
It starts w/ Rundll mezugudo, I had some nasty malware

Discussion in 'Virus & Other Malware Removal' started by stingray_on, May 4, 2010.

  1. stingray_on

    stingray_on Thread Starter

    Joined:
    Jul 20, 2002
    Messages:
    144
    I have ad-ware spy removal Ativir antivirus, and they can't get rid of it. Many times, my web page is re-directed.

    I meant, I have some nasty malware.
     

    Attached Files:

  2. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi and welcome.

    Download OTL to your Desktop
    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • OTL should now start. Change the following settings
      • Change Drivers to All
      • Change Standard Registry to All
      • Under File Scans, change File age to 30
    • Under the Custom Scan box paste this in

      netsvcs
      msconfig
      safebootminimal
      safebootnetwork
      %SYSTEMDRIVE%\*.*
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      ahcix86.sys
      KR10N.sys
      nvstor32.sys
      ahcix86s.sys
      nvrd32.sys
      /md5stop
      %systemroot%\*. /mp /s
      CREATERESTOREPOINT
      %systemroot%\System32\config\*.sav
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\Tasks\*.job /lockedfiles

    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
      • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt (first run only). These are saved in the same location as OTL.
      • Please post the contents of these files in your next reply.
     
  3. stingray_on

    stingray_on Thread Starter

    here we go, the results
     

    Attached Files:

  4. stingray_on

    stingray_on Thread Starter

    the next one; besides the malware, let me know if there are any suggestions
     

    Attached Files:

    • OTL.Txt
      File size:
      163.5 KB
      Views:
      2
  5. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    • Please double-click OTL.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the quote below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :OTL
      O2 - BHO: (no name) - {1f6c3b25-479a-45aa-8dab-cd7d1b19f38b} -  File not found
      O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll File not found
      O4 - HKLM..\Run: [gutelewuw] C:\WINDOWS\System32\leduhuma.DLL File not found
      O4 - HKLM..\Run: [Mouse Suite 98 Daemon]  File not found
      O4 - HKLM..\Run: [pifahegawu]  File not found
      O20 - AppInit_DLLs: (nohutabo.dll) -  File not found
      O20 - AppInit_DLLs: (c:\windows\system32\yolopuga.dll) - C:\WINDOWS\System32\yolopuga.dll File not found
      O20 - AppInit_DLLs: (c:\windows\system32\kamuyosu.dll) - C:\WINDOWS\System32\kamuyosu.dll File not found
      O20 - AppInit_DLLs: (c:\windows\system32\seyohale.dll) - C:\WINDOWS\System32\seyohale.dll File not found
      O20 - AppInit_DLLs: (c:\windows\system32\zerunuwa.dll) - C:\WINDOWS\System32\zerunuwa.dll File not found
      O20 - AppInit_DLLs: (c:\windows\system32\rayeboke.dll) - C:\WINDOWS\System32\rayeboke.dll File not found
      O20 - AppInit_DLLs: (c:\windows\system32\leduhuma.dll) - C:\WINDOWS\System32\leduhuma.dll File not found
      O21 - SSODL: bazadayid - {98565acd-bd31-479e-9e7d-60edcf93f5a8} - C:\WINDOWS\System32\zerunuwa.dll File not found
      O21 - SSODL: behujutik - {0ca74adf-6f74-4ef6-8f58-0efd07c4ebd3} - C:\WINDOWS\System32\kamuyosu.dll File not found
      O21 - SSODL: gegipuleb - {b93fba53-53f4-464d-a805-b366486f115d} - C:\WINDOWS\System32\kamuyosu.dll File not found
      O21 - SSODL: kifivezar - {84fb86c7-4d45-4b4c-836a-9567ba52528d} - C:\WINDOWS\System32\seyohale.dll File not found
      O21 - SSODL: nukibivif - {184c593e-b5a0-4dad-a9d7-9334be4af65a} - C:\WINDOWS\System32\leduhuma.dll File not found
      O21 - SSODL: ponofivab - {b72209f5-f4bf-4104-bbd6-2d7d50004857} - C:\WINDOWS\System32\kamuyosu.dll File not found
      O21 - SSODL: vepareraj - {60720a2b-e6f1-401c-b49d-841f363ad6e0} - C:\WINDOWS\System32\rayeboke.dll File not found
      O21 - SSODL: wakitewer - {15439d86-574c-41f7-8e5d-83ca7f14b657} - C:\WINDOWS\System32\kamuyosu.dll File not found
      O21 - SSODL: yusatataw - {f820416f-6ddc-4843-9bd0-624697da1b46} - C:\WINDOWS\System32\kamuyosu.dll File not found
      O22 - SharedTaskScheduler: {0ca74adf-6f74-4ef6-8f58-0efd07c4ebd3} - mujuzedij - C:\WINDOWS\System32\kamuyosu.dll File not found
      O22 - SharedTaskScheduler: {15439d86-574c-41f7-8e5d-83ca7f14b657} - tokatiluy - C:\WINDOWS\System32\kamuyosu.dll File not found
      O22 - SharedTaskScheduler: {184c593e-b5a0-4dad-a9d7-9334be4af65a} - kupuhivus - C:\WINDOWS\System32\leduhuma.dll File not found
      O22 - SharedTaskScheduler: {60720a2b-e6f1-401c-b49d-841f363ad6e0} - mujuzedij - C:\WINDOWS\System32\rayeboke.dll File not found
      O22 - SharedTaskScheduler: {84fb86c7-4d45-4b4c-836a-9567ba52528d} - gahurihor - C:\WINDOWS\System32\seyohale.dll File not found
      O22 - SharedTaskScheduler: {98565acd-bd31-479e-9e7d-60edcf93f5a8} - tokatiluy - C:\WINDOWS\System32\zerunuwa.dll File not found
      O22 - SharedTaskScheduler: {b72209f5-f4bf-4104-bbd6-2d7d50004857} - jugezatag - C:\WINDOWS\System32\kamuyosu.dll File not found
      O22 - SharedTaskScheduler: {b93fba53-53f4-464d-a805-b366486f115d} - mujuzedij - C:\WINDOWS\System32\kamuyosu.dll File not found
      O22 - SharedTaskScheduler: {f820416f-6ddc-4843-9bd0-624697da1b46} - kupuhivus - C:\WINDOWS\System32\kamuyosu.dll File not found
      
      :files
      C:\WINDOWS\System32\gubebusi.dll
      C:\WINDOWS\System32\kigebele.dll
      C:\WINDOWS\System32\topupabe.dll
      C:\WINDOWS\System32\merojoka.dll
      C:\WINDOWS\System32\jezemimu.dll
      C:\WINDOWS\System32\tibepozi.dll
      C:\WINDOWS\System32\zukepive.dll
      C:\WINDOWS\System32\biyanodi.dll
      C:\WINDOWS\System32\hewubuzi.dll
      C:\WINDOWS\System32\wahofune.dll
      C:\WINDOWS\System32\bakovoti.dll
      C:\WINDOWS\System32\nogorike.dll
      C:\WINDOWS\System32\wosarako.dll
      C:\WINDOWS\System32\hiyanuhe.dll
      C:\WINDOWS\System32\kosilalo.dll
      C:\WINDOWS\System32\niniyifu.dll
      C:\WINDOWS\System32\rujamika.dll
      C:\WINDOWS\System32\pikunuri.dll
      C:\WINDOWS\System32\rupegivo.dll
      C:\WINDOWS\System32\yayebare.dll
      C:\WINDOWS\System32\vusilina.dll
      C:\WINDOWS\System32\wotitiha.dll
      C:\WINDOWS\System32\kumenelo.dll
      C:\WINDOWS\System32\nivunaso.dll
      C:\WINDOWS\System32\wibuwigo.dll
      C:\WINDOWS\System32\todivuno.dll
      C:\WINDOWS\System32\duwifadu.dll
      C:\WINDOWS\System32\wapateve.dll
      
      :Commands
      [EMPTYTEMP]
      [RESETHOSTS]
      [REBOOT]
    • Return to OTL, right click in the "Custom Scans/Fixes" window and choose Paste.
    • Click the red Run Fix button.
    • The computer will restart
    • A report will be produced and saved in the C:\_OTL\MovedFiles folder. Open that report and post its contents in a reply.

    • Launch and update Malwarebytes' Anti-Malware
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the entire report in your next reply.
    Extra Note:

    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

    Please run the F-Secure Online Scanner

    • For information click Here.
    • Allow the installation of the Add-ons and Accept the License Agreement.
    • Click Full System Scan
    • Once the download completes, the scan will begin automatically.
    • The scan will take some time to finish, so please be patient.
    • When the scan completes, click the Automatic cleaning (recommended) button.
    • Click the Show Report button and Copy&Paste the entire report in your next reply.
     
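As an added example (not OTL's code and not from this thread), the Python script below triages OTL autostart lines in the format quoted above: it flags entries whose target file is missing, entries with the eight-letter pseudo-random DLL names seen in this thread, and any non-Microsoft entry in AppInit_DLLs, SSODL or SharedTaskScheduler, then lays the result out in the same ":OTL" / ":files" / ":Commands" layout as the fix. The sample lines are constructed from the thread's own entries plus a benign ctfmon.exe control, and the name-length heuristic is an assumption tied to this infection, not a general rule.

```python
"""Triage of OTL autostart lines (added example; not OTL's code, not from this thread)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample in the OTL line format quoted in this thread.
# Most entries mirror ones the fix above removed; ctfmon.exe is a benign control.
SAMPLE_OTL_LINES = r"""
O2 - BHO: (no name) - {1f6c3b25-479a-45aa-8dab-cd7d1b19f38b} -  File not found
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll File not found
O4 - HKLM..\Run: [gutelewuw] C:\WINDOWS\System32\leduhuma.DLL File not found
O4 - HKLM..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (Microsoft Corporation)
O20 - AppInit_DLLs: (c:\windows\system32\kamuyosu.dll) - C:\WINDOWS\System32\kamuyosu.dll File not found
O20 - AppInit_DLLs: (c:\windows\system32\pazoloni.dll) - C:\WINDOWS\System32\pazoloni.dll ()
O21 - SSODL: behujutik - {0ca74adf-6f74-4ef6-8f58-0efd07c4ebd3} - C:\WINDOWS\System32\kamuyosu.dll File not found
O22 - SharedTaskScheduler: {0ca74adf-6f74-4ef6-8f58-0efd07c4ebd3} - mujuzedij - C:\WINDOWS\System32\kamuyosu.dll File not found
"""

LINE_RE = re.compile(r"^(O\d+) - ")
# A target path: drive letter, backslash path without parentheses, ending in a
# binary extension that is followed by whitespace or end of line.
PATH_RE = re.compile(r"([A-Za-z]:\\[^\r\n()]*?\.(?:dll|exe|sys))(?=\s|$)", re.IGNORECASE)
# Heuristic only (assumption): every Vundo DLL in this thread had an eight-lowercase-letter name.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.dll$")
# Load points where anything non-Microsoft deserves a look.
HIGH_RISK = {"O20": "AppInit_DLLs", "O21": "SSODL", "O22": "SharedTaskScheduler"}


@dataclass
class Finding:
    line: str
    otype: str
    path: str                 # "" when the entry names no file at all
    reasons: List[str] = field(default_factory=list)


def analyse(log_text: str) -> List[Finding]:
    """Return the autostart lines worth acting on, each with its reasons."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue                                   # not an OTL autostart line
        otype = m.group(1)
        pm = PATH_RE.search(line)
        path = pm.group(1) if pm else ""
        name = path.rsplit("\\", 1)[-1].lower()
        reasons = []
        if line.endswith("File not found"):
            reasons.append("target missing: orphaned autostart entry")
        if RANDOM_NAME_RE.match(name) and "\\system32\\" in path.lower():
            reasons.append("pseudo-random 8-letter DLL name in System32")
        if otype in HIGH_RISK and "(Microsoft Corporation)" not in line:
            reasons.append(f"non-Microsoft entry in {HIGH_RISK[otype]}")
        if reasons:
            findings.append(Finding(line, otype, path, reasons))
    return findings


def count_by_type(findings: List[Finding]) -> Dict[str, int]:
    """How many flagged entries sit at each load point (O2, O4, O20, ...)."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.otype] = counts.get(f.otype, 0) + 1
    return counts


def build_fix_script(findings: List[Finding]) -> str:
    """Lay the findings out the way the fix above does: ':OTL' lines to
    unregister, ':files' for binaries still on disk, then ':Commands'."""
    on_disk = sorted({f.path for f in findings
                      if f.path and not f.line.endswith("File not found")})
    out = [":OTL", *[f.line for f in findings]]
    if on_disk:
        out += ["", ":files", *on_disk]
    out += ["", ":Commands", "[EMPTYTEMP]", "[RESETHOSTS]", "[REBOOT]"]
    return "\n".join(out)


if __name__ == "__main__":
    hits = analyse(SAMPLE_OTL_LINES)
    for f in hits:
        print(f"{f.otype}: {f.path or '(no file)'} <- {'; '.join(f.reasons)}")
    print()
    print(build_fix_script(hits))
```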
  6. stingray_on

    stingray_on Thread Starter

    All processes killed
    ========== OTL ==========
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1f6c3b25-479a-45aa-8dab-cd7d1b19f38b}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f6c3b25-479a-45aa-8dab-cd7d1b19f38b}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\gutelewuw deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Mouse Suite 98 Daemon deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\pifahegawu deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:nohutabo.dll deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:c:\windows\system32\yolopuga.dll deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:c:\windows\system32\kamuyosu.dll deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:c:\windows\system32\seyohale.dll deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:c:\windows\system32\zerunuwa.dll deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:c:\windows\system32\rayeboke.dll deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:c:\windows\system32\leduhuma.dll deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\bazadayid deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{98565acd-bd31-479e-9e7d-60edcf93f5a8}\ deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\behujutik deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0ca74adf-6f74-4ef6-8f58-0efd07c4ebd3}\ deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\gegipuleb deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b93fba53-53f4-464d-a805-b366486f115d}\ deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\kifivezar deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{84fb86c7-4d45-4b4c-836a-9567ba52528d}\ deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\nukibivif deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{184c593e-b5a0-4dad-a9d7-9334be4af65a}\ deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\ponofivab deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b72209f5-f4bf-4104-bbd6-2d7d50004857}\ deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\vepareraj deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{60720a2b-e6f1-401c-b49d-841f363ad6e0}\ deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\wakitewer deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{15439d86-574c-41f7-8e5d-83ca7f14b657}\ deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\yusatataw deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f820416f-6ddc-4843-9bd0-624697da1b46}\ deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{0ca74adf-6f74-4ef6-8f58-0efd07c4ebd3} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0ca74adf-6f74-4ef6-8f58-0efd07c4ebd3}\ not found.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{15439d86-574c-41f7-8e5d-83ca7f14b657} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{15439d86-574c-41f7-8e5d-83ca7f14b657}\ not found.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{184c593e-b5a0-4dad-a9d7-9334be4af65a} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{184c593e-b5a0-4dad-a9d7-9334be4af65a}\ not found.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{60720a2b-e6f1-401c-b49d-841f363ad6e0} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{60720a2b-e6f1-401c-b49d-841f363ad6e0}\ not found.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{84fb86c7-4d45-4b4c-836a-9567ba52528d} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{84fb86c7-4d45-4b4c-836a-9567ba52528d}\ not found.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{98565acd-bd31-479e-9e7d-60edcf93f5a8} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{98565acd-bd31-479e-9e7d-60edcf93f5a8}\ not found.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{b72209f5-f4bf-4104-bbd6-2d7d50004857} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b72209f5-f4bf-4104-bbd6-2d7d50004857}\ not found.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{b93fba53-53f4-464d-a805-b366486f115d} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b93fba53-53f4-464d-a805-b366486f115d}\ not found.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{f820416f-6ddc-4843-9bd0-624697da1b46} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f820416f-6ddc-4843-9bd0-624697da1b46}\ not found.
    ========== FILES ==========
    C:\WINDOWS\System32\gubebusi.dll moved successfully.
    C:\WINDOWS\System32\kigebele.dll moved successfully.
    C:\WINDOWS\System32\topupabe.dll moved successfully.
    C:\WINDOWS\System32\merojoka.dll moved successfully.
    C:\WINDOWS\System32\jezemimu.dll moved successfully.
    C:\WINDOWS\System32\tibepozi.dll moved successfully.
    C:\WINDOWS\System32\zukepive.dll moved successfully.
    C:\WINDOWS\System32\biyanodi.dll moved successfully.
    C:\WINDOWS\System32\hewubuzi.dll moved successfully.
    C:\WINDOWS\System32\wahofune.dll moved successfully.
    C:\WINDOWS\System32\bakovoti.dll moved successfully.
    C:\WINDOWS\System32\nogorike.dll moved successfully.
    C:\WINDOWS\System32\wosarako.dll moved successfully.
    C:\WINDOWS\System32\hiyanuhe.dll moved successfully.
    C:\WINDOWS\System32\kosilalo.dll moved successfully.
    C:\WINDOWS\System32\niniyifu.dll moved successfully.
    C:\WINDOWS\System32\rujamika.dll moved successfully.
    C:\WINDOWS\System32\pikunuri.dll moved successfully.
    C:\WINDOWS\System32\rupegivo.dll moved successfully.
    C:\WINDOWS\System32\yayebare.dll moved successfully.
    C:\WINDOWS\System32\vusilina.dll moved successfully.
    C:\WINDOWS\System32\wotitiha.dll moved successfully.
    C:\WINDOWS\System32\kumenelo.dll moved successfully.
    C:\WINDOWS\System32\nivunaso.dll moved successfully.
    C:\WINDOWS\System32\wibuwigo.dll moved successfully.
    C:\WINDOWS\System32\todivuno.dll moved successfully.
    C:\WINDOWS\System32\duwifadu.dll moved successfully.
    C:\WINDOWS\System32\wapateve.dll moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 82296 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 49152 bytes

    User: joseph fortier
    ->Temp folder emptied: 109531116 bytes
    ->Temporary Internet Files folder emptied: 127136342 bytes
    ->Java cache emptied: 5530471 bytes
    ->Flash cache emptied: 53697 bytes

    User: LocalService
    ->Temp folder emptied: 66016 bytes
    ->Temporary Internet Files folder emptied: 98232 bytes
    ->Flash cache emptied: 434 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 135884315 bytes
    ->Java cache emptied: 39011 bytes
    ->Flash cache emptied: 20659 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 39097 bytes
    %systemroot%\System32 .tmp files removed: 200721 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 15680760 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 1253074 bytes
    RecycleBin emptied: 302111633 bytes

    Total Files Cleaned = 665.00 mb

    C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully
    Error: Unable to interpret <Return to OTL, right > in the current context!

    OTL by OldTimer - Version 3.2.4.1 log created on 05062010_202208

    Files\Folders moved on Reboot...
    File\Folder C:\Documents and Settings\joseph fortier\Local Settings\Temp\~DFDE11.tmp not found!
    File\Folder C:\Documents and Settings\joseph fortier\Local Settings\Temp\~DFDE2D.tmp not found!
    File\Folder C:\Documents and Settings\joseph fortier\Local Settings\Temp\~DFDF16.tmp not found!
    File\Folder C:\Documents and Settings\joseph fortier\Local Settings\Temp\~DFDF81.tmp not found!
    File\Folder C:\Documents and Settings\joseph fortier\Local Settings\Temp\~DFE116.tmp not found!
    File\Folder C:\Documents and Settings\joseph fortier\Local Settings\Temp\~DFE17D.tmp not found!
    C:\Documents and Settings\joseph fortier\Local Settings\Temporary Internet Files\Content.IE5\L7FJPU24\921156-starts-w-rundll-mezugudo-i[1].html moved successfully.
    C:\Documents and Settings\joseph fortier\Local Settings\Temporary Internet Files\Content.IE5\L7FJPU24\sh16[1].html moved successfully.
    C:\Documents and Settings\joseph fortier\Local Settings\Temporary Internet Files\Content.IE5\KEHRJ4ED\ads[10].htm moved successfully.
    C:\Documents and Settings\joseph fortier\Local Settings\Temporary Internet Files\Content.IE5\KEHRJ4ED\ads[11].htm moved successfully.
    C:\Documents and Settings\joseph fortier\Local Settings\Temporary Internet Files\Content.IE5\KEHRJ4ED\ads[9].htm moved successfully.
    C:\Documents and Settings\joseph fortier\Local Settings\Temporary Internet Files\Content.IE5\0ZA8G6G0\ads[6].htm moved successfully.
    C:\Documents and Settings\joseph fortier\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
    File\Folder C:\WINDOWS\temp\hsperfdata_SYSTEM\1240 not found!
    C:\WINDOWS\temp\fla1B.tmp moved successfully.
    C:\WINDOWS\temp\fla50.tmp moved successfully.

    Registry entries deleted on Reboot...
     
  7. stingray_on

    stingray_on Thread Starter

    thank you so far, I will do the malware next. BTW, the mezugo error message still shows up.
     
  8. stingray_on

    stingray_on Thread Starter

    this is the malware log
    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4073

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    5/6/2010 9:00:57 PM
    mbam-log-2010-05-06 (21-00-57).txt

    Scan type: Quick scan
    Objects scanned: 124766
    Time elapsed: 10 minute(s), 37 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 1
    Registry Keys Infected: 5
    Registry Values Infected: 4
    Registry Data Items Infected: 3
    Folders Infected: 0
    Files Infected: 4

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    c:\WINDOWS\system32\pazoloni.dll (Trojan.Vundo.H) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{01783d96-43d9-41b7-ab36-029bcb357a52} (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe (Security.Hijack) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gutelewuw (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{01783d96-43d9-41b7-ab36-029bcb357a52} (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\boguputiw (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pifahegawu (Trojan.Vundo) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\pazoloni.dll -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\pazoloni.dll -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\badetevo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\nodirara.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\pazoloni.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\tesimuki.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
     
  9. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    F-Secure Online Scanner is next.
     
  10. stingray_on

    stingray_on Thread Starter

    the scanner report
    Scanning Report
    Friday, May 7, 2010 21:42:37 - 20:16:11
    Computer name: HOME
    Scanning type: Quick scan
    Target: System


    --------------------------------------------------------------------------------

    9 malware found
    TrackingCookie.Adinterax (spyware)
    System (Disinfected)
    TrackingCookie.Advertising (spyware)
    System (Disinfected)
    TrackingCookie.Atdmt (spyware)
    System (Disinfected)
    TrackingCookie.Doubleclick (spyware)
    System (Disinfected)
    TrackingCookie.Revsci (spyware)
    System (Disinfected)
    TrackingCookie.Adbrite (spyware)
    System (Disinfected)
    TrackingCookie.Mediaplex (spyware)
    System (Disinfected)
    TrackingCookie.Atwola (spyware)
    System (Disinfected)
    TrackingCookie.Yieldmanager (spyware)
    System (Disinfected)

    --------------------------------------------------------------------------------

    Statistics
    Scanned:
    Files: 3079
    System: 3079
    Not scanned: 0
    Actions:
    Disinfected: 9
    Renamed: 0
    Deleted: 0
    Not cleaned: 0
    Submitted: 0

    --------------------------------------------------------------------------------

    Options
    Scanning engines:

    --------------------------------------------------------------------------------

     
  11. stingray_on

    stingray_on Thread Starter

    let me know what to do next
     
  12. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    How is the computer doing?
     
  13. stingray_on

    stingray_on Thread Starter

    It's gotten better; before, it was directing me to different websites, but it hasn't done that recently. I still get that rundll mezugudo when it restarts.
     
  14. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      -----------------------------------------------------------
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
        -----------------------------------------------------------
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
      -----------------------------------------------------------
    4. Double click on combofix.exe & follow the prompts.
    5. Install the Recovery Console if prompted.
    6. When finished, it will produce a report for you.
    7. Please post the "C:\ComboFix.txt" .
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

    Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

    Run Hijackthis and post a fresh report.
     
  15. stingray_on

    stingray_on Thread Starter

    I just restarted and the mezudo error message didn't show up; I stand corrected.
     
Short URL to this thread: https://techguy.org/921156