Very slow internet and popups

Acer / Aspire m5100
May 17, 2009 at 16:45:15
Specs: Microsoft Windows Vista Home Premium, 2.2 GHz / 3326 MB
Hey, my internet has become very slow, and I get random web page popups. One web page said "Get registry defender" and a few other ones were blank. I've tried a few antivirus/spyware programs, Spybot S&D, AVG, Norton, but none of them found the problem.



#1
May 17, 2009 at 17:30:39
Hi,
Can you please post your AVZ log:

1) To create the logfile, download AVZ by clicking HERE. Please save this file to your desktop or "My Documents" folder.

2) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.

3) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.
Note: If you are running Windows Vista, launch AVZ.exe by right clicking and selecting Run as Administrator.

You should now see the main window of the AVZ utility. Please navigate to File->Custom Scripts. Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.

begin
ExecuteStdScr(3);
RebootWindows(true);
end.

Paste the script into the execution window by using the CTRL+V keyboard shortcut, or the "paste" option via the right click menu. Click on Run to run the script; the PC will reboot. After the reboot the LOG subfolder is created in the folder with AVZ, with a file called virusinfo_syscure.zip inside. Upload that file to rapidshare.com and paste the link here.


#3
May 17, 2009 at 18:29:14
Run this script in AVZ:


begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
 DelBHO('{2cebcd29-cffd-4081-ac05-5164494776ba}');
 QuarantineFile('C:\ProgramData\lopuheso\lopuheso.dll','');
 QuarantineFile('C:\Windows\System32\Drivers\spbg.sys','');
 QuarantineFile('C:\Windows\system32\migisibi.dll','');
 QuarantineFile('C:\Windows\system32\sipaneya.dll','');
 QuarantineFile('C:\Windows\system32\faloyita.dll','');
 QuarantineFile('c:\windows\system32\vuboduje.dll','');
 QuarantineFile('C:\Windows\system32\vafedewe.dll','');
 DeleteFile('C:\Windows\system32\vafedewe.dll');
 DeleteFile('c:\windows\system32\vuboduje.dll');
 DeleteFile('C:\Windows\system32\faloyita.dll');
 DeleteFile('C:\Windows\system32\sipaneya.dll');
 DeleteFile('C:\Windows\system32\migisibi.dll');
 DeleteFile('C:\Windows\System32\Drivers\spbg.sys');
 DeleteFile('C:\ProgramData\lopuheso\lopuheso.dll');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

Your PC will reboot. After you reboot, let me know and I will tell you the next step.



#4
May 17, 2009 at 18:53:38
Alright, I did it, and I don't seem to be getting any pop-ups and it's not taking minutes to load any pages anymore. I do get an error on startup saying it failed to load migisibi.dll, vuboduje.dll, faloyita.dll, a few files that were quarantined I think, but other than that it seems really good.


#5
May 17, 2009 at 19:00:00
Attach a ComboFix log; please review and follow these instructions carefully.

Download it here -> http://download.bleepingcomputer.co...

Before Saving it to Desktop, please rename it to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Antivirus/Spyware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) until after the scanning and removal process has taken place.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan. Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please attach it to your next post.



#6
May 18, 2009 at 04:05:15
ComboFix 09-05-17.03 - Guy 17/05/2009 19:13.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.2.1033.18.3327.2404 [GMT -7:00]
Running from: c:\users\Guy\Desktop\123a.exe
AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
SP: Norton Internet Security *disabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Guy\AppData\Local\Microsoft\Windows\Temporary Internet Files\fbk.sts
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\arasagug.ini
c:\windows\system32\atiyolaf.ini
c:\windows\system32\bunosuja.dll
c:\windows\system32\dumphive.exe
c:\windows\system32\ezekimit.ini
c:\windows\system32\gugasara.dll
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\rodudaya.dll
c:\windows\system32\SrchSTS.exe
c:\windows\system32\timikeze.dll
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
c:\windows\system32\yafakeje.dll

.
((((((((((((((((((((((((( Files Created from 2009-04-18 to 2009-05-18 )))))))))))))))))))))))))))))))
.

2009-05-17 22:59 . 2009-05-17 22:59 -------- d-----w c:\program files\Trend Micro
2009-05-16 20:35 . 2009-05-16 20:35 -------- d-----w c:\program files\AVG
2009-05-14 14:04 . 2009-05-16 20:54 -------- d-----w c:\programdata\katowola
2009-05-14 14:04 . 2009-05-14 14:04 -------- d-----w c:\programdata\ravufuge
2009-05-14 14:04 . 2009-05-16 20:54 -------- d-----w c:\users\All Users\katowola
2009-05-14 14:04 . 2009-05-14 14:04 -------- d-----w c:\users\All Users\ravufuge
2009-05-14 01:59 . 2009-05-14 02:08 -------- d-----w c:\users\Guy\AppData\Roaming\ptidle
2009-05-14 01:59 . 2009-05-14 22:31 -------- d-----w c:\programdata\bodizeya
2009-05-14 01:59 . 2009-05-14 22:31 -------- d-----w c:\users\All Users\bodizeya
2009-05-14 01:59 . 2009-05-15 15:30 -------- d-----w c:\programdata\lahofipe
2009-05-14 01:59 . 2009-05-15 15:30 -------- d-----w c:\users\All Users\lahofipe
2009-05-14 01:59 . 2009-05-15 15:30 -------- d-----w c:\programdata\lopuheso
2009-05-14 01:59 . 2009-05-15 15:30 -------- d-----w c:\users\All Users\lopuheso
2009-05-08 23:04 . 2009-05-08 23:04 -------- d-----w c:\program files\Common Files\DivX Shared
2009-04-19 13:37 . 2009-04-19 13:37 -------- d-----w c:\program files\MONOGRAM AMR SplitterDecoder
2009-04-19 13:37 . 2009-04-19 13:37 -------- d-----w c:\program files\CD Audio Reader Filter
2009-04-19 13:37 . 2009-04-19 13:37 -------- d-----w c:\program files\DScaler5
2009-04-19 13:37 . 2009-04-19 13:37 -------- d-----w c:\program files\OpenSource Flash Video Splitter
2009-04-19 13:37 . 2009-04-19 13:37 -------- d-----w c:\program files\RealMedia
2009-04-19 13:37 . 2009-04-19 13:37 -------- d-----w c:\program files\Haali
2009-04-19 13:37 . 2009-04-19 13:37 -------- d-----w c:\program files\DSP-worx
2009-04-19 13:37 . 2008-12-18 02:22 57344 ----a-w c:\windows\system32\ff_vfw.dll
2009-04-19 13:37 . 2008-12-11 20:26 60273 ----a-w c:\windows\system32\pthreadGC2.dll
2009-04-19 13:37 . 2009-04-19 13:37 -------- d-----w c:\program files\ffdshow
2009-04-19 13:36 . 2009-04-19 13:36 -------- d-----w c:\program files\DirectVobSub
2009-04-19 13:36 . 2009-04-19 13:36 -------- d-----w c:\program files\Zoom Player
2009-04-19 13:36 . 2009-04-19 13:45 -------- d-----w c:\programdata\Zoom Player
2009-04-19 13:36 . 2009-04-19 13:45 -------- d-----w c:\users\All Users\Zoom Player
2009-04-19 13:32 . 2009-04-19 13:33 -------- d-----w c:\users\Guy\AppData\Roaming\Media Player Classic

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-16 21:30 . 2008-11-15 19:15 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-16 21:30 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-05-15 01:00 . 2007-04-17 00:52 -------- d-----w c:\program files\Symantec
2009-05-15 01:00 . 2007-04-17 00:53 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-05-15 01:00 . 2007-04-17 00:53 124464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-05-15 01:00 . 2007-04-17 00:53 10635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-05-08 23:07 . 2008-06-24 06:25 -------- d-----w c:\program files\DivX
2009-05-03 18:54 . 2008-05-21 05:31 -------- d-----w c:\program files\Veoh Networks
2009-04-29 23:53 . 2009-04-14 20:16 -------- d-----w c:\program files\Diablo II
2009-04-17 02:15 . 2009-01-29 20:22 -------- d-----w c:\program files\Vuze
2009-04-15 15:07 . 2008-02-01 20:36 680 ----a-w c:\users\Guy\AppData\Local\d3d9caps.dat
2009-04-14 20:58 . 2009-04-14 20:57 -------- d-----w c:\program files\Hamachi
2009-04-14 20:57 . 2009-04-14 20:57 25280 ----a-w c:\windows\system32\drivers\hamachi.sys
2009-04-14 20:33 . 2009-04-14 20:24 35855 ----a-w c:\windows\DIIUnin.dat
2009-04-14 20:32 . 2008-06-25 03:05 21840 ----atw c:\windows\system32\SIntfNT.dll
2009-04-14 20:32 . 2008-06-25 03:05 17212 ----atw c:\windows\system32\SIntf32.dll
2009-04-14 20:32 . 2008-06-25 03:05 12067 ----atw c:\windows\system32\SIntf16.dll
2009-04-14 20:24 . 2009-04-14 20:24 94208 ----a-w c:\windows\DIIUnin.exe
2009-04-14 20:24 . 2009-04-14 20:24 2829 ----a-w c:\windows\DIIUnin.pif
2009-04-13 01:46 . 2009-04-13 01:46 -------- d-----w c:\program files\uTorrent
2009-04-10 16:44 . 2008-11-11 22:16 -------- d-----w c:\program files\Warcraft III
2009-03-17 03:38 . 2009-04-15 06:17 13824 ----a-w c:\windows\system32\apilogen.dll
2009-03-17 03:38 . 2009-04-15 06:17 24064 ----a-w c:\windows\system32\amxread.dll
2009-03-03 04:46 . 2009-04-15 06:17 3599328 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-03-03 04:46 . 2009-04-15 06:17 3547632 ----a-w c:\windows\system32\ntoskrnl.exe
2009-03-03 04:40 . 2009-04-15 06:17 827392 ----a-w c:\windows\system32\wininet.dll
2009-03-03 04:39 . 2009-04-15 06:17 183296 ----a-w c:\windows\system32\sdohlp.dll
2009-03-03 04:39 . 2009-04-15 06:17 551424 ----a-w c:\windows\system32\rpcss.dll
2009-03-03 04:39 . 2009-04-15 06:17 26112 ----a-w c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 04:37 . 2009-04-15 06:17 78336 ----a-w c:\windows\system32\ieencode.dll
2009-03-03 04:37 . 2009-04-15 06:17 98304 ----a-w c:\windows\system32\iasrecst.dll
2009-03-03 04:37 . 2009-04-15 06:17 44032 ----a-w c:\windows\system32\iasdatastore.dll
2009-03-03 04:37 . 2009-04-15 06:17 54784 ----a-w c:\windows\system32\iasads.dll
2009-03-03 03:04 . 2009-04-15 06:17 666624 ----a-w c:\windows\system32\printfilterpipelinesvc.exe
2009-03-03 02:38 . 2009-04-15 06:17 17408 ----a-w c:\windows\system32\iashost.exe
2009-03-03 02:28 . 2009-04-15 06:17 26624 ----a-w c:\windows\system32\ieUnatt.exe
2008-05-20 20:24 . 2006-11-02 12:50 174 --sha-w c:\program files\desktop.ini
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 107112]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2006-11-21 22696]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-02-02 630784]
"Acer Product Registration"="c:\program files\Acer Registration\ACE1.exe" [2007-10-15 3387392]
"Acer Assist Launcher"="c:\program files\Acer Assist\launcher.exe" [2007-02-02 1261568]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-02-16 151552]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-30 583048]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-30 61440]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-01-31 4669440]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk.disabled [2007-4-16 1885]
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2007-4-16 528384]
Logitech SetPoint.lnk.disabled [2009-1-16 1837]
PCM Media Sharing.lnk.disabled [2007-4-16 2241]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave2"= serwvdrv.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" -autorun
"BitTorrent DNA"="c:\users\Guy\Program Files\DNA\btdna.exe"
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Kernel and Hardware Abstraction Layer"=KHALMNPR.EXE
"PlayMovie"="c:\program files\Acer Arcade Live\Acer PlayMovie\PMVService.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"w3dr.exe"=c:\program files\Warcraft III\\w3dr.exe
"WheelMouse"=c:\program files\Mouse\Amoumain.exe
"WinampAgent"="c:\program files\Winamp\winampa.exe"
"Windows Defender"=%ProgramFiles%\Windows Defender\MSASCui.exe -hide

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{ED1E9675-5C5C-4552-8979-8FFBD704C996}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{C5A6A6A0-D297-4AA6-9383-21A16C3F9929}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{C0B04953-9D63-4886-9FEE-B20972592777}"= c:\program files\Acer Arcade Live\Acer Arcade Live Main Page\Acer Arcade Live.exe:Acer Arcade Live
"{64C52DD3-2977-4C34-BDA1-8FD96179DF00}"= c:\program files\Acer Arcade Live\SlideShow DVD\Component\CLSLDVD.exe:SlideShow DVD workprocess
"{F42A10AE-D383-4A78-9E05-64BBC84376C5}"= c:\program files\Acer Arcade Live\Acer DV Magician\Component\ARAWP.exe:DV Magician ARA workprocess
"{A0E22BD1-9D17-41A4-BF50-419B503C50D0}"= c:\program files\Acer Arcade Live\Acer DV Magician\Component\DVAX2Process.exe:DV Magician AVAX workprocess
"{E59634F8-1C07-40AC-84E1-E301FBC238EE}"= c:\program files\Acer Arcade Live\Acer DVDivine\DVDivine.exe:DVDivine
"{DFFF3429-DA90-43DB-898C-FAEEFE3F39E2}"= c:\program files\Acer Arcade Live\Acer HomeMedia\HomeMedia.exe:HomeMedia
"{5F06C73B-3B46-4ED5-983C-2880071833B2}"= c:\program files\Acer Arcade Live\Acer HomeMedia Connect\HomeMedia Connect.exe:HomeMedia Connect
"{1955E669-BE1F-4C13-B854-FB32F2900974}"= c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.EXE:HomeMedia Connect Service
"{A8757501-B402-4C19-AD10-EA4697A9512B}"= c:\program files\Acer Arcade Live\Acer VideoMagician\VideoMagician.exe:VideoMagician
"{A0576B5F-BF16-4EDE-A02D-F9AF5C9DBB87}"= c:\program files\Acer Arcade Live\Acer PlayMovie\PlayMovie.exe:Acer PlayMovie
"{E75F3995-F39E-47B1-A193-CD6C385B6971}"= c:\program files\Acer Arcade Live\Acer PlayMovie\PMVService.exe:Acer PlayMovie Resident Program
"{F7D0102E-D8C3-4AE9-A366-5607D9A0758B}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{0CE5F6AF-4BB5-4637-9850-7FF88BA6AEB4}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{0B47F89A-9D52-4EDD-B611-DBEAD156BE43}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{562B8812-5022-4193-9D57-62A1FA7FF88A}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{17DF48F2-9B14-4739-AF59-1452B0FCBDCC}"= UDP:c:\program files\Ventrilo\Ventrilo.exe:Ventrilo.exe
"{05CDBDAB-3F9E-4ACE-808C-13125B9A79DD}"= TCP:c:\program files\Ventrilo\Ventrilo.exe:Ventrilo.exe
"{B53E6235-831B-4DE5-9B8F-2030B61CA8F5}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{29EDCBAC-9306-4F63-838B-62629300A3A3}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"{37EAB6D4-6A18-42B9-9146-1C82559BB9CD}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{1D7B7E09-874F-4A0E-A31A-0F001B27AFD6}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{B03C37E7-62ED-4664-94B6-3C07BE8F4964}"= UDP:c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe:Veoh Web Player
"{0EF30A37-112D-4B43-9127-B32F78FFEBBD}"= TCP:c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe:Veoh Web Player
"{54719967-FF82-479D-9F4C-FCE3D68A7C82}"= UDP:c:\windows\explorer.exe:Explorer
"{C02B6247-8C55-48A5-A63D-F5C4EBF05DE3}"= TCP:c:\windows\explorer.exe:Explorer
"{3DB051D3-22E7-4226-8177-49187514EFC9}"= UDP:c:\windows\explorer.exe:Explorer
"{C4938E2C-5D1D-4A62-BE4D-983F0A89D980}"= TCP:c:\windows\explorer.exe:Explorer
"{7B278408-9077-4F47-86D4-0C3124E8451F}"= UDP:c:\windows\System32\taskeng.exe:taskeng
"{7BA4605B-A7C9-4205-9C6A-C3D5CF8CB1F0}"= TCP:c:\windows\System32\taskeng.exe:taskeng
"{D00C0898-794F-4D26-8F8F-8F786CE0EB75}"= UDP:c:\windows\System32\wininit.exe:wininit
"{0846C108-B469-46AA-BB5D-A5855481B38E}"= TCP:c:\windows\System32\wininit.exe:wininit
"{E117D99E-D267-452D-9B50-A8A716E85A8E}"= UDP:c:\windows\System32\wininit.exe:wininit
"{F3F38DB1-7377-45C5-85A2-45E2A10B975F}"= TCP:c:\windows\System32\wininit.exe:wininit
"{2DEFCFCE-5F8F-4A93-A5CC-7F2126EB2E3D}"= UDP:c:\program files\Common Files\Symantec Shared\AppCore\AppSvc32.exe:AppSvc32
"{2B81D37F-9D0A-4727-9FAA-27E08A87BA08}"= TCP:c:\program files\Common Files\Symantec Shared\AppCore\AppSvc32.exe:AppSvc32

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\idsdefs\20080429.001\IDSvix86.sys [29/04/2008 3:29 PM 261680]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Live\Acer PlayMovie\000.fcl [01/02/2008 1:35 PM 39408]
R2 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe [16/04/2007 6:13 PM 266343]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [15/11/2008 12:15 PM 1153368]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [01/02/2008 3:03 PM 109616]
R3 SYMNDISV;SYMNDISV;c:\windows\System32\drivers\symndisv.sys [03/10/2008 3:14 PM 37936]
S2 gupdate1c98d55baa521e7;Google Update Service (gupdate1c98d55baa521e7);c:\program files\Google\Update\GoogleUpdate.exe [12/02/2009 2:06 PM 133104]
S3 Amps2prt;Compatible PS/2 Port Mouse Driver;c:\windows\System32\drivers\Amps2prt.sys [19/04/2007 6:45 AM 14336]

--- Other Services/Drivers In Memory ---

*Deregistered* - sptd
.
Contents of the 'Scheduled Tasks' folder

2008-02-01 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 19:20]

2009-05-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-12 00:30]

2009-05-18 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-12 21:05]

2009-05-02 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Guy.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2006-11-21 04:41]
.
- - - - ORPHANS REMOVED - - - -

BHO-{2cebcd29-cffd-4081-ac05-5164494776ba} - c:\windows\system32\sipaneya.dll
HKLM-Run-CPM330d8f45 - c:\windows\system32\vuboduje.dll
HKLM-Run-303ebcd9 - c:\windows\system32\faloyita.dll
HKLM-Run-hoyukilila - c:\windows\system32\migisibi.dll
HKLM-Run-Acer Tour - (no file)
HKLM-Run-eRecoveryService - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://ca.yahoo.com
uInternet Settings,ProxyOverride = localhost
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd....
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: turbine.com\download
Trusted Zone: youtube.com
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-18 03:59
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Live\Acer PlayMovie\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\audiodg.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\conime.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\windows\ehome\ehmsas.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
c:\windows\System32\WUDFHost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2009-05-18 4:02 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-18 11:02

Pre-Run: 201,348,128,768 bytes free
Post-Run: 201,234,870,272 bytes free

295 --- E O F --- 2009-05-14 02:09


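The ComboFix log above is long, and the entries that matter for triage are scattered through it: the Reg Loading Points section shows UAC (EnableLUA=0), every Windows Firewall profile (EnableFirewall=0) and Security Center monitoring (DisableMonitoring=1) switched off, while the deletions, new ProgramData folders and orphaned Run/BHO entries all point at eight-letter random names. The Python below is an added example, not part of the thread and not ComboFix's own code: it walks a log in this layout and pulls out exactly those two classes of finding. The sample log is constructed from a few lines of post #6; the WEAK_SETTINGS table and the eight-lowercase-letter heuristic are this example's own assumptions, and the name heuristic is a triage cue rather than a verdict (legitimate eight-letter names such as ieencode.dll exist in system32, so a hit wants corroboration, for instance also appearing in the orphan or BHO list).

```python
import re

# Constructed sample in ComboFix's log layout; the entries mirror those shown in
# post #6 of this thread (paths and registry values taken from that log).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\bunosuja.dll
c:\windows\system32\IEDFix.exe
c:\windows\system32\rodudaya.dll
.
((((((((((((((((((((((((( Files Created from 2009-04-18 to 2009-05-18 )))))))))))))))))))))))))))))))
.
2009-05-14 14:04 . 2009-05-16 20:54 -------- d-----w c:\programdata\katowola
2009-05-08 23:04 . 2009-05-08 23:04 -------- d-----w c:\program files\Common Files\DivX Shared
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
"{0B47F89A-9D52-4EDD-B611-DBEAD156BE43}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
- - - - ORPHANS REMOVED - - - -
BHO-{2cebcd29-cffd-4081-ac05-5164494776ba} - c:\windows\system32\sipaneya.dll
HKLM-Run-CPM330d8f45 - c:\windows\system32\vuboduje.dll
HKLM-Run-Acer Tour - (no file)
"""

# Registry values whose listed setting weakens the host's own defences
# (this table is an assumption of the example, not a ComboFix rule set).
WEAK_SETTINGS = {
    "EnableLUA": 0,                    # UAC switched off
    "EnableFirewall": 0,               # a Windows Firewall profile switched off
    "DisableMonitoring": 1,            # Security Center stops watching AV/firewall state
    "UacDisableNotify": 1,
    "InternetSettingsDisableNotify": 1,
    "AutoUpdateDisableNotify": 1,
    "UpdatesDisableNotify": 1,
}

SECTION_RE = re.compile(r"^(?:\(+\s*(.+?)\s*\)+|- - - - (.+?) - - - -)$")
KEY_RE = re.compile(r"^\[(.+)\]$")
# "Name"= 0 (0x0)  or  "Name"=dword:00000001 ; string values (paths) do not match.
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(?:dword:)?([0-9A-Fa-f]+)\b')
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]]+')
# Eight lowercase letters, no digits or punctuation: the naming pattern of the
# DLLs and ProgramData folders removed in this thread (heuristic, not a verdict).
RANDOM_STEM_RE = re.compile(r"^[a-z]{8}(?:\.(?:dll|ini|sys|exe))?$")
WATCHED_PARENTS = {"system32", "programdata", "all users"}


def looks_randomly_named(path):
    """True when the last path element is an 8-letter name directly under a watched folder."""
    parts = path.lower().rstrip("\\").split("\\")
    return len(parts) >= 2 and parts[-2] in WATCHED_PARENTS and bool(RANDOM_STEM_RE.match(parts[-1]))


def triage(log_text):
    """Walk a ComboFix-style log; return weakened settings and randomly named artifacts."""
    section, key = None, None
    weak, suspicious = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:                               # new section banner resets the current key
            section, key = m.group(1) or m.group(2), None
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and WEAK_SETTINGS.get(m.group(1)) == int(m.group(2), 16):
            weak.append((key, m.group(1), int(m.group(2), 16)))
        m = PATH_RE.search(line)
        if m and looks_randomly_named(m.group(0).rstrip()):
            suspicious.append((section, m.group(0).rstrip()))
    return {"weak_settings": weak, "suspicious_paths": suspicious}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for key, name, value in report["weak_settings"]:
        print(f"WEAK  {name}={value}  in [{key}]")
    for section, path in report["suspicious_paths"]:
        print(f"CHECK {path}  ({section})")
```

To run it over a real log, pass the file's text to triage() in place of SAMPLE_LOG; every finding carries the registry key or log section it came from, so it can be checked against the original lines.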

#7
May 18, 2009 at 04:38:50
Follow these next steps:

1) Run this script in AVZ:


begin
CreateQurantineArchive('c:\quarantine.zip');
end.

2) A file called quarantine.zip should be created in C:\. Then please zip up C:\qoobox\quarantine and upload both it and C:\quarantine.zip to a filehost such as http://rapidshare.com/ Then, Private Message me the Download link to the uploaded file.

3) Lastly, uninstall Combofix by: pause Antivirus/Spyware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) > Start > run > type 123a /u > ok. Or Start > run > type 123a.exe /u > ok.

There are two more important steps after this.



#8
May 18, 2009 at 05:07:11
Thanks for the files. Seems you are infected with the win32.krap.q virus.

1) Download and run Kaspersky AVP tool:
http://devbuilds.kaspersky-labs.com...

2) If you use Windows System Restore, turn it off > reboot and do a full scan with the AVP tool (instruction step 3). Then turn System Restore back on, if you wish; this is to remove malware from System Volume Information files. How to turn it off/on: http://support.kaspersky.com/faq/?q... Let me know if your antivirus still detects anything and is unable to get rid of it.

3) Once you download and start the tool, select all the objects to be scanned and hit Scan. Fix what it detects, and at the end of the scan post a screenshot/log of the detected items that were fixed and those it could not fix.



#9
May 18, 2009 at 10:51:12
Scan
----
Scanned: 651602
Detected: 18
Untreated: 0
Start time: 18/05/2009 5:22:28 AM
Duration: 05:24:28
Finish time: 18/05/2009 10:46:56 AM


Detected
--------
Status Object
------ ------
deleted: Trojan program Packed.Win32.Krap.q File: C:\Qoobox.rar/Qoobox\Quarantine\C\Windows\System32\bunosuja.dll.vir
deleted: Trojan program Packed.Win32.Krap.q File: C:\Qoobox.rar/Qoobox\Quarantine\C\Windows\System32\gugasara.dll.vir
deleted: Trojan program Packed.Win32.Krap.q File: C:\Qoobox.rar/Qoobox\Quarantine\C\Windows\System32\rodudaya.dll.vir
deleted: Trojan program Packed.Win32.Krap.q File: C:\Qoobox.rar/Qoobox\Quarantine\C\Windows\System32\timikeze.dll.vir
deleted: Trojan program Packed.Win32.Krap.q File: C:\Qoobox.rar/Qoobox\Quarantine\C\Windows\System32\yafakeje.dll.vir
deleted: Trojan program Packed.Win32.Krap.q File: C:\ProgramData\lahofipe\lahofipe.dll.tmp
deleted: Trojan program Packed.Win32.Krap.q File: C:\ProgramData\lopuheso\lopuheso.dll.tmp
deleted: Trojan program Packed.Win32.Krap.q File: C:\ProgramData\ravufuge\ravufuge.dll
not found: Trojan program Packed.Win32.Krap.q File: C:\Users\All Users\lahofipe\lahofipe.dll.tmp
not found: Trojan program Packed.Win32.Krap.q File: C:\Users\All Users\lopuheso\lopuheso.dll.tmp
not found: Trojan program Packed.Win32.Krap.q File: C:\Users\All Users\ravufuge\ravufuge.dll
deleted: Trojan program Trojan-Downloader.JS.Psyme.amg File: C:\Users\Guy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MUNKUZBU\show[1].htm
deleted: Trojan program Packed.Win32.Krap.q File: C:\Users\Guy\Desktop\avz4\Quarantine\2009-05-17\avz00001.dta
deleted: Trojan program Packed.Win32.Krap.q File: C:\Users\Guy\Desktop\avz4\Quarantine\2009-05-17\avz00002.dta
deleted: Trojan program Packed.Win32.Krap.q File: C:\Users\Guy\Desktop\avz4\Quarantine\2009-05-17\avz00003.dta
deleted: Trojan program Packed.Win32.Krap.q File: C:\Users\Guy\Desktop\avz4\Quarantine\2009-05-17\avz00004.dta
deleted: Trojan program Packed.Win32.Krap.q File: C:\Users\Guy\Desktop\avz4\Quarantine\2009-05-17\avz00005.dta
deleted: Trojan program Trojan-Downloader.WMA.GetCodec.g File: C:\Users\Guy\Downloads\lady ga ga sexy girl has shaking orgasm during sex.mpg


Events
------
Time Name Status Reason
---- ---- ------ ------
18/05/2009 5:22:35 AM Running module: smss.exe\smss.exe ok scanned


Statistics
----------
Object Scanned Detected Untreated Deleted Moved to Quarantine Archives Packed files Password protected Corrupted
------ ------- -------- --------- ------- ------------------- -------- ------------ ------------------ ---------


Settings
--------
Parameter Value
--------- -----
Security Level Recommended
Action Prompt for action when the scan is complete
Run mode Manually
File types Scan all files
Scan only new and changed files No
Scan archives All
Scan embedded OLE objects All
Skip if object is larger than No
Skip if scan takes longer than No
Parse email formats No
Scan password-protected archives No
Enable iChecker technology No
Enable iSwift technology No
Show detected threats on "Detected" tab Yes
Rootkits search Yes
Deep rootkits search No
Use heuristic analyzer Yes


Quarantine
----------
Status Object Size Added
------ ------ ---- -----


Backup
------
Status Object Size
------ ------ ----



#10
May 18, 2009 at 11:20:31
Run this script in AVZ:


begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
QuarantineFile('C:\ProgramData\lahofipe\*.*','');
DeleteFileMask('C:\ProgramData\lahofipe\','*.*',true);
QuarantineFile('C:\Users\All Users\lahofipe\*.*','');
DeleteFileMask('C:\Users\All Users\lahofipe\','*.*',true);
QuarantineFile('C:\ProgramData\lopuheso\*.*','');
DeleteFileMask('C:\ProgramData\lopuheso\','*.*',true);
QuarantineFile('C:\Users\All Users\lopuheso\*.*','');
DeleteFileMask('C:\Users\All Users\lopuheso\','*.*',true);
QuarantineFile('C:\ProgramData\ravufuge\*.*','');
DeleteFileMask('C:\ProgramData\ravufuge\','*.*',true);
QuarantineFile('C:\Users\All Users\ravufuge\*.*','');
DeleteFileMask('C:\Users\All Users\ravufuge\','*.*',true);
QuarantineFile('C:\ProgramData\katowola\*.*','');
DeleteFileMask('C:\ProgramData\katowola\','*.*',true);
QuarantineFile('C:\Users\All Users\katowola\*.*','');
DeleteFileMask('C:\Users\All Users\katowola\','*.*',true);
QuarantineFile('C:\ProgramData\bodizeya\*.*','');
DeleteFileMask('C:\ProgramData\bodizeya\','*.*',true);
QuarantineFile('C:\Users\All Users\bodizeya\*.*','');
DeleteFileMask('C:\Users\All Users\bodizeya\','*.*',true);
DeleteDirectory('C:\Users\All Users\ravufuge\');
DeleteDirectory('C:\ProgramData\ravufuge\');
DeleteDirectory('C:\Users\All Users\lopuheso\');
DeleteDirectory('C:\ProgramData\lopuheso\');
DeleteDirectory('C:\Users\All Users\lahofipe\');
DeleteDirectory('C:\ProgramData\lahofipe\');
DeleteDirectory('c:\users\All Users\bodizeya\');
DeleteDirectory('c:\programdata\bodizeya\');
DeleteDirectory('c:\users\All Users\katowola\');
DeleteDirectory('c:\programdata\katowola\');
BC_ImportAll;
ExecuteSysClean;
CreateQurantineArchive('c:\quarantine2.zip');
BC_Activate;
RebootWindows(true);
end.

Your computer will reboot. After it reboots:

Install, update and run a full scan with Malwarebytes' Anti-Malware. Attach the Malwarebytes full scan log, but please don't fix anything yet, until the log is reviewed.

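The script in post #10 follows a fixed order: quarantine each file, delete it, remove the now-empty dropper directory, and only then package the quarantine into c:\quarantine2.zip. The Python below is an added example and is not AVZ's code; it reproduces that order for a list of paths and adds two things a responder wants: a SHA-256 manifest inside the archive, and a read-back check of every archived copy before any original is removed, so a failed copy can never turn into destroyed evidence. Paths that no longer exist are reported under "missing" instead of aborting, which is the situation behind the "not found" lines for C:\Users\All Users in the Kaspersky report of post #9. The function names, the demo() directory layout and the file contents are constructed for this example.

```python
import hashlib
import json
import os
import tempfile
import zipfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 so large DLLs are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine_and_delete(paths, archive_path, remove_empty_dirs=True):
    """Archive each existing file with a hash manifest, verify the archive, then delete originals.

    Returns {"quarantined": [deleted originals], "missing": [paths that did not exist]}.
    Nothing is deleted if any archived copy fails the read-back check.
    """
    manifest, missing = [], []
    with zipfile.ZipFile(archive_path, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for p in map(Path, paths):
            if not p.is_file():                 # already gone (or a junction to a deleted file)
                missing.append(str(p))
                continue
            # Zip member name: drop the drive colon and use forward slashes.
            member = str(p).replace("\\", "/").replace(":", "").lstrip("/")
            zf.write(p, arcname=member)
            manifest.append({"original": str(p), "member": member,
                             "size": p.stat().st_size, "sha256": sha256_of(p)})
        zf.writestr("manifest.json", json.dumps(manifest, indent=2))

    # Read every copy back and compare hashes before anything is destroyed.
    with zipfile.ZipFile(archive_path) as zf:
        for entry in manifest:
            if hashlib.sha256(zf.read(entry["member"])).hexdigest() != entry["sha256"]:
                raise RuntimeError(f"archived copy of {entry['original']} does not verify; nothing deleted")

    deleted = []
    for entry in manifest:
        os.remove(entry["original"])
        deleted.append(entry["original"])
        parent = Path(entry["original"]).parent
        if remove_empty_dirs and not any(parent.iterdir()):   # the DeleteDirectory step
            parent.rmdir()
    return {"quarantined": deleted, "missing": missing}


def demo():
    """Constructed scenario: two dropper folders plus one path that is already gone."""
    root = Path(tempfile.mkdtemp())
    files = []
    for folder, name in (("lahofipe", "lahofipe.dll.tmp"), ("ravufuge", "ravufuge.dll")):
        d = root / "ProgramData" / folder
        d.mkdir(parents=True)
        f = d / name
        f.write_bytes(b"MZ" + folder.encode() * 64)   # constructed stand-in for a DLL body
        files.append(f)
    ghost = root / "ProgramData" / "lopuheso" / "lopuheso.dll.tmp"   # never created
    archive = root / "quarantine2.zip"
    report = quarantine_and_delete([*files, ghost], archive)
    with zipfile.ZipFile(archive) as zf:
        members = sorted(zf.namelist())
    survivors = sorted(p.name for p in (root / "ProgramData").iterdir())
    return report, members, survivors


if __name__ == "__main__":
    report, members, survivors = demo()
    print("quarantined:", report["quarantined"])
    print("missing:    ", report["missing"])
    print("archive:    ", members)
    print("left behind:", survivors)
```

The archive is written and verified before the first os.remove() call, so an interrupted run leaves the originals in place and the partial zip can simply be discarded; the manifest gives the analyst the original path, size and hash of each sample without having to extract it.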

#11
May 18, 2009 at 11:38:01
Please upload c:\quarantine2.zip to rapidshare and private message me the download link.


#12
May 18, 2009 at 14:30:26
Thanks for the links. Fix what Malwarebytes detected. Seems you might have one of the rare Vundo infections; please scan and clean with http://www.eset.com/onlinescan/ and post what it detects/fixes here. Is your original problem solved? Most of the active stuff should have been fixed.


#13
May 18, 2009 at 16:06:20
Yes, my original problem is solved, it's running a lot better. I scanned but I don't see a place to save a log file, so I'm just gonna type in what it found: Win32/Adware.Virtumonde.NEO~(unable to clean - deleted)
C:\Users\Guy\Desktop\avz4\Quarantine\2009-05-18\avz00001.dta




#14
May 18, 2009 at 16:11:39
That's OK, you can delete all those quarantined files. All of the viruses are removed. Is the error on startup gone as well?


#15
May 18, 2009 at 16:21:24
You mean the quarantined files that AVZ quarantined, right? Yeah, the errors at startup are gone as well. I can't thank you enough for all your help; I'm still in awe that such quick and quality service was free. I read that a lot of people on this site are volunteers as well, that's awesome. Thank you very much.
