hlp plz with trojan.win32.pakes.cdw

May 14, 2009 at 20:07:43
Specs: Windows XP
When I run my virus scanner it picks up a virus called trojan.win32.pakes.cdw. It says under it c:\windows\system32\c_isci.dll, but it just puts it in quarantine and will not remove it. Can you please help me remove this from my computer? Thank you in advance.



#1
May 14, 2009 at 20:11:17
Hi,
Can you please post your AVZ log:

1) To create the logfile, download AVZ by clicking HERE (http://www.z-oleg.com/avz4.zip). Please save this file to your desktop or "My Documents" folder.
2) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.

Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open
If you are running Windows Vista, launch AVZ.exe by right clicking and selecting Run as Administrator.

You should now see the main window of the AVZ utility. Please navigate to File->Custom Scripts. Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.

begin
ExecuteStdScr(3);
RebootWindows(true);
end.

Paste the script into the execution window by using the CTRL+V keyboard shortcut, or the "paste" option via the right click menu. Click on Run to run the script; the PC will reboot. After the reboot the LOG subfolder is created in the folder with AVZ, with a file called virusinfo_syscure.zip inside. Upload that file to rapidshare.com and paste the link here or pm it to me.



#2
May 15, 2009 at 01:47:50
http://www.systemsecurityinstitute....
See this site maybe they include some research on this kind of a trojan.

Want A Weekly Update on Latest System Security Problem http://www.systemsecurityinstitute.org



#3
May 15, 2009 at 09:14:32
I PMed you the link to the AVZ log.


#4
May 15, 2009 at 10:05:56
Did/Do you run Sunbelt AV?

Run this script the same way as before; your computer will restart.

begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
 QuarantineFile('C:\WINDOWS\System32\Drivers\IsDrv122.sys','');
 QuarantineFile('C:\WINDOWS\system32\drivers\wmahotzy.dat','');
 DeleteService('majyqzuf');
 StopService('majyqzuf');
 DeleteFile('C:\WINDOWS\system32\drivers\wmahotzy.dat');
 DeleteFile('C:\WINDOWS\System32\Drivers\IsDrv122.sys');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

After the reboot, follow these steps carefully:

Attach a Combofix log, please review and follow these instructions carefully.

Download it here -> http://download.bleepingcomputer.co...

Before Saving it to Desktop, please rename it to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause/stop any Antivirus/Spyware application you have running until after the scanning and removal process has taken place.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan.
Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall.
It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.



#5
May 15, 2009 at 10:43:01
How do I turn everything running off, and how do I know if they're all off?


#6
May 15, 2009 at 10:59:09
Did you run the first half of the script with AVZ? What antivirus/anti-spyware programs are you running?


#7
May 15, 2009 at 11:02:48
Avanquest Fix-It


#8
May 15, 2009 at 11:07:09
If there is an icon in the taskbar, right-click on it and see if there is an option to disable it. Also run the first half of the script (the AVZ part) first.


#9
May 15, 2009 at 11:07:47
I did all the steps up to where it says "please make sure no other programs are running, close all other windows and pause/stop any Antivirus/Spyware application you have running until after the scanning and removal process has taken place." But I want to make sure I have all the programs turned off; how do I know if I do?


#10
May 15, 2009 at 11:12:18
Does your virus scanner still detect the trojan? If you can't find a disable option, it's OK; just add ComboFix to the total exceptions in your antivirus and run it.


#11
May 15, 2009 at 11:29:18
OK, I ran ComboFix and it has finished. What do I do now?


#12
May 15, 2009 at 11:32:14
ComboFix will create a logfile and display it after your computer has rebooted. It is usually located at c:\combofix.txt; please attach it to your next post.


#13
May 15, 2009 at 11:35:34
ComboFix 09-05-15.01 - fran s 05/15/2009 14:19.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.478.124 [GMT -4:00]
Running from: c:\documents and settings\fran s\Desktop\123.exe
AV: Avanquest Fix-It *On-access scanning disabled* (Updated) {964FCE60-0B18-4D30-ADD6-EB178909041C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\fran s\Application Data\inst.exe
c:\windows\IE4 Error Log.txt
c:\windows\system32\AutoRun.inf
c:\windows\system32\dcads-remove.exe

.
((((((((((((((((((((((((( Files Created from 2009-04-15 to 2009-05-15 )))))))))))))))))))))))))))))))
.

2009-05-10 17:12 . 2008-09-12 15:12 69168 ----a-w c:\windows\system32\drivers\sbapifs.sys
2009-05-10 17:12 . 2008-09-12 15:12 13360 ----a-w c:\windows\system32\drivers\sbaphd.sys
2009-05-10 17:11 . 2008-10-09 14:21 202928 ----a-w c:\windows\system32\drivers\sbtis.sys
2009-05-10 17:09 . 2009-05-10 17:11 -------- d-----w c:\documents and settings\All Users\Application Data\Avanquest
2009-05-10 17:03 . 2009-05-10 17:03 -------- d-----w c:\program files\Avanquest update
2009-05-10 17:03 . 2009-05-10 17:11 -------- d-----w c:\program files\Common Files\AntiVirus
2009-05-10 16:20 . 2009-05-10 16:20 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-05 11:34 . 2009-05-05 11:34 262144 ----a-w C:\ntuser.dat
2009-04-27 18:40 . 2009-04-27 18:40 -------- d-----w c:\documents and settings\fran s\Application Data\Search Settings
2009-04-27 18:40 . 2009-05-14 16:06 -------- d-----w c:\documents and settings\fran s\Application Data\Dealio
2009-04-27 18:36 . 2009-04-27 18:36 -------- d-----w c:\program files\Search Settings
2009-04-27 18:36 . 2009-04-27 18:36 -------- d-----w c:\program files\Dealio Toolbar
2009-04-27 18:35 . 2009-04-28 20:49 -------- d-----w c:\program files\Blubster
2009-04-26 18:45 . 2009-04-26 18:45 -------- d-----w c:\documents and settings\All Users\Application Data\1ADA
2009-04-24 23:50 . 2009-04-24 23:50 -------- d-----w c:\documents and settings\All Users\Application Data\vsosdk
2009-04-24 22:46 . 2009-04-24 22:46 47360 ----a-w c:\windows\system32\drivers\pcouffin.sys
2009-04-24 22:46 . 2009-04-24 22:46 47360 ----a-w c:\documents and settings\fran s\Application Data\pcouffin.sys
2009-04-24 22:45 . 2009-05-11 02:00 -------- d-----w c:\program files\DVDFab 5
2009-04-24 01:55 . 2009-04-24 01:55 -------- d-----w c:\documents and settings\fran s\Application Data\AVS4YOU
2009-04-24 01:55 . 2009-05-11 02:00 -------- d-----w c:\documents and settings\All Users\Application Data\AVS4YOU
2009-04-24 01:53 . 2009-05-11 02:01 -------- d-----w c:\program files\Common Files\AVSMedia
2009-04-24 01:53 . 2009-04-24 01:59 -------- d-----w c:\program files\AVS4YOU
2009-04-20 00:40 . 2009-04-20 00:40 -------- d-----w c:\documents and settings\All Users\Application Data\35F
2009-04-19 16:50 . 2009-05-03 01:47 -------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2009-04-19 16:50 . 2009-04-19 16:50 -------- d-----w c:\program files\DVD Shrink

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-11 02:01 . 2009-04-08 20:49 -------- d-----w c:\program files\CDex_150
2009-05-11 02:01 . 2007-05-10 17:14 -------- d-----w c:\program files\Yahoo!
2009-05-11 02:01 . 2005-11-15 07:37 -------- d-----w c:\program files\LizardTech
2009-05-11 02:01 . 2008-10-06 23:18 -------- d-----w c:\program files\Google
2009-05-11 02:01 . 2008-05-28 03:21 -------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller
2009-05-11 02:01 . 2007-04-24 16:49 -------- d-----w c:\program files\directx
2009-05-11 02:00 . 2005-06-01 19:17 -------- d-----w c:\program files\Autodesk Learning Assistance
2009-05-10 17:03 . 2004-11-20 10:35 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-10 03:45 . 2008-01-26 15:10 93072 -c--a-w c:\documents and settings\fran s\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-26 15:19 . 2005-06-09 17:05 -------- d-----w c:\program files\Common Files\Adobe
2009-04-26 15:12 . 2008-08-23 04:53 -------- d-----w c:\program files\Common Files\Apple
2009-04-26 15:08 . 2005-06-22 21:39 -------- d-----w c:\program files\Common Files\AOL
2009-04-13 22:09 . 2009-04-13 21:54 -------- d-----w c:\program files\DivX
2009-04-13 22:08 . 2009-04-13 21:54 -------- d-----w c:\program files\Common Files\DivX Shared
2009-04-10 17:11 . 2004-11-20 10:38 -------- d-----w c:\program files\Java
2009-04-10 17:10 . 2004-11-20 10:36 -------- d-----w c:\program files\Intel
2009-04-10 17:10 . 2009-04-10 17:10 -------- d-----w c:\program files\CONEXANT
2009-04-10 17:09 . 2009-04-10 17:09 -------- d-----w c:\program files\Microsoft
2009-04-10 17:05 . 2007-10-21 23:25 -------- d-----w c:\program files\Serif
2009-04-10 16:56 . 2004-11-20 10:44 -------- d-----w c:\program files\HPQ
2009-04-10 16:53 . 2009-04-08 20:46 -------- d-----w c:\program files\Common Files\snp2std
2009-04-08 20:47 . 2009-04-08 20:47 -------- d-----w c:\program files\ArcSoft
2009-04-05 15:50 . 2009-04-05 15:50 -------- d-----w c:\program files\Common Files\muvee Technologies
2009-04-05 15:50 . 2009-04-05 15:50 -------- d-----w c:\program files\Zone.com
2009-04-05 03:33 . 2009-04-05 03:33 -------- d-----w c:\program files\Microsoft Silverlight
2009-04-05 03:32 . 2009-04-05 03:32 -------- d-----w c:\program files\Microsoft Sync Framework
2009-04-05 03:30 . 2009-04-05 03:30 -------- d-----w c:\program files\Microsoft SQL Server Compact Edition
2009-03-30 22:47 . 2009-03-30 22:47 -------- d-----w c:\program files\MSBuild
2009-03-30 22:47 . 2009-03-30 22:47 -------- d-----w c:\program files\Reference Assemblies
2009-03-29 01:22 . 2009-03-29 01:22 -------- d-----w c:\program files\Common Files\Windows Live
2009-03-06 14:22 . 2004-08-04 08:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-04 08:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-24 19:35 . 2009-04-13 21:55 9464 ------w c:\windows\system32\drivers\cdralw2k.sys
2009-02-24 19:35 . 2009-04-13 21:55 9336 ------w c:\windows\system32\drivers\cdr4_xp.sys
2009-02-24 19:35 . 2009-04-13 21:55 129784 ------w c:\windows\system32\pxafs.dll
2009-02-24 19:34 . 2009-02-24 19:34 90112 ----a-w c:\windows\system32\dpl100.dll
2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx0c.dll
2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx07.dll
2009-02-24 19:34 . 2009-02-24 19:34 815104 ----a-w c:\windows\system32\divx_xx0a.dll
2009-02-24 19:34 . 2009-02-24 19:34 802816 ----a-w c:\windows\system32\divx_xx11.dll
2009-02-24 19:34 . 2009-02-24 19:34 684032 ----a-w c:\windows\system32\DivX.dll
2009-02-20 18:09 . 2008-09-08 05:26 78336 ----a-w c:\windows\system32\ieencode.dll
2008-03-16 13:58 . 2007-08-29 12:19 1366 -c--a-w c:\program files\MasterTickerList.Test
2007-11-29 11:34 . 2007-11-29 11:34 0 -c-ha-w c:\program files\LauncherAppUpdate.log
2007-05-27 14:50 . 2007-05-27 14:50 774144 -c--a-w c:\program files\RngInterstitial.dll
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C}]
2009-04-10 00:09 688128 ----a-w c:\program files\Dealio Toolbar\DealioToolbarIE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C}"= "c:\program files\Dealio Toolbar\DealioToolbarIE.dll" [2009-04-10 688128]

[HKEY_CLASSES_ROOT\clsid\{01398b87-61af-4ffb-9ab5-1a1c5fb39a9c}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\fran s\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-31 133104]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-03-18 4363504]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SPC610NC_Monitor"="c:\windows\Philips\SPC610NC\Monitor.exe" [2006-11-03 319488]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"SearchSettings"="c:\program files\Search Settings\SearchSettings.exe" [2009-04-10 970240]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
path=
backup=

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^STK017 PNP Monitor.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPro610.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^fran s^Start Menu^Programs^Startup^AOL Desktop.lnk]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MBkLogOnHook
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McENUI
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Adapter 5.1.3214
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScannerPro

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1212585554\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1212585554\\ee\\AOLDesktop.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\fran s\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\fran s\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Blubster\\Blubster.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 majyqzuf;majyqzuf;c:\windows\system32\drivers\wmahotzy.dat --> c:\windows\system32\drivers\wmahotzy.dat [?]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [5/10/2009 1:12 PM 13360]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [5/10/2009 1:11 PM 202928]
R2 SBAMSvc;Fix-It;c:\program files\Common Files\AntiVirus\SBAMSvc.exe [10/28/2008 4:28 PM 886056]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [5/10/2009 1:12 PM 69168]
R2 YahooAUService;Yahoo! Updater;c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe [11/9/2008 4:48 PM 602392]
S2 Ca533av;Polaroid Digital Cam Video;c:\windows\system32\drivers\Ca533av.sys [5/2/2006 7:20 PM 515803]
S2 DComEx;COM+ System Executer; [x]
S3 DCamUSBSTK017;STK017 Camera;c:\windows\system32\drivers\STK017W2.sys [1/3/2008 6:59 PM 99476]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [10/23/2008 4:09 AM 92464]
S3 SndTAudio;SndTAudio;c:\windows\system32\drivers\SndTAudio.sys [12/27/2008 4:55 PM 23096]
S3 SndTVideo;SndTVideo;c:\windows\system32\drivers\SndTVideo.sys [12/27/2008 4:55 PM 3768]
S3 SPC610NC;SPC 610NC Laptop Camera;c:\windows\system32\drivers\SPC610NC.SYS [12/6/2007 2:54 PM 409728]
S3 USBCamera;Icatch(IV) Still Camera Device;c:\windows\system32\drivers\Bulk533.sys [5/2/2006 7:20 PM 10986]
S4 0229331218860743mcinstcleanup;McAfee Application Installer Cleanup (0229331218860743); [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-05-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-05-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4025097372-1847722436-726501949-1007.job
- c:\documents and settings\fran s\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-31 04:43]

2009-05-15 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]

2009-04-30 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{EEE6C35B-6118-11DC-9C72-001320C79847} - (no file)
WebBrowser-{D0523BB4-21E7-11DD-9AB7-415B56D89593} - (no file)
HKCU-Run-Sonic RecordNow! - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://downloads.yahoo.com/internetexplorer/welcome
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &Search - http://edits.mywebsearch.com/toolba... ?p=ZNxmk572MSUS
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: badgewinners.com\www
Trusted Zone: pogo.com\www
Trusted Zone: skem9
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
FF - ProfilePath - c:\documents and settings\fran s\Application Data\Mozilla\Firefox\Profiles\2h43bvxs.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.myspace.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=634471&p=
FF - component: c:\program files\Mozilla Firefox\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - component: c:\program files\Mozilla Firefox\extensions\search@searchsettings.com\components\SearchSettingsFF.dll
FF - plugin: c:\documents and settings\fran s\Application Data\Mozilla\Firefox\Profiles\2h43bvxs.default\extensions\OberonGameHost@OberonGames.com\platform\WINNT_x86-msvc\plugins\npOberonGameHost.dll
FF - plugin: c:\documents and settings\fran s\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\fran s\Local Settings\Application Data\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npkimi.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-15 14:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\majyqzuf]
"ImagePath"="system32\drivers\wmahotzy.dat"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"659BD8E725A05FDCC64118EA787EAA2B534A94FABE"=hex:01,00,00,00,d0,8c,9d,df,01,15,d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,83,90,63,a6,48,fa,c7,4e,b8,14,a6,\
"3A77B377802A4B6183DDE08FDE4AD9AF647A702826"=hex:01,00,00,00,d0,8c,9d,df,01,15,d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,83,90,63,a6,48,fa,c7,4e,b8,14,a6,\
.
Completion time: 2009-05-15 14:25
ComboFix-quarantined-files.txt 2009-05-15 18:24

Pre-Run: 57,915,351,040 bytes free
Post-Run: 57,945,776,128 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

250 --- E O F --- 2009-05-15 15:00


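The helper's next script targets exactly the items that stand out in the ComboFix log above: a driver service (majyqzuf) whose image is a .dat file rather than a .sys, Security Center notifications switched off, and a port opened system-wide in the XP firewall. The following Python is an added example for this thread, not ComboFix's, AVZ's or the helper's own code; it automates those three checks over a sample log excerpt constructed from lines in the posted log. The function names and the heuristics (which extensions count as normal service images, which value names mean "alerting disabled") are the example's own assumptions. The Security Center check is the same condition that the Malwarebytes log later in the thread reports as Disabled.SecurityCenter.

```python
"""Triage checks over a ComboFix-style log excerpt (added example, not
ComboFix/AVZ code).  It flags:
  1. service/driver entries (R0..S4 lines) whose image is not a
     .sys/.exe/.dll or whose file is reported missing ("[x]");
  2. Security Center *DisableNotify / DisableMonitoring values set to 1;
  3. ports opened system-wide in the XP firewall (GloballyOpenPorts\\List).
SAMPLE_LOG is constructed from lines in the thread's ComboFix log.
"""
import ntpath
import re

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 majyqzuf;majyqzuf;c:\windows\system32\drivers\wmahotzy.dat --> c:\windows\system32\drivers\wmahotzy.dat [?]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [5/10/2009 1:12 PM 13360]
R2 SBAMSvc;Fix-It;c:\program files\Common Files\AntiVirus\SBAMSvc.exe [10/28/2008 4:28 PM 886056]
S2 DComEx;COM+ System Executer; [x]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [10/23/2008 4:09 AM 92464]
"""

# "R0 name;display name;image [date size]" -- ComboFix's service line layout
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
PORT_RE = re.compile(r'^"(\d+:(?:TCP|UDP))"=')
ALLOWED_IMAGE_EXT = {".sys", ".exe", ".dll"}  # assumption: normal service images


def keyed_lines(text):
    """Yield (current registry key, stripped line) for every non-key line."""
    current_key = ""
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            current_key = km.group(1)
        elif line:
            yield current_key, line


def parse_services(text):
    """Parse R*/S* service lines into dicts; image is None when marked [x]."""
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        start, name, display, rest = m.groups()
        rest = rest.strip()
        if rest.startswith("[x]"):
            image = None
        else:
            # drop ComboFix's trailing "--> resolved path" / "[date size]" annotations
            image = re.split(r"\s+(?:-->|\[)", rest, maxsplit=1)[0].strip()
        services.append({"start": start, "name": name, "display": display, "image": image})
    return services


def flag_services(text):
    """Return services whose image file is missing or has an unusual extension."""
    flagged = []
    for svc in parse_services(text):
        if svc["image"] is None:
            reason = "image file not found ([x])"
        elif ntpath.splitext(svc["image"])[1].lower() not in ALLOWED_IMAGE_EXT:
            reason = "service image is not a .sys/.exe/.dll"
        else:
            continue
        flagged.append({**svc, "reason": reason})
    return flagged


def security_center_flags(text):
    """Return (key, value name) pairs where Security Center alerting is switched off."""
    hits = []
    for key, line in keyed_lines(text):
        m = DWORD_RE.match(line)
        if m and "security center" in key.lower():
            name, value = m.groups()
            if name.endswith(("DisableNotify", "DisableMonitoring")) and int(value, 16) != 0:
                hits.append((key, name))
    return hits


def globally_open_ports(text):
    """Return port:proto entries opened for every application in the XP firewall."""
    ports = []
    for key, line in keyed_lines(text):
        m = PORT_RE.match(line)
        if m and key.lower().endswith("globallyopenports\\list"):
            ports.append(m.group(1))
    return ports


def triage(text):
    return {
        "services": flag_services(text),
        "security_center": security_center_flags(text),
        "open_ports": globally_open_ports(text),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for svc in report["services"]:
        print(f"SERVICE  {svc['start']} {svc['name']}: {svc['reason']} ({svc['image']})")
    for key, name in report["security_center"]:
        print(f"SECCTR   {name} = 1 under [{key}]")
    for port in report["open_ports"]:
        print(f"FIREWALL {port} is open to all applications in the standard profile")
```

Run against a full ComboFix log (read the file and pass its text to triage) the same three checks apply; the [x] case is reported rather than ignored because a service pointing at a missing file is also how a half-removed component shows up, which is what the helper asks to be cleaned in the next script.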

#14
May 15, 2009 at 12:02:12
I attached the log. Now what do I do?


#15
May 15, 2009 at 12:10:58
Run this script in AVZ:


begin
CreateQurantineArchive('c:\quarantine.zip');
end.

A file called quarantine.zip should be created in C:\. Then please zip up C:\qoobox\quarantine and upload both it and C:\quarantine.zip to a filehost such as http://rapidshare.com/. Then Private Message me the download link to the uploaded file. Lastly, uninstall ComboFix by: pause AV > Start > Run > type combofix /u > OK. Or Start > Run > type 234 /u > OK.

Also, if you use Windows System Restore, turn it off > reboot and do a full scan with your antivirus. Then turn System Restore back on, if you wish; this is to remove malware from the System Volume Information files. How to turn it off/on: http://support.kaspersky.com/faq/?q... Let me know if your antivirus still detects anything.

Also, scan with Malwarebytes' Anti-Malware and attach its log, but please don't fix anything yet, until the log is reviewed.



#16
May 15, 2009 at 12:47:53
I tried uninstalling ComboFix like you said, and when I hit Run it says it cannot find it.


#17
May 15, 2009 at 12:51:17
Try Start > Run > 123 /u > OK, or Start > Run > 123.exe /u > OK.


#18
May 15, 2009 at 12:52:33
OK, it said it was uninstalled. The icon is still there; does that matter?


#19
May 15, 2009 at 12:53:27
OK, thank you, it's gone.


#20
May 15, 2009 at 18:10:16
Here is the Malwarebytes log:

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

5/15/2009 9:05:41 PM
mbam-log-2009-05-15 (21-05-31).txt

Scan type: Quick Scan
Objects scanned: 89617
Time elapsed: 1 hour(s), 42 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 18
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\browsingenhancer.browserwatcher (Adware.BHO) -> No action taken.
HKEY_CLASSES_ROOT\browsingenhancer.browserwatcher.1 (Adware.BHO) -> No action taken.
HKEY_CLASSES_ROOT\browsingenhancer.pornpro_bho (Adware.BHO) -> No action taken.
HKEY_CLASSES_ROOT\browsingenhancer.pornpro_bho.1 (Adware.BHO) -> No action taken.
HKEY_CLASSES_ROOT\browsingenhancer.precachebrowserhost (Adware.BHO) -> No action taken.
HKEY_CLASSES_ROOT\browsingenhancer.precachebrowserhost.1 (Adware.BHO) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{125e9d24-2428-38d2-8e23-804e3275209c} (Adware.BHO) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{3f2579e9-ec37-3112-9bde-d2db14e95c32} (Adware.BHO) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{e12688ce-9384-28e3-a041-4e1a9ce14506} (Adware.BHO) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{96fdc0f6-929e-e96c-597f-386cd3c7d7aa} (Adware.BHO) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{b056fd59-0c72-3878-da81-4c5239908200} (Adware.BHO) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{98d555cc-a569-43fb-2f43-3a98ccda4b50} (Adware.BHO) -> No action taken.
HKEY_CLASSES_ROOT\AppID\{40b2127e-cc18-37d0-43ca-afa158c64001} (Adware.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\AppID\BrowsingEnhancer.DLL (Adware.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\BrowsingEnhancer (Adware.Agent) -> No action taken.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\ (Adware.Hotbar) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\Drivers\wmahotzy.dat (Rootkit.Agent) -> No action taken.
C:\WINDOWS\Fonts\a_yummy_apology.zip (Worm.Archive) -> No action taken.
C:\WINDOWS\Fonts\black_family.zip (Worm.Archive) -> No action taken.
C:\WINDOWS\Fonts\candy_cane.zip (Worm.Archive) -> No action taken.
C:\WINDOWS\Fonts\cheap_fire.zip (Worm.Archive) -> No action taken.
C:\WINDOWS\Fonts\kiss_me.zip (Worm.Archive) -> No action taken.
C:\WINDOWS\Fonts\olde_english.zip (Worm.Archive) -> No action taken.
C:\WINDOWS\Fonts\plymouth_rock_snowd.zip (Worm.Archive) -> No action taken.
C:\WINDOWS\Fonts\ruritania.zip (Worm.Archive) -> No action taken.
C:\WINDOWS\Fonts\sexyrexy_smitten.zip (Worm.Archive) -> No action taken.



#21
May 15, 2009 at 18:16:11
Okay, fix that and re-post an AVZ log from Response Number 1. It seems like some component is still there, not deleted.


#22
May 15, 2009 at 18:37:19
By re-post I mean remake the AVZ log again.


#23
May 15, 2009 at 19:33:41
Before I manually start deleting stuff, I want you to download and run the Kaspersky AVP Tool:
http://devbuilds.kaspersky-labs.com...

Once you download and start the tool, select these objects:
System Memory
Startup Objects
Disk boot sectors
C:

And hit Scan.

Post me the log/screenshot of what it detects once it has finished, and fix what it recommends.



#24
May 16, 2009 at 06:02:13
OK, I did the Kaspersky scan as you said. I sent you the link to the screenshot and the log, and I fixed what it said.


#25
May 16, 2009 at 06:11:10
Yes, got it. Can you also send me those files to analyze? Then I will tell you how to proceed from there.

regards,
neo



#26
May 16, 2009 at 06:46:19
I can't find either of those files. I even set it up to view hidden files and still cannot find them.


#27
May 16, 2009 at 06:56:02
1) Download: http://mail.ustc.edu.cn/%7Ejfpan/do...

2) Unpack and execute IceSword.

3) Go to the file section and look for C:\WINDOWS\system32\drivers\wmahotzy.dat; repeat the same for C:\DOCUME~1\FRANS~1\LOCALS~1\Temp\catchme.sys.

4) Right-click it and choose force delete. Then make a new AVZ log and PM it to me.



#28
May 16, 2009 at 07:02:01
Also, after the new AVZ log, re-run Malwarebytes -> full scan and post the scan results again.


#29
May 16, 2009 at 07:08:11
Still can't find them.


#30
May 16, 2009 at 07:10:11
OK, continue with the new AVZ log and re-scan with Malwarebytes.


#31
May 16, 2009 at 09:51:51
Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

5/16/2009 12:48:03 PM
mbam-log-2009-05-16 (12-48-03).txt

Scan type: Quick Scan
Objects scanned: 89716
Time elapsed: 1 hour(s), 2 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



#32
May 16, 2009 at 11:43:56
OK, it seems the virus is cleared out :). I highly recommend you use Kaspersky/BitDefender/Norton/ESET as antivirus. Just to remove residual stuff, do a full scan with http://www.bitdefender.com/scanner/... . If anything pops up which it can't take care of, let me know.


#33
May 16, 2009 at 11:59:49
I forgot to mention: also run those Microsoft tools/links I PMed you. How does the system feel, faster/better? Does your current AV detect anything?


#34
May 16, 2009 at 13:54:04
I did a scan using my virus scanner; there were no threats found. Woooohoooooo, thank you so much, you are a sweetheart.


#35
May 17, 2009 at 08:45:46
I tried running my disk defrag and it won't run; not sure why.
