Old 12-05-2008, 09:39 PM   #1 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 5
OS: XP sp3


Infected with mimoyibi.dll, muvetuvo.dll,gitalobo.dll, all started with tivivapi.dll

System: Windows XP SP3

Current problem:
When I run the System Configuration Utility (SCU), I see suspicious “Rundll32.exe” running

C:\WINDOWS\system32\mimoyibi.dll
C:\WINDOWS\system32\muvetuvo.dll
C:\WINDOWS\system32\gitalobo.dll

When I uncheck these lines in SCU and reboot, the processes reappear in SCU.

IE runs slowly, often non-responsive, cannot connect to some sites. Long booting and often “Windows is shutting down …” does not complete.

Several times I had “Avast! Warning, File name: C:\WINDOWS\SYSTEM32\KUJAKURI.DLL, Win32:Trojan-gen {Other}, Malware type: Virus/Worm, VPS version: 081204-0, 12/04/2008”.

This is how it started:

The problem started when I downloaded an executable from what I thought was a trusted site, ran the file to install software and it started downloading some strange links (a lot of regrets I’ve done it). First I was getting two error windows during the reboot: rundll errors “Windows cannot find tivivapi.dll” and “Windows cannot find jumovasi.dll”. This problem somehow disappeared (and the current problems appeared). Even though anti-spyware scans were finding Trojans and seemingly fixing them, the problems and errors reappeared after each reboot.

DDS (Version 1.0) - NTFSx86
Run by Administrator at 21:51:48.04 on Thu 12/04/2008
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.459 [GMT -8:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\CameraAssistant.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\System Recovery\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {5CA3D70E-1895-11CF-8E15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
BHO: {AE7CD045-E861-484f-8273-0445EE161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: {d513cef2-7fe9-44a6-bc7c-56ba4a5a15f7} - c:\windows\system32\royomuya.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [LogitechSoftwareUpdate] "c:\program files\logitech\video\ManifestEngine.exe" boot
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\HOMERunner.exe"
uRun: [swg] c:\program files\google\googletoolbarnotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
uRun: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\RegistryBooster.exe /S
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [ToolBoxFX] "c:\program files\hp\toolboxfx\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [LogitechCameraAssistant] c:\program files\logitech\video\CameraAssistant.exe
mRun: [LogitechVideo[inspector]] c:\program files\logitech\video\InstallHelper.exe /inspect
mRun: [LogitechCameraService(E)] c:\windows\system32\ElkCtrl.exe /automation
mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UpdaterUI.exe" /StartedFromRunKey
mRun: [Network Associates Error Reporting Service] "c:\program files\common files\network associates\talkback\TBMon.exe"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [vesesaroli] Rundll32.exe "c:\windows\system32\mimoyibi.dll",s
mRun: [640e5c82] rundll32.exe "c:\windows\system32\muvetuvo.dll",b
mRun: [CPM673d6f1e] Rundll32.exe "c:\windows\system32\gitalobo.dll",a
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\wordweb.lnk - c:\program files\wordweb\wweb32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\windows\system32\nonabefa.dll c:\windows\system32\balinoto.dll c:\windows\system32\gitalobo.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\gitalobo.dll
STS: {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\gitalobo.dll
SEH: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - c:\progra~1\window~4\MpShHook.dll
LSA: Notification Packages = scecli c:\windows\system32\balinoto.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-3 111184]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-11-3 20560]
R3 HPFXBULK;HPFXBULK;c:\windows\system32\drivers\hpfxbulk.sys [2008-8-15 9344]

=============== Created Last 30 ================

2008-12-04 21:18 250 a------- c:\windows\gmer.ini
2008-12-04 15:00 1,430,057 ---sh--- c:\windows\system32\ovutevum.ini
2008-12-03 23:18 1,387,472 ---sh--- c:\windows\system32\amiritip.ini
2008-12-03 11:18 1,387,472 ---sh--- c:\windows\system32\obeyisak.ini
2008-12-02 23:18 1,355,518 ---sh--- c:\windows\system32\erikatih.ini
2008-12-02 11:18 1,355,509 ---sh--- c:\windows\system32\isabegif.ini
2008-12-01 23:17 1,333,214 ---sh--- c:\windows\system32\irukajuk.ini
2008-11-30 11:17 1,296,258 ---sh--- c:\windows\system32\awefulit.ini
2008-11-30 01:19 <DIR> --d----- c:\windows\pss
2008-11-30 00:42 <DIR> --d----- c:\docume~1\admini~1\applic~1\Uniblue
2008-11-29 02:07 <DIR> --d----- c:\program files\FixTunes
2008-11-29 01:45 <DIR> --d----- c:\program files\FlashGet
2008-11-28 16:54 <DIR> --d----- c:\program files\Zortam Mp3 Media Studio
2008-11-28 16:19 <DIR> --d----- c:\program files\TagScanner
2008-11-27 13:22 107,368 a------- c:\windows\system32\GEARAspi.dll
2008-11-27 13:22 15,464 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2008-11-27 13:22 <DIR> --d----- c:\program files\iPod
2008-11-27 13:22 <DIR> --d----- c:\program files\iTunes
2008-11-27 13:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-27 13:21 <DIR> --d----- c:\program files\Bonjour
2008-11-24 23:20 10,368 a------- c:\windows\system32\drivers\pfc.sys
2008-11-24 23:20 <DIR> --d----- c:\program files\MemoriesOnTV4
2008-11-12 09:50 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 09:49 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll

==================== Find3M ====================

2008-12-04 15:00 65,589 a--sh--- c:\windows\system32\worukehe.dll
2008-12-04 15:00 92,725 a--sh--- c:\windows\system32\gitalobo.dll
2008-12-04 15:00 87,093 a--sh--- c:\windows\system32\muvetuvo.dll
2008-12-03 23:18 94,261 a--sh--- c:\windows\system32\pirabumo.dll
2008-12-03 23:18 85,557 a--sh--- c:\windows\system32\pitirima.dll
2008-12-03 11:18 64,565 a--sh--- c:\windows\system32\wuwijaba.dll
2008-12-03 11:18 94,261 a--sh--- c:\windows\system32\sapayuse.dll
2008-12-02 23:18 93,749 a--sh--- c:\windows\system32\jedevihi.dll
2008-12-02 11:17 93,749 a--sh--- c:\windows\system32\vadihihe.dll
2008-12-01 23:17 65,076 a--sh--- c:\windows\system32\tozujozo.dll
2008-12-01 23:17 86,580 a--sh--- c:\windows\system32\kujakuri.dll
2008-12-01 23:17 93,748 a--sh--- c:\windows\system32\zijodope.dll
2008-11-30 10:32 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-11-10 13:23 <DIR> --d----- c:\docume~1\admini~1\applic~1\ZoomBrowser EX
2008-10-19 09:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\TomTom
2008-10-19 09:25 <DIR> --d----- c:\program files\TomTom HOME 2
2008-10-19 09:21 <DIR> --d----- c:\docume~1\admini~1\applic~1\TomTom
2008-10-17 00:01 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2008-10-17 00:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-10-16 22:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Lavasoft
2008-10-16 22:50 <DIR> --d----- c:\program files\Lavasoft
2008-10-16 22:49 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-21 17:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ZoomBrowser
2008-09-15 04:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-09-09 17:14 1,307,648 -------- c:\windows\system32\msxml6.dll
2008-08-15 22:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Network Associates
2008-09-04 15:00 65,589 a--sh--- c:\windows\system32\balinoto.dll
2008-09-04 15:00 65,589 a--sh--- c:\windows\system32\mimoyibi.dll
2008-09-04 15:00 65,589 a--sh--- c:\windows\system32\royomuya.dll

============= FINISH: 21:54:15.96 ===============
Attached Files
File Type: txt Attach.txt (14.9 KB, 1 views)
File Type: txt Gmer.txt (68.1 KB, 1 views)
ashkel is offline  
Old 12-06-2008, 06:04 AM   #2 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 23,238
OS: N/A


Re: Infected with mimoyibi.dll, muvetuvo.dll,gitalobo.dll, all started with tivivapi.

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Post the log from ComboFix when you've accomplished that.
sUBs is offline  
Old 12-06-2008, 11:53 AM   #3 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 5
OS: XP sp3


Re: Infected with mimoyibi.dll, muvetuvo.dll,gitalobo.dll, all started with tivivapi.

Thank you for looking into my problems. Attached is the requested log file


ComboFix 08-12-06.03 - Administrator 2008-12-06 11:14:25.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.284 [GMT -8:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\amiritip.ini
c:\windows\system32\awefulit.ini
c:\windows\system32\drivers\fad.sys
c:\windows\system32\erikatih.ini
c:\windows\system32\feyavezi.dll
c:\windows\system32\fikitiku.dll
c:\windows\system32\gitalobo.dll
c:\windows\system32\hirisaki.dll
c:\windows\system32\hukodare.dll
c:\windows\system32\irukajuk.ini
c:\windows\system32\isabegif.ini
c:\windows\system32\izevayef.ini
c:\windows\system32\jedevihi.dll
c:\windows\system32\kesibahi.dll
c:\windows\system32\muvetuvo.dll
c:\windows\system32\obeyisak.ini
c:\windows\system32\ovutevum.ini
c:\windows\system32\pirabumo.dll
c:\windows\system32\pitirima.dll
c:\windows\system32\povisema.dll
c:\windows\system32\radayogu.dll
c:\windows\system32\sapayuse.dll
c:\windows\system32\sikizela.dll
c:\windows\system32\tozujozo.dll
c:\windows\system32\ugoyadar.ini
c:\windows\system32\ukitikif.ini
c:\windows\system32\vadihihe.dll
c:\windows\system32\wilubore.dll
c:\windows\system32\worukehe.dll
c:\windows\system32\wuwijaba.dll
c:\windows\system32\zenimoru.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 )))))))))))))))))))))))))))))))
.

2008-12-04 21:18 . 2008-12-04 21:27 250 --a------ c:\windows\gmer.ini
2008-11-30 00:42 . 2008-11-30 00:42 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Uniblue
2008-11-29 02:07 . 2008-11-30 10:32 <DIR> d-------- c:\program files\FixTunes
2008-11-29 01:45 . 2008-11-29 01:45 <DIR> d-------- c:\program files\Google
2008-11-29 01:45 . 2008-11-30 10:32 <DIR> d-------- c:\program files\FlashGet
2008-11-28 16:54 . 2008-11-30 00:23 <DIR> d-------- c:\program files\Zortam Mp3 Media Studio
2008-11-28 16:19 . 2008-11-28 16:19 <DIR> d-------- c:\program files\TagScanner
2008-11-27 13:23 . 2008-11-27 13:23 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Apple Computer
2008-11-27 13:22 . 2008-11-27 13:22 <DIR> d-------- c:\program files\iTunes
2008-11-27 13:22 . 2008-11-27 13:22 <DIR> d-------- c:\program files\iPod
2008-11-27 13:22 . 2008-11-27 13:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-27 13:22 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2008-11-27 13:22 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2008-11-27 13:21 . 2008-11-27 13:21 <DIR> d-------- c:\program files\Bonjour
2008-11-27 13:20 . 2008-11-27 13:22 <DIR> d----c--- c:\windows\system32\DRVSTORE
2008-11-27 13:20 . 2008-11-27 13:21 <DIR> d-------- c:\program files\QuickTime
2008-11-27 13:20 . 2008-11-27 13:20 <DIR> d-------- c:\program files\Apple Software Update
2008-11-27 13:20 . 2008-11-27 13:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-27 13:19 . 2008-11-27 13:22 <DIR> d-------- c:\program files\Common Files\Apple
2008-11-27 13:19 . 2008-11-27 13:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-11-24 23:20 . 2008-11-24 23:39 <DIR> d-------- c:\program files\MemoriesOnTV4
2008-11-24 23:20 . 2006-10-02 12:38 10,368 --a------ c:\windows\system32\drivers\pfc.sys
2008-11-12 09:50 . 2008-10-24 03:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 09:49 . 2008-09-04 09:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 19:22 --------- d-----w c:\documents and settings\Administrator\Application Data\Skype
2008-12-06 19:20 0 ----a-w c:\windows\system32\drivers\lvuvc.hs
2008-12-06 18:55 --------- d-----w c:\documents and settings\Administrator\Application Data\U3
2008-12-06 17:42 --------- d-----w c:\documents and settings\Administrator\Application Data\skypePM
2008-11-30 18:32 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-11-30 07:55 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-13 05:38 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-10 21:23 --------- d-----w c:\documents and settings\Administrator\Application Data\ZoomBrowser EX
2008-11-04 02:43 --------- d-----w c:\program files\Alwil Software
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 16:48 --------- d-----w c:\documents and settings\NetworkService\Application Data\Skype
2008-10-23 00:10 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-23 00:10 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-10-19 17:31 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-19 17:29 --------- d-----w c:\documents and settings\All Users\Application Data\TomTom
2008-10-19 17:25 --------- d-----w c:\program files\TomTom HOME 2
2008-10-19 17:21 --------- d-----w c:\documents and settings\Administrator\Application Data\TomTom
2008-10-18 22:16 --------- d-----w c:\program files\Windows Defender
2008-10-17 20:25 --------- d-----w c:\documents and settings\NetworkService\Application Data\AdobeUM
2008-10-17 08:01 --------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-10-17 08:00 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-17 06:51 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-10-17 06:50 --------- d-----w c:\program files\Lavasoft
2008-10-17 06:49 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 22:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 22:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-01 00:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-01-18 196608]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-29 21755688]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" [2008-09-26 206184]
"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-11-29 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2002-06-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2002-06-19 114688]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2006-02-02 45056]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-09-01 221184]
"LogitechCameraAssistant"="c:\program files\Logitech\Video\CameraAssistant.exe" [2005-09-07 434176]
"LogitechVideo[inspector]"="c:\program files\Logitech\Video\InstallHelper.exe" [2005-09-07 05:39 73728]
"LogitechCameraService(E)"="c:\windows\system32\ElkCtrl.exe" [2004-11-01 262144]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 147514]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2006-04-06 49152]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-03-16 127037]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 c:\windows\BCMSMMSG.exe]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
WordWeb.lnk - c:\program files\WordWeb\wweb32.exe [2008-08-15 42168]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2008-08-15 25214]
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2008-08-16 1528880]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-03 111184]
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2008-08-15 58048]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-11-03 20560]
R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4b28aae7-9e02-11dd-8e47-000874b6ea95}]
\Shell\AutoRun\command - G:\InstallTomTomHOME.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-11-30 c:\windows\Tasks\At1.job
- c:\windows\system32\7Jv5vJhh.exe []

2008-12-03 c:\windows\Tasks\At10.job
- c:\windows\system32\7Jv5vJhh.exe []

2008-12-06 c:\windows\Tasks\At11.job
- c:\windows\system32\7Jv5vJhh.exe []

2008-12-06 c:\windows\Tasks\At12.job
- c:\windows\system32\7Jv5vJhh.exe []

2008-12-03 c:\windows\Tasks\At13.job
- c:\windows\system32\7Jv5vJhh.exe []

2008-12-03 c:\windows\Tasks\At14.job
- c:\windows\system32\7Jv5vJhh.exe []

2008-12-03 c:\windows\Tasks\At15.job
- c:\windows\system32\7Jv5vJhh.exe []

2008-12-04 c:\windows\Tasks\At16.job
- c:\windows\system32\7Jv5vJhh.exe []

2008-12-04 c:\windows\Tasks\At17.job
- c:\windows\system32\7Jv5vJhh.exe []

2008-12-04 c:\windows\Tasks\At18.job
- c:\windows\system32\7Jv5vJhh.exe []

2008-12-04 c:\windows\Tasks\At19.job
- c:\windows\system32\7Jv5vJhh.exe []

2008-11-30 c:\windows\Tasks\At2.job
- c:\windows\system32\7Jv5vJhh.exe []

2008-12-06 c:\windows\Tasks\At20.job
- c:\windows\system32\7Jv5vJhh.exe []

2008-12-06 c:\windows\Tasks\At21.job
- c:\windows\system32\7Jv5vJhh.exe []

2008-12-06 c:\windows\Tasks\At22.job
- c:\windows\system32\7Jv5vJhh.exe []

2008-12-06 c:\windows\Tasks\At23.job
- c:\windows\system32\7Jv5vJhh.exe []

2008-12-06 c:\windows\Tasks\At24.job
- c:\windows\system32\7Jv5vJhh.exe []

2008-11-29 c:\windows\Tasks\At3.job
- c:\windows\system32\7Jv5vJhh.exe []

2008-10-17 c:\windows\Tasks\At4.job
- c:\windows\system32\7Jv5vJhh.exe []

2008-10-17 c:\windows\Tasks\At5.job
- c:\windows\system32\7Jv5vJhh.exe []

2008-10-17 c:\windows\Tasks\At6.job
- c:\windows\system32\7Jv5vJhh.exe []

2008-10-17 c:\windows\Tasks\At7.job
- c:\windows\system32\7Jv5vJhh.exe []

2008-12-05 c:\windows\Tasks\At8.job
- c:\windows\system32\7Jv5vJhh.exe []

2008-12-05 c:\windows\Tasks\At9.job
- c:\windows\system32\7Jv5vJhh.exe []

2008-12-06 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
- - - - ORPHANS REMOVED - - - -

BHO-{d513cef2-7fe9-44a6-bc7c-56ba4a5a15f7} - c:\windows\system32\zenimoru.dll
HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-06 11:20:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1072)
c:\windows\system32\EntApi.dll

- - - - - - - > 'explorer.exe'(7900)
c:\program files\Common Files\Logitech\LVMVFM\LVPrcInj.dll
c:\windows\system32\EntApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Logitech\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\Network Associates\VirusScan\Mcshield.exe
c:\program files\Network Associates\VirusScan\VsTskMgr.exe
c:\progra~1\NETWOR~1\COMMON~1\naPrdMgr.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\Alwil Software\Avast4\Setup\avast.setup
.
**************************************************************************
.
Completion time: 2008-12-06 11:25:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-06 19:25:24

Pre-Run: 456,126,844,928 bytes free
Post-Run: 456,690,311,168 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

270 --- E O F --- 2008-11-27 17:20:32
Attached Files
File Type: txt log.txt (15.5 KB, 1 views)

Last edited by sUBs; 12-06-2008 at 11:56 AM.
ashkel is offline  
Old 12-06-2008, 11:59 AM   #4 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 23,238
OS: N/A


Re: Infected with mimoyibi.dll, muvetuvo.dll,gitalobo.dll, all started with tivivapi.

This requires your immediate intervention. I notice that you have more than one anti-virus program on your machine (AVG & Symantec). That's not a good idea!!

This messes up the machine pretty badly. Like firewalls, anti-virus programs have conflicts co-existing with each other & may produce undesirable results. Please uninstall ALL, leaving only one of them.

ALL the antivirus programs must be removed via add/remove program.
For any program that doesn't have an add/remove entry, you will have to do this:
re-install the program -> reboot -> uninstall
## Do NOT proceed with the rest of the fix until you have resolved the dual antivirus programs ##



-----------------



Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Vista users right click on the Internet Explorer shortcut, and choose Run As Administrator.

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
sUBs is offline  
Old 12-06-2008, 06:11 PM   #5 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 5
OS: XP sp3


Re: Infected with mimoyibi.dll, muvetuvo.dll,gitalobo.dll, all started with tivivapi.

I was not able to find AVG & Symantec simultaneously running on my machine. Following your advice, I re-installed the programs -> rebooted -> uninstalled.

After that I deactivated avast! and McAfee, and following the suggested link installed and ran the on-line scan (Kaspersky, and it also required installing Java). After installation of Java, I ran on-line Kaspersky. The scan didn't detect any threats on my computer. So, I don't have anything to attach. Am I doing something wrong?
ashkel is offline  
Old 12-06-2008, 06:17 PM   #6 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 23,238
OS: N/A


Re: Infected with mimoyibi.dll, muvetuvo.dll,gitalobo.dll, all started with tivivapi.

Quote:
I was not able to find AVG & Symantec
Sorry. I meant to say Avast & McAfee. Decide on which one you want to keep & get rid of the other one.


Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

Code:
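@echo off
rem Start with a fresh log of anything that could not be removed
if exist "%temp%\log.txt" del "%temp%\log.txt"

rem Delete the listed At*.job scheduled-task files; log any that survive
for %%g in (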
C:\windows\Tasks\At4.job
C:\windows\Tasks\At5.job
C:\windows\Tasks\At6.job
C:\windows\Tasks\At7.job
C:\windows\Tasks\At3.job
C:\windows\Tasks\At1.job
C:\windows\Tasks\At2.job
C:\windows\Tasks\At10.job
C:\windows\Tasks\At13.job
C:\windows\Tasks\At14.job
C:\windows\Tasks\At15.job
C:\windows\Tasks\At16.job
C:\windows\Tasks\At17.job
C:\windows\Tasks\At18.job
C:\windows\Tasks\At19.job
C:\windows\Tasks\At8.job
C:\windows\Tasks\At9.job
C:\windows\Tasks\At11.job
C:\windows\Tasks\At12.job
C:\windows\Tasks\At20.job
C:\windows\Tasks\At21.job
C:\windows\Tasks\At22.job
C:\windows\Tasks\At23.job
C:\windows\Tasks\At24.job
) do (
del /a/f/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
rem Remove leftover folders from earlier cleanup tools; log any that survive
for %%g in (
"%systemdrive%\VundoFix Backups"
%systemdrive%\Deckard
%systemdrive%\Qoobox
) do (
rd /s/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
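rem Show the log if anything survived, otherwise report success
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!
rem Pause 7 seconds (needs nircmd on the PATH), then delete this batch file
nircmd wait 7000
del %0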
Save this as fix.bat. Choose to "Save type as - All Files"
It should look like this:
Double click on fix.bat & allow it to run

Post back to tell me what it says
sUBs is offline  
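
An added example, not part of the original thread or of sUBs's script: before a batch file like the one above deletes C:\windows\Tasks\At*.job, a read-only pass can record what each task file launches. It assumes the files carry their command line as UTF-16LE text; the sample bytes, `example.dll` and `updater.exe` are constructed placeholders, and all function names are hypothetical.

```python
import re
from pathlib import Path

# Runs of 4+ printable ASCII characters stored as UTF-16LE (char byte, then 0x00).
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
# A drive-rooted path ending in .dll, matched on lower-cased text.
DLL_PATH = re.compile(r'[a-z]:\\[^"]*?\.dll')

def utf16_strings(blob):
    """Return the printable UTF-16LE strings embedded in a binary blob."""
    return [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(blob)]

def triage_job(name, blob):
    """Summarise what one task file appears to launch."""
    strings = utf16_strings(blob)
    lowered = [s.lower() for s in strings]
    dlls = sorted({d for s in lowered for d in DLL_PATH.findall(s)})
    return {"job": name, "strings": strings,
            "rundll32": any("rundll32" in s for s in lowered), "dlls": dlls}

def triage_dir(tasks_dir):
    """Triage every At*.job file in a Tasks folder (read-only)."""
    return [triage_job(p.name, p.read_bytes())
            for p in sorted(Path(tasks_dir).glob("At*.job"))]

def constructed_job(app, params):
    """Constructed stand-in for a task file: opaque bytes, then two
    NUL-terminated UTF-16LE strings. Not a byte-accurate .job layout."""
    text = b"".join((s + "\0").encode("utf-16-le") for s in (app, params))
    return bytes(range(0x80, 0xC4)) + text

# Constructed samples; the DLL and program names are placeholders.
SAMPLES = {
    "At1.job": constructed_job("rundll32.exe",
                               '"C:\\WINDOWS\\system32\\example.dll",a'),
    "At2.job": constructed_job("C:\\Program Files\\Example\\updater.exe",
                               "/silent"),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        report = triage_job(name, blob)
        print(report["job"], report["rundll32"], report["dlls"])
```

Saving the output of `triage_dir` alongside the cleanup log keeps a record of which DLL each removed task pointed at, which can then be compared with the file names reported in the thread.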
Old 12-06-2008, 08:02 PM   #7 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 5
OS: XP sp3


Re: Infected with mimoyibi.dll, muvetuvo.dll,gitalobo.dll, all started with tivivapi.

It says "Deleted Successfully"
ashkel is offline  
Old 12-06-2008, 08:07 PM   #8 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 23,238
OS: N/A


Re: Infected with mimoyibi.dll, muvetuvo.dll,gitalobo.dll, all started with tivivapi.

Your system is now clean. Kindly follow these simple steps in order to keep your computer clean and secure:

  1. Uninstall ComboFix ... do not skip this step
    This process will perform some post cleanup measures.
    Do this by going to Start > Run & typing in ComboFix /u


  2. ANTIVIRUS SOFTWARE
    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  3. Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  4. SPYWAREBLASTER
    SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

    Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here - http://www.bleepingcomputer.com/forums/tutorial49.html

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • http://www.trillian.cc - Trillian or http://www.miranda-im.com - Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://computercops.biz/postlite7736-.html

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Kindly respond to this thread once more so we can mark this thread as resolved.
sUBs is offline  
Old 12-06-2008, 09:14 PM   #9 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 5
OS: XP sp3


Re: Infected with mimoyibi.dll, muvetuvo.dll,gitalobo.dll, all started with tivivapi.

Thank you !
ashkel is offline  
 






All times are GMT -7.


