As of yesterday I started receiving what looked like updates from Microsoft advising me to run a new Anti-virus 2009 program. Even though I clicked on Cancel, it sent me to a new page & proceeded to tell me I had numerous malware, spyware, viruses, etc. I X'd out of that screen, too, but the messages keep popping up on both IE and Firefox every time I open a new window or go to a new site. In my newbiness I found another thread that had addressed this: http://forums.afterdawn.com/thread_jump.cfm/718663/4387084-925999 and had started the process of trying to clean things up, but was advised to start a new thread. Any & all help with exorcising this bugger from my computer is greatly appreciated & my apologies for posting in the wrong area.
These are the logs from the actions I've taken thus far. Here's the Malware Log:

Malwarebytes' Anti-Malware 1.30
Database version: 1424
Windows 5.1.2600 Service Pack 3

11/26/2008 7:01:16 AM
mbam-log-2008-11-26 (07-01-16).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 114041
Time elapsed: 39 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 5
Registry Keys Infected: 6
Registry Values Infected: 5
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\yunudido.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\roguhono.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\balozufe.dll (Trojan.Vundo) -> Delete on reboot.
c:\WINDOWS\system32\dijuvazi.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\bepanoto.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5df7890c-9294-4e7b-b961-29cc4906d185} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5df7890c-9294-4e7b-b961-29cc4906d185} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5df7890c-9294-4e7b-b961-29cc4906d185} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\320d18a1 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rirawapola (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm313e2b3d (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: c:\windows\system32\dijuvazi.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: system32\dijuvazi.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: c:\windows\system32\bepanoto.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\bepanoto.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: system32\bepanoto.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\yunudido.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\odidunuy.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\balozufe.dll (Trojan.BHO.H) -> Delete on reboot.
C:\WINDOWS\system32\roguhono.dll (Trojan.Vundo) -> Delete on reboot.
c:\WINDOWS\system32\dijuvazi.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\bepanoto.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\~.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dosoyahe.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\nukiyofi.dll (Trojan.Vundo) -> Delete on reboot.

And the Combo-Fix:

ComboFix 08-11-26.03 - Laura 2008-11-26 11:01:19.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1036 [GMT -5:00]
Running from: c:\documents and settings\Laura\Desktop\Combo-Fix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\Laura\LOCALS~1\Temp\tmp1.tmp
c:\docume~1\Laura\LOCALS~1\Temp\tmp2.tmp
c:\windows\IE4 Error Log.txt
c:\windows\system32\autorun.ini
c:\windows\system32\ifoyikun.ini
.
((((((((((((((((((((((((( Files Created from 2008-10-26 to 2008-11-26 )))))))))))))))))))))))))))))))
.
2008-11-26 07:09 . 2008-11-26 07:09 <DIR> d--hs---- C:\FOUND.029
2008-11-26 06:15 . 2008-11-26 06:15 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-26 06:15 . 2008-11-26 06:15 <DIR> d-------- c:\documents and settings\Laura\Application Data\Malwarebytes
2008-11-26 06:15 . 2008-11-26 06:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-26 06:15 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-26 06:15 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-25 23:03 . 2008-11-25 23:03 <DIR> d--hs---- C:\FOUND.028
2008-11-17 21:45 . 2008-11-17 21:45 <DIR> d--hs---- C:\FOUND.027
2008-11-11 14:58 . 2008-10-24 06:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 14:57 . 2008-09-04 12:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-10-27 21:48 . 2008-08-14 06:11 2,189,184 --------- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-27 21:48 . 2008-08-14 06:09 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-27 21:48 . 2008-08-14 05:33 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-27 21:48 . 2008-08-14 05:33 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-27 21:48 . 2008-09-15 08:12 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys
2008-10-27 21:48 . 2008-10-15 12:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
2008-10-27 21:48 . 2008-09-08 06:41 333,824 --------- c:\windows\system32\dllcache\srv.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-24 06:52 2,828 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-03 18:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 13:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\dllcache\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-27 09:24 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-02-13 20:02 4,947 ----a-w c:\program files\BBVReadme.txt
2008-02-13 19:50 212,992 ----a-w c:\program files\BBViewer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2006-10-13 20058152]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2006-11-30 4662776]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-07 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-07 688218]
"SiS Windows KeyHook"="c:\windows\system32\keyhook.exe" [2005-03-04 32768]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PCMService"="c:\program files\Arcade\PCMService.exe" [2005-03-09 49152]
"LManager"="c:\program files\Launch Manager\QtZgAcer.EXE" [2005-03-28 315392]
"eRecoveryService"="c:\windows\System32\Check.exe" [2005-03-23 245760]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"CTSysVol"="c:\program files\Creative\SBLive 24-Bit External\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-01-25 51048]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2008-02-07 718704]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"EPSON Stylus CX3800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE" [2005-02-07 98304]
"Corel Photo Downloader"="c:\program files\CVS\CVS Photo Editor Plus\Corel Photo Downloader.exe" [2007-02-06 478800]
"SoundMan"="SOUNDMAN.EXE" [2005-02-23 c:\windows\SOUNDMAN.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-07 c:\windows\AGRSMMSG.exe]
"SiSPower"="SiSPower.dll" [2005-02-25 c:\windows\system32\SiSPower.dll]
"SbUsb AudCtrl"="sbusbdll.dll" [2004-07-08 c:\windows\system32\sbusbdll.dll]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Utility Tray.lnk - c:\windows\system32\sistray.exe [2005-03-07 331776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= c:\windows\system32\dosoyahe.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\MSMSGS.EXE"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 LiveUpdate Notice;LiveUpdate Notice;"c:\program files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [2008-01-25 149864]
R3 int15.sys;int15.sys;\??\c:\program files\acer\eRecovery\int15.sys [2006-03-19 69632]
R3 SISNICXP;SiS PCI Fast Ethernet Adapter Driver for NDIS51;c:\windows\system32\DRIVERS\sisnicxp.sys [1980-01-01 32768]
S3 COH_Mon;COH_Mon;\??\c:\windows\system32\Drivers\COH_Mon.sys [2008-01-12 23888]
S3 sbusb;Sound Blaster USB Audio Driver;c:\windows\system32\DRIVERS\sbusb.sys [2006-11-22 1643648]

*Newly Created Service* - COMHOST
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-11-25 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Laura.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2008-02-07 09:05]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKLM-Run-NapsterShell - c:\program files\Napster\napster.exe

.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Laura\Application Data\Mozilla\Firefox\Profiles\0sm864cn.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-26 11:02:16
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-26 11:02:39
ComboFix-quarantined-files.txt 2008-11-26 16:02:38

Pre-Run: 27,494,875,136 bytes free
Post-Run: 29,070,229,504 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

149 --- E O F --- 2008-11-12 06:31:44

Also, that "FAT 32" has been causing me problems for a while (computer shuts down whenever it damn well feels like it; typically when I'm watching a TV show or clip of something online). Do you think this was related? Just curious.

Best,
Laura
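As an added example (not from the thread), a small Python triage script that reads detection lines in this Malwarebytes log format, sorts them by the autostart location they abused, and lists anything still marked "Delete on reboot", which is what to re-check after restarting. The sample lines are copied from the log above; the mechanism labels are my own.

```python
import re
from collections import Counter

# Constructed sample: detection lines in the format Malwarebytes' Anti-Malware 1.x writes.
SAMPLE_LOG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5df7890c-9294-4e7b-b961-29cc4906d185} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rirawapola (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: c:\windows\system32\dijuvazi.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\bepanoto.dll -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bepanoto.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\yunudido.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
"""

# One detection line: "<item> (<family>) [-> Data: <value>] -> <action>."
LINE_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[^()]+)\)"
    r"(?: -> Data: (?P<data>.+?))? -> (?P<action>.+?)\.?$"
)

# Autostart locations seen in the log, as (path fragment, label); labels are mine.
PERSISTENCE = [
    ("\\Windows\\AppInit_DLLs", "AppInit_DLLs (loaded into every user32 process)"),
    ("\\LSA\\Notification Packages", "LSA notification package (loaded by lsass.exe)"),
    ("\\ShellServiceObjectDelayLoad\\", "Explorer SSODL"),
    ("\\SharedTaskScheduler\\", "Explorer SharedTaskScheduler"),
    ("\\Browser Helper Objects\\", "Internet Explorer BHO"),
    ("\\CurrentVersion\\Run\\", "Run key"),
]


def persistence_kind(item):
    for fragment, label in PERSISTENCE:
        if fragment.lower() in item.lower():
            return label
    return None  # a plain file, not an autostart point


def parse_line(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(log_text):
    """Count families and abused autostart points; list items the scanner could not yet remove."""
    summary = {"families": Counter(), "by_mechanism": Counter(), "pending_reboot": []}
    for raw in log_text.strip().splitlines():
        d = parse_line(raw)
        if d is None:
            continue  # section headers, totals, blank lines
        summary["families"][d["family"]] += 1
        kind = persistence_kind(d["item"])
        if kind:
            summary["by_mechanism"][kind] += 1
        # "Delete on reboot" means the DLL was loaded; confirm it is gone after the restart.
        if d["action"].startswith("Delete on reboot"):
            summary["pending_reboot"].append(d["item"])
    return summary
```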
Hey Laura

Please download the HijackThis zip file. Save it onto a convenient place in your computer, and then unzip the file. Rename HijackThis(.exe) to scanner(.exe). Next, run scanner(.exe). A window will pop up.

• Click on the button which says Main Menu, then Do a system scan and save a logfile.
• Please wait for the scan to be completed.
• After the scan has completed, a text window will pop up. Please post the contents of this window here. This will also be located at hijackthis(.txt) in the same folder that HijackThis was originally saved.

NOTE: Do not fix anything using HijackThis, as this may also damage legitimate components of your computer.

FAT 32 is a filesystem, not a problem. Generally, NTFS is the recommended file system (the way files are placed on your hard disk), but FAT32 has its advantages as well. It most probably has absolutely nothing to do with your shutting down problem.

What problems do you have left?

Best Regards
I used RootkitRevealer and found this information. But I don't know what to do with it! Please help! I'm infected with AV2009!

HKU\S-1-5-21-73586283-329068152-725345543-1004\Software\Adobe\MediaBrowser\MRU\illustrator\ApplicationPath 9/1/2008 2:28 PM 91 bytes Data mismatch between Windows API and raw hive data.
HKLM\SECURITY\Policy\Secrets\SAC* 8/31/2008 6:53 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 8/31/2008 6:53 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32* 8/31/2008 8:55 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32* 8/31/2008 8:55 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32* 8/31/2008 8:55 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32* 8/31/2008 8:55 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32* 8/31/2008 8:55 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32* 8/31/2008 8:55 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32* 8/31/2008 8:55 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32* 8/31/2008 8:55 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32* 8/31/2008 8:55 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32* 8/31/2008 8:55 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32* 8/31/2008 8:55 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32* 8/31/2008 8:55 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata 11/24/2008 7:25 PM 0 bytes Hidden from Windows API.
HKLM\SOFTWARE\TDSS 11/24/2008 10:42 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys 11/28/2008 3:28 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys 11/29/2008 8:21 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys 11/29/2008 8:34 PM 0 bytes Hidden from Windows API.
C: 0 bytes Error mounting volume
D: 0 bytes Error mounting volume
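As an added example (not part of kw's post), a Python script that parses RootkitRevealer output in this form and sorts the discrepancies: entries "Hidden from Windows API" (here the TDSSserv.sys service across every control set) are the ones that matter, while the SAC*/SAI* LSA secret names and most "Data mismatch" lines are usually noise. The bucket names are my own; the sample lines are copied from the output above.

```python
import re
from collections import defaultdict

# Constructed sample in the format RootkitRevealer writes, copied from the output above.
SAMPLE_OUTPUT = r"""
HKU\S-1-5-21-73586283-329068152-725345543-1004\Software\Adobe\MediaBrowser\MRU\illustrator\ApplicationPath 9/1/2008 2:28 PM 91 bytes Data mismatch between Windows API and raw hive data.
HKLM\SECURITY\Policy\Secrets\SAC* 8/31/2008 6:53 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32* 8/31/2008 8:55 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\TDSS 11/24/2008 10:42 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys 11/28/2008 3:28 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys 11/29/2008 8:21 PM 0 bytes Hidden from Windows API.
C: 0 bytes Error mounting volume
"""

# "<path> <m/d/yyyy> <h:mm AM|PM> <size> bytes <description>"
ENTRY_RE = re.compile(
    r"^(?P<path>.+?) (?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2} [AP]M) "
    r"(?P<size>[\d,]+) bytes (?P<desc>.+)$"
)
SERVICE_RE = re.compile(r"\\ControlSet\d{3}\\Services\\([^\\]+)$", re.IGNORECASE)


def classify(entry):
    """Map one discrepancy to a triage bucket (bucket names are mine)."""
    path, desc = entry["path"], entry["desc"]
    if desc.startswith("Hidden from Windows API"):
        return "hidden"      # the API denies a key the raw hive contains: rootkit behaviour
    if "embedded nulls" in desc:
        # The SAC*/SAI* LSA secrets show up on clean systems too; other null-named keys
        # (such as the CLSID\...\InprocServer32* entries) need a manual look.
        if path.upper().startswith("HKLM\\SECURITY\\POLICY\\SECRETS\\"):
            return "expected"
        return "null_name"
    if desc.startswith("Data mismatch"):
        return "mismatch"    # usually a value that changed between the API and raw reads
    return "other"


def triage(output):
    """Bucket every line and collect the service names reported as hidden."""
    buckets = defaultdict(list)
    hidden_services = set()
    for raw in output.strip().splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            buckets["unparsed"].append(line)  # e.g. "Error mounting volume"
            continue
        entry = m.groupdict()
        bucket = classify(entry)
        buckets[bucket].append(entry["path"])
        if bucket == "hidden":
            svc = SERVICE_RE.search(entry["path"])
            if svc:
                hidden_services.add(svc.group(1))
    return dict(buckets), hidden_services
```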
Hi kw, I've learned from experience that you should read the sticky at the top of the posts for this section, do what it says, & then start a new thread. The advice I've received has been very helpful, so good luck!!!