May have Anti Virus XP Pro 2009--trouble clearing it


  • This topic is locked
10 replies to this topic

#1 Guest_z2009_*

Guest_z2009_*

  • Guests

Posted 11 February 2009 - 08:16 PM

Like many others I see here, I'm certain I was infected with malware when my son clicked on a link in MSN Messenger.

It took over my desktop control, added a warning statement about trojans, caused me to lose my task manager permission, occasionally opened a fictitious Anti Virus XP Pro 2009 webpage, and opened up a "My Documents" folder without my consent periodically. I have tried to remove it with Avast, AVG and Malware Bites (or whatever that is called). Some of the symptoms have disappeared, but a few such as no control over my task manager remain. I haven't done anything with my System Restore yet--I'm too afraid it will add it there, if it hasn't already.

Please help!

Here's my DDS logs...


DDS (Ver_09-02-01.01) - NTFSx86
Run by Zora Turner at 19:55:25.82 on Wed 02/11/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.37 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: avast! antivirus 4.8.1229 [VPS 090211-0] *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\V0230Mon.exe
C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\QuickTime\QTTask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AVG\AVG8\aAvgApi.exe
C:\Documents and Settings\Zora Turner\Local Settings\Temporary Internet Files\Content.IE5\E7K22B83\dds[1].scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.ca/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uInternet Settings,ProxyServer = 192.168.1.1:8080
mWinlogon: Userinit=userinit.exe
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {7e853d72-626a-48ec-a868-ba8d5e23e045} - No File
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: {a23ca8a9-47d8-4db1-ae46-0aa018cc576e} - c:\windows\system32\wvUkLBuV.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
TB: MSN: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\01.02.3000.1001\en-us\msntb.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
uRun: [WebCamRT.exe]
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [Free Download Manager] c:\program files\free download manager\fdm.exe -autorun
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
uRun: [igndlm.exe] c:\program files\ign\download manager\DLM.exe /windowsstart /startifwork
uRun: [Creative Live! Cam Manager] "c:\program files\creative\creative live! cam\live! cam manager\CTLCMgr.exe"
uRun: [DellTransferAgent] "c:\documents and settings\all users\application data\dell\transferagent\TransferAgent.exe"
uRun: [Jnskdfmf9eldfd] c:\docume~1\zoratu~1\locals~1\temp\csrssc.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [StandardInstall]
mRun: [gcasServ] "c:\program files\microsoft antispyware\gcasServ.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [drkly16j] rundll32.exe drkly16j.dll,ServiceCheck
mRun: [V0230Mon.exe] c:\windows\V0230Mon.exe
mRun: [AVFX Engine] c:\program files\creative\creative live! cam\videofx\StartFX.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [Windows UDP Control Center] fxstaller.exe
mRun: [Microsoft Update] TASKMGZ.EXE
mRun: [Framework Windows] frmwrk32.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\runnin~1.lnk - c:\program files\wificonnector\NintendoWFCReg.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\jordan\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {fb5f1910-f110-11d2-bb9e-00c04f795683} - c:\program files\messenger\msmsgs.exe
IE: {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {18506D80-9B80-11D4-82C2-0080C8D7ED4A} - hxxp://67.15.101.3/g_bin/eng/roulette_2_0_0_25.cab
DPF: {2019DC25-D1C0-11D6-97B3-0008A124F542} - hxxp://www.streamplug.com/StreamPlug/beta/SP.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by126w.bay126.mail.live.com/mail/resources/MsnPUpld.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} - hxxp://67.15.101.3/g_bin/eng/poker_2_0_0_45.cab
DPF: {8ad9c840-044e-11d1-b3e9-00805f499d93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {cafeefac-0016-0000-0007-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {cafeefac-ffff-ffff-ffff-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} - hxxp://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} - hxxp://messenger.zone.msn.com/binary/Chess.cab57176.cab
DPF: {ECEAD8AE-01D6-11D5-9A39-0080C8D85044} - hxxp://67.15.101.3/g_bin/eng/slots80_2_0_0_33.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
Notify: wvuklbuv - wvUkLBuV.dll
AppInit_DLLs: svscqd.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft.AntiSpyware.ShellExecuteHook.1: {9ef34ff2-3396-4527-9d27-04c8c1c67806} - c:\program files\microsoft antispyware\shellextension.dll
SEH: {a23ca8a9-47d8-4db1-ae46-0aa018cc576e} - c:\windows\system32\wvUkLBuV.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\zoratu~1\applic~1\mozilla\firefox\profiles\ffybwctr.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll

============= SERVICES / DRIVERS ===============

R1 aswsp;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-8-20 78416]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-10 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-2-10 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-10 107272]
R2 aswfsblk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-8-20 20560]
R2 avast! antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-8-20 147640]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-2-10 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-10 298264]
S1 e7996a1b;e7996a1b;c:\windows\system32\drivers\e7996a1b.sys [2008-8-1 0]
S2 EMSLink;EMS Inter-Link driver V3.0;c:\windows\system32\drivers\EM3Link.sys [2005-2-22 6176]
S3 avast! mail scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-8-20 250040]
S3 avast! web scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-8-20 348344]
S3 ewdmaudn;ewdmaudn;c:\docume~1\zoratu~1\locals~1\temp\ewdmaudn.sys [2002-4-29 31744]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-2-11 38496]
S3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [2004-3-22 31872]
S3 V0230Vfx;V0230Vfx;c:\windows\system32\drivers\V0230Vfx.sys [2006-3-24 6272]
S3 V0230VID;Live! Cam Video IM Pro;c:\windows\system32\drivers\V0230VID.sys [2006-9-29 500480]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-02-11 10:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-11 10:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 10:32 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-10 21:55 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-02-10 21:45 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-02-10 21:45 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2009-02-10 21:45 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-02-10 21:44 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-02-10 21:44 <DIR> --d----- c:\docume~1\zoratu~1\applic~1\AVGTOOLBAR
2009-02-10 21:43 <DIR> --d----- c:\program files\AVG
2009-02-10 21:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-02-09 21:54 529 a------- c:\windows\system32\winlogon2.exe
2009-02-09 17:50 479 a------- c:\windows\system32\win32hlp.cnf
2009-02-09 17:18 1 a------- c:\windows\system32\uniq.tll
2009-02-09 17:18 1,025 a------- C:\wbdz.exe
2009-02-09 16:33 208 a------- C:\new.exe
2009-02-09 12:54 <DIR> --d----- c:\windows\system32\kazaabackupfiles
2009-02-09 10:43 5,449 a------- C:\hizzz.exe
2009-02-09 01:28 0 a------- c:\windows\system32\drivers\seneka.sys
2009-02-08 21:21 59 a------- c:\windows\system32\senekagiuirrfu.dat
2009-02-08 21:20 <DIR> --d----- c:\program files\common files\Symantec Shared
2009-02-08 21:20 <DIR> --d----- c:\program files\Norton Security Scan
2009-02-08 21:16 15,785 a------- c:\windows\system32\senekabvdovpbe.dat
2009-02-08 20:00 48,690 ---shr-- c:\windows\fxstaller.exe
2009-02-08 13:51 54,156 a---h--- c:\windows\QTFont.qfn
2009-02-08 13:51 1,409 a------- c:\windows\QTFont.for
2009-02-05 20:17 <DIR> --d----- c:\docume~1\zoratu~1\applic~1\GetRightToGo

==================== Find3M ====================

2009-02-09 22:16 155,116 a------- c:\windows\pchealth\helpctr\config\cache\Personal_32_1033.dat
2009-02-06 08:08 45,754 a------- c:\docume~1\zoratu~1\applic~1\wklnhst.dat
2009-02-05 17:31 34 a------- c:\documents and settings\zora turner\jagex_runescape_preferences.dat
2009-01-16 21:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-19 04:10 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 04:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 00:25 634,024 a------- c:\windows\system32\dllcache\iexplore.exe
2008-12-19 00:23 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-04-28 22:35 65,456 a------- c:\docume~1\zoratu~1\applic~1\GDIPFONTCACHEV1.DAT
2006-02-02 22:12 774,144 a------- c:\program files\RngInterstitial.dll
2005-09-22 18:28 446 a------- c:\program files\INSTALL.LOG
2008-08-19 12:15 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081920080820\index.dat

============= FINISH: 19:56:59.43 ===============
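A triage pass over the "Pseudo HJT Report" section of a DDS log like the one above, added here as an example that is not part of the original thread and not output of the DDS tool: it flags the structural warning signs a helper looks for in such a log (policies that disable Task Manager and regedit, autoruns with no path or launched from a temp directory, a non-empty AppInit_DLLs entry, and one DLL registered under several load points). The sample lines are copied from the posted log; the heuristics and the `Finding` type are assumptions of this example, not DDS behaviour.

```python
import re
from dataclasses import dataclass

# Constructed sample in the DDS "Pseudo HJT Report" format; the entries are
# copied from the log posted above, with a few benign ones kept for contrast.
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = 192.168.1.1:8080
mWinlogon: Userinit=userinit.exe
BHO: {a23ca8a9-47d8-4db1-ae46-0aa018cc576e} - c:\windows\system32\wvUkLBuV.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Jnskdfmf9eldfd] c:\docume~1\zoratu~1\locals~1\temp\csrssc.exe
mRun: [drkly16j] rundll32.exe drkly16j.dll,ServiceCheck
mRun: [StandardInstall]
mRun: [Windows UDP Control Center] fxstaller.exe
mRun: [Microsoft Update] TASKMGZ.EXE
mRun: [Framework Windows] frmwrk32.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-explorer: NoFolderOptions = 1 (0x1)
Notify: igfxcui - igfxsrvc.dll
Notify: wvuklbuv - wvUkLBuV.dll
AppInit_DLLs: svscqd.dll
SEH: {a23ca8a9-47d8-4db1-ae46-0aa018cc576e} - c:\windows\system32\wvUkLBuV.dll
"""

# Policy values that take away the tools a user needs to inspect the machine.
LOCKOUT_POLICIES = {"DisableTaskMgr", "DisableRegistryTools", "NoFolderOptions"}

RUN_RE = re.compile(r"^(?P<hive>[umd])Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
POLICY_RE = re.compile(r"^[umd]Policies-\w+: (?P<key>\w+) = (?P<val>\d+)")
LOADPOINT_RE = re.compile(r"^(?P<kind>BHO|SEH|Notify|AppInit_DLLs):\s*(?P<rest>.*)$")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" = typical infection marker, "review" = confirm with the user
    line: str      # the log line (or DLL name) the finding refers to
    reason: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()


def _dll_in(rest: str) -> str:
    """Lower-cased DLL file name from a BHO/SEH/Notify/AppInit entry.

    Entries look like "{clsid} - path\\x.dll", "name - x.dll" or just "x.dll".
    """
    return _basename(rest.rsplit(" - ", 1)[-1])


def _is_bare(cmd: str) -> bool:
    """True when the command carries no directory at all (found by PATH search)."""
    tokens = cmd.strip().strip('"').split()
    return bool(tokens) and "\\" not in tokens[0] and ":" not in tokens[0]


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    loadpoints: dict[str, set[str]] = {}  # dll basename -> load-point kinds it sits in
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := RUN_RE.match(line):
            cmd = m.group("cmd").strip()
            if not cmd:
                continue  # a name with no command launches nothing
            if "\\temp\\" in cmd.lower():
                findings.append(Finding("high", line, "autorun launches from a temp directory"))
            elif _is_bare(cmd):
                findings.append(Finding("high", line, "autorun has no full path; resolved by PATH search"))
        elif m := POLICY_RE.match(line):
            if m.group("key") in LOCKOUT_POLICIES and m.group("val") != "0":
                findings.append(Finding("high", line, "policy disables a user inspection tool"))
        elif m := LOADPOINT_RE.match(line):
            kind, rest = m.group("kind"), m.group("rest")
            if kind == "AppInit_DLLs":
                findings.append(Finding("high", line, "AppInit_DLLs injects this DLL into every GUI process"))
            loadpoints.setdefault(_dll_in(rest), set()).add(kind)
        elif line.startswith("uInternet Settings,ProxyServer"):
            findings.append(Finding("review", line, "proxy configured; confirm it is intentional"))
    # One DLL hooked into several load points is a persistence pattern worth a look.
    for dll, kinds in loadpoints.items():
        if len(kinds) >= 2:
            findings.append(Finding("high", dll, f"same DLL registered under {sorted(kinds)}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}: {f.line}")
```

On the sample above the pass reports ten high findings and one item for review; the avast and ctfmon autoruns are left alone because they carry full, non-temp paths.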



#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 12 February 2009 - 01:44 AM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from HERE or HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:


It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

After that, double-click and run Combo-Fix. Let it finish its job and post the log here.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 Guest_z2009_*

Guest_z2009_*

  • Guests

Posted 12 February 2009 - 11:15 AM

Okay, I have disabled the programs suggested and run Combo Fix--I should mention that for some reason the "geeks to go" version did not run and said some of its files were corrupted. I used Bleeping Computer's link to Combo Fix instead, and the logs are pasted below. Thanks for your assistance so far. I notice I have use of Task Manager again (but haven't altered anything). Here are the Combo Fix logs:



ComboFix 09-02-11.03 - Zora Turner 2009-02-12 10:25:43.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.152 [GMT -5:00]
Running from: c:\documents and settings\Zora Turner\Desktop\Combo-Fix.exe
AV: avast! antivirus 4.8.1229 [VPS 090212-0] *On-access scanning disabled* (Updated)
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Zora Turner\Desktop\Download programs.url
c:\documents and settings\Zora Turner\Desktop\Games.url
c:\documents and settings\Zora Turner\Desktop\notepad.exe
c:\documents and settings\Zora Turner\Desktop\Translator.url
c:\documents and settings\Zora Turner\Desktop\Videos.url
c:\documents and settings\Zora Turner\Favorites\Download programs.url
c:\documents and settings\Zora Turner\Favorites\Games.url
c:\documents and settings\Zora Turner\Favorites\Translator.url
c:\documents and settings\Zora Turner\Favorites\Videos.url
c:\documents and settings\Zora Turner\Start Menu\Programs\Download programs.url
c:\documents and settings\Zora Turner\Start Menu\Programs\Games.url
c:\documents and settings\Zora Turner\Start Menu\Programs\Translator.url
c:\documents and settings\Zora Turner\Start Menu\Programs\Videos.url
c:\program files\INSTALL.LOG
c:\windows\fxstaller.exe
c:\windows\system32\drivers\fad.sys
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\init32.exe
c:\windows\system32\kazaabackupfiles
c:\windows\system32\senekabvdovpbe.dat
c:\windows\system32\senekagiuirrfu.dat
c:\windows\system32\uniq.tll
c:\windows\system32\win32hlp.cnf
c:\windows\system32\winlogon2.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SENEKA
-------\Service_seneka


((((((((((((((((((((((((( Files Created from 2009-01-12 to 2009-02-12 )))))))))))))))))))))))))))))))
.

2009-02-11 10:32 . 2009-02-11 10:32 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-11 10:32 . 2009-01-14 16:11 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-02-11 10:32 . 2009-01-14 16:11 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-02-10 21:55 . 2009-02-12 09:08 <DIR> d--h----- C:\$AVG8.VAULT$
2009-02-10 21:45 . 2009-02-10 21:45 325,128 --a------ c:\windows\SYSTEM32\DRIVERS\avgldx86.sys
2009-02-10 21:45 . 2009-02-10 21:45 107,272 --a------ c:\windows\SYSTEM32\DRIVERS\avgtdix.sys
2009-02-10 21:45 . 2009-02-10 21:45 10,520 --a------ c:\windows\SYSTEM32\avgrsstx.dll
2009-02-10 21:44 . 2009-02-12 09:55 <DIR> d-------- c:\windows\SYSTEM32\DRIVERS\Avg
2009-02-10 21:44 . 2009-02-11 09:00 <DIR> d-------- c:\documents and settings\Zora Turner\Application Data\AVGTOOLBAR
2009-02-10 21:43 . 2009-02-10 21:43 <DIR> d-------- c:\program files\AVG
2009-02-10 21:43 . 2009-02-11 09:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-02-09 17:18 . 2009-02-09 17:18 1,025 --a------ C:\wbdz.exe
2009-02-09 16:33 . 2009-02-09 16:33 208 --a------ C:\new.exe
2009-02-09 10:43 . 2009-02-09 13:04 5,449 --a------ C:\hizzz.exe
2009-02-08 21:20 . 2009-02-09 20:47 <DIR> d-------- c:\program files\Norton Security Scan
2009-02-08 21:20 . 2009-02-09 20:59 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2009-02-08 13:51 . 2009-02-08 13:51 54,156 --ah----- c:\windows\QTFont.qfn
2009-02-08 13:51 . 2009-02-08 13:51 1,409 --a------ c:\windows\QTFont.for
2009-02-05 20:17 . 2009-02-06 17:52 <DIR> d-------- c:\documents and settings\Zora Turner\Application Data\GetRightToGo
2009-01-23 15:04 . 2009-01-23 15:09 <DIR> d-------- c:\documents and settings\Temporary\Application Data\muvee Technologies

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-12 15:48 --------- d-----w c:\program files\Microsoft AntiSpyware
2009-02-06 13:08 45,754 ----a-w c:\documents and settings\Zora Turner\Application Data\wklnhst.dat
2009-02-05 22:31 34 ----a-w c:\documents and settings\Zora Turner\jagex_runescape_preferences.dat
2009-02-04 21:54 34 ----a-w c:\documents and settings\Temporary\jagex_runescape_preferences.dat
2009-01-25 14:33 --------- d-----w c:\program files\Google
2009-01-23 19:17 --------- d-----w c:\program files\LimeWire
2009-01-20 22:21 --------- d--h--w c:\program files\InstallShield Installation Information
2008-09-11 12:11 42 ----a-w c:\documents and settings\Temporary\Application Data\wklnhst.dat
2008-04-29 03:35 65,456 ----a-w c:\documents and settings\Zora Turner\Application Data\GDIPFONTCACHEV1.DAT
2007-02-25 20:13 142 ----a-w c:\documents and settings\kidsadmin\Application Data\wklnhst.dat
2006-02-03 03:12 774,144 ----a-w c:\program files\RngInterstitial.dll
2009-02-11 23:53 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2009-02-11 23:53 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2009-02-11 23:53 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2009-02-11 23:54 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2009-02-11 23:54 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-08-19 17:15 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008081920080820\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"igndlm.exe"="c:\program files\IGN\Download Manager\DLM.exe" [2007-03-05 1103480]
"Creative Live! Cam Manager"="c:\program files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe" [2006-05-31 143360]
"DellTransferAgent"="c:\documents and settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 135168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-26 204800]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-12-05 50688]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"gcasServ"="c:\program files\Microsoft AntiSpyware\gcasServ.exe" [2005-07-12 473928]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-04-25 180269]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-03-02 257088]
"V0230Mon.exe"="c:\windows\V0230Mon.exe" [2006-09-07 32768]
"AVFX Engine"="c:\program files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-06-09 24576]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-01-10 385024]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-10 1601304]

c:\documents and settings\Jordan\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2007-01-29 122880]

c:\documents and settings\Temporary\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2007-01-29 122880]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-03-31 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 53248]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - c:\program files\WiFiConnector\NintendoWFCReg.exe [2007-11-26 1073152]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-10 21:45 10520 c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=svscqd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv31"= c:\windows\system32\ir32_32.dll
"vidc.iv32"= c:\windows\system32\ir32_32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mnmsrvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\rtcshare.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\SYSTEM32\\dpvsetup.exe"=
"c:\\Program Files\\LimeWire1\\LimeWire.exe"=
"c:\\Program Files\\TrackMania Nations ESWC\\TmNationsESWC.exe"=
"c:\\Games\\Diablo\\Spawn\\TrackMania Nations ESWC\\TmNationsESWC.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=
"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"c:\\Program Files\\Microsoft Games\\Halo Trial\\halo.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\SightSpeed\\SightSpeed.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\TightVNC\\WinVNC.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8080:TCP"= 8080:TCP:Z

R1 aswsp;avast! Self Protection;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [2008-08-20 78416]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [2009-02-10 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [2009-02-10 107272]
R2 aswfsblk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [2008-08-20 20560]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-02-10 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-10 298264]
S1 e7996a1b;e7996a1b;c:\windows\SYSTEM32\DRIVERS\e7996a1b.sys [2008-08-01 0]
S2 EMSLink;EMS Inter-Link driver V3.0;c:\windows\SYSTEM32\DRIVERS\EM3Link.sys [2005-02-22 6176]
S3 ewdmaudn;ewdmaudn;\??\c:\docume~1\ZORATU~1\LOCALS~1\Temp\ewdmaudn.sys --> c:\docume~1\ZORATU~1\LOCALS~1\Temp\ewdmaudn.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys [2009-02-11 38496]
S3 QCEmerald;Logitech QuickCam Web;c:\windows\SYSTEM32\DRIVERS\OVCE.sys [2004-03-22 31872]
S3 V0230Vfx;V0230Vfx;c:\windows\SYSTEM32\DRIVERS\V0230Vfx.sys [2006-03-24 6272]
S3 V0230VID;Live! Cam Video IM Pro;c:\windows\SYSTEM32\DRIVERS\V0230VID.sys [2006-09-29 500480]

--- Other Services/Drivers In Memory ---

*Deregistered* - wuauserv
*Deregistered* - WZCSVC
.
Contents of the 'Scheduled Tasks' folder

2009-02-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2009-02-11 c:\windows\Tasks\Norton Security Scan for Temporary.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 04:18]
.
- - - - ORPHANS REMOVED - - - -

BHO-{a23ca8a9-47d8-4db1-ae46-0aa018cc576e} - c:\windows\system32\wvUkLBuV.dll
HKCU-Run-Free Download Manager - c:\program files\Free Download Manager\fdm.exe
HKCU-Run-WebCamRT.exe - (no file)
HKLM-Run-StandardInstall - (no file)
HKLM-Run-drkly16j - drkly16j.dll
ShellExecuteHooks-{A23CA8A9-47D8-4DB1-AE46-0AA018CC576E} - c:\windows\system32\wvUkLBuV.dll
Notify-wvuklbuv - wvUkLBuV.dll


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.ca/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uInternet Settings,ProxyServer = 192.168.1.1:8080
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Jordan\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {18506D80-9B80-11D4-82C2-0080C8D7ED4A} - hxxp://67.15.101.3/g_bin/eng/roulette_2_0_0_25.cab
DPF: {ECEAD8AE-01D6-11D5-9A39-0080C8D85044} - hxxp://67.15.101.3/g_bin/eng/slots80_2_0_0_33.cab
FF - ProfilePath - c:\documents and settings\Zora Turner\Application Data\Mozilla\Firefox\Profiles\ffybwctr.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-12 10:48:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-69087924-417629898-1209147006-1007\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\SYSTEM32\DRIVERS\KodakCCS.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Microsoft AntiSpyware\gcasDtServ.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\program files\Java\jre1.6.0_07\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-02-12 11:05:56 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-12 16:04:32

Pre-Run: 36,023,300,096 bytes free
Post-Run: 36,673,130,496 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

258 --- E O F --- 2009-02-11 23:05:06

#4 fenzodahl512

  • Members
  • 6,738 posts

Posted 12 February 2009 - 12:34 PM

Please visit this site and upload the files below.. In the comment section, just say "fenzodahl512 asked to upload the file"

C:\wbdz.exe
C:\new.exe
C:\hizzz.exe




Please show hidden files and folders
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box at the top of the page:
    • c:\StubInstaller.exe
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
If VirScan.org server is too busy, please submit the file to VirusTotal instead.





1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
e7996a1b
ewdmaudn

File::
C:\wbdz.exe
C:\new.exe
C:\hizzz.exe
c:\windows\SYSTEM32\DRIVERS\e7996a1b.sys
C:\Documents and Settings\Zora Turner\Local Settings\temp\ewdmaudn.sys

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

RegNull::
[HKEY_USERS\S-1-5-21-69087924-417629898-1209147006-1007\Software\Microsoft\SystemCertificates\AddressBook*]

RegLock::
[HKEY_USERS\S-1-5-21-69087924-417629898-1209147006-1007\Software\Microsoft\SystemCertificates\AddressBook*]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • VirScan.org report.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
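The CFScript above targets exactly what a practised reader picks out of the DDS log earlier in this thread: a non-empty AppInit_DLLs, a zero-byte driver, a driver loading from a Temp folder, the firewall switched off, a globally open port and a proxy. As an added example (not ComboFix, DDS or any BleepingComputer tooling), the Python script below parses those line shapes from an excerpt of the posted log and flags them; the indicator names and the heuristics are the example's own, and the root-level-exception check on the firewall list is an assumption drawn from the helper's request to scan c:\StubInstaller.exe.

```python
"""Triage a DDS / ComboFix log for the indicators a malware-removal helper acts on.
Example code written for this page, not part of DDS, ComboFix or BleepingComputer's
tooling; it handles only the line shapes visible in this thread."""
import re
from typing import List, Tuple

# Driver/service lines:       S1 name;display;path [YYYY-MM-DD size]
# or, when the file is gone:  S3 name;display;\??\path --> path [?]
_SERVICE_RE = re.compile(r"^[RS][0-4]\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
_STAMP_RE = re.compile(r"\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]\s*$")
_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
_ROOT_FILE_RE = re.compile(r"^[a-z]:\\[^\\]+$", re.IGNORECASE)  # e.g. c:\foo.exe

Finding = Tuple[str, str]  # (indicator, detail); indicator names are this example's own

def _check_registry_value(key: str, name: str, value: str, out: List[Finding]) -> None:
    """Flag registry values that weaken the host or add a load point."""
    # AppInit_DLLs loads the named DLL into every process that maps user32.dll.
    if key.endswith(r"windows nt\currentversion\windows") and name.lower() == "appinit_dlls":
        if value.strip('"'):
            out.append(("appinit_dlls", value))
    elif key.endswith(r"firewallpolicy\standardprofile") and name.lower() == "enablefirewall":
        if value.startswith("0"):
            out.append(("firewall_disabled", name))
    elif key.endswith(r"globallyopenports\list"):
        out.append(("open_port", name))
    elif key.endswith(r"authorizedapplications\list"):
        path = name.replace("\\\\", "\\")  # DDS doubles the backslashes in these names
        if _ROOT_FILE_RE.match(path):  # an executable sitting directly in the drive root
            out.append(("root_level_firewall_exception", path))

def _check_service(match, out: List[Finding]) -> None:
    """Flag drivers that are zero bytes, already missing, or load from a Temp folder."""
    name, rest = match.group("name"), match.group("rest")
    stamp = _STAMP_RE.search(rest)
    if stamp is None:
        if rest.rstrip().endswith("[?]"):
            out.append(("driver_file_missing", name))
    elif int(stamp.group("size")) == 0:
        out.append(("zero_byte_driver", name))
    if "\\temp\\" in rest.lower():
        out.append(("driver_in_temp", name))

def triage(log: str) -> List[Finding]:
    """Walk the log once, remembering the current registry key for the value lines."""
    findings: List[Finding] = []
    current_key = ""
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = _KEY_RE.match(line)
        if key:
            current_key = key.group("key").lower()
            continue
        value = _VALUE_RE.match(line)
        if value and current_key:
            _check_registry_value(current_key, value.group("name"),
                                  value.group("value").strip(), findings)
            continue
        svc = _SERVICE_RE.match(line)
        if svc:
            _check_service(svc, findings)
            continue
        if line.lower().startswith("uinternet settings,proxyserver"):
            findings.append(("proxy_server", line.split("=", 1)[1].strip()))
    return findings

# Constructed excerpt: the relevant lines copied from the DDS log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=svscqd.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\StubInstaller.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8080:TCP"= 8080:TCP:Z
R1 aswsp;avast! Self Protection;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [2008-08-20 78416]
S1 e7996a1b;e7996a1b;c:\windows\SYSTEM32\DRIVERS\e7996a1b.sys [2008-08-01 0]
S3 ewdmaudn;ewdmaudn;\??\c:\docume~1\ZORATU~1\LOCALS~1\Temp\ewdmaudn.sys --> c:\docume~1\ZORATU~1\LOCALS~1\Temp\ewdmaudn.sys [?]
uInternet Settings,ProxyServer = 192.168.1.1:8080
"""

if __name__ == "__main__":
    for indicator, detail in triage(SAMPLE_LOG):
        print(f"{indicator:30} {detail}")
```

Running the same function over the ComboFix log posted after the script ran is a quick way to confirm that the driver, file and AppInit_DLLs findings are gone.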


#5 Guest_z2009_*

  • Guests

Posted 13 February 2009 - 08:05 AM

After copying the virus scan log over to Combo-fix, Combo-fix ran and did need to restart my computer. After restart my avast turned itself back on, and Combo-fix advised me to shut it off. I did so. Combo-fix didn't produce a report however. When I tried double clicking on it again it asked me to save it as a different name. I wasn't sure what would happen then, so I went to the link in your first message and ran Combo fix from there (new). Then I saved it as Combo fix without the hyphen since it wouldn't let me save it with the same hyphenated name as my first log.

I don't know if any of this makes a difference, but thought I'd share it with you anyway.

Here are the two logs you requested in your last message....

VirSCAN.org Scanned Report :
Scanned time : 2009/01/29 22:44:24 (CST)
Scanner results: All Scanners reported not find malware!
File Name : StubInstaller.exe
File Size : 700416 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : e2e6b01d43c2555b1be3f46d8297d409
SHA1 : 1c34be3da6e0f3dd64a9aa6d3aebb40e6a7b8b93
Online report : http://virscan.org/report/058301faefeb9695...64fc6aa1ee.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.29 20090128170451 2009-01-28 2.85 -
AhnLab V3 2009.01.30.00 2009.01.30 2009-01-30 1.54 -
AntiVir 7.9.0.60 7.1.1.203 2009-01-29 1.94 -
Antiy 2.0.18 20090118.2063925 2009-01-18 0.02 -
Authentium 5.1.1 200901292201 2009-01-29 1.14 -
AVAST! 3.0.1 090129-0 2009-01-29 0.00 -
AVG 7.5.52.442 270.10.15/1924 2009-01-29 1.87 -
BitDefender 7.81008.2620479 7.23388 2009-01-30 2.47 -
CA (VET) 9.0.0.143 31.6.6335 2009-01-30 5.80 -
ClamAV 0.94.2 8920 2009-01-30 0.13 -
Comodo 3.0 952 2009-01-29 0.94 -
CP Secure 1.1.0.715 2009.01.29 2009-01-29 6.92 -
Dr.Web 4.44.0.9170 2009.01.30 2009-01-30 4.17 -
F-Prot 4.4.4.56 20090129 2009-01-29 1.13 -
F-Secure 5.51.6100 2009.01.30.01 2009-01-30 4.53 -
Fortinet 2.81-3.117 9.979 2009-01-29 0.45 -
GData 19.2644/19.202 20090130 2009-01-30 6.08 -
ViRobot 20090129 2009.01.29 2009-01-29 0.41 -
Ikarus T3.1.01.45 2009.01.30.72231 2009-01-30 3.85 -
JiangMin 11.0.706 2009.01.29 2009-01-29 2.95 -
Kaspersky 5.5.10 2009.01.30 2009-01-30 0.09 -
KingSoft 2008.9.8.18 2009.1.30.9 2009-01-30 0.61 -
McAfee 5.3.00 5510 2009-01-29 3.00 -
Microsoft 1.4205 2009.01.29 2009-01-29 7.35 -
mks_vir 2.01 2009.01.29 2009-01-29 2.79 -
Norman 5.93.01 5.93.00 2009-01-20 6.87 -
Panda 9.05.01 2009.01.29 2009-01-29 3.38 -
Trend Micro 8.700-1004 5.806.01 2009-01-29 0.04 -
Quick Heal 10.00 2009.01.30 2009-01-30 1.04 -
Rising 20.0 21.14.40.00 2009-01-30 0.84 -
Sophos 2.83.3 4.38 2009-01-30 2.28 -
Sunbelt 4786 4786 2009-01-28 0.84 -
Symantec 1.3.0.24 20090129.003 2009-01-29 0.25 -
nProtect 20090129.01 3074762 2009-01-29 10.85 -
The Hacker 6.3.1.5 v00234 2009-01-29 1.03 -
VBA32 3.12.8.11 20090129.1546 2009-01-29 1.79 -
VirusBuster 4.5.11.10 10.100.42/784779 2009-01-29 1.18 -


ComboFix 09-02-12.03 - Zora Turner 2009-02-13 4:36:09.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.126 [GMT -5:00]
Running from: c:\documents and settings\Zora Turner\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1229 [VPS 090212-0] *On-access scanning disabled* (Updated)
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\hizzz.exe
C:\new.exe
C:\wbdz.exe
c:\windows\SYSTEM32\DRIVERS\e7996a1b.sys
c:\windows\system32\pdtqfkrn.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EWDMAUDN
-------\Service_e7996a1b
-------\Service_ewdmaudn


((((((((((((((((((((((((( Files Created from 2009-01-13 to 2009-02-13 )))))))))))))))))))))))))))))))
.

2009-02-13 03:51 . 2009-02-13 04:24 <DIR> d-------- C:\Combo-Fix
2009-02-11 10:32 . 2009-02-11 10:32 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-11 10:32 . 2009-01-14 16:11 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-02-11 10:32 . 2009-01-14 16:11 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-02-10 21:55 . 2009-02-12 13:36 <DIR> d--h----- C:\$AVG8.VAULT$
2009-02-10 21:45 . 2009-02-10 21:45 325,128 --a------ c:\windows\SYSTEM32\DRIVERS\avgldx86.sys
2009-02-10 21:45 . 2009-02-10 21:45 107,272 --a------ c:\windows\SYSTEM32\DRIVERS\avgtdix.sys
2009-02-10 21:45 . 2009-02-10 21:45 10,520 --a------ c:\windows\SYSTEM32\avgrsstx.dll
2009-02-10 21:44 . 2009-02-12 09:55 <DIR> d-------- c:\windows\SYSTEM32\DRIVERS\Avg
2009-02-10 21:44 . 2009-02-11 09:00 <DIR> d-------- c:\documents and settings\Zora Turner\Application Data\AVGTOOLBAR
2009-02-10 21:43 . 2009-02-10 21:43 <DIR> d-------- c:\program files\AVG
2009-02-10 21:43 . 2009-02-11 09:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-02-08 21:20 . 2009-02-09 20:47 <DIR> d-------- c:\program files\Norton Security Scan
2009-02-08 21:20 . 2009-02-09 20:59 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2009-02-08 13:51 . 2009-02-08 13:51 54,156 --ah----- c:\windows\QTFont.qfn
2009-02-08 13:51 . 2009-02-08 13:51 1,409 --a------ c:\windows\QTFont.for
2009-02-05 20:17 . 2009-02-06 17:52 <DIR> d-------- c:\documents and settings\Zora Turner\Application Data\GetRightToGo
2009-01-23 15:04 . 2009-01-23 15:09 <DIR> d-------- c:\documents and settings\Temporary\Application Data\muvee Technologies

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-13 09:14 --------- d-----w c:\program files\Microsoft AntiSpyware
2009-02-06 13:08 45,754 ----a-w c:\documents and settings\Zora Turner\Application Data\wklnhst.dat
2009-02-05 22:31 34 ----a-w c:\documents and settings\Zora Turner\jagex_runescape_preferences.dat
2009-02-04 21:54 34 ----a-w c:\documents and settings\Temporary\jagex_runescape_preferences.dat
2009-01-25 14:33 --------- d-----w c:\program files\Google
2009-01-23 19:17 --------- d-----w c:\program files\LimeWire
2009-01-20 22:21 --------- d--h--w c:\program files\InstallShield Installation Information
2008-09-11 12:11 42 ----a-w c:\documents and settings\Temporary\Application Data\wklnhst.dat
2008-04-29 03:35 65,456 ----a-w c:\documents and settings\Zora Turner\Application Data\GDIPFONTCACHEV1.DAT
2007-02-25 20:13 142 ----a-w c:\documents and settings\kidsadmin\Application Data\wklnhst.dat
2006-02-03 03:12 774,144 ----a-w c:\program files\RngInterstitial.dll
2009-02-11 23:53 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2009-02-11 23:53 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2009-02-11 23:53 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2009-02-11 23:54 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2009-02-11 23:54 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-08-19 17:15 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008081920080820\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-02-12_11.01.11.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-13 09:09:34 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_5dc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"igndlm.exe"="c:\program files\IGN\Download Manager\DLM.exe" [2007-03-05 1103480]
"Creative Live! Cam Manager"="c:\program files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe" [2006-05-31 143360]
"DellTransferAgent"="c:\documents and settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 135168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-26 204800]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-12-05 50688]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"gcasServ"="c:\program files\Microsoft AntiSpyware\gcasServ.exe" [2005-07-12 473928]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-04-25 180269]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-03-02 257088]
"V0230Mon.exe"="c:\windows\V0230Mon.exe" [2006-09-07 32768]
"AVFX Engine"="c:\program files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-06-09 24576]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-01-10 385024]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-10 1601304]

c:\documents and settings\Jordan\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2007-01-29 122880]

c:\documents and settings\Temporary\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2007-01-29 122880]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-03-31 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 53248]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - c:\program files\WiFiConnector\NintendoWFCReg.exe [2007-11-26 1073152]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-10 21:45 10520 c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv31"= c:\windows\system32\ir32_32.dll
"vidc.iv32"= c:\windows\system32\ir32_32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mnmsrvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\rtcshare.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\SYSTEM32\\dpvsetup.exe"=
"c:\\Program Files\\LimeWire1\\LimeWire.exe"=
"c:\\Program Files\\TrackMania Nations ESWC\\TmNationsESWC.exe"=
"c:\\Games\\Diablo\\Spawn\\TrackMania Nations ESWC\\TmNationsESWC.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=
"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"c:\\Program Files\\Microsoft Games\\Halo Trial\\halo.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\SightSpeed\\SightSpeed.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\TightVNC\\WinVNC.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8080:TCP"= 8080:TCP:Z

R1 aswsp;avast! Self Protection;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [2008-08-20 78416]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [2009-02-10 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [2009-02-10 107272]
R2 aswfsblk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [2008-08-20 20560]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-02-10 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-10 298264]
S2 EMSLink;EMS Inter-Link driver V3.0;c:\windows\SYSTEM32\DRIVERS\EM3Link.sys [2005-02-22 6176]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys [2009-02-11 38496]
S3 QCEmerald;Logitech QuickCam Web;c:\windows\SYSTEM32\DRIVERS\OVCE.sys [2004-03-22 31872]
S3 V0230Vfx;V0230Vfx;c:\windows\SYSTEM32\DRIVERS\V0230Vfx.sys [2006-03-24 6272]
S3 V0230VID;Live! Cam Video IM Pro;c:\windows\SYSTEM32\DRIVERS\V0230VID.sys [2006-09-29 500480]
.
Contents of the 'Scheduled Tasks' folder

2009-02-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2009-02-11 c:\windows\Tasks\Norton Security Scan for Temporary.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 04:18]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.ca/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uInternet Settings,ProxyServer = 192.168.1.1:8080
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Jordan\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {18506D80-9B80-11D4-82C2-0080C8D7ED4A} - hxxp://67.15.101.3/g_bin/eng/roulette_2_0_0_25.cab
DPF: {ECEAD8AE-01D6-11D5-9A39-0080C8D85044} - hxxp://67.15.101.3/g_bin/eng/slots80_2_0_0_33.cab
FF - ProfilePath - c:\documents and settings\Zora Turner\Application Data\Mozilla\Firefox\Profiles\ffybwctr.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-13 04:47:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-69087924-417629898-1209147006-1007\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2009-02-13 5:04:56
ComboFix-quarantined-files.txt 2009-02-13 10:03:35
ComboFix2.txt 2009-02-12 16:05:59

Pre-Run: 37,409,644,544 bytes free
Post-Run: 37,397,745,664 bytes free

206 --- E O F --- 2009-02-11 23:05:06

#6 fenzodahl512

  • Members
  • 6,738 posts

Posted 13 February 2009 - 12:03 PM

I need to confirm something.. Let's do this...


Please download GMER and unzip it to your Desktop. <<mirror>>
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results into a Notepad >> save it and attach in this thread.



#7 Guest_z2009_*

  • Guests

Posted 16 February 2009 - 07:37 AM

Gmer log attached as requested...




#8 fenzodahl512

  • Members
  • 6,738 posts

Posted 16 February 2009 - 10:33 AM

Looks good.. Let's run an online scan to make sure we get them all


Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

How's the computer now? :)



#9 Guest_z2009_*

  • Guests

Posted 17 February 2009 - 09:24 AM

The computer is definitely running better with normal functioning now--thank you very much.

When I go to do the ESET scan, after agreeing to terms, it does ask me to install a file, but there is no start button to press again (as suggested). Should I install the file to see if I can then run the scan? The image is not showing up at all actually--maybe that's why I cannot see a "Start" button (?).

It asks to install the 'OnlineScanner.cab' from 'ESET, spol. s.o'

#10 fenzodahl512

  • Members
  • 6,738 posts

Posted 17 February 2009 - 10:08 AM

If it is indeed from ESET, just install it.. Otherwise we can always use an alternative scanner



#11 fenzodahl512

  • Members
  • 6,738 posts

Posted 25 February 2009 - 07:43 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
