
I need help


13 replies to this topic

#1 relix

relix

  • Members
  • 13 posts

Posted 10 February 2009 - 04:16 AM

A moderator directed me to post in this section, from the Am I Infected? section, so here I am. Referred here from: http://www.bleepingcomputer.com/forums/t/199759/cant-access-my-computer-through-start-menu/ ~ OB

As the title says, I can't access My Computer through the start menu, desktop, or by clicking Run > Browse. When I click on 'My Computer', it merely shows the flashing shining its light from left to right as an indication of loading (sorry, I'm a computer n00b so I do not know what it's called). It just shows this, and nothing else. However, I can still access my C and D drives by using 'Run'. I do not know whether my computer is still infected, because I did run a scan using 'Malwarebytes' Anti-Malware' and it showed 0 items infected (will be explained further); however, I am still getting this problem as the topic title says. Let me now explain my problem in detail.

About a few weeks ago, I encountered the problem whereby double clicking on my C drive couldn't open it. However, I could access it using Right click > Explore. The option of Right click > Open on my C drive gives me an access denied error, even though I'm using an administrator account. I browsed Google, and found out that this problem was related to some Hack by Godzilla thingy. I thought that this problem was rather miniature, as there were many step-by-step guides on how to remove this problem. However, the thing is, a lot of these guides didn't help at all. For example, they told us to run 'regedit', search for some file called MS32(something), and delete it. I couldn't find this file.


About a few weeks ago, upon more browsing, I read some members' comments. They said to start 'Run', type 'regsvr32 /i shell32.dll' inside, and press OK. Many other members said that it worked, so I tried it out. A pop-up said that (something)(something) succeeded. I was glad; however, when I restarted my computer and came back, I couldn't access My Computer through the start menu or desktop at all.

You can check out my MBAM logs at this thread: MBAM logs


I have tried to scan the computer with Dr. Web CureIt (the free version) in both normal and safe mode; however, it did not work for me as the scan always stopped at a file called drw00003.tmp inside my Local Settings > Temp folder. I left the scan running for more than 3 hours, and it was still scanning this file.


Now here is my DDS log:


DDS (Ver_09-02-01.01) - NTFSx86
Run by Nazzo at 17:01:12.31 on Tue 02/10/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.3070.2304 [GMT 8:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
c:\windows\explorer.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\System32\RecvMessage.exe
C:\Program Files\Realtek\Diagnostics Utility\8169Diag.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\GIGABYTE\GBTUpd\RunUpd.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\LClock\LClock.exe
C:\Program Files\ViStart\ViStart.exe
C:\Program Files\ViOrb\ViOrb.exe
C:\Documents and Settings\Nazzo\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Internet Download Manager 5.14\Internet Download Manager\IDMan.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\GIGABYTE\G.O.M\GCSVR.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\PSIService.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Internet Download Manager 5.14\Internet Download Manager\IEMonitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Nazzo\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://sg.yahoo.com/
uInternet Settings,ProxyOverride = local
uURLSearchHooks: DeviceVM Url Search Hook: {0063bf63-bfff-4b8f-9d26-4267df7f17dd} - c:\windows\system32\dvmurl.dll
mWinlogon: UIHost=vistaui.exe
uWinlogon: Shell=c:\windows\explorer.exe
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager 5.14\internet download manager\IDMIECC.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: StylerToolBar: {d2f8f919-690b-4ea2-9fa7-a203d1e04f75} - c:\program files\styler\tb\StylerTB.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [LClock] c:\program files\lclock\LClock.exe
uRun: [ViStart] c:\program files\vistart\ViStart.exe
uRun: [ViOrb] c:\program files\viorb\ViOrb.exe
uRun: [Google Update] "c:\documents and settings\nazzo\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [IDMan] c:\program files\internet download manager 5.14\internet download manager\IDMan.exe /onboot
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [GEST]
mRun: [tray3] c:\windows\system32\RecvMessage.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [GBTUpd] c:\program files\gigabyte\gbtupd\PreRun.exe
mRun: [8169Diag] c:\program files\realtek\diagnostics utility\8169Diag.exe /hw
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\isuspm.exe" -scheduler
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Device Detector] DevDetect.exe -autorun
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [SNM] c:\program files\spynomore\SNM.exe /startup
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\nazzo\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\widgets\YahooWidgets.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\smartw~1.lnk - c:\program files\netgear\wg111 configuration utility\WG111CFG.exe
IE: Download all links with IDM - c:\program files\internet download manager 5.14\internet download manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\internet download manager 5.14\internet download manager\IEGetVL.htm
IE: Download with IDM - c:\program files\internet download manager 5.14\internet download manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
LSP: c:\windows\system32\idmmbc.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nazzo\applic~1\mozilla\firefox\profiles\i94mhceo.default\
FF - component: c:\documents and settings\nazzo\application data\idm\idmmzcc2\components\idmmzcc.dll
FF - component: c:\program files\mozilla firefox\components\CheckTudouVa.dll
FF - plugin: c:\documents and settings\nazzo\application data\mozilla\firefox\profiles\i94mhceo.default\extensions\iaplayer@instantaction.com\plugins\npiaplayer.dll
FF - plugin: c:\documents and settings\nazzo\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPStreamPlug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

============= SERVICES / DRIVERS ===============

R2 COM Service;COM Service;c:\program files\gigabyte\g.o.m\GCSVR.exe [2008-8-18 16384]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-1-8 55136]
R2 LANPkt;Realtek LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [2008-8-18 8960]
R3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [2008-8-18 11264]
S0 yvhr;yvhr;c:\windows\system32\drivers\yozexjez.sys --> c:\windows\system32\drivers\yozexjez.sys [?]
S2 GEST Service;GEST Service for program management.;c:\program files\gigabyte\energysaver\GSvr.exe [2008-8-18 80392]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2008-12-8 533344]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-10-5 33752]
S3 GVTDrv;GVTDrv;c:\windows\system32\drivers\GVTDrv.sys [2008-8-18 24944]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [2008-8-18 16640]
S3 XDva195;XDva195;\??\c:\windows\system32\xdva195.sys --> c:\windows\system32\XDva195.sys [?]
S3 XDva201;XDva201;\??\c:\windows\system32\xdva201.sys --> c:\windows\system32\XDva201.sys [?]
S3 XDva224;XDva224;\??\c:\windows\system32\xdva224.sys --> c:\windows\system32\XDva224.sys [?]
S4 Atapigpa;Atapigpa; [x]

=============== Created Last 30 ================

2009-02-10 14:08 32,368 a------- c:\windows\system32\jcsball.dat
2009-02-10 14:08 15,191 a------- c:\windows\system32\jcsb.new
2009-02-10 14:08 12,935 a------- c:\windows\system32\jerror.dat
2009-02-07 18:35 --d----- c:\program files\Gpotato
2009-02-06 18:43 --d----- c:\program files\Autorun Eater
2009-02-06 17:44 1,152 a------- c:\windows\system32\windrv.sys
2009-02-06 17:42 --d----- c:\program files\common files\Download Manager
2009-02-05 18:23 --d----- c:\documents and settings\nazzo\DoctorWeb
2009-02-02 23:35 31 a------- c:\windows\GunzLauncher.INI
2009-02-02 16:54 --d----- c:\program files\Internet Download Manager 5.14
2009-02-01 00:39 --d----- c:\docume~1\nazzo\applic~1\Malwarebytes
2009-02-01 00:39 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-01 00:38 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-01 00:38 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-01 00:38 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-25 21:01 --d----- c:\program files\Left 4 Dead
2009-01-22 22:39 206,256 a------- c:\windows\system32\idmmbc.dll
2009-01-22 14:42 --d----- c:\docume~1\nazzo\applic~1\Tibia
2009-01-20 20:11 --d----- c:\documents and settings\nazzo\Temp
2009-01-20 15:34 0 a------- c:\windows\system32\wme
2009-01-14 16:28 25,280 a------- c:\windows\system32\drivers\hamachi.sys
2009-01-14 16:28 --d----- c:\program files\Hamachi

==================== Find3M ====================

2009-02-10 14:08 16,608 a------- c:\windows\gdrv.sys
2008-12-18 20:43 2,686 a----r-- c:\windows\scs93EA.tmp
2008-12-15 21:48 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-08 20:04 98,304 a----r-- c:\windows\system32CmdLineExt.dll
2008-12-04 22:55 307,560 a----r-- c:\windows\WLXPGSS.SCR
2008-12-02 22:37 49,480 a------- c:\windows\system32\sirenacm.dll
2008-11-22 05:46 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-11-22 05:46 200,704 a------- c:\windows\system32\ssldivx.dll
2008-08-18 11:01 8 ---shr-- c:\windows\system32\6306FC3DB5.sys
2005-07-14 12:31 27,648 a--shr-- c:\windows\system32\AVSredirect.dll
2005-06-26 15:32 616,448 a--shr-- c:\windows\system32\cygwin1.dll
2005-06-21 22:37 45,568 a--shr-- c:\windows\system32\cygz.dll
2008-08-18 11:02 2,828 a--sh--- c:\windows\system32\KGyGaAvL.sys
2005-02-28 13:16 240,128 a--shr-- c:\windows\system32\x.264.exe

============= FINISH: 17:01:40.68 ===============

Edited by Orange Blossom, 10 February 2009 - 08:00 PM.



#2 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 17 February 2009 - 01:09 PM

Hi,

If you still need help with this, post a fresh DDS report, please.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the corresponding user's case only. If you have similar symptoms, create your own topic instead of following instructions given to someone else, please.


#3 relix

relix
  • Topic Starter

  • Members
  • 13 posts

Posted 18 February 2009 - 02:05 AM

Yep, here you go:


DDS (Ver_09-02-01.01) - NTFSx86
Run by Nazzo at 15:02:17.43 on Wed 02/18/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.3070.2346 [GMT 8:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
c:\windows\explorer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\GIGABYTE\G.O.M\GCSVR.EXE
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\PSIService.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Documents and Settings\Nazzo\My Documents\My Videos\Games\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://sg.yahoo.com/
uInternet Settings,ProxyOverride = local
uURLSearchHooks: DeviceVM Url Search Hook: {0063bf63-bfff-4b8f-9d26-4267df7f17dd} - c:\windows\system32\dvmurl.dll
mWinlogon: UIHost=vistaui.exe
uWinlogon: Shell=c:\windows\explorer.exe
TB: StylerToolBar: {d2f8f919-690b-4ea2-9fa7-a203d1e04f75} - c:\program files\styler\tb\StylerTB.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
StartupFolder: c:\docume~1\nazzo\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\widgets\YahooWidgets.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\smartw~1.lnk - c:\program files\netgear\wg111 configuration utility\WG111CFG.exe
IE: Download all links with IDM - c:\program files\internet download manager 5.14\internet download manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\internet download manager 5.14\internet download manager\IEGetVL.htm
IE: Download with IDM - c:\program files\internet download manager 5.14\internet download manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
LSP: c:\windows\system32\idmmbc.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nazzo\applic~1\mozilla\firefox\profiles\i94mhceo.default\
FF - prefs.js: browser.startup.homepage - hxxp://sg.yahoo.com/
FF - component: c:\documents and settings\nazzo\application data\idm\idmmzcc2\components\idmmzcc.dll
FF - component: c:\program files\mozilla firefox\components\CheckTudouVa.dll
FF - plugin: c:\documents and settings\nazzo\application data\mozilla\firefox\profiles\i94mhceo.default\extensions\iaplayer@instantaction.com\plugins\npiaplayer.dll
FF - plugin: c:\documents and settings\nazzo\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPStreamPlug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

============= SERVICES / DRIVERS ===============

R2 COM Service;COM Service;c:\program files\gigabyte\g.o.m\GCSVR.exe [2008-8-18 16384]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-1-8 55136]
R2 GEST Service;GEST Service for program management.;c:\program files\gigabyte\energysaver\GSvr.exe [2008-8-18 80392]
R2 LANPkt;Realtek LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [2008-8-18 8960]
S0 yvhr;yvhr;c:\windows\system32\drivers\yozexjez.sys --> c:\windows\system32\drivers\yozexjez.sys [?]
S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [2008-8-18 11264]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2008-12-8 533344]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-10-5 33752]
S3 GVTDrv;GVTDrv;c:\windows\system32\drivers\GVTDrv.sys [2008-8-18 24944]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [2008-8-18 16640]
S3 XDva195;XDva195;\??\c:\windows\system32\xdva195.sys --> c:\windows\system32\XDva195.sys [?]
S3 XDva201;XDva201;\??\c:\windows\system32\xdva201.sys --> c:\windows\system32\XDva201.sys [?]
S3 XDva224;XDva224;\??\c:\windows\system32\xdva224.sys --> c:\windows\system32\XDva224.sys [?]
S4 Atapigpa;Atapigpa; [x]

=============== Created Last 30 ================

2009-02-18 14:29 31,874 a------- c:\windows\system32\jcsball.dat
2009-02-18 14:29 15,305 a------- c:\windows\system32\jcsb.new
2009-02-18 14:29 13,088 a------- c:\windows\system32\jerror.dat
2009-02-16 17:50 17,876 a---h--- c:\windows\system32\wcdrtc32.dl_
2009-02-16 17:50 25,600 a------- c:\windows\system32\wcdrtc32.dll
2009-02-16 17:50 <DIR> --d----- c:\windows\system32\%systemroot%
2009-02-16 17:49 <DIR> --d----- c:\program files\PokemonOnline
2009-02-14 21:49 <DIR> --d----- c:\docume~1\nazzo\applic~1\Uniblue
2009-02-13 03:05 <DIR> --d----- c:\documents and settings\nazzo\.thumbnails
2009-02-13 01:30 <DIR> --d----- c:\documents and settings\nazzo\.gimp-2.6
2009-02-13 01:30 <DIR> --d----- c:\documents and settings\nazzo\.gegl-0.0
2009-02-13 01:29 <DIR> --d----- c:\program files\GIMP-2.0
2009-02-06 18:43 <DIR> --d----- c:\program files\Autorun Eater
2009-02-06 17:44 1,152 a------- c:\windows\system32\windrv.sys
2009-02-06 17:42 <DIR> --d----- c:\program files\common files\Download Manager
2009-02-05 18:23 <DIR> --d----- c:\documents and settings\nazzo\DoctorWeb
2009-02-02 23:35 31 a------- c:\windows\GunzLauncher.INI
2009-02-02 16:54 <DIR> --d----- c:\program files\Internet Download Manager 5.14
2009-02-01 00:39 <DIR> --d----- c:\docume~1\nazzo\applic~1\Malwarebytes
2009-02-01 00:39 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-01 00:38 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-01 00:38 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-01 00:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-25 21:01 <DIR> --d----- c:\program files\Left 4 Dead
2009-01-22 22:39 206,256 a------- c:\windows\system32\idmmbc.dll
2009-01-22 14:42 <DIR> --d----- c:\docume~1\nazzo\applic~1\Tibia
2009-01-20 20:11 <DIR> --d----- c:\documents and settings\nazzo\Temp
2009-01-20 15:34 0 a------- c:\windows\system32\wme

==================== Find3M ====================

2009-02-18 14:29 16,608 a------- c:\windows\gdrv.sys
2009-01-16 21:35 3,594,752 a------- c:\windows\system32\SET2D9.tmp
2009-01-14 16:28 25,280 a------- c:\windows\system32\drivers\hamachi.sys
2008-12-22 05:46 351,744 a------- c:\windows\system32\avisynth.dll
2008-12-18 20:43 2,686 a----r-- c:\windows\scs93EA.tmp
2008-12-15 21:48 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-08 20:04 98,304 a----r-- c:\windows\system32CmdLineExt.dll
2008-12-04 22:55 307,560 a----r-- c:\windows\WLXPGSS.SCR
2008-12-02 22:37 49,480 a------- c:\windows\system32\sirenacm.dll
2008-11-22 05:46 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-11-22 05:46 200,704 a------- c:\windows\system32\ssldivx.dll
2008-08-18 11:01 8 ---shr-- c:\windows\system32\6306FC3DB5.sys
2005-07-14 12:31 27,648 a--shr-- c:\windows\system32\AVSredirect.dll
2005-06-26 15:32 616,448 a--shr-- c:\windows\system32\cygwin1.dll
2005-06-21 22:37 45,568 a--shr-- c:\windows\system32\cygz.dll
2008-08-18 11:02 2,828 a--sh--- c:\windows\system32\KGyGaAvL.sys
2005-02-28 13:16 240,128 a--shr-- c:\windows\system32\x.264.exe

============= FINISH: 15:02:21.82 ===============

Attached Files
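
A first-pass triage script over the DDS log format posted above, as an added example (not part of this thread or of the DDS tool). It flags service/driver entries that DDS could not resolve to a file on disk (the trailing "[?]" / "[x]" markers) and files in the Created Last 30 / Find3M sections carrying the hidden or system attribute; the sample lines are constructed from the thread's own log, and a flag is a prompt to review the entry, not a verdict that it is malware.

```python
"""First-pass triage of a DDS log as posted in this thread.

Added example, not part of the thread or of the DDS tool. Flags service/driver
entries whose image DDS could not resolve ("[?]" / "[x]") and recently-listed
files with the hidden or system attribute. A flag means "review", not "malware".
"""
import re
from dataclasses import dataclass

# Constructed sample, modelled on the log lines shown in the thread.
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============

R2 LANPkt;Realtek LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [2008-8-18 8960]
S0 yvhr;yvhr;c:\windows\system32\drivers\yozexjez.sys --> c:\windows\system32\drivers\yozexjez.sys [?]
S3 XDva195;XDva195;\??\c:\windows\system32\xdva195.sys --> c:\windows\system32\XDva195.sys [?]
S4 Atapigpa;Atapigpa; [x]

=============== Created Last 30 ================

2009-02-16 17:50 17,876 a---h--- c:\windows\system32\wcdrtc32.dl_
2009-02-06 17:42 <DIR> --d----- c:\program files\common files\Download Manager

==================== Find3M ====================

2008-12-15 21:48 410,984 a------- c:\windows\system32\deploytk.dll
2008-08-18 11:01 8 ---shr-- c:\windows\system32\6306FC3DB5.sys
2008-08-18 11:02 2,828 a--sh--- c:\windows\system32\KGyGaAvL.sys
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# start-type code, short name, display name, image/path remainder
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]*);([^;]*);(.*)$")
# date time [size|<DIR>] 8-char attribute field path
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2})\s+(?:(<DIR>|[\d,]+)\s+)?([a-z\-]{8})\s+(.+)$"
)
FILE_SECTIONS = ("Created Last 30", "Find3M")


@dataclass
class ServiceEntry:
    start: str    # DDS start-type code: R = running, S = stopped; 0 = boot start
    name: str
    display: str
    image: str


@dataclass
class FileEntry:
    date: str
    size: str     # "", "<DIR>" or a comma-grouped byte count
    attrs: str    # e.g. "a--shr--": s = system, h = hidden, r = read-only
    path: str


def split_sections(text):
    """Group non-empty lines under the '=== Title ===' header preceding them."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections


def parse_services(lines):
    return [ServiceEntry(*m.groups()) for m in map(SERVICE_RE.match, lines) if m]


def parse_files(lines):
    out = []
    for m in map(FILE_RE.match, lines):
        if m:
            date, _time, size, attrs, path = m.groups()
            out.append(FileEntry(date, size or "", attrs, path))
    return out


def triage(text):
    """Return (category, detail) pairs worth a human look, in log order."""
    findings = []
    sections = split_sections(text)
    for svc in parse_services(sections.get("SERVICES / DRIVERS", [])):
        image = svc.image.strip()
        tag = " (boot-start driver)" if svc.start.endswith("0") else ""
        if image.endswith("[?]"):
            findings.append(("missing-image", f"{svc.start} {svc.name}{tag}: {image}"))
        elif image == "[x]":
            findings.append(("no-image", f"{svc.start} {svc.name}: no image path recorded"))
    for section in FILE_SECTIONS:
        for f in parse_files(sections.get(section, [])):
            if "h" in f.attrs:
                kind = "hidden+system" if "s" in f.attrs else "hidden"
                findings.append(("hidden-file", f"{section}: {f.path} [{f.attrs}] {kind}"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:14} {detail}")
```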



#4 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 18 February 2009 - 10:25 AM

Hi again,


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix (link).
    Remember to re-enable them afterwards.

  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New DDS log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.



#5 relix

relix
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:04:23 AM

Posted 19 February 2009 - 12:15 PM

I did the steps carefully. Here's the log. Thank you very much for your help.

ComboFix 09-02-18.01 - Nazzo 2009-02-20 0:57:30.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.3070.2526 [GMT 8:00]
Running from: c:\documents and settings\Nazzo\My Documents\Downloads\Programs\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\Programs\Setup Wizard
c:\documents and settings\All Users\Start Menu\Programs\Setup Wizard\SetupWizard.lnk
c:\documents and settings\All Users\Start Menu\Programs\Setup Wizard\Uninstall SetupWizard.lnk
c:\documents and settings\Nazzo\Local Settings\Temporary Internet Files\sph264.dll
c:\documents and settings\Nazzo\Local Settings\Temporary Internet Files\spmpeg4.dll
c:\documents and settings\Nazzo\Local Settings\Temporary Internet Files\sptheo.dll
c:\documents and settings\Nazzo\Local Settings\Temporary Internet Files\StreamPlug.dll
c:\windows\system32\gmail.dll
c:\windows\Temp\scsE.tmp
c:\windows\Temp\scsF.tmp
D:\resycled

.
((((((((((((((((((((((((( Files Created from 2009-01-19 to 2009-02-19 )))))))))))))))))))))))))))))))
.

2009-02-17 01:21 . 2009-02-17 01:52 <DIR> d-------- c:\documents and settings\Guest\Application Data\gtk-2.0
2009-02-17 01:21 . 2009-02-17 01:21 <DIR> d-------- c:\documents and settings\Guest\.thumbnails
2009-02-17 01:19 . 2009-02-17 01:52 <DIR> d-------- c:\documents and settings\Guest\.gimp-2.6
2009-02-17 01:19 . 2009-02-17 01:19 <DIR> d-------- c:\documents and settings\Guest\.gegl-0.0
2009-02-16 17:50 . 2009-02-16 17:50 <DIR> d-------- c:\windows\system32\%systemroot%
2009-02-16 17:50 . 2009-02-20 01:03 25,600 --a------ c:\windows\system32\wcdrtc32.dll
2009-02-16 17:50 . 2009-02-20 01:05 17,876 --ah----- c:\windows\system32\wcdrtc32.dl_
2009-02-16 17:49 . 2009-02-16 17:56 <DIR> d-------- c:\program files\PokemonOnline
2009-02-16 03:00 . 2009-02-16 03:00 <DIR> d-------- c:\documents and settings\Guest\Application Data\Skype
2009-02-14 21:49 . 2009-02-14 21:49 <DIR> d-------- c:\documents and settings\Nazzo\Application Data\Uniblue
2009-02-13 03:05 . 2009-02-13 03:05 <DIR> d-------- c:\documents and settings\Nazzo\.thumbnails
2009-02-13 01:36 . 2009-02-16 20:02 <DIR> d-------- c:\documents and settings\Nazzo\Application Data\gtk-2.0
2009-02-13 01:30 . 2009-02-16 20:02 <DIR> d-------- c:\documents and settings\Nazzo\.gimp-2.6
2009-02-13 01:30 . 2009-02-13 01:30 <DIR> d-------- c:\documents and settings\Nazzo\.gegl-0.0
2009-02-13 01:29 . 2009-02-13 01:29 <DIR> d-------- c:\program files\GIMP-2.0
2009-02-06 18:43 . 2009-02-06 19:42 <DIR> d-------- c:\program files\Autorun Eater
2009-02-06 17:44 . 2009-02-06 17:44 1,152 --a------ c:\windows\system32\windrv.sys
2009-02-06 17:42 . 2009-02-06 17:42 <DIR> d-------- c:\program files\Common Files\Download Manager
2009-02-05 18:23 . 2009-02-05 18:23 <DIR> d-------- c:\documents and settings\Nazzo\DoctorWeb
2009-02-05 18:19 . 2009-02-05 18:19 <DIR> d-------- c:\documents and settings\Administrator
2009-02-02 23:35 . 2009-02-03 15:52 31 --a------ c:\windows\GunzLauncher.INI
2009-02-02 16:54 . 2009-02-02 16:54 <DIR> d-------- c:\program files\Internet Download Manager 5.14
2009-02-01 00:39 . 2009-02-01 00:39 <DIR> d-------- c:\documents and settings\Nazzo\Application Data\Malwarebytes
2009-02-01 00:39 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-01 00:38 . 2009-02-01 00:39 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-01 00:38 . 2009-02-01 00:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-01 00:38 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-29 18:12 . 2009-02-17 00:35 <DIR> d-------- c:\documents and settings\Guest\Tracing
2009-01-25 21:01 . 2009-01-25 21:07 <DIR> d-------- c:\program files\Left 4 Dead
2009-01-22 22:39 . 2009-01-22 22:49 206,256 --a------ c:\windows\system32\idmmbc.dll
2009-01-22 14:42 . 2009-01-22 14:42 <DIR> d-------- c:\documents and settings\Nazzo\Application Data\Tibia
2009-01-20 20:11 . 2009-01-20 20:11 <DIR> d-------- c:\documents and settings\Nazzo\Temp
2009-01-20 15:34 . 2009-01-20 15:34 0 --a------ c:\windows\system32\wme

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-19 17:05 16,608 ----a-w c:\windows\gdrv.sys
2009-02-19 16:57 --------- d-----w c:\documents and settings\Nazzo\Application Data\DMCache
2009-02-19 16:39 --------- d-----w c:\program files\Garena
2009-02-19 09:12 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-02-18 17:00 --------- d-----w c:\documents and settings\Nazzo\Application Data\Skype
2009-02-18 06:59 --------- d-----w c:\documents and settings\Nazzo\Application Data\skypePM
2009-02-17 10:29 --------- d-----w c:\documents and settings\Nazzo\Application Data\Azureus
2009-02-17 10:28 --------- d-----w c:\program files\Vuze
2009-02-16 05:58 --------- d-----w c:\program files\ViStart
2009-02-15 06:05 --------- d-----w c:\documents and settings\Nazzo\Application Data\HPAppData
2009-02-13 17:59 --------- d-----w c:\program files\AviSynth 2.5
2009-02-11 11:39 --------- d-----w c:\program files\Messenger Plus! Live
2009-02-11 08:43 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-07 06:36 --------- d-----w c:\documents and settings\Nazzo\Application Data\LimeWire
2009-02-02 09:32 --------- d-----w c:\program files\SystemRequirementsLab
2009-02-02 09:32 --------- d-----w c:\documents and settings\Nazzo\Application Data\SystemRequirementsLab
2009-02-02 09:07 --------- d-----w c:\documents and settings\Nazzo\Application Data\IDM
2009-01-21 05:40 --------- d-----w c:\documents and settings\Nazzo\Application Data\Hamachi
2009-01-16 10:37 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-14 12:56 --------- d-----w c:\program files\Warcraft III
2009-01-14 08:28 25,280 ----a-w c:\windows\system32\drivers\hamachi.sys
2009-01-14 08:28 --------- d-----w c:\program files\Hamachi
2009-01-13 12:24 --------- d-----w c:\program files\Steam
2009-01-13 09:18 --------- d-----w c:\documents and settings\Nazzo\Application Data\mIRC
2009-01-08 15:47 --------- d-----w c:\program files\Microsoft Silverlight
2009-01-08 15:46 --------- d-----w c:\program files\Windows Live
2009-01-08 15:46 --------- d-----w c:\program files\Microsoft Office Outlook Connector
2009-01-08 15:46 --------- d-----w c:\program files\Microsoft
2009-01-08 15:43 --------- d-----w c:\program files\Windows Live SkyDrive
2009-01-08 15:36 --------- d-----w c:\program files\Common Files\Windows Live
2008-12-29 10:54 --------- d-----w c:\program files\Common Files\DirectX
2008-12-26 20:13 --------- d-----w c:\program files\pspvc
2008-12-26 20:00 --------- d-----w c:\documents and settings\Nazzo\Application Data\Moyea
2008-12-18 12:43 2,686 ----a-r c:\windows\scs93EA.tmp
2008-12-08 12:04 98,304 ----a-r c:\windows\system32CmdLineExt.dll
2008-12-04 14:55 307,560 ----a-r c:\windows\WLXPGSS.SCR
2008-07-04 02:33 24,576 ----a-w c:\program files\mozilla firefox\components\CheckTudouVa.dll
2008-08-18 03:01 8 --sh--r c:\windows\system32\6306FC3DB5.sys
2005-07-14 04:31 27,648 --sha-r c:\windows\system32\AVSredirect.dll
2005-06-26 07:32 616,448 --sha-r c:\windows\system32\cygwin1.dll
2005-06-21 14:37 45,568 --sha-r c:\windows\system32\cygz.dll
2008-08-18 03:02 2,828 --sha-w c:\windows\system32\KGyGaAvL.sys
2005-02-28 05:16 240,128 --sha-r c:\windows\system32\x.264.exe
.

------- Sigcheck -------

2007-06-13 18:23 1423360 e4368d08c22012b357bef3ba239ac667 c:\windows\explorer.exe
2007-06-13 19:26 1053696 38b28f02aef0b18c3fc147c8517b305a c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-04 00:56 1052672 089f43978ae1d5b1a073537e082a2123 c:\windows\$NtUninstallKB938828$\explorer.exe
2004-08-04 00:56 1052672 17577f88e2b52dbf2ef519f865bc0f5d c:\windows\ServicePackFiles\i386\explorer.exe
2008-04-14 08:12 1054208 d3dd65ee02a40af7b3fa0c490b0aa28c c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\explorer.exe
2007-06-13 18:23 1033216 97bd6515465659ff8f3b7be375b2ea87 c:\windows\system32\dllcache\explorer.exe
2007-06-13 18:23 1033216 97bd6515465659ff8f3b7be375b2ea87 c:\windows\system32\VITrans\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

c:\documents and settings\Nazzo\Start Menu\Programs\Startup\
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2008-03-19 4742184]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-12-14 134144]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
Smart Wizard Wireless Settings.lnk - c:\program files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe [2008-08-18 1056864]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="c:\windows\explorer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):76,69,73,74,61,75,69,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3fhg"= mp3fhg.acm
"msacm.divxa32"= divxa32.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\RecvMessage.exe"=
"c:\\Program Files\\GIGABYTE\\GBTUpd\\RunUpd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\GIGABYTE\\GBTUpd\\GBTUpd.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\GIGABYTE\\@BIOS\\gwflash.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\GIGABYTE\\EnergySaver\\run.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Electronic Arts\\Command & Conquer 3\\RetailExe\\1.0\\cnc3game.dat"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Documents and Settings\\Nazzo\\My Documents\\Downloads\\t]Left_4_Dead_FullRip_Skullptura.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Documents and Settings\\Nazzo\\My Documents\\My Videos\\Games\\Left.4.Dead.Full-Rip.Skullptura\\Left.4.Dead.Full-Rip.Skullptura\\Left 4 Dead\\left4dead.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 COM Service;COM Service;c:\program files\GIGABYTE\G.O.M\GCSVR.exe [2008-08-18 16384]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-01-08 55136]
R2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [2008-08-18 80392]
R2 LANPkt;Realtek LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [2008-08-18 8960]
S0 yvhr;yvhr;c:\windows\system32\drivers\yozexjez.sys --> c:\windows\system32\drivers\yozexjez.sys [?]
S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [2008-08-18 11264]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2008-12-08 533344]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-10-05 33752]
S3 GVTDrv;GVTDrv;c:\windows\system32\drivers\GVTDrv.sys [2008-08-18 24944]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [2008-08-18 16640]
S3 XDva195;XDva195;\??\c:\windows\system32\XDva195.sys --> c:\windows\system32\XDva195.sys [?]
S3 XDva201;XDva201;\??\c:\windows\system32\XDva201.sys --> c:\windows\system32\XDva201.sys [?]
S3 XDva224;XDva224;\??\c:\windows\system32\XDva224.sys --> c:\windows\system32\XDva224.sys [?]
S4 Atapigpa;Atapigpa; [x]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PCANDIS5

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\ntldr.com d:
\Shell\Open\command - d:\resycled\ntldr.com d:
.
Contents of the 'Scheduled Tasks' folder

2009-01-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-02-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-651377827-839522115-1004.job
- c:\documents and settings\Nazzo\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-08 16:09]
.
- - - - ORPHANS REMOVED - - - -

Notify-dimsntfy - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://sg.yahoo.com/
uInternet Settings,ProxyOverride = local
IE: Download all links with IDM - c:\program files\Internet Download Manager 5.14\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager 5.14\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager 5.14\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\idmmbc.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\Nazzo\Application Data\Mozilla\Firefox\Profiles\i94mhceo.default\
FF - prefs.js: browser.startup.homepage - hxxp://sg.yahoo.com/
FF - component: c:\documents and settings\Nazzo\Application Data\IDM\idmmzcc2\components\idmmzcc.dll
FF - component: c:\program files\Mozilla Firefox\components\CheckTudouVa.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Nazzo\Application Data\Mozilla\Firefox\Profiles\i94mhceo.default\extensions\iaplayer@instantaction.com\plugins\npiaplayer.dll
FF - plugin: c:\documents and settings\Nazzo\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPStreamPlug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-20 01:05:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\jcsb.new 15290 bytes
c:\windows\system32\jcsball.dat 31720 bytes
c:\windows\system32\jerror.dat

scan completed successfully
hidden files: 3

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1214440339-651377827-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1214440339-651377827-839522115-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:10,ec,33,92,bf,e5,cd,ff,d3,5b,de,bb,9a,8e,1f,ba,55,17,34,17,55,3e,0c,
fa,61,fa,0c,86,cf,d8,f0,15,62,27,50,dc,7e,7c,42,40,c4,67,e9,dc,d3,02,c9,3c,\
"??"=hex:c3,c1,bb,e1,61,7d,07,bc,ce,72,ac,80,b3,7c,a7,7e

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{3dbe15b6-65df-4cfa-87b8-1c0a2bedb4ca}]
@Denied: (Full) (Everyone)
"Model"=dword:0000002f
"Therad"=dword:0000000f

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):0d,00,19,1f,19,ea,eb,fe,ec,c3,60,c5,1c,9b,ec,e2,18,e2,11,96,26,
07,74,00,f5,8b,0d,f6,4d,1b,51,25,1f,f1,4a,f5,db,0f,b7,4e,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):cf,b7,b5,55,61,26,d5,de,d3,c7,b6,cd,1a,d0,db,c2,c9,a2,41,5a,f6,
0a,fc,55,e5,bb,36,1e,a8,df,62,6b,d1,51,f6,de,ae,df,4b,7a,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{fcac0ec2-3053-4ba7-bb19-2a57391e871e}]
@Denied: (Full) (Everyone)
"Model"=dword:00000001
"Therad"=dword:0000001b
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(944)
c:\windows\system32\cscui.dll

- - - - - - - > 'lsass.exe'(1000)
c:\windows\system32\idmmbc.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PSIService.exe
c:\windows\system32\snmp.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2009-02-20 1:12:52 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-19 17:11:59

Pre-Run: 3,572,764,672 bytes free
Post-Run: 7,819,468,800 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

Current=18 Default=18 Failed=17 LastKnownGood=19 Sets=1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19
293 --- E O F --- 2009-02-12 19:01:15

#6 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:11:23 PM

Posted 19 February 2009 - 01:46 PM

Hi

Sorry to bring you bad news, but your system is infected with the Sality file infector. That means the only way out of this is to do a reformat. Also, if you have used any removable USB drives with this system, then those drives must be reformatted too, since Sality spreads on those. If you plug a USB drive infected this way into a clean system, that gets infected as well.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall



#7 relix

relix
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:04:23 AM

Posted 21 February 2009 - 07:50 AM

Oh okay. Well, I was well prepared for that, seeing that my computer already has a lot of junk, as I saw when I was browsing through all my files. One question though: since the Sality virus only spreads on .exe files, can I still keep stuff like pictures, videos, and text documents? Meaning that all my games have to go, including executable files?

#8 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:11:23 PM

Posted 21 February 2009 - 10:22 AM

Actually, Sality infects much more than just exe file types. It infects all scr files and web site file types (htm, asp etc.) too, and archive files that have those file types inside. Sality is network aware, meaning that it can infect other systems if connected in the same network. Removable USB drives are not safe either; those get infected as well.


You may use an external USB drive for backing up after you've first made sure it doesn't carry Sality.

1. Download Flash_Disinfector and save it to your Desktop of your clean system.
2. After downloading, double-click on Flash_Disinfector to run it.
3. Just follow the prompts and continue until it begins scanning.
4. If asked to insert your flash drive or any removable device including USB Pen Drive and Memory Stick, please do so.
5. It will scan removable drives, wait for the scan to finish. Done.

After that run Kaspersky Online Scanner on clean machine to check your USB drive.

If Kaspersky doesn't find anything bad on the USB drive, then you can use it to back up stuff from the infected system, keeping in mind that these file types are not allowed:
- .exe
- .scr
- all web page files (.htm, .html, .asp, .aspx etc.)
- archive files (.zip & .rar) containing any of the above-mentioned file types

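The backup rules in the post above (no .exe, .scr or web page files, and no archive that carries one of those inside) turned into a checker that a helper could run over a folder before it is copied to a clean USB drive. This is an added example written for this page; it is not code from the thread, from Flash_Disinfector or from any other tool mentioned here. The directory tree it scans is constructed inside the script, and the decision to refuse every .rar outright (the standard library can list .zip members but not .rar members) is my own conservative choice, not something the post states.

```python
from __future__ import annotations

import os
import tempfile
import zipfile
from pathlib import Path

# File types Blade81 says must not leave a Sality-infected machine.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".htm", ".html", ".asp", ".aspx"}
# Archives are only allowed when none of their members has a blocked extension.
ARCHIVE_EXTENSIONS = {".zip", ".rar"}


def is_blocked_name(name: str) -> bool:
    """True if the file name carries an extension that must stay behind."""
    return Path(name).suffix.lower() in BLOCKED_EXTENSIONS


def archive_verdict(path: Path) -> tuple[bool, str]:
    """Decide whether an archive may be copied.

    Zip members are listed with the standard library. A .rar cannot be
    inspected without third-party code, so it is refused outright
    (assumption made for this example: refuse what cannot be inspected).
    """
    if path.suffix.lower() == ".rar":
        return False, "rar archive cannot be inspected, refusing"
    try:
        with zipfile.ZipFile(path) as zf:
            bad = [m for m in zf.namelist() if is_blocked_name(m)]
    except zipfile.BadZipFile:
        return False, "not a valid zip file, refusing"
    if bad:
        return False, "archive contains blocked members: " + ", ".join(bad)
    return True, "archive members are all allowed"


def classify_tree(root: Path) -> dict[str, tuple[bool, str]]:
    """Map every file under root to (allowed, reason), paths relative to root."""
    verdicts: dict[str, tuple[bool, str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = Path(dirpath) / fname
            rel = str(full.relative_to(root)).replace(os.sep, "/")
            suffix = full.suffix.lower()
            if suffix in BLOCKED_EXTENSIONS:
                verdicts[rel] = (False, f"blocked extension {suffix}")
            elif suffix in ARCHIVE_EXTENSIONS:
                verdicts[rel] = archive_verdict(full)
            else:
                verdicts[rel] = (True, "allowed")
    return verdicts


def build_sample_tree(root: Path) -> None:
    """Create a constructed backup set that mixes allowed and blocked files."""
    (root / "photos").mkdir()
    (root / "photos" / "holiday.jpg").write_bytes(b"\xff\xd8\xff" + b"\x00" * 16)
    (root / "docs").mkdir()
    (root / "docs" / "notes.txt").write_text("grocery list\n")
    (root / "docs" / "page.HTM").write_text("<html></html>\n")  # case-insensitive match
    (root / "docs" / "broken.zip").write_bytes(b"not a zip at all")
    (root / "games").mkdir()
    (root / "games" / "setup.exe").write_bytes(b"MZ" + b"\x00" * 62)
    (root / "games" / "patch.rar").write_bytes(b"Rar!\x1a\x07\x00")
    with zipfile.ZipFile(root / "games" / "saves.zip", "w") as zf:
        zf.writestr("save1.dat", b"\x00" * 8)
        zf.writestr("readme.txt", "keep me\n")
    with zipfile.ZipFile(root / "games" / "mods.zip", "w") as zf:
        zf.writestr("mod.cfg", "x=1\n")
        zf.writestr("tools/mod_installer.exe", b"MZ" + b"\x00" * 30)


def demo_run() -> dict[str, tuple[bool, str]]:
    """Build the constructed tree in a temp dir and classify it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return classify_tree(root)


if __name__ == "__main__":
    for rel, (ok, why) in sorted(demo_run().items()):
        print(f"{'COPY ' if ok else 'SKIP '} {rel}: {why}")
```

Run it against a real folder by calling `classify_tree(Path("D:/backup"))` instead of `demo_run()`; anything reported as SKIP stays on the infected machine. The check is by file name only, so it enforces the list in the post and nothing more: it does not detect an infected file with an innocent extension, which is why the post still requires scanning the USB drive afterwards.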


#9 relix

relix
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:04:23 AM

Posted 24 February 2009 - 02:35 AM

Regarding the part you said about Sality being net-aware, does it mean that if I have 2 home computers (one infected and one not), the non-infected one is prone to Sality infection when both are connected to the internet at the same time?

#10 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:11:23 PM

Posted 24 February 2009 - 03:53 AM

Hi

If those two systems are in the same local network and can see each other, then there's a risk, especially if your other system doesn't have up-to-date antivirus protection running.



#11 relix

relix
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:04:23 AM

Posted 28 February 2009 - 09:53 AM

Okay, thank you very much.

I have not reformatted my computer yet, due to the fact that I am very busy with work and there is a lot of stuff that I have to back up; however, it is almost done (about 90%).

Do I post here again after I have reformatted my computer? Thanks a lot.

#12 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:11:23 PM

Posted 28 February 2009 - 12:28 PM

Hi

Yes, you may post, so I know when we can close the topic.



#13 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:11:23 PM

Posted 05 March 2009 - 03:58 PM

Hi

Did you have success with the reformatting task?



#14 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:11:23 PM

Posted 12 March 2009 - 01:59 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a Staff member. Include the address of this thread in your request. This applies only to the original topic starter. Should you have a new issue, please start a New Topic.
