Solved: Please Review MY HJT Log

altogaflash
Junior Member with 16 posts. Join Date: Oct 2009. Experience: Beginner
28-Oct-2009, 02:21 AM #1
Please Review MY HJT Log
Greetings TSG!
Update!!! (28-Oct-2009, 7:10 AM Central Standard Time USA) My first worrisome concern is whether I have a backdoor trojan/rootkit issue. If this can be detected quickly, it would be much appreciated. I keep researching and see this is critical. This is the only computer I have to check back here at the forum, and if I have a backdoor/rootkit issue, I will need to see what I can do for another computer to check for your responses, change bank/credit card passwords, etc.

(Scroll down to find my HJT log)
My personal computer: Dimension 5510
OS: MS Windows XP Professional
Anti-Virus Protection: McAfee Security Center, continuous coverage since the 2007 computer purchase, which shows I'm currently protected (firewall protection etc.). I also have Windows Defender; it was turned off (apparently by a recent trojan), but I was able to reactivate it by opening it in Programs on 10/29/09.
Symptoms:
Several months ago I would get an odd pop-up here and there. I would 'x' them out or just shut down my computer, as I've always been leery of these things (I always keep my pop-up blocker on). Also about this time I noticed my mouse pointer would 'run erratically' in my MS Explorer web browser favorites list only. I probably received 2-3 McAfee trojan removal warnings during this time span. I also noticed that Windows Defender was not doing its weekly scan anymore. All red flags that I ignored. My McAfee weekly scan continued and never showed any items/issues found that I remember.
Starting about 10/19/09, the malware/spyware attacks via pop-ups and hijacked Google searches (and a few sudden web browser shutdowns) really kicked in.
About this same time, I also got a legit-looking small pop-up in my HughesNet email account stating something like 'item not found'. I'm sorry to say I clicked the OK button within the box 2-3 times, and each time the box would pop back up with a similar suspicious message like 'sorry, there's still a problem, please try again'. It's been 3 days since I've logged back into that account, as I think this is part of the trojan problem. (Update Oct 28 7:10 AM: I signed into this account and the pop-up box did not appear; all seems normal with my HughesNet email service now.)
I started running McAfee full scans. Each time it was finding different types of trojans (Vundo, Generic Fake Alert, Artemis, Spy Agent, DNSChanger). Most were quarantined, some repaired, some 'cannot be removed'. (I can provide more details on these if needed.)
After a failed attempt to contact McAfee, I went to the Microsoft Online Safety web site (Sunday 10/25/09). After researching, I found my 'Windows Automatic Updates' was disabled. After trying to re-enable it in Run > Services, it would return to disabled... I then ran the MS OneCare Live scan.
It deleted:
exploit:js/mult.bb (1 item)
trojan win32/vundo.fa (6 items)
worm:win32/emold.u (1 item)
worm:win32/vundo.b (6 items)
Items 'Unable to clean':
Trojan:Win32/vundo!bn (1 item)
trojan:win32/vundo!g (10 items)
Scan summary:
Protection- 6 issues found, 25 items deleted and cleaned.
objects that couldn't be scanned: 551

I was then able to reactivate my 'Windows Automatic Updates' in Run > Services and haven't had a 'disabled' problem with it since. But I'm getting a RUNDLL pop-up error now every time I turn my computer on and log in.
The RUNDLL ERROR pop-up reads:
"Error loading C:\windows\system32\tayanage.dll. The specified module could not be found."
(Monday 10/26/09)
I then ran an ESET scan. It found 1 threat:
"a variant of win32/kryptic.ahr trojan" and quarantined it. It gave me the option to delete it and I did so.
I tried to reboot my computer in 'safe mode' and after prompting it to do so I got the 'Blue Screen of Death' with the message:
"A problem has been detected and Windows has been shut down to prevent damage to your computer. Check for viruses on your computer. Remove any newly installed hard drives or hard drive controllers. Check your hard drive to make sure it is properly configured and terminated. Run chk/f (which I tried to in the run screen and chk/f couldn't be found) to check for hard drive corruption and then restart your computer...Technical info: ***stop: 0x0000007b(0XF8A0F524,0x0000034,0X00000000,0X00000000).
I posted a thread over at the MS Online Safety forum and they advised me to come here.
Since I ran the MS OneCare Live scan (10/25/09) and the ESET scan (10/26/09), these trojan attacks have been subdued. I haven't noticed a rogue pop-up or Google web search hijack. I did have one web browser shutdown though.
Throughout all of these problems I can still search the web and access files etc.
I worry about my recent secured bank account visits though.

Thanks,
Jack


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:29:19 PM, on 10/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\dlcdcoms.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spider.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hughesnet.myway.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DLCDCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [jipohuvig] Rundll32.exe "c:\windows\system32\tayanage.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [DelayShred] "C:\Program Files\McAfee\MSHR\ShrCL.EXE" /P7 /q C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\TZ6XHLUC\YGM_1_~1.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\T2SGBZSG\4PACK_~1.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\T2SGBZSG\NAVSPE~1.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\TZ6XHLUC\TRAFFI~1.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\28IB94KZ\VALERR~1.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\T2SGBZSG\FPLOWE~1.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\TZ6XHLUC\BANNER~1.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\QZO7R61D\BTMNAV~1.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\28IB94KZ\BTNDIC~1.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\QZO7R61D\NAVNEW~1.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\28IB94KZ\FPCHEV~1.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\28IB94KZ\BTMNAV~3.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\QZO7R61D\IMGPAR~1.
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase8942.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1256462443765
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL c:\windows\system32\tadebava.dll,ranuvozo.dll c:\windows\system32\tayanage.dll
O21 - SSODL: titadubeh - {69519aec-3ae8-4b22-b849-25625920164c} - (no file)
O21 - SSODL: hesedodan - {0c59e26d-56a4-429f-8fb2-c59da90d7f9f} - (no file)
O22 - SharedTaskScheduler: gahurihor - {69519aec-3ae8-4b22-b849-25625920164c} - (no file)
O22 - SharedTaskScheduler: mujuzedij - {0c59e26d-56a4-429f-8fb2-c59da90d7f9f} - (no file)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: dlcd_device - - C:\WINDOWS\system32\dlcdcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
--
End of file - 12383 bytes

Last edited by altogaflash : 28-Oct-2009 10:41 PM. Reason: Update non-HJT log comments
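The O4, O20, O21 and O22 lines in the log above are the usual Vundo footprint: a Run value that has rundll32 load a DLL with a made-up 8-letter name straight from system32, extra DLLs pushed into AppInit_DLLs (so they load into every process that links user32), and shell-hook CLSIDs whose label is another made-up word or whose server is "(no file)". The following Python is an added example, not part of this post and not code from HijackThis or OTS: it applies those three checks to lines copied verbatim from the log, alongside two benign O4 lines from the same log to show they pass. The AppInit_DLLs allow-list (only the Google Desktop hook) and the "nonsense name" heuristics are my own assumptions, not something HijackThis itself does.

```python
"""Triage of HijackThis log lines for Vundo-style persistence.

Added example for this thread; not part of the original post and not
HijackThis or OTS code. Sample lines are copied from the posted log; the
heuristics and thresholds are assumptions about what this family looks like:
  - O4 Run values that launch rundll32 on an 8-lowercase-letter DLL that
    sits directly in system32 (tayanage.dll)
  - O20 AppInit_DLLs carrying anything beyond an allow-listed entry
  - O21 SSODL / O22 SharedTaskScheduler hooks whose target is "(no file)"
    or whose label is an 8-9 lowercase-letter nonsense word
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed from the O4/O20/O21/O22 lines of the posted HJT log, plus two
# benign O4 lines (DLCDCATS, UserFaultCheck) to show they are not flagged.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [DLCDCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [jipohuvig] Rundll32.exe "c:\windows\system32\tayanage.dll",a
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL c:\windows\system32\tadebava.dll,ranuvozo.dll c:\windows\system32\tayanage.dll
O21 - SSODL: titadubeh - {69519aec-3ae8-4b22-b849-25625920164c} - (no file)
O21 - SSODL: hesedodan - {0c59e26d-56a4-429f-8fb2-c59da90d7f9f} - (no file)
O22 - SharedTaskScheduler: gahurihor - {69519aec-3ae8-4b22-b849-25625920164c} - (no file)
O22 - SharedTaskScheduler: mujuzedij - {0c59e26d-56a4-429f-8fb2-c59da90d7f9f} - (no file)
"""

# Assumption: the only AppInit_DLLs entry that belongs on this box is the
# Google Desktop hook that the fix later in this thread keeps.
APPINIT_ALLOW = {"goec62~1.dll"}
NONSENSE_LABEL = re.compile(r"[a-z]{8,9}")   # jipohuvig, titadubeh, ...
NONSENSE_STEM = re.compile(r"[a-z]{8}")      # tayanage, kuwibipa, ...
SYSTEM32 = r"c:\windows\system32"


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def _first_dll(text: str) -> str | None:
    """First *.dll path on the line, with surrounding quotes stripped."""
    m = re.search(r'"?([^"\s]+\.dll)"?', text, re.I)
    return m.group(1) if m else None


def _looks_like_vundo_dll(path: str) -> bool:
    """8 lowercase letters + .dll, directly in system32 (no sub-folder)."""
    folder, _, base = path.rpartition("\\")
    stem, _, ext = base.rpartition(".")
    return (folder.lower() == SYSTEM32 and ext.lower() == "dll"
            and NONSENSE_STEM.fullmatch(stem) is not None)


def _appinit_entries(value: str) -> list[str]:
    """AppInit_DLLs is space- or comma-separated; entries may be bare names."""
    return [p.rpartition("\\")[2].lower() for p in re.split(r"[\s,]+", value) if p]


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.match(r"(O\d+) - (.*)", line)
        if not m:
            continue
        section, body = m.groups()
        if section == "O4" and "rundll32" in body.lower():
            dll = _first_dll(body)
            if dll and _looks_like_vundo_dll(dll):
                findings.append(Finding(section, f"rundll32 loads nonsense-named DLL {dll}", line))
        elif section == "O20" and body.lower().startswith("appinit_dlls:"):
            extra = [e for e in _appinit_entries(body.split(":", 1)[1]) if e not in APPINIT_ALLOW]
            if extra:
                findings.append(Finding(section, "AppInit_DLLs injects " + ", ".join(extra), line))
        elif section in ("O21", "O22"):
            label = body.split(":", 1)[1].split(" - ")[0].strip()
            if "(no file)" in body.lower():
                findings.append(Finding(section, f"orphaned shell hook '{label}' (no file)", line))
            elif NONSENSE_LABEL.fullmatch(label):
                findings.append(Finding(section, f"shell hook with nonsense label '{label}'", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

Run as-is it reports six findings (one O4, one O20, two O21, two O22) and nothing for the two benign lines. The O21/O22 "(no file)" check matters on its own: the CLSIDs persist after the DLL is removed, and the fix later in the thread deletes exactly those four keys.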
altogaflash
29-Oct-2009, 10:04 PM #2
bump
altogaflash
31-Oct-2009, 02:34 AM #3
Just an FYI When You get to Me
Just an update. After about 48 hours of issue-free computer/internet operation (other than still being unable to log in via 'safe mode'), I entered a website (hotair.com) that I hadn't visited since before 10/20, and within minutes the trojan attack (Trojan:Win32/Vundo.gen!BP) was on. Windows Defender was hijacked by a fake high-alert Windows Security pop-up.
I immediately ran Microsoft Onecare scan. It cleaned all but 2 items and took away the fake Windows Security issue. I was able to reactivate Windows Defender.
I then did ESET scan and it found 4 items (all variants of Win32/adware.SuperJuan.K application) that were all quarantined and cleaned by deletion.
It's now settled down to just Google search redirects here and there.

Let me know if you need me to send a fresh HJT log.

Thanks,
Altoga
NeonFx (authorized to help remove malware)
Senior Member with 1,780 posts. Join Date: Oct 2008. Location: California, USA
31-Oct-2009, 02:52 AM #4
Hello there! Welcome to the Tech Support Guy forums.
My name is NeonFx. I'll be glad to help you with your computer problems. Logs can take some time to research, so please be patient with me.

Please note the following:

  • The fixes are specific to your problem and should only be used on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clean. Absence of symptoms does not necessarily mean that the system is completely clean.
  • It's often worth reading through these instructions and printing them for ease of reference. I may ask you to boot into Safe Mode where you will be unable to follow my instructions online.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Step 1

Download OTS to your Desktop


  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Desktop Components
    • Reg - Disabled MS Config Items
    • Reg - NetSvcs
    • Reg - Shell Spawning
    • Reg - Uninstall List
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)

  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.


Please attach the log in your next post. To do so click on the blue "Reply" button or "Go Advanced" and click on the "Manage Attachments" button

To ensure that I get all the information this log will need to be attached. If it is too large to attach then upload it to Mediafire and post the sharing link.

Step 2

Download RootRepeal from one of the following locations and save it to your desktop:
Link 1
Link 2
Link 3
  • Double click to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
    • Shadow SSDT

  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan
    Note: The scan can take some time. DO NOT run any other programs while the scan is running
  • When the scan is complete, click the button and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program


If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.
__________________
Please post the final results, good or bad. Let me know if you won't be responding any longer.
If I have not responded in three days, please feel free to PM me with a friendly reminder.
Please don't send me requests for help. Use the forums instead.
altogaflash
31-Oct-2009, 08:44 AM #5
OTS and RR Reports
Hi there Neonfx!
You are a sight for sore eyes!
Here are both the OTS (attached file) and RR reports (below). Hope I do this right.
Altogaflash

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/10/31 07:09
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF58D8000 Size: 98304 File Visible: No Signed: -
Status: -
Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8A69000 Size: 8192 File Visible: No Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF190A000 Size: 49152 File Visible: No Signed: -
Status: -
Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!
Path: c:\windows\temp\mcafee_usathysbbx8cooh
Status: Allocation size mismatch (API: 4096, Raw: 0)
Path: c:\windows\temp\mcmsc_b2oyjfufgm7qzlt
Status: Allocation size mismatch (API: 4096, Raw: 0)
Path: c:\windows\temp\mcmsc_ei1x6weatd2lzdb
Status: Allocation size mismatch (API: 4096, Raw: 0)
Path: c:\documents and settings\jack oliver\local settings\temp\~dfdfb1.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)
==EOF==
NeonFx
31-Oct-2009, 02:23 PM #6
Let's get to it. It's a good thing you came here, as you're still infected.

STEP 1

Run OTS

  • Under the Paste Fix Here box on the right, paste in the following

    Code:
    [Unregister Dlls]
    [Modules - Safe List]
    YY -> kuwibipa.dll -> C:\WINDOWS\system32\kuwibipa.dll
    [Registry - Safe List]
    < Internet Explorer Settings [HKEY_USERS\S-1-5-21-1286926325-4139982374-590142492-1006\] > -> 
    YN -> HKEY_USERS\S-1-5-21-1286926325-4139982374-590142492-1006\: Main\\"Start Page" -> http://hughesnet.myway.com/
    < Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YN -> "" -> []
    YY -> "jipohuvig" -> C:\WINDOWS\System32\kuwibipa.DLL [Rundll32.exe "c:\windows\system32\kuwibipa.dll",a]
    < Run [HKEY_USERS\S-1-5-21-1286926325-4139982374-590142492-1006\] > -> HKEY_USERS\S-1-5-21-1286926325-4139982374-590142492-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YN -> nt.IE5\QZO7R61D\IMGPAR~1.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\QZO7R61D\NAVVIS~1.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\TZ6XHLUC\FPBERE~1.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\QZO7R61D\FPOREI~1.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\28IB94KZ\HOTROD~1.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\28IB94KZ\NAVFAN~1.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\TZ6XHLUC\FPUPS_~1.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\28IB94KZ\NAVFAQ~1.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\QZO7R61D\FPNATI~1.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\28IB94KZ\FPNEXT~1.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\TZ6XHLUC\FPDMN_~1.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\T2SGBZSG\FPDICK~1.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\Q3DV3OC1\TCODE_~1.SH! c:\DOCUME~1\JACKOL~1\LOCALS~1\temp\~ef78ea.SH! c:\DOCUME~1\JACKOL~1\LOCALS~1\temp\HSPERF~1.SH! C:\DOCUME~1\JACKOL~1\LOC -> 
    YN -> ALS~1\TEMPOR~1\Content.IE5\3RFT29SH\B29240~1.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\3RFT29SH\343235~1.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\TQIRN6SO\343235~1.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\EQZZ9AZ1\BONVUE~1.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\IX8WXPEH\FAVICO~1.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\H1QWTPH2\FAVICO~1.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\SAPO60V8\343531~1.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\WKMWQANE\ACTIVI~2.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\JPY311KN\TOUR_1~1.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\WKMWQANE\TWOTIE~1.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\366G2TPX\_ORD_9~1.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\TT31N3TJ\FAVICO~2.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\KN242UL0\343235~2.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\2INM1112\FAVICO~1.SH! C:\DOCUME~1\JACKOL~1\LOCAL -> 
    YN -> S~1\TEMPOR~1\Content.IE5\6U6902WR\FAVICO~1.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\LOH6N2VZ\FAVICO~4.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\W788QSJ6\FAVICO~4.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\JC7GBLN7\TOPBUT~1.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\LOH6N2VZ\FAVICO~3.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\JC7GBLN7\FAVICO~3.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\JC7GBLN7\ANSWER~1.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\WWLU7KA8\BLANK_~1.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\WWLU7KA8\FAVICO~2.SH!] -> [2009/09/25 12:22:14 | 00,113,168 | ---- | M] ()
    < Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
    YN -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 2 domain(s) found.
    < Trusted Sites Domains [HKEY_USERS\S-1-5-21-1286926325-4139982374-590142492-1006\] > -> HKEY_USERS\S-1-5-21-1286926325-4139982374-590142492-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
    YN -> HKEY_USERS\S-1-5-21-1286926325-4139982374-590142492-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 3 domain(s) found.
    < SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
    YY -> "{2b6094cc-7629-48b1-b576-8cb81b85957e}" [HKLM] -> C:\WINDOWS\system32\kuwibipa.dll [rupagakad]
    YN -> "{69519aec-3ae8-4b22-b849-25625920164c}" [HKLM] -> Reg Error: Key error. [titadubeh]
    < SharedTaskScheduler [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
    YN -> "{0c59e26d-56a4-429f-8fb2-c59da90d7f9f}" [HKLM] -> Reg Error: Key error. [mujuzedij]
    YY -> "{2b6094cc-7629-48b1-b576-8cb81b85957e}" [HKLM] -> C:\WINDOWS\system32\kuwibipa.dll [kupuhivus]
    YN -> "{69519aec-3ae8-4b22-b849-25625920164c}" [HKLM] -> Reg Error: Key error. [gahurihor]
    [Files/Folders - Modified Within 30 Days]
    NY -> kadidulu -> C:\WINDOWS\System32\kadidulu
    NY ->  190 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp
    NY ->  190 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp
    NY ->  10 C:\Documents and Settings\Jack Oliver\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Jack Oliver\Local Settings\Temp\*.tmp
    NY ->  1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
    NY ->  1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
    [Files - No Company Name]
    NY -> regred.exe -> C:\WINDOWS\regred.exe
    NY -> usexplorer.exe -> C:\WINDOWS\usexplorer.exe
    NY -> microsoftdef.dll -> C:\WINDOWS\microsoftdef.dll
    NY -> spoov.exe -> C:\WINDOWS\spoov.exe
    NY -> certsystem.exe -> C:\WINDOWS\certsystem.exe
    NY -> securits.com -> C:\WINDOWS\securits.com
    NY -> mirajehi.dll -> C:\WINDOWS\System32\mirajehi.dll
    NY -> kuwibipa.dll -> C:\WINDOWS\System32\kuwibipa.dll
    [Custom Items]
    :files
    c:\windows\system32\tadebava.dll 
    c:\windows\system32\ranuvozo.dll 
    c:\windows\system32\tayanage.dll
    c:\windows\system32\gedekuye.dll 
    c:\windows\system32\kuwibipa.dll
    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_Dlls"="C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL"
    :end
    [Purity]
    [Empty Temp Folders]
    [Reboot]
    
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • This will create a log in C:\_OTS\MovedFiles\<date>_<time>.txt where date and time are those of when the fix was run. Open it from there if it does not appear automatically on reboot. Please copy and paste the contents of that file here.



STEP 2

Run OTS again and click on the Quick Scan button at the top. Copy and Paste the results of this scan in your next reply.
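The RUNDLL box in post #1 (tayanage.dll) and the one that appears after this fix is run (kuwibipa.dll) are the same condition: the DLL is gone, but the HKLM Run value, the SSODL and SharedTaskScheduler CLSIDs, or the AppInit_DLLs string still name it, so Windows tries to load it at every logon. The following Python is an added example, not part of NeonFx's post and not OTS or HijackThis code: it audits those locations for references to files that no longer exist and rewrites AppInit_DLLs to keep only entries that do. SNAPSHOT and PRESENT are constructed from entries in the posted log and fix; the assumption that bare AppInit_DLLs names resolve under system32, the assumption that the two CLSIDs no longer have InProcServer32 keys, and the collect_windows() helper for reading the live registry are mine.

```python
"""Audit of the autostart locations the OTS fix above touches for entries
whose target file is gone (the state behind the RUNDLL "specified module
could not be found" box). Added example for this thread; not part of the
post, of OTS or of HijackThis. SNAPSHOT/PRESENT are constructed from entries
in the posted log and fix; on Windows, collect_windows() reads the live keys.
"""
from __future__ import annotations

import os
import re
import sys
from dataclasses import dataclass

SYSTEM32 = r"c:\windows\system32"   # assumption: where bare AppInit_DLLs names load from


@dataclass
class Orphan:
    location: str
    name: str
    target: str   # missing file, or "" when the CLSID has no InProcServer32 key


# Constructed: the fix deleted kuwibipa.dll but the Run value and the two
# shell-hook CLSIDs remain; their InProcServer32 keys are assumed already gone.
SNAPSHOT = {
    "run": {
        "jipohuvig": r'Rundll32.exe "c:\windows\system32\kuwibipa.dll",a',
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
        "mcagent_exe": r'"C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey',
    },
    "ssodl": {"{69519aec-3ae8-4b22-b849-25625920164c}": "titadubeh"},
    "sts": {"{0c59e26d-56a4-429f-8fb2-c59da90d7f9f}": "mujuzedij"},
    "inproc": {},
    "appinit": r"C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL c:\windows\system32\tayanage.dll,ranuvozo.dll",
}
PRESENT = {   # files that still exist in the constructed scenario (lower-case)
    r"c:\windows\system32\ctfmon.exe",
    r"c:\program files\mcafee.com\agent\mcagent.exe",
    r"c:\progra~1\google\google~1\goec62~1.dll",
}


def target_of(command: str) -> str:
    """File a Run value really loads: the DLL handed to rundll32 when that is
    the launcher, otherwise the (possibly quoted) program path."""
    m = re.match(r'\s*"?([^"]*?rundll32(?:\.exe)?)"?\s+"?([^",]+)', command, re.I)
    if m:
        return m.group(2).strip()
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    return (m.group(1) or m.group(2)) if m else command


def audit(snapshot: dict, exists) -> list[Orphan]:
    """Run values, SSODL and SharedTaskScheduler hooks whose file is missing."""
    orphans: list[Orphan] = []
    for name, cmd in snapshot["run"].items():
        target = target_of(cmd)
        if not exists(target) and not exists(target + ".exe"):   # bare names like dumprep
            orphans.append(Orphan("Run", name, target))
    for location, key in (("SSODL", "ssodl"), ("SharedTaskScheduler", "sts")):
        for clsid, label in snapshot[key].items():
            server = snapshot["inproc"].get(clsid)
            if not server or not exists(server):
                orphans.append(Orphan(location, label, server or ""))
    return orphans


def clean_appinit(value: str, exists) -> tuple[str, list[str]]:
    """Rewrite AppInit_DLLs keeping only entries whose file exists."""
    keep, dropped = [], []
    for entry in filter(None, re.split(r"[\s,]+", value.strip())):
        path = entry if "\\" in entry else SYSTEM32 + "\\" + entry
        (keep if exists(path) else dropped).append(entry)
    return " ".join(keep), dropped


def collect_windows() -> dict:
    """Live equivalent of SNAPSHOT (Windows only; reads HKLM/HKCR via winreg)."""
    import winreg
    cv = r"SOFTWARE\Microsoft\Windows\CurrentVersion"

    def values(path):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as k:
                items = (winreg.EnumValue(k, i) for i in range(winreg.QueryInfoKey(k)[1]))
                return {n: os.path.expandvars(str(d)) for n, d, _ in items}
        except OSError:
            return {}

    def inproc(clsid):
        try:
            with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, rf"CLSID\{clsid}\InProcServer32") as k:
                return os.path.expandvars(winreg.QueryValueEx(k, "")[0])
        except OSError:
            return None

    ssodl = {c: n for n, c in values(cv + r"\ShellServiceObjectDelayLoad").items()}
    sts = {c: n for n, c in values(cv + r"\Explorer\SharedTaskScheduler").items()}
    return {"run": values(cv + r"\Run"), "ssodl": ssodl, "sts": sts,
            "inproc": {c: inproc(c) for c in [*ssodl, *sts]},
            "appinit": values(r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows").get("AppInit_DLLs", "")}


if __name__ == "__main__":
    live = sys.platform == "win32"
    snap = collect_windows() if live else SNAPSHOT
    exists = os.path.isfile if live else (lambda p: p.lower() in PRESENT)
    for o in audit(snap, exists):
        print(f"orphan in {o.location}: {o.name} -> {o.target or '(no InProcServer32)'}")
    kept, dropped = clean_appinit(snap["appinit"], exists)
    print(f"AppInit_DLLs should read {kept!r}; dropped {dropped}")
```

Against the constructed snapshot it reports the jipohuvig Run value and both shell-hook CLSIDs as orphans and reduces AppInit_DLLs to the Google entry, which is the value the fix's :reg block writes. It only reports; removing orphaned values is the helper's call once the files they point to have been confirmed gone, and on a live machine it has to run from an elevated prompt to read HKLM.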
altogaflash
31-Oct-2009, 10:21 PM #7
OTS Fix Log
Hi Neonfx
I sent the full OTS fix log in 4 attachments, as I could not figure out how to send it via MediaFire (I got my file uploaded to MediaFire, but couldn't get the URL to post here). Hope that's OK.
I also list the abnormal incidents I experienced during and after the OTS fix process below.
Thanks!

While the fix was running, a Windows message popped up that said:

'OTS:OTS.exe-Bad Image'
"The application or Dll c:\windows\microsoftdef.dll is not a valid windows image. Please check this against your installation diskette".
I clicked the 'Ok' button.


After the fix completed and before my computer turned off, I got the Windows message:

'End Program McAgent_Main_Hidden_Window'
"If you chose to end the program immediately you will lose any unsaved data. To end program now, check end now."
I let the above program complete and did 'Alt-F4' to escape this box.

My computer then went to my screen saver only. After nothing seemed to be happening/running, I tried to shut my computer down manually. A Windows message came up that read:

"End Program-McAgent_Main_Hidden_Window is not responding.
To return to Windows and check the status, click cancel. If you chose to end the program immediately, you will lose any unsaved data. To end the program now, click end now."

I clicked the 'cancel' button in the box and my computer soon thereafter turned off.
I started my computer back up and signed back in. A RUN DLL message popped up that said:

"Error loading C:\Windows\System32\Kuwlbipa.dll-"The specified module could not be found"

I did not 'Alt-F4' or close out of this box. I left it up to see what you say.
The OTS Fix log popped up in Notepad.
I then opened my browser, signed in here, and here I am.
Attachment Blocked
Attachments in the HJT forum are often designed to solve a specific issue and not meant to be used without instructions specific to your computer. If you want help specific to your computer, please post a HiJackThis Log.
Senior Member with 1,780 posts.
Join Date: Oct 2008
Location: California, USA
31-Oct-2009, 11:08 PM #8
It's odd that the computer reacted the way it did.

Do you have the results from Step 2?
Junior Member with 16 posts.
Join Date: Oct 2009
Experience: Beginner
31-Oct-2009, 11:56 PM #9
Neonfx, (Happy Halloween, by the way)

I just now went to the OTS program and automatically clicked on Quick Scan. Then I said uh ohh. Should I have done the following again before hitting quick scan?

Check the box that says Scan All Users
Under Additional Scans check the following:
  • Reg - Desktop Components
  • Reg - Disabled MS Config Items
  • Reg - NetSvcs
  • Reg - Shell Spawning
  • Reg - Uninstall List
  • File - Lop Check
  • File - Purity Scan
  • Evnt - EvtViewer (last 10)
Now click the Run Scan button on the toolbar
Senior Member with 1,780 posts.
Join Date: Oct 2008
Location: California, USA
01-Nov-2009, 12:00 AM #10
Nope, just click on the Quick Scan button and it should produce the results that I need.
Junior Member with 16 posts.
Join Date: Oct 2009
Experience: Beginner
01-Nov-2009, 12:22 AM #11
OTS Quick Scan Log
Here it tis!
P.S. My free MediaFire account URL issue might have been just my lack of know how on getting it to cooperate.
Senior Member with 1,780 posts.
Join Date: Oct 2008
Location: California, USA
01-Nov-2009, 12:30 AM #12
Excellent. I think I see the source of our problems. Let me know if you get any errors again. Please do the following:

STEP 1

Run OTS

  • Under the Paste Fix Here box on the right, paste in the following


Code:
[Unregister Dlls]
[Registry - Safe List]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "jipohuvig" -> C:\WINDOWS\System32\kuwibipa.DLL [Rundll32.exe "c:\windows\system32\kuwibipa.dll",a]
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "DelayShred" -> C:\Program Files\McAfee\MSHR\ShrCL.EXE ["C:\Program Files\McAfee\MSHR\ShrCL.EXE" /P7 /q C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\TZ6XHLUC\YGM_1_~1.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\T2SGBZSG\4PACK_~1.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\T2SGBZSG\NAVSPE~1.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\TZ6XHLUC\TRAFFI~1.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\28IB94KZ\VALERR~1.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\T2SGBZSG\FPLOWE~1.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\TZ6XHLUC\BANNER~1.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\QZO7R61D\BTMNAV~1.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\28IB94KZ\BTNDIC~1.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\QZO7R61D\NAVNEW~1.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\28IB94KZ\FPCHEV~1.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Content.IE5\28IB94KZ\BTMNAV~3.SH! C:\DOCUME~1\JACKOL~1\LOCALS~1\TEMPOR~1\Conte
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 3 domain(s) found.
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
YY -> c:\windows\system32\kuwibipa.dll -> C:\WINDOWS\System32\kuwibipa.dll
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
YN -> "{2b6094cc-7629-48b1-b576-8cb81b85957e}" [HKLM] -> C:\WINDOWS\System32\kuwibipa.dll [rupagakad]
< SharedTaskScheduler [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
YN -> "{2b6094cc-7629-48b1-b576-8cb81b85957e}" [HKLM] -> C:\WINDOWS\System32\kuwibipa.dll [kupuhivus]
[Files/Folders - Created Within 14 Days]
NY ->  C:\Program Files\Windows Police Pro -> C:\Program Files\Windows Police Pro
[ClearAllRestorePoints]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • This will create a log in C:\_OTS\MovedFiles\<date>_<time>.txt where date and time are those of when the fix was run. Open it from there if it does not appear automatically on reboot. Please copy and paste the contents of that file here.



STEP 2

Run OTS again and click on the Quick Scan button at the top. Copy and Paste the results of this scan in your next reply.
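The two fix scripts above share one format, and the second one reads as a persistence map once it is grouped by target. Below is an added Python example, written for this page (it is not OTS code and not part of the thread), that parses that format and lists every target together with the autostart hooks that reference it. The sample input is constructed from the lines posted above, abbreviated (the long McAfee DelayShred line is left out). Run over it, the parser shows kuwibipa.dll wired into four separate startup locations: the HKLM Run key, AppInit_DLLs, ShellServiceObjectDelayLoad and SharedTaskScheduler. That is consistent with the RunDLL "specified module could not be found" message after the first fix: the file had been deleted, but a Run entry was still trying to load it at logon.

```python
import re
from collections import defaultdict

# Constructed sample input, abbreviated from the two OTS fix scripts in this thread.
# Line shapes in the OTS fix format:
#   [Section]                          section header
#   < Label [HIVE] > -> <registry key> autostart location for the entries below
#   YN -> "name" -> target [command]   one entry: flags, display name, target, launcher
#   :files / :reg ... :end             raw custom blocks
SAMPLE_FIX = r"""
[Registry - Safe List]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "jipohuvig" -> C:\WINDOWS\System32\kuwibipa.DLL [Rundll32.exe "c:\windows\system32\kuwibipa.dll",a]
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
YY -> c:\windows\system32\kuwibipa.dll -> C:\WINDOWS\System32\kuwibipa.dll
< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
YN -> "{2b6094cc-7629-48b1-b576-8cb81b85957e}" [HKLM] -> C:\WINDOWS\System32\kuwibipa.dll [rupagakad]
< SharedTaskScheduler [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
YN -> "{2b6094cc-7629-48b1-b576-8cb81b85957e}" [HKLM] -> C:\WINDOWS\System32\kuwibipa.dll [kupuhivus]
[Files/Folders - Created Within 14 Days]
NY ->  C:\Program Files\Windows Police Pro -> C:\Program Files\Windows Police Pro
[Files - No Company Name]
NY -> regred.exe -> C:\WINDOWS\regred.exe
NY -> mirajehi.dll -> C:\WINDOWS\System32\mirajehi.dll
NY -> kuwibipa.dll -> C:\WINDOWS\System32\kuwibipa.dll
[Custom Items]
:files
c:\windows\system32\tadebava.dll
:reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_Dlls"="C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL"
:end
[ClearAllRestorePoints]
[Reboot]
"""

ENTRY_RE = re.compile(r"^(?P<flags>[YN]{2}) -> (?P<rest>.+)$")
LOCATION_RE = re.compile(r"^< (?P<label>.+?) > -> (?P<location>.+)$")


def _split_target(piece):
    """Split 'C:\\dir\\x.dll [launch command]' into (path, command)."""
    piece = piece.strip()
    if " [" in piece and piece.endswith("]"):
        path, _, command = piece.partition(" [")
        return path.strip(), command[:-1]
    return piece, ""


def parse_fix(text):
    """Parse an OTS fix script into entry dicts (section, location, flags, name, path, command)."""
    entries, section, location = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if section == "reg" and line != ":end":
            continue                       # raw .reg text inside :reg, not an entry
        if line.startswith(":"):           # :files / :reg / :end directives
            section, location = line[1:], None
            continue
        if line.startswith("[") and line.endswith("]"):
            section, location = line[1:-1], None
            continue
        m = LOCATION_RE.match(line)
        if m:
            location = m.group("location")
            continue
        m = ENTRY_RE.match(line)
        if m:
            pieces = m.group("rest").split(" -> ")
            name = pieces[0].strip().split(" [")[0].strip('"')
            path, command = _split_target(pieces[-1])
            entries.append({"section": section, "location": location, "flags": m.group("flags"),
                            "name": name, "path": path, "command": command})
        elif section == "files":           # bare path inside a :files block
            entries.append({"section": "files", "location": None, "flags": "",
                            "name": line.rsplit("\\", 1)[-1], "path": line, "command": ""})
    return entries


def persistence_summary(entries):
    """Map each target (case-folded path) to the autostart keys that reference it
    and the file sections that list it."""
    acc = defaultdict(lambda: {"autostart": set(), "listed_in": set()})
    for e in entries:
        bucket = acc[e["path"].lower()]
        if e["location"]:
            bucket["autostart"].add(e["location"])
        else:
            bucket["listed_in"].add(e["section"])
    return {p: {k: sorted(v) for k, v in b.items()} for p, b in acc.items()}


def multi_point_targets(entries, minimum=2):
    """Targets wired into at least `minimum` distinct autostart locations: clearing
    only one of them leaves the others trying to load the same file at next logon."""
    return sorted(p for p, b in persistence_summary(entries).items()
                  if len(b["autostart"]) >= minimum)


if __name__ == "__main__":
    found = parse_fix(SAMPLE_FIX)
    for path, b in persistence_summary(found).items():
        print(f"{path}: {len(b['autostart'])} autostart hook(s), listed in {b['listed_in']}")
    print("multi-point targets:", multi_point_targets(found))
```

`multi_point_targets` is the check worth running before a fix is applied: any path it returns needs all of its hooks removed in the same pass, otherwise whichever hook survives keeps producing load errors (or reloads the DLL, if a copy is still on disk).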
Junior Member with 16 posts.
Join Date: Oct 2009
Experience: Beginner
01-Nov-2009, 01:15 AM #13
Question
Neonfx,
While the OTS Fix was running, Windows Defender popped a 'Review changes to your computer settings' alert and wants to know if I will allow the following change:
Spynet Community Rating: Not available

Path:
c:\Program Files\Google\Google Desktop Search\Google Desktop Network3.dll

Detected Changes:
Appintdll
HKLM\Software\Microsoft\WindowsNT/Current Version\Windows\\App_DLLa:c\progra~1\google\google~1\goec62~1.dll

File:
c:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll

Creation date: 7/5/2006
Size: 111616

No other info available

It is waiting for my decision.
The OTS Fix is complete, but I have not rebooted my computer yet.
Senior Member with 1,780 posts.
Join Date: Oct 2008
Location: California, USA
01-Nov-2009, 01:49 AM #14
Please allow any changes detected by your security programs.
Junior Member with 16 posts.
Join Date: Oct 2009
Experience: Beginner
01-Nov-2009, 01:22 AM #15
Latest OTC Quick Scan Log
I'm Baaaack!!!!
No errors during scan or after reboot either.

Last edited by altogaflash : 01-Nov-2009 01:34 AM.