i_am_stuck

This one has really got me stuck guys.

Summary: All my anti-spyware programs have been disabled by virus or spyware. My machine is running slow and even when I go into safe mode, none of the anti-spyware programs work.

OS: XP Home Edition Version 2002 Service Pack 3

WHAT I have tried so far?
- ComboFix.exe (ran this program and I am not sure it did anything)
- Win32Diag.exe (I have a report from this program available as well)
- attempted to install malwarebytes from cd but no luck, as soon as I install it is attacked somehow and it does not run

Has anyone faced this before? How do I get out of this mess? Please help!
thanks!

Ried

Kindly follow the instructions in our sticky topic New Instructions - Read This Before Posting for Malware Removal Help and post the requested logs in your next reply.


**Please note this section of the forum is very busy, so be sure to familiarize yourself with the Bumping Rules also found in our sticky topic mentioned above. One of our Analysts will review your log as soon as possible.

Also - when reading our sticky topic, pay special attention to Post #2 in that thread regarding the use of ComboFix.

i_am_stuck

Hi,
Sorry for initial post. I didn't know the rules. Now I think I have gotten it correct.

Here is the DDS.txt file and I have added attach.zip as well to this post. Please let me know how I should proceed. Thanks.


DDS (Ver_09-10-26.01) - NTFSx86
Run by umansu at 6:16:39.54 on Fri 11/06/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.674 [GMT -8:00]

AV: Norton AntiVirus *On-access scanning disabled* (Outdated) {B5510F6F-87E1-47F7-A411-360BC453007C}
FW: Norton Internet Security *disabled* {825036E0-9F94-4752-8789-8B92454AF49B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\WINDOWS\system32\LVComsX.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Documents and Settings\umansu\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mURLSearchHooks: H - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~3\SDHelper.dll
TB: Web assistant: {0b53eac3-8d69-4b9e-9b19-a37c9a5676a7} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [LogitechSoftwareUpdate] "c:\program files\logitech\video\ManifestEngine.exe" boot
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy4\TeaTimer.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRunOnce: [Spybot - Search & Destroy] "c:\program files\spybot - search & destroy4\SpybotSD.exe" /autocheck
dRun: [Symantec NetDriver Warning] c:\progra~1\symnet~1\SNDWarn.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~3\SDHelper.dll
Trusted Zone: aol.com\free
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.srtest.com/srl_bin/sysreqlab3.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190856969937
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://sdlc-esd.sun.com/ESD39/JSCDL/jdk/6u5b/jinstall-6u5-windows-i586-jc.cab?AuthParam=1205591671_40aead00358afe8cea46a2d069d58f5b&GroupName=JSC&BHost=javadl.sun.com&FilePath=/ESD39/JSCDL/jdk/6u5b/jinstall-6u5-windows-i586-jc.cab&File=jinstall-6u5-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
TCP: {00CB86B9-C0EC-439C-8A64-F88BDCA48D20} = 77.74.48.113
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

S1 xjviixnv;xjviixnv;\??\c:\windows\system32\drivers\xjviixnv.sys --> c:\windows\system32\drivers\xjviixnv.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" --> c:\program files\lavasoft\ad-aware\AAWService.exe [?]

=============== Created Last 30 ================

2009-11-05 15:27:24 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-05 15:27:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-05 15:27:22 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-04 06:33:48 60416 ----a-w- c:\windows\system32\godobovo.dll
2009-11-02 14:34:32 0 d-----w- c:\program files\Spybot - Search & Destroy4
2009-11-02 13:24:17 0 d--h--w- c:\windows\PIF
2009-11-02 00:56:43 85504 ----a-w- c:\temp\Inherit.exe
2009-11-01 21:04:55 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-01 19:40:34 54272 ----a-w- c:\windows\system32\jopisado.dll
2009-11-01 19:38:48 39424 ----a-w- c:\windows\system32\buvujano.dll
2009-11-01 19:32:25 0 d-sha-r- C:\cmdcons
2009-11-01 18:53:37 77312 ----a-w- c:\windows\MBR.exe
2009-11-01 18:53:36 98816 ----a-w- c:\windows\sed.exe
2009-11-01 18:53:36 236544 ----a-w- c:\windows\PEV.exe
2009-11-01 18:53:36 161792 ----a-w- c:\windows\SWREG.exe
2009-10-28 16:22:19 2184 ----a-w- c:\windows\system32\wpa.dbl
2009-10-28 16:22:16 0 ----a-r- c:\windows\win32k.sys

==================== Find3M ====================

2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-08-28 10:28:59 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-28 10:28:59 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-08-27 05:18:44 634648 ------w- c:\windows\system32\dllcache\iexplore.exe
2009-08-27 05:18:41 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 08:00:21 247326 ------w- c:\windows\system32\dllcache\strmdll.dll
2009-08-13 15:16:05 512000 ------w- c:\windows\system32\dllcache\jscript.dll
2008-11-19 20:46:38 18521 ----a-w- c:\program files\common files\piqo.com
2008-11-19 20:46:38 13465 ----a-w- c:\program files\common files\ocegogy.dat
2008-11-19 20:46:38 10535 ----a-w- c:\program files\common files\ekipopo.bin
2006-11-24 02:08:59 182 --sha-r- c:\windows\Regbak.dat
2009-08-01 19:48:36 45056 --sha-w- c:\windows\system32\difebebu.dll
2009-07-28 13:08:24 91648 --sha-w- c:\windows\system32\fivajubu.dll
2009-07-28 13:08:24 1051168 --sha-w- c:\windows\system32\ramegige.exe
2009-08-04 14:54:10 3 --sha-w- c:\windows\system32\yihaguta.dll
2009-07-28 13:08:25 39424 --sha-w- c:\windows\system32\zabinose.dll

============= FINISH: 6:17:26.87 ===============

Attached Files

attach.zip (4.9 KB, 0 views)

Ried

Thanks, i_am_stuck. I'll need to see the ComboFix.txt that was produced. You'll find it at C:\ComboFix.txt