Tazebama.dll

scorpionmark

New Member
This virus is a NASTY one. Has anyone figured out how to remove the tazebama.dll virus? I've tried pretty much everything outside of reimaging the PC. I've also tried tracing the infection down in the registry and removing it, but there is still something hiding that keeps this virus alive. I've also tried all sorts of virus scanners and online scanners with no luck removing the virus. The scanners detect the virus but can't remove it. I would like to try and find a fix in case this happens again.

thanks for the input
 
You never did say what programs you used. However, please do the following so we can see what's on your system.

Please download Malwarebytes' Anti-Malware from here or here and save it to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version. Please keep updating until it says you have the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • A log will be saved automatically which you can access by clicking on the Logs tab within Malwarebytes' Anti-Malware.


Download the HijackThis installer from here.
Run the installer and choose Install, indicating that you accept the licence agreement. The installer will place a shortcut on your desktop and launch HijackThis.

Click Do a system scan and save a logfile

Most of what HijackThis lists will be harmless or even essential; don't fix anything yet.

Post the logfile that HijackThis produces along with the Malwarebytes Anti-Malware log.
 
Gathering Info

Hi johnb35

Thanks for responding. So far I've used malwarebytes, superantispyware, unhackme, eset, housecall, and stopzilla. I'll get the logs from malwarebytes and post them a little later on today.

thanks
 
If you have used malwarebytes already, I still want to see the logs from malwarebytes and hijackthis, but I also need you to download and run this procedure on the machine as well.

Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Combofix should never take more than 20 minutes including the reboot if malware is detected.


In your next reply please post:
  • The ComboFix log
  • A fresh HiJackThis log
  • An update on how your computer is running
 
Here are the log files you asked for. The computer is running a lot faster and seems to be working well, but it's still picking up the Tazebama virus.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:23:11 PM, on 12/30/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
D:\PStart.exe
D:\portable_toolkit\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {CCB69577-088B-4004-9ED8-FF5BCC83A039} - C:\PROGRA~1\REBATE~1\RebateI.dll
O2 - BHO: (no name) - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - C:\PROGRA~1\INBOXT~1\Inbox.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: &Inbox Toolbar - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - C:\PROGRA~1\INBOXT~1\Inbox.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - C:\PROGRA~1\INBOXT~1\Inbox.dll
O18 - Protocol: rebinfo - {AF808758-C780-404C-A4EE-4526323FD9B6} - C:\PROGRA~1\REBATE~1\RebateI.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 5894 bytes

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5422

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/30/2010 12:21:19 PM
mbam-log-2010-12-30 (12-21-11).txt

Scan type: Quick scan
Objects scanned: 136239
Time elapsed: 1 minute(s), 47 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
c:\documents and settings\tazebama.dl_ (Worm.Mabezat) -> 1336 -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\tazebama.dll (Worm.Mabezat) -> No action taken.
c:\documents and settings\hook.dl_ (Worm.Mabezat) -> No action taken.
c:\documents and settings\tazebama.dl_ (Worm.Mabezat) -> No action taken.
c:\zPharaoh.exe (Worm.Mabezat) -> No action taken.

ComboFix 10-12-29.04 - Owner 12/30/2010 12:07:53.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1665 [GMT -6:00]
Running from: E:\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
c:\documents and settings.\hook.dl_
c:\documents and settings.\tazebama.dl_
c:\documents and settings.\tazebama.dll
c:\documents and settings\Owner\Application Data\chrtmp
c:\documents and settings\Owner\Application Data\tazebama
c:\documents and settings\Owner\Application Data\tazebama\tazebama.log
c:\documents and settings\Owner\Application Data\tazebama\zPharaoh.dat
c:\documents and settings\Owner\My Documents\cc_20101228_143317.reg
c:\documents and settings\Owner\My Documents\cc_20101229_133133.reg
c:\program files\Common Files\Uninstall
C:\zPharaoh.exe

Infected copy of c:\windows\system32\mspaint.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\mspaint.exe

Infected copy of c:\windows\system32\mstsc.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\mstsc.exe

Infected copy of c:\windows\system32\ntbackup.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\ntbackup.exe

Infected copy of c:\windows\system32\sndrec32.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\sndrec32.exe

Infected copy of c:\windows\system32\sndvol32.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\sndvol32.exe

.
((((((((((((((((((((((((( Files Created from 2010-11-28 to 2010-12-30 )))))))))))))))))))))))))))))))
.

2010-12-30 18:12 . 2010-12-30 18:13 -------- d-----w- c:\documents and settings\Owner\Application Data\tazebama
2010-12-30 18:02 . 2010-12-30 18:12 160895 ----a-w- c:\documents and settings\hook.dl_
2010-12-30 18:01 . 2010-12-30 18:12 32768 ----a-w- c:\documents and settings\tazebama.dll
2010-12-30 17:55 . 2010-12-30 18:12 160895 ----a-w- c:\documents and settings\tazebama.dl_
2010-12-30 17:53 . 2010-12-30 17:55 102400 ----a-w- c:\windows\RegBootClean.exe
2010-12-30 13:25 . 2010-12-30 13:25 -------- d-----w- c:\documents and settings\Owner\log
2010-12-30 13:25 . 2010-09-06 09:26 189520 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-12-30 13:19 . 2010-12-30 13:19 -------- d-----w- c:\program files\CCleaner
2010-12-30 02:08 . 2010-12-30 02:08 24416 ----a-w- c:\windows\system32\drivers\regguard.sys
2010-12-30 02:02 . 2010-12-30 02:02 37600 ----a-w- c:\windows\system32\Partizan.exe
2010-12-30 02:02 . 2010-12-30 02:02 35816 ----a-w- c:\windows\system32\drivers\Partizan.sys
2010-12-30 02:02 . 2010-12-30 02:02 2 --shatr- c:\windows\winstart.bat
2010-12-30 02:02 . 2010-12-27 18:00 12808 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2010-12-30 02:02 . 2010-12-30 03:04 -------- d-----w- c:\program files\UnHackMe
2010-12-30 00:04 . 2010-12-30 01:14 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-12-29 21:04 . 2010-12-29 21:53 -------- d-----w- c:\documents and settings\Owner\.bh_gui
2010-12-29 21:03 . 2010-12-29 21:03 -------- d-----w- c:\documents and settings\Owner\Application Data\SRI
2010-12-29 21:02 . 2010-12-30 03:04 -------- d-----w- c:\program files\WinPcap
2010-12-29 20:25 . 2010-12-29 20:26 -------- d-----w- c:\program files\Common Files\Adobe
2010-12-29 19:50 . 2010-12-29 19:50 -------- d-----w- c:\documents and settings\Owner\Application Data\.clamwin
2010-12-29 19:09 . 2010-12-29 19:09 -------- d---a-w- C:\.Trash-1000
2010-12-29 18:10 . 2010-11-06 00:26 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-12-29 18:09 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-29 18:07 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-12-29 18:07 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-12-29 18:07 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-12-29 18:04 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-12-29 00:31 . 2010-12-29 00:36 -------- d-----w- c:\program files\WhatsRunning
2010-12-29 00:25 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-29 00:25 . 2010-12-30 02:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-29 00:25 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-28 20:44 . 2010-12-28 20:44 -------- d-----w- C:\!KillBox
2010-12-28 20:26 . 2010-12-29 20:58 -------- d-----w- c:\documents and settings\Owner\Application Data\Thinstall
2010-12-28 20:26 . 2010-12-28 20:26 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Thinstall
2010-12-28 17:32 . 2010-12-28 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-12-28 17:32 . 2010-12-30 03:03 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-12-28 17:32 . 2010-12-28 17:32 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2010-12-28 17:32 . 2010-12-28 17:32 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-12-28 15:05 . 2010-12-29 06:25 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2010-12-03 18:57 . 2010-12-03 18:57 191 ----a-w- c:\documents and settings\Owner\Application Data\Microsoft\gb_40125.bat
2010-12-01 02:40 . 2010-12-01 02:40 -------- d-----w- c:\documents and settings\SYSTEM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-30 18:13 . 2010-12-30 18:12 161765 --sh--r- C:\zPharaoh.exe
2010-11-18 18:12 . 2009-09-27 22:46 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26 . 2004-08-12 13:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2004-08-12 13:21 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2004-08-12 13:20 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2004-08-12 13:19 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2009-09-27 22:46 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2009-09-27 22:46 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2009-09-27 22:46 1853312 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CCB69577-088B-4004-9ED8-FF5BCC83A039}]
2010-01-28 13:54 807928 ----a-w- c:\progra~1\REBATE~1\RebateI.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-12-30 2175583]
"UnHackMe Monitor"="c:\program files\UnHackMe\hackmon.exe" [2010-12-30 756871]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-05-30 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-05-30 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-05-30 141848]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2010-12-30 155648]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2010-12-30 31072]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2010-12-30 1286608]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-12-30 54576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-12-30 932288]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [11/29/2010 5:07 PM 217032]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 10:15 AM 66632]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [9/21/2009 3:35 PM 20160]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 2:22 PM 34064]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [12/29/2010 8:02 PM 35816]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [12/29/2010 8:08 PM 24416]
S3 RegKernelHelp;RegKernelHelp;\??\c:\program files\Safe Returner\RegKernelHelp.sys --> c:\program files\Safe Returner\RegKernelHelp.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 10:15 AM 12872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-12-01 c:\windows\Tasks\hpwebreg_xxxxxxxxxx.job
- c:\program files\HP\HP Deskjet 2050 J510 series\Bin\hpwebreg.exe [2010-02-02 17:56]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>
Handler: rebinfo - {AF808758-C780-404C-A4EE-4526323FD9B6} - c:\progra~1\REBATE~1\RebateI.dll
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Toolbar-Locked - (no file)
WebBrowser-{D0523BB4-21E7-11DD-9AB7-415B56D89593} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-DW6 - (no file)
HKCU-Run-Vmaturow - c:\windows\bjgeacl.dll
HKLM-Run-NWEReboot - (no file)
HKU-Default-Run-Vmaturow - c:\windows\bjgeacl.dll
AddRemove-{F3759A9F-7AFA-4FB4-8DF1-53F26B979DEE} - c:\program files\InstallShield Installation Information\{F3759A9F-7AFA-4FB4-8DF1-53F26B979DEE}\setup.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-30 12:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(744)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2196)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\igfxsrvc.exe
c:\documents and settings\tazebama.dl_
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-12-30 12:16:57 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-30 18:16

Pre-Run: 61,605,662,720 bytes free
Post-Run: 62,691,106,816 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 0132EC4FCB316C35C0ED14E14E5A4839
 
Please place combofix on your desktop so we can perform the following procedure.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box

Code:
File::

c:\documents and settings\hook.dl_
c:\documents and settings\tazebama.dll
c:\documents and settings\tazebama.dl_

Folder::

c:\documents and settings\Owner\Application Data\tazebama


3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!


[screenshot: CFScript-1.gif]


ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.
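As an added post-cleanup check (this is not from the thread or from any of the tools it uses), the PowerShell script below looks for the Mabezat artifacts named in the ComboFix and Malwarebytes logs above: the dropped files, the Application Data\tazebama folder that kept reappearing, the orphaned Vmaturow Run value, the system32 binaries ComboFix restored from dllcache, and any process still running from those paths. It assumes PowerShell 2.0 or later on the XP machine, run from an elevated prompt, with the profile root C:\Documents and Settings as in the logs; the function and variable names are the example's own.

```powershell
# Added example, not part of the thread: post-cleanup check for the Mabezat
# artifacts named in the ComboFix and Malwarebytes logs above.
# Assumes PowerShell 2.0+ (XP-compatible) and an elevated prompt.

$profileRoot = 'C:\Documents and Settings'          # XP profile root used in the logs
$system32    = Join-Path $env:windir 'system32'

# Dropped files from "Other Deletions" and the Malwarebytes "Files Infected" list.
$indicatorFiles = @(
    (Join-Path $profileRoot 'tazebama.dll'),
    (Join-Path $profileRoot 'tazebama.dl_'),
    (Join-Path $profileRoot 'hook.dl_'),
    (Join-Path $profileRoot 'Owner\Application Data\tazebama\zPharaoh.dat'),
    'C:\zPharaoh.exe',
    'C:\autorun.inf',
    (Join-Path $env:windir 'bjgeacl.dll')           # target of the orphaned Vmaturow Run value
)

# Working folder the poster saw reappear after every reboot.
$indicatorFolders = @((Join-Path $profileRoot 'Owner\Application Data\tazebama'))

# system32 binaries ComboFix reported infected and restored from dllcache.
$restoredBinaries = 'mspaint.exe', 'mstsc.exe', 'ntbackup.exe', 'sndrec32.exe', 'sndvol32.exe'

function Get-Sha256Hex([string]$path) {
    # Get-FileHash needs PowerShell 4; SHA256Managed is available on PowerShell 2.
    $sha = New-Object System.Security.Cryptography.SHA256Managed
    try {
        $bytes = [System.IO.File]::ReadAllBytes($path)
        return [System.BitConverter]::ToString($sha.ComputeHash($bytes)).Replace('-', '')
    } finally {
        $sha.Clear()
    }
}

function New-Finding([string]$check, [bool]$suspicious) {
    New-Object PSObject -Property @{ Check = $check; Suspicious = $suspicious }
}

function Test-MabezatArtifacts {
    $findings = @()

    # -Force so hidden/system files (zPharaoh.exe was attributed --sh--r-) are not missed.
    foreach ($f in $indicatorFiles) {
        $item = Get-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue
        $findings += New-Finding "file $f" ($item -ne $null)
    }
    foreach ($d in $indicatorFolders) {
        $findings += New-Finding "folder $d" (Test-Path -LiteralPath $d)
    }

    # The worm patched EXEs in system32; compare each with its dllcache copy.
    foreach ($name in $restoredBinaries) {
        $live  = Join-Path $system32 $name
        $cache = Join-Path $system32 "dllcache\$name"
        if ((Test-Path -LiteralPath $live) -and (Test-Path -LiteralPath $cache)) {
            $differs = (Get-Sha256Hex $live) -ne (Get-Sha256Hex $cache)
            $findings += New-Finding "$name differs from dllcache copy" $differs
        }
    }

    # Run keys: ComboFix listed an orphaned Vmaturow value pointing at bjgeacl.dll.
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
        $run = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $hits = @()
        if ($run -ne $null) {
            $hits = @($run.PSObject.Properties | Where-Object {
                $_.Name -eq 'Vmaturow' -or "$($_.Value)" -match 'tazebama|zPharaoh|bjgeacl'
            })
        }
        $findings += New-Finding "$hive Run value" ($hits.Count -gt 0)
    }

    # Malwarebytes saw tazebama.dl_ running as a process; nothing should run from those paths now.
    $running = $false
    foreach ($p in Get-Process) {
        try { $path = $p.MainModule.FileName } catch { continue }
        if ($path -match 'tazebama|zPharaoh') { $running = $true }
    }
    $findings += New-Finding 'process running from worm path' $running

    return $findings
}

$results = Test-MabezatArtifacts
$results | Format-Table Check, Suspicious -AutoSize
if (@($results | Where-Object { $_.Suspicious }).Count -gt 0) {
    Write-Warning 'Mabezat artifacts still present; the cleanup is not complete.'
} else {
    Write-Host 'No Mabezat artifacts found.'
}
```

A clean result here is only as good as the indicator list; it confirms the artifacts from these logs are gone, not that the machine is free of other infections.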
 
I also ran the F-Secure disk overnight; it seems like it may have got most of it. Still seeing Mabezat.

ComboFix 10-12-30.03 - Owner 12/31/2010 11:59:49.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1604 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

FILE ::
"c:\documents and settings\hook.dl_"
"c:\documents and settings\tazebama.dl_"
"c:\documents and settings\tazebama.dll"
.

((((((((((((((((((((((((( Files Created from 2010-11-28 to 2010-12-31 )))))))))))))))))))))))))))))))
.

2010-12-31 00:00 . 2010-12-31 00:00 -------- d-----w- c:\windows\LastGood
2010-12-31 00:00 . 2010-12-31 00:00 -------- d-----w- c:\program files\ESET
2010-12-30 17:53 . 2010-12-30 17:55 102400 ----a-w- c:\windows\RegBootClean.exe
2010-12-30 13:25 . 2010-12-30 13:25 -------- d-----w- c:\documents and settings\Owner\log
2010-12-30 13:25 . 2010-09-06 09:26 189520 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-12-30 13:19 . 2010-12-30 13:19 -------- d-----w- c:\program files\CCleaner
2010-12-30 02:02 . 2010-12-30 02:02 2 --shatr- c:\windows\winstart.bat
2010-12-30 02:02 . 2010-12-27 18:00 12808 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2010-12-30 00:04 . 2010-12-30 01:14 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-12-29 21:03 . 2010-12-29 21:03 -------- d-----w- c:\documents and settings\Owner\Application Data\SRI
2010-12-29 21:02 . 2010-12-30 03:04 -------- d-----w- c:\program files\WinPcap
2010-12-29 20:25 . 2010-12-29 20:26 -------- d-----w- c:\program files\Common Files\Adobe
2010-12-29 19:50 . 2010-12-29 19:50 -------- d-----w- c:\documents and settings\Owner\Application Data\.clamwin
2010-12-29 18:10 . 2010-11-06 00:26 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-12-29 18:09 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-29 18:07 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-12-29 18:07 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-12-29 18:07 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-12-29 18:04 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-12-29 00:25 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-29 00:25 . 2010-12-30 02:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-29 00:25 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-28 20:44 . 2010-12-28 20:44 -------- d-----w- C:\!KillBox
2010-12-28 20:26 . 2010-12-30 22:01 -------- d-----w- c:\documents and settings\Owner\Application Data\Thinstall
2010-12-28 20:26 . 2010-12-28 20:26 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Thinstall
2010-12-28 17:32 . 2010-12-28 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-12-28 17:32 . 2010-12-30 20:39 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-12-28 17:32 . 2010-12-28 17:32 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2010-12-28 15:05 . 2010-12-29 06:25 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2010-12-03 18:57 . 2010-12-03 18:57 191 ----a-w- c:\documents and settings\Owner\Application Data\Microsoft\gb_40125.bat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 18:12 . 2009-09-27 22:46 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26 . 2004-08-12 13:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2004-08-12 13:21 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2004-08-12 13:20 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2004-08-12 13:19 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2009-09-27 22:46 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2009-09-27 22:46 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2009-09-27 22:46 1853312 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CCB69577-088B-4004-9ED8-FF5BCC83A039}]
2010-01-28 13:54 807928 ----a-w- c:\progra~1\REBATE~1\RebateI.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-12-14 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-05-30 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-05-30 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-05-30 141848]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2010-12-30 155648]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2010-12-30 31072]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2010-12-30 1286608]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-12-30 54576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-12-30 932288]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [11/29/2010 5:07 PM 217032]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 12:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 12:41 PM 67656]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [9/21/2009 3:35 PM 20160]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 2:22 PM 34064]
S3 RegKernelHelp;RegKernelHelp;\??\c:\program files\Safe Returner\RegKernelHelp.sys --> c:\program files\Safe Returner\RegKernelHelp.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>
Handler: rebinfo - {AF808758-C780-404C-A4EE-4526323FD9B6} - c:\progra~1\REBATE~1\RebateI.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-31 12:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(732)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1948)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-12-31 12:03:51
ComboFix-quarantined-files.txt 2010-12-31 18:03
ComboFix2.txt 2010-12-30 18:16

Pre-Run: 63,331,741,696 bytes free
Post-Run: 63,357,280,256 bytes free

- - End Of File - - F19747508B527BBA73AFC11881745CA1
 
Please download and run the ESET Online Scanner
Disable any antivirus/security programs.
IMPORTANT! UN-check Remove found threats
Accept any security warnings from your browser.
Check Scan archives
Click Start
ESET will then download updates, install and then start scanning your system.
When the scan is done, push list of found threats
Click on Export to text file, and save the file to your desktop using a file name such as ESETlog. Include the contents of this report in your next reply.
If no threats are found then it won't produce a log.
 
ESET Scan

I tried running ESET as directed but it did not find the threats. BUT, I think I got it removed. I got updates again for malwarebytes and ran it again in "safe" mode. From there, when I went back to remove the folder which had the infected files, I was allowed to do so. Previously when I removed this folder and rebooted, it would reappear.

This seemed to open the door for me. I ran about three more scans which found more infections that were able to be removed as well. For the past two days all scans have come up clean and the pc seems to be doing well.

I'll report back in a couple of days.
 