  • Status: Solved
  • Priority: Medium
  • Security: Public

System Restore infected winlogon windowsupdate86 virus

This system is infected with the IS2010 virus and malware such as winlogon and windowsupdate86.
As the virus acts, it disables Task Manager and System Restore. As many times as I disable and delete winlogon and winupdate86, it is reborn at system reboot. The virus pops up advertisements for virus scanners for sale, hints at prices etc. The McAfee virus scanner finds the trojan but cannot kill it. I could not scan the system in safe mode with System Restore disabled, because in safe mode a blue screen prevents a Windows safe mode scan. Anyone has a solution? Please asap, because this is for a security company. Thanks ahead, experts, and it's worth max points. I have been working on it for 2 days by now....
0
Asked by: ZollieToth
3 Solutions
 
Kyosh commented:
You can make a BootCD (Windows Pre-Environment) from your existing Windows CD.
See: http://www.nu2.nu/pebuilder/

From your PE environment you can run a virus scanner.
0
 
Mike Lazarus (Act! Evangelist - CRM Consultant) commented:
1. Don't install the AV... run it from the CD
2. I've sometimes found that Ad-Aware or Spybot can kill these... try both, they are free. But you sometimes need to run several times to get rid of all the parts.
0
 
RatBoy1 commented:
Hello, McAfee won't do anything really.

Try installing Malwarebytes and then do a full system scan for viruses.
http://download.cnet.com/3001-8022_4-10804572.html?spi=7ad8cd005838c8fc17a55b37f365d819

This will find any virus, trojan, spyware, adware, malware, etc.
Then it will remove them and will usually require a restart.

If it fails to install, start in safe mode and install, or try to disable the virus program if installed by renaming the .exe file.

Good luck.
0
 
rpggamergirl commented:
Are you able to bring up Task Manager via ALT, CTRL, DEL?

Run either one of these to temporarily fix policies:
1. You can download this zip file, extract it, then right-click on "VArestorepolicies.inf" and select Install.
http://users.telenet.be/bluepatchy/miekiemoes/tools/VArestorepolicies.zip

2. Or, FixPolicies.exe.
Please download FixPolicies.exe by Bill Castner and save it to your desktop.
http://downloads.malwareremoval.com/BillCastner/FixPolicies.exe
Double click on FixPolicies.exe to run it.
Click on Install. It will create a folder named FixPolicies on your desktop.
Open the FixPolicies folder.
Double click on Fix_policies.cmd to run it. Command Prompt will open and close quickly; this is normal.


Task manager, msconfig, and regedit
http://www.dougknox.com/xp/utils/xp_emerutils.htm

And run ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

If needed, here's the ComboFix tutorial, which includes the installation of the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

0
 
ZollieToth (Author) commented:
Thanks to Sage, Ratboy1, GLcomputing, Kyosh for the fast reply.
My previous procedures that unsuccessfully tried to remove the IS2010 virus, winlogon and winupdate86:
Kill processes:
IS2010.exe 41.exe winlogon86.exe winupdate86.exe
-------------------------------- then
Delete registry values:
HKEY_CURRENT_USER\Software\IS2010
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Internet Security 2010"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "winupdate86.exe"
---------------------- then
Unregister DLLs:
winhelper86.dll
------------------------- then
Delete files:
IS2010.exe 41.exe winhelper86.dll winlogon86.exe winupdate86.exe Internet Security 2010.lnk
----------------------- then
Delete directories:
C:\s
C:\Program Files\InternetSecurity2010\
--------------------- reboot.
I tried a system restart and Task Manager, which was disabled by this virus.
Can't stop/start System Restore.
System Restore was stopped after start; whether started automatically or manually, it stopped.

McAfee popped up and noted Vundo.gen.bw - torelire.dll in the system32 folder, and also found prefetched IS2010.exe, winlogon.exe and winupdate86.exe.
I tried to reinstall sr.inf from the original Windows XP Pro CD, and rebooted.
It just did not kill the virus; it was reborn at restart.
------------------------------ then I followed these instructions:
Winlogon.exe has become a favorite program for worm/virus writers to hide their payloads.
----------------------------- as known
Winlogon is the program responsible for user authentication in Windows. This is the program that is responsible for showing you the Windows logon dialog box.
----------------------------reasons
Here are some reasons why virus writers love to hide their worms in winlogon.exe:
It's an essential system process, so most people won't suspect that winlogon is the culprit.
It's not easy to kill winlogon.exe. And even if you do manage to kill the process, your machine will instantly crash and show you the blue screen.
Today we are going to discuss removing the winlogon virus without shutting down the computer or using any kind of bootable disk.
---------------------------- Tools required
Sysinternals Process Explorer
Replacement file explorer like FreeCommander (optional)
--------------------------------Detection
The process is pretty easy actually. We are going to use Process Explorer to list the DLLs loaded in winlogon.exe. You will see a list of DLLs that are currently loaded in winlogon.exe.
------------------then
Most of the valid DLLs will have a proper description and company name. But if you see some DLL with no description, no company name and a strange name, then it's most probably a worm.
------------------>In order to make sure that this DLL is indeed malware, we can double-click the DLL name and check the strings within the DLL.
---------------->See if there are some suspicious strings within the DLL. Strings like "worm", "password", or the name of some suspicious website are sure-shot indications that it is indeed malware.
---------------->To be extra sure, you can search the Internet for the name of the DLL to make sure that the DLL is indeed malware.
---------------->Removal
Virus writers truly love hiding their malware within winlogon, because in order to remove the malware you will have to kill winlogon, which is not an easy task for most users.
However, you can follow these steps to kill winlogon and delete the malware:
Preparation:

- It's not possible to kill winlogon.exe using Windows Task Manager. So we are going to use the excellent tool Sysinternals Process Explorer to kill winlogon.exe.

- Since this tutorial is for common computer users, I will not explain deleting the malware using the command prompt. You can download the excellent file explorer called FreeCommander to browse through the filesystem and delete the malware. Using FreeCommander is a lot easier than using the Command Prompt.
Procedure
1. Run FreeCommander so that we can browse and delete files.
2. Start Process Explorer and then kill Explorer.exe using it. We are killing explorer.exe because most of the time explorer.exe is also infected. So we are killing it just to be sure.
3. Now it's time to kill winlogon.exe. The process is pretty simple actually. All we have to do is, before killing winlogon.exe, kill Smss.exe.
We have to do this because the Smss.exe process monitors winlogon.exe and will shut down the machine if it finds that winlogon is not running.
After killing Smss.exe, you can safely kill winlogon.exe.
4. After winlogon is gone, you can safely delete the malware. Since you have already killed explorer, you can use FreeCommander to browse the filesystem and delete the malware.

This did not remove the malware without using any kind of bootable disk.
I may create Kyosh's bootable CD, or try all your advice tomorrow, and let you know what worked.
Thanks all

0
 
rpggamergirl commented:
Sometimes removing an infection while Windows is not active can leave the user locked out or render the PC unbootable.

Did you try what I had suggested? It's much easier.
Any bad files that are left will be removed using ComboFix's script function; that's why we need to see the log also.
0
 
ZollieToth (Author) commented:
Sage: rpggamergirl: :)
I am doing it right now... your procedure looks like it works.
500 points babe :) sweet.
The system starts to function as it should.
Find3M is still working so I'll let you know in the near future of the success.
Thanks again rpggamergirl for your help.
Zollie
0
 
ZollieToth (Author) commented:
Ok here it goes.
After ComboFix repaired the system and restarted, I am running a full McAfee virus scan on this PC.
Just at startup, all of IS2010 started and tried to scan the system.
I stopped and killed it with Process Explorer and monitored other false programs with Glary Utilities' process manager.
smss.exe and winlogon.exe were killed by the process manager.
Stopped IS2010 from running and now the system is stable.
McAfee full system scan detected 0 items. 4370 files scanned and 0 detected, 0 fixed, 0 quarantined, 0 remaining.
I know the virus, a trojan Vundo.gen / IS2010, is hidden somewhere. I may try to rescan the system in safe mode with System Restore disabled.
I am sending you the ComboFix log below:
ComboFix 10-01-04.01 - SHale 01/08/2010  19:27:57.1.1 - x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.2814.2414 [GMT -8:00]
Running from: c:\documents and settings\shale.PROTEC-ALARM\Desktop\Protec-virus-clean\ComboFix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
 * Resident AV is active

.
The following files were disabled during the run:
c:\windows\system32\kbdsock.dll
c:\windows\system32\reposoku.dll


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\shale.PROTEC-ALARM\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk
c:\windows\Install.txt
c:\windows\system32\11478.exe
c:\windows\system32\1150.exe
c:\windows\system32\11538.exe
c:\windows\system32\11840.exe
c:\windows\system32\11942.exe
c:\windows\system32\12052.exe
c:\windows\system32\12316.exe
c:\windows\system32\12382.exe
c:\windows\system32\12859.exe
c:\windows\system32\13290.exe
c:\windows\system32\13966.exe
c:\windows\system32\13977.exe
c:\windows\system32\14604.exe
c:\windows\system32\14771.exe
c:\windows\system32\15006.exe
c:\windows\system32\15141.exe
c:\windows\system32\153.exe
c:\windows\system32\15350.exe
c:\windows\system32\15573.exe
c:\windows\system32\15574.exe
c:\windows\system32\15724.exe
c:\windows\system32\15890.exe
c:\windows\system32\16512.exe
c:\windows\system32\16541.exe
c:\windows\system32\16827.exe
c:\windows\system32\16941.exe
c:\windows\system32\16944.exe
c:\windows\system32\17035.exe
c:\windows\system32\17421.exe
c:\windows\system32\17673.exe
c:\windows\system32\1842.exe
c:\windows\system32\18467.exe
c:\windows\system32\18636.exe
c:\windows\system32\1869.exe
c:\windows\system32\18716.exe
c:\windows\system32\18756.exe
c:\windows\system32\19072.exe
c:\windows\system32\19169.exe
c:\windows\system32\19264.exe
c:\windows\system32\19718.exe
c:\windows\system32\19895.exe
c:\windows\system32\19912.exe
c:\windows\system32\20037.exe
c:\windows\system32\2082.exe
c:\windows\system32\21724.exe
c:\windows\system32\21726.exe
c:\windows\system32\22190.exe
c:\windows\system32\22355.exe
c:\windows\system32\22386.exe
c:\windows\system32\22648.exe
c:\windows\system32\22704.exe
c:\windows\system32\22929.exe
c:\windows\system32\2306.exe
c:\windows\system32\23281.exe
c:\windows\system32\23655.exe
c:\windows\system32\23805.exe
c:\windows\system32\23811.exe
c:\windows\system32\23986.exe
c:\windows\system32\24370.exe
c:\windows\system32\24464.exe
c:\windows\system32\24767.exe
c:\windows\system32\25547.exe
c:\windows\system32\25667.exe
c:\windows\system32\26299.exe
c:\windows\system32\26500.exe
c:\windows\system32\26777.exe
c:\windows\system32\26924.exe
c:\windows\system32\26962.exe
c:\windows\system32\27350.exe
c:\windows\system32\27446.exe
c:\windows\system32\27529.exe
c:\windows\system32\27644.exe
c:\windows\system32\28145.exe
c:\windows\system32\28253.exe
c:\windows\system32\28703.exe
c:\windows\system32\28745.exe
c:\windows\system32\288.exe
c:\windows\system32\292.exe
c:\windows\system32\29358.exe
c:\windows\system32\2995.exe
c:\windows\system32\30106.exe
c:\windows\system32\30333.exe
c:\windows\system32\3035.exe
c:\windows\system32\31101.exe
c:\windows\system32\31322.exe
c:\windows\system32\31673.exe
c:\windows\system32\32391.exe
c:\windows\system32\32439.exe
c:\windows\system32\32662.exe
c:\windows\system32\32757.exe
c:\windows\system32\3902.exe
c:\windows\system32\4031.exe
c:\windows\system32\41.exe
c:\windows\system32\4664.exe
c:\windows\system32\4827.exe
c:\windows\system32\4833.exe
c:\windows\system32\491.exe
c:\windows\system32\4966.exe
c:\windows\system32\5021.exe
c:\windows\system32\5097.exe
c:\windows\system32\5436.exe
c:\windows\system32\5447.exe
c:\windows\system32\5705.exe
c:\windows\system32\5829.exe
c:\windows\system32\6270.exe
c:\windows\system32\6334.exe
c:\windows\system32\6729.exe
c:\windows\system32\6868.exe
c:\windows\system32\6to4v32.dll
c:\windows\system32\7711.exe
c:\windows\system32\778.exe
c:\windows\system32\8723.exe
c:\windows\system32\8942.exe
c:\windows\system32\9040.exe
c:\windows\system32\9161.exe
c:\windows\system32\9741.exe
c:\windows\system32\9894.exe
c:\windows\system32\9930.exe
c:\windows\system32\9961.exe
c:\windows\system32\AVR10.exe
c:\windows\system32\bszip.dll
c:\windows\system32\certstore.dat
c:\windows\system32\config\systemprofile\Templates\info.tmp
c:\windows\system32\drivers\hluzdj.sys
c:\windows\system32\flags.ini
c:\windows\system32\helper32.dll
c:\windows\system32\Iasv32.dll
c:\windows\system32\Install.txt
c:\windows\system32\Ipripv32.dll
c:\windows\system32\jazejumi.dll
c:\windows\system32\kbdsock.dll
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\mshlps.dll
c:\windows\system32\rediwope.dll
c:\windows\system32\reposoku.dll
c:\windows\system32\sdra64.exe
c:\windows\system32\uses32.dat
c:\windows\system32\winhelper86.dll
c:\windows\system32\winlogon86.exe
c:\windows\system32\winsts.sys
c:\windows\system32\winupdate86.exe
c:\windows\Tasks\acaxjvtj.job
c:\windows\Tasks\myjnptlw.job
c:\windows\Tasks\vptbcmhl.job
c:\windows\Temp\1959.exe

----- BITS: Possible infected sites -----

hxxp://77.74.48.111
hxxp://82.98.231.102
.
original MBR restored successfully !
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Legacy_WINSTS
-------\Service_Iprip
-------\Service_winsts
-------\Legacy_hluzdj
-------\Service_hluzdj


(((((((((((((((((((((((((   Files Created from 2009-12-09 to 2010-01-09  )))))))))))))))))))))))))))))))
.

2010-01-09 02:55 . 2010-01-09 02:55      --------      d-----w-      C:\EmergencyUtils
2010-01-09 02:06 . 2010-01-09 03:46      1337856      ----a-w-      c:\windows\system32\IS15.exe
2010-01-09 02:06 . 1601-01-01 00:03      33792      --sha-w-      c:\windows\system32\winlogon32.exe
2010-01-09 02:06 . 1601-01-01 00:03      33792      --sha-w-      c:\windows\system32\smss32.exe
2010-01-08 00:12 . 2010-01-08 00:12      --------      d--h--w-      c:\windows\PIF
2010-01-07 22:01 . 2010-01-07 22:01      --------      d--h--w-      c:\windows\system32\GroupPolicy
2010-01-07 21:26 . 2010-01-07 21:26      --------      d-----w-      c:\windows\system32\NtmsData
2010-01-04 16:49 . 2009-12-31 19:28      95360      -c--a-w-      c:\windows\system32\dllcache\atapi.sys
2010-01-04 16:49 . 2009-12-31 19:28      95360      ----a-w-      c:\windows\system32\drivers\atapi.sys
2010-01-04 16:10 . 2009-08-14 20:37      256      ----a-w-      c:\documents and settings\HelpAssistant\pool.bin
2010-01-04 16:07 . 2010-01-04 16:07      --------      d-----w-      c:\documents and settings\HelpAssistant\.hd
2010-01-04 16:07 . 2010-01-04 16:07      --------      d-----w-      c:\documents and settings\HelpAssistant\.gimp-2.4
2010-01-01 20:52 . 2010-01-01 20:52      --------      d-----w-      C:\spoolerlogs
2009-12-18 22:13 . 2009-12-18 22:13      --------      d-----w-      c:\windows\system32\config\systemprofile\Application Data\SACore
2009-12-18 00:44 . 2009-12-18 00:44      --------      d-----w-      c:\documents and settings\shale.PROTEC-ALARM\Application Data\IObit
2009-12-18 00:44 . 2009-12-18 00:44      --------      d-----w-      c:\program files\IObit
2009-12-16 22:59 . 2009-12-16 22:59      --------      d-----w-      c:\program files\AskBarDis
2009-12-16 22:55 . 2009-12-31 05:03      --------      d-----w-      c:\program files\Glary Utilities
2009-12-15 19:05 . 2009-12-15 19:05      --------      d-----w-      c:\documents and settings\LocalService\Application Data\SACore
2009-12-15 08:45 . 2009-12-15 08:45      --------      d-----w-      c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-12-15 08:32 . 2009-11-05 00:54      40552      ----a-w-      c:\windows\system32\drivers\mfesmfk.sys
2009-12-15 08:32 . 2009-11-05 00:54      35272      ----a-w-      c:\windows\system32\drivers\mfebopk.sys
2009-12-15 08:32 . 2009-11-05 00:54      79816      ----a-w-      c:\windows\system32\drivers\mfeavfk.sys
2009-12-15 08:31 . 2009-07-16 20:32      120136      ----a-w-      c:\windows\system32\drivers\Mpfp.sys
2009-12-15 08:24 . 2009-12-15 08:31      --------      d-----w-      c:\program files\Common Files\McAfee
2009-12-15 08:24 . 2009-12-15 08:26      --------      d-----w-      c:\program files\McAfee.com
2009-12-15 08:23 . 2010-01-02 15:41      --------      d-----w-      c:\program files\McAfee
2009-12-15 08:16 . 2009-11-05 00:53      34248      ----a-w-      c:\windows\system32\drivers\mferkdk.sys
2009-12-15 07:54 . 2009-12-15 13:57      --------      d-----w-      c:\documents and settings\All Users\Application Data\McAfee
2009-12-15 07:12 . 2009-12-17 05:12      --------      d-----w-      c:\documents and settings\shale.PROTEC-ALARM\Application Data\GlarySoft
2009-12-15 07:05 . 2009-12-17 00:04      --------      d---a-w-      c:\documents and settings\All Users\Application Data\TEMP
2009-12-15 07:03 . 2009-12-15 07:03      --------      d-----w-      c:\documents and settings\shale.PROTEC-ALARM\Application Data\Simply Super Software
2009-12-14 16:02 . 2007-12-21 22:16      128      ----a-w-      c:\documents and settings\jtesori\Local Settings\Application Data\fusioncache.dat
2009-12-14 16:02 . 2007-12-17 23:59      28336      ----a-w-      c:\documents and settings\jtesori\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-09 03:46 . 2010-01-09 03:46      0      ----a-w-      c:\windows\system32\41.exe
2009-12-31 19:28 . 2010-01-04 16:49      95360      ----a-w-      c:\windows\system32\drivers\OLD600.tmp
2009-12-31 05:19 . 2009-03-17 17:39      --------      d-----w-      c:\program files\Yahoo!
2009-12-31 05:03 . 2009-12-31 05:03      657408      ----a-w-      c:\windows\isRS-000.tmp
2009-12-17 05:32 . 2008-12-18 16:50      --------      d-----w-      c:\program files\Common Files\Real
2009-12-17 05:11 . 2009-07-29 21:24      --------      d-----w-      c:\program files\Common Files\Apple
2009-12-17 04:54 . 2008-01-29 18:39      --------      d-----w-      c:\program files\Google
2009-12-17 04:39 . 2009-05-27 21:46      --------      d-----w-      c:\program files\Spybot - Search & Destroy
2009-12-17 04:38 . 2009-05-27 21:46      --------      d-----w-      c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-16 23:59 . 2009-05-27 21:37      --------      dc-h--w-      c:\documents and settings\All Users\Application Data\~0
2009-12-15 19:04 . 2008-11-25 18:51      256      ----a-w-      c:\windows\system32\pool.bin
2009-12-15 08:16 . 2009-03-25 15:31      --------      d-----w-      c:\documents and settings\All Users\Application Data\avg8
2009-12-15 07:44 . 2004-08-12 13:33      502272      ----a-w-      c:\windows\system32\winlogon.exe
2009-12-15 07:44 . 2004-08-12 13:33      502272      ----a-w-      c:\windows\system32\Owinlogon.exe
2009-12-15 07:44 . 2004-08-12 13:33      502272      ----a-w-      c:\windows\system32\OOwinlogon.exe
2009-12-14 15:50 . 2007-12-17 22:38      --------      d-----w-      c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-12 01:25 . 2008-04-10 18:51      --------      d-----w-      c:\documents and settings\shale.PROTEC-ALARM\Application Data\SIOL
2009-12-08 18:15 . 2008-06-11 22:04      --------      d-----w-      c:\documents and settings\shale.PROTEC-ALARM\Application Data\LimeWire
2009-11-23 23:32 . 2009-08-04 23:49      --------      d-----w-      c:\program files\QuickTime
2009-11-23 23:15 . 2009-09-09 22:46      --------      d-----w-      c:\program files\Safari
2009-11-05 00:54 . 2009-11-05 00:54      214664      ----a-w-      c:\windows\system32\drivers\mfehidk.sys
2009-10-29 07:46 . 2004-08-12 13:33      832512      ----a-w-      c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-12 13:19      78336      ----a-w-      c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2004-08-12 13:18      17408      ------w-      c:\windows\system32\corpol.dll
2009-10-21 06:00 . 2004-08-12 13:30      75776      ----a-w-      c:\windows\system32\strmfilt.dll
2009-10-21 06:00 . 2004-08-12 13:19      25088      ----a-w-      c:\windows\system32\httpapi.dll
2009-10-20 14:58 . 2004-08-12 13:19      263552      ----a-w-      c:\windows\system32\drivers\http.sys
2009-10-13 10:53 . 2004-08-12 13:25      266752      ----a-w-      c:\windows\system32\oakley.dll
2009-10-12 13:54 . 2004-08-12 13:27      112128      ----a-w-      c:\windows\system32\rastls.dll
2009-10-12 13:54 . 2004-08-12 13:26      69632      ----a-w-      c:\windows\system32\raschap.dll
2009-06-04 16:08 . 2009-06-01 18:52      122880      -c--a-w-      c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
1601-01-01 00:03 . 1601-01-01 00:03      24576      --sha-w-      c:\windows\system32\dapatudi.exe
1601-01-01 00:03 . 1601-01-01 00:03      61952      --sha-w-      c:\windows\system32\gezonawo.dll
1601-01-01 00:03 . 1601-01-01 00:03      45568      --sha-w-      c:\windows\system32\hivotugu.dll
1601-01-01 00:03 . 2010-01-09 02:06      33792      --sha-w-      c:\windows\system32\smss32.exe
1601-01-01 00:03 . 2010-01-09 02:06      33792      --sha-w-      c:\windows\system32\winlogon32.exe
1601-01-01 00:03 . 1601-01-01 00:03      39424      --sha-w-      c:\windows\system32\yiyigini.dll
1601-01-01 00:03 . 1601-01-01 00:03      33792      --sha-w-      c:\windows\system32\zapujevu.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-18 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-18 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickBooksDB19"="c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe" [2009-10-01 131072]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2009-10-28 1085704]
"smss32.exe"="c:\windows\system32\smss32.exe" [1601-01-01 33792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-12-10 984352]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\winlogon32.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk]
backup=c:\windows\pss\Desktop Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^shale.PROTEC-ALARM^Start Menu^Programs^Startup^TimeLeft.lnk]
backup=c:\windows\pss\TimeLeft.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced SystemCare 3]
2009-11-20 21:51      2335880      ----a-w-      c:\program files\IObit\Advanced SystemCare 3\AWC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
2009-06-05 07:38      615696      ----a-w-      c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2009-06-04 16:08      30192      ----a-w-      c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-09-02 20:13      133104      ----atw-      c:\documents and settings\shale.PROTEC-ALARM\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22      3739648      ----a-w-      c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2008-08-26 19:23      236016      ----a-w-      c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SSDPSRV"=3 (0x3)
"RoxWatch9"=2 (0x2)
"RoxMediaDB9"=3 (0x3)
"RoxLiveShare9"=2 (0x2)
"Roxio Upnp Server 9"=2 (0x2)
"Roxio UPnP Renderer 9"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasAuto"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Lavasoft Ad-Aware Service"=2 (0x2)
"iPod Service"=3 (0x3)
"ImapiService"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"gusvc"=3 (0x3)
"GoogleDesktopManager-092308-165331"=3 (0x3)
"Bonjour Service"=2 (0x2)
"avg8wd"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe"  -osboot
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe"
"HotKeysCmds"=c:\windows\system32\hkcmd.exe
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"AppleSyncNotifier"=c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
"IgfxTray"=c:\windows\system32\igfxtray.exe
"Intuit SyncManager"=c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe  startup
"MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\FileMaker\\FileMaker Pro 8.5\\FileMaker Pro.exe"=
"c:\\Link\\link.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"5242:TCP"= 5242:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/15/2009 12:43 AM 93320]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S3 ndisdrv;ndisdrv;c:\windows\system32\ndisdrv.sys [8/12/2004 5:21 AM 2304]
S4 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [6/1/2009 10:52 AM 30192]
S4 QuickBooksDB19;QuickBooksDB19;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB19 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB19 [?]
.
Contents of the 'Scheduled Tasks' folder

2009-12-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-01-09 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2009-12-16 00:35]

2010-01-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1534845417-1404171956-1721472937-1210Core.job
- c:\documents and settings\shale.PROTEC-ALARM\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 20:13]

2010-01-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1534845417-1404171956-1721472937-1210UA.job
- c:\documents and settings\shale.PROTEC-ALARM\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 20:13]

2009-12-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-12-15 20:22]

2010-01-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-12-15 20:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://protec-alarm.com/
TCP: {22C98990-D068-4533-926F-8A601AEF039D} = 193.104.110.38,4.2.2.1,209.18.47.61 209.18.47.62
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2006\HelpAsyncPluggableProtocol.dll
DPF: {F8A9F96F-8375-4596-BD89-EEAE2781D810} - hxxps://merchantaccount.quickbooks.com/sync/QBMASSyncCom1.cab
.
- - - - ORPHANS REMOVED - - - -

BHO-{26fbadde-5e27-4b31-aca4-de012a304743} - kosutega.dll
HKLM-Run-jikikamem - c:\windows\system32\reposoku.dll
HKLM-Run-jemowufoda - rediwope.dll
SharedTaskScheduler-{a59a93fe-d244-4cbf-a0a4-22ebe81c3241} - (no file)
SharedTaskScheduler-{da1807ee-5101-4852-b549-27cf69287eb9} - (no file)
SharedTaskScheduler-{815577b0-70b4-4bc4-8173-92e42926eba2} - (no file)
SharedTaskScheduler-{af3c4fb6-c4eb-4fa8-993a-04fa1e92d25e} - (no file)
SharedTaskScheduler-{8894e4b5-75bc-42d3-813f-92c1ed587482} - (no file)
SharedTaskScheduler-{b5e25191-d032-4960-b904-53b92ceff190} - (no file)
SharedTaskScheduler-{992bb9eb-c6d3-41f4-9559-7aded9131d45} - (no file)
SharedTaskScheduler-{709f07fb-291e-4ba0-9209-1d5c58dcc47d} - (no file)
SharedTaskScheduler-{75ec6d84-0bf0-464a-ba86-2b405b279750} - c:\windows\system32\reposoku.dll
SSODL-rowuwibig-{709f07fb-291e-4ba0-9209-1d5c58dcc47d} - (no file)
SSODL-wilopuvew-{75ec6d84-0bf0-464a-ba86-2b405b279750} - c:\windows\system32\reposoku.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-08 19:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  


c:\windows\system32\41.exe 0 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1534845417-1404171956-1721472937-1210\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5E76EDB3-0682-D210-81DD-574259D13A89}*]
"mapialgadlelinbimfjhpchheg"=hex:69,61,67,6a,67,69,6b,61,69,68,64,6a,61,63,6d,
   67,62,65,00,00
"najikhgebgkhebbchfgklppjfncl"=hex:69,61,67,6a,67,69,6b,61,69,68,64,6a,61,63,
   6d,67,62,65,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2552)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\progra~1\GLARYU~1\CONTEX~1.DLL
c:\progra~1\GLARYU~1\vcl70.bpl
c:\windows\system32\browselc.dll
c:\windows\IME\SPGRMR.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\system32\shdoclc.dll
.
------------------------ Other Running Processes ------------------------
.
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\windows\system32\wdfmgr.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\rundll32.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\progra~1\mcafee\VIRUSS~1\mcvsshld.exe
c:\windows\SoftwareDistribution\Download\fa06e29c141c84f43a95ba02f93d3774\update\update.exe
.
**************************************************************************
.
Completion time: 2010-01-08  19:59:17 - machine was rebooted
ComboFix-quarantined-files.txt  2010-01-09 03:59
Pre-Run: 89,654,956,032 bytes free
Post-Run: 89,644,048,384 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - DA6891C639771A4565343BDFF1851C55
0
 
ZollieTothAuthor Commented:
Malwarebytes Anti-Malware found 18 objects infected.
Removed all. However, the system does not restart the regular way.
A cold reboot is needed.
Malwarebytes' Anti-Malware 1.44
Database version: 3524
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

1/8/2010 8:39:36 PM
mbam-log-2010-01-08 (20-39-36).txt

Scan type: Quick Scan
Objects scanned: 149883
Time elapsed: 7 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\IS2010 (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\internet security 2010 (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{22c98990-d068-4533-926f-8a601aef039d}\NameServer (Trojan.DNSChanger) -> Data: 193.104.110.38,4.2.2.1,209.18.47.61 209.18.47.62 -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\InternetSecurity2010 (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\gezonawo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hivotugu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yiyigini.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dapatudi.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ndisdrv.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bwsb.gio (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\0Q65F46W\dfghfghgfj[1].dll (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\B7XN5GVY\dfghfghgfj[1].dll (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\InternetSecurity2010\IS2010.exe (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Winlogon32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\shale.PROTEC-ALARM\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\41.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
0
 
ZollieTothAuthor Commented:
Well, thank you all. rpggamergirl, you reset this system, and RatBoy1, your malware software did the job.
I disabled System Restore and ran a full Malwarebytes Anti-Malware scan of the C:\ drive.
Looks like I got rid of this ugly, stubborn IS2010 virus.

Thank you experts-exchange.
ZollieToth
0
 
ZollieTothAuthor Commented:
I am a computer dinosaur from the past, but this Internet Security 2010 virus made me sweat. I am sure a lot of folks are suffering from this spammed nightmare IS2010.
The solution was given to us by RatBoy1 and rpggamergirl "Sage".
Thank you!
0
 
rpggamergirlCommented:
While I was preparing the script below for ComboFix to run (all the bad files, driver and registry entries) and getting ready to post it, you posted the MalwareBytes result.

Run combofix again using this script.
 
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
c:\windows\system32\IS15.exe
c:\windows\system32\winlogon32.exe
c:\windows\system32\smss32.exe
c:\windows\system32\41.exe
c:\windows\system32\drivers\OLD600.tmp
c:\windows\system32\dapatudi.exe
c:\windows\system32\gezonawo.dll
c:\windows\system32\hivotugu.dll
c:\windows\system32\yiyigini.dll
c:\windows\system32\zapujevu.exe

Rootkit::
c:\windows\system32\ndisdrv.sys

Driver::
ndisdrv

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"smss32.exe"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\\windows\\system32\\userinit.exe"

RegNull::
[HKEY_USERS\S-1-5-21-1534845417-1404171956-1721472937-1210\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5E76EDB3-0682-D210-81DD-574259D13A89}*]

------------------------------------------------------------------------
3. Save the above as CFScript.txt in the same location as Combofix.exe.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.  
0
 
rpggamergirlCommented:
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe"

Just double-check to make sure that the value of Userinit under Winlogon points to userinit.exe and not to winlogon32.exe.

0
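The check above, and the other settings that show up in the ComboFix and MalwareBytes logs earlier in this thread (the Run entries for smss32.exe, the per-interface NameServer value the DNSChanger detection pointed at, and the firewall state and globally open port list), can be read back from the registry in one pass. The script below is an added example for this page, not code from any comment in the thread. It assumes PowerShell 2.0 or later is installed (on XP that is an add-on) and an elevated prompt; the list of suspect file names is taken from the logs above. It only reports, it changes nothing.

```powershell
# Added post-cleanup verification for the persistence points and settings seen in this thread's logs.
# Assumption (not from the original post): PowerShell 2.0+ on the affected machine, run elevated.

$findings = @()

# 1. Winlogon: Userinit must point at the real userinit.exe and Shell at explorer.exe.
#    The FakeAlert files in the log (winlogon32.exe, smss32.exe) mimic core process names.
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expectedUserinit = "$env:windir\system32\userinit.exe"
if ("$($wl.Userinit)".TrimEnd(',') -ne $expectedUserinit) {
    $findings += "Winlogon\Userinit is '$($wl.Userinit)', expected '$expectedUserinit,'"
}
if ("$($wl.Shell)" -ne 'explorer.exe') {
    $findings += "Winlogon\Shell is '$($wl.Shell)', expected 'explorer.exe'"
}

# 2. Run keys: flag any entry that names one of the files from the logs.
$suspectNames = 'smss32.exe', 'winlogon32.exe', '41.exe', 'dapatudi.exe', 'zapujevu.exe', 'IS2010.exe'
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's own PSPath/PSDrive/... properties
        foreach ($s in $suspectNames) {
            if ($p.Name -ieq $s -or "$($p.Value)" -imatch [regex]::Escape($s)) {
                $findings += "Run entry $key\$($p.Name) = $($p.Value)"
            }
        }
    }
}

# 3. DNS: the Trojan.DNSChanger detection was a NameServer value on one TCP/IP interface.
#    List every interface's static NameServer so a resolver you did not configure stands out.
$ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
foreach ($if in Get-ChildItem $ifRoot) {
    $ns = (Get-ItemProperty $if.PSPath).NameServer
    if ($ns) { $findings += "Interface $($if.PSChildName) NameServer = $ns" }
}

# 4. Windows Firewall, XP/2003 registry layout as printed in the ComboFix log:
#    is the standard profile enabled, and which ports are globally open?
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
$fw = Get-ItemProperty $fwKey -ErrorAction SilentlyContinue
if ($fw -and $fw.EnableFirewall -ne 1) {
    $findings += "StandardProfile EnableFirewall = $($fw.EnableFirewall) (Windows Firewall is off)"
}
$open = Get-ItemProperty "$fwKey\GloballyOpenPorts\List" -ErrorAction SilentlyContinue
if ($open) {
    foreach ($p in $open.PSObject.Properties) {
        if ($p.Name -notlike 'PS*') { $findings += "Globally open port: $($p.Name) -> $($p.Value)" }
    }
}

# 5. Security Center: the log shows monitoring of the McAfee firewall switched off.
$sc = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall' -ErrorAction SilentlyContinue
if ($sc -and $sc.DisableMonitoring -eq 1) {
    $findings += 'Security Center monitoring of the McAfee firewall is disabled (DisableMonitoring = 1)'
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Review the output by hand: a NameServer value is only wrong if it is not one you (or your ISP's DHCP) set, and an open port is only a problem if nothing on the machine is supposed to listen on it, so the script lists rather than judges. A machine that was turning the firewall and Security Center monitoring off is also a reason to re-check them after every reboot until the reinfection stops.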
 
rpggamergirlCommented:
I see the system has some programs that are not recommended... I would uninstall at least "Advanced SystemCare 3".
I would not recommend any products from IObit; as you might already know, IObit is a company with a bad reputation.
0
