0123769.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP460\A0123799.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP460\A0123720.scr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP460\A0123752.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP460\A0123753.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP460\A0123755.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP460\A0123759.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP460\A0123760.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP460\A0123762.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP460\A0123765.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP460\A0123766.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP460\A0123770.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP460\A0123771.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP460\A0123772.EXE (Adware.MyWeb.FunWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP460\A0123773.DLL (Adware.MyWeb.FunWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP460\A0123774.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP460\A0123775.SCR (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP460\A0123776.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP460\A0123777.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP460\A0123778.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP460\A0123781.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP460\A0123782.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP466\A0127206.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP466\A0127207.dll (Adware.MyWeb.FunWeb) -> Quarantined and deleted successfully.

Touch
Forum Moderator

Date Joined Jun 2004
Total Posts : 14325

Posted 11-29-2008 5:35 (GMT +1)

Ok.

To completely and immediately remove any infected file or files in the data store, turn off and then turn on System Restore. To do so, follow these steps:
System Restore

Please post new hijackthis log

Do NOT post your problem in someone elses thread.

Member of - Alliance of Security Analysis Professionals

A non-profit, volunteer network.

wordonthestreet2006
New Member

Date Joined Nov 2008
Total Posts : 5

Posted 11-29-2008 11:06 (GMT +1)

My PC wont do a system restore. I tried that, but it does seem to be running great now, in fact faster than ever. I'm hoping that it's sorted. If not I'll be back LOL

Thanks for all the advice so far. :-)

Touch
Forum Moderator

Date Joined Jun 2004
Total Posts : 14325

Posted 11-30-2008 5:10 (GMT +1)

My pleasure smile

If your computer problems are solved, it is time for the clean-up procedure. Download this file and save it on desktop as FIX_removal.exe

http://www.ctrlaltdel.dk/FIX_removal.exe

Double click FIX_removal.exe and follow the instructions - this will remove the programs that you have used during the cleaning process. Once the program is finished, reboot your computer to finalise the clean-up procedure.

I also suggest you read Tony Klein´s article :

So_how_did_I_get_infected_in_the_first_place.html

Do NOT post your problem in someone elses thread.

Member of - Alliance of Security Analysis Professionals

A non-profit, volunteer network.

wordonthestreet2006
New Member

Date Joined Nov 2008
Total Posts : 5

Posted 11-30-2008 12:41 (GMT +1)

Thanks I've done that. Fingers crossed all systems are go.
I read Tony Klein's article and all it did was confuse me LOL but I think I'm secure now.
Thanks again

Touch
Forum Moderator

Date Joined Jun 2004
Total Posts : 14325

Posted 11-30-2008 5:34 (GMT +1)

Great

Since this issue appears to be resolved ... this Topic has been closed.

If you need this topic reopened, please contact Me with the address of the thread.
Thank you !

Do NOT post your problem in someone elses thread.

Member of - Alliance of Security Analysis Professionals

A non-profit, volunteer network.

Forum Information

Currently it is Friday, January 09, 2009 3:16 AM (GMT +1)
There are a total of 65.964 posts in 16.185 threads.
In the last 3 days there were 23 new threads and 96 reply posts. View Active Threads