Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Might have trojan. Don't know...


  • This topic is locked This topic is locked
18 replies to this topic

#1 sv19

sv19

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:12:59 AM

Posted 11 March 2009 - 05:56 AM

Okay my mom posted in the forum about the problem. I open an e-mail that I thought was from my dad and it had a link to d/l something, which I did. Something called SWfree.exe as an appication. Anyway it won't let run my McAfee anti-virus. So I think the thing has a trojan of some sort. Here is the Hijack This log.


DDS (Ver_09-02-01.01) - NTFSx86
Run by GX150 at 6:46:15.65 on Wed 03/11/2009
Internet Explorer: 6.0.2800.1106
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.190.56 [GMT -5:00]


============== Running Processes ===============

C:\WINNT\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\igfxtray.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\GX150\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
mStart Page = hxxp://www.yahoo.com/
mDefault_Page_URL = hxxp://www.yahoo.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: NoExplorer - No File
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\system32\browseui.dll
uRun: [Aim6]
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRunOnce: [Shockwave Updater] c:\winnt\system32\adobe\shockw~1\SWHELP~2.EXE -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" -"http://mp47.slingo.com/shockscreen2.asp?shost=mp47.slingo.com&sport=29000&susername=sv19&spassword=city14&roomname=Mixed%20Matrix%2010K%20-%20Leagues%20&gameid=63"
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [IgfxTray] c:\winnt\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\winnt\system32\hkcmd.exe
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
StartupFolder: c:\docume~1\gx150\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.4\program\quickstart.exe
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZRxdm429QUUS
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/PopularScreenSaversInitialSetup1.0.1.1.exe
DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1220820318622
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://l.yimg.com/jh/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
TCP: NameServer = 85.255.112.120,85.255.112.83
TCP: {10BCD621-B383-4050-99A3-7E3C65EB38CF} = 85.255.112.120,85.255.112.83

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\winnt\system32\drivers\mfehidk.sys [2009-3-11 201320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-3-11 358224]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-3-11 144704]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-1-18 24652]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\system32\drivers\el90xbc5.sys [2008-4-8 61712]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-3-11 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\winnt\system32\drivers\mfeavfk.sys [2009-3-11 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\winnt\system32\drivers\mfebopk.sys [2009-3-11 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\winnt\system32\drivers\mfesmfk.sys [2009-3-11 40488]
S2 0057921236766828mcinstcleanup;McAfee Application Installer Cleanup (0057921236766828);c:\docume~1\gx150\locals~1\temp\005792~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\gx150\locals~1\temp\005792~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\winnt\system32\drivers\mferkdk.sys [2009-3-11 33832]

=============== Created Last 30 ================

2009-03-11 06:26 16,384 a------t c:\winnt\system32\Perflib_Perfdata_3f4.dat
2009-03-11 06:24 627 a------- c:\winnt\system32\Config.MPF
2009-03-11 05:24 143,360 a------- c:\winnt\system32\dunzip32.dll
2009-03-11 05:20 33,832 a------- c:\winnt\system32\drivers\mferkdk.sys
2009-03-11 05:20 40,488 a------- c:\winnt\system32\drivers\mfesmfk.sys
2009-03-11 05:20 79,304 a------- c:\winnt\system32\drivers\mfeavfk.sys
2009-03-11 05:20 35,240 a------- c:\winnt\system32\drivers\mfebopk.sys
2009-03-11 05:20 201,320 a------- c:\winnt\system32\drivers\mfehidk.sys
2009-03-11 05:20 113,952 a------- c:\winnt\system32\drivers\Mpfp.sys
2009-03-11 05:19 <DIR> --d----- c:\program files\McAfee.com
2009-03-11 05:19 <DIR> --d----- c:\program files\common files\McAfee
2009-03-11 05:19 <DIR> --d----- c:\program files\McAfee
2009-03-11 05:07 16,384 a------t c:\winnt\system32\Perflib_Perfdata_1f0.dat
2009-03-11 05:05 464,946 ----h--- c:\winnt\ShellIconCache
2009-03-11 04:52 <DIR> --d----- c:\program files\common files\Scanner
2009-03-11 04:52 <DIR> --d----- c:\program files\CA Yahoo! Anti-Spy
2009-03-11 04:37 16,384 a------t c:\winnt\system32\Perflib_Perfdata_1e8.dat
2009-03-11 02:13 16,384 a------t c:\winnt\system32\Perflib_Perfdata_4c8.dat
2009-03-11 02:08 16,384 a------t c:\winnt\system32\Perflib_Perfdata_4c0.dat
2009-03-10 22:58 16,384 a------t c:\winnt\system32\Perflib_Perfdata_294.dat
2009-03-10 20:10 16,384 a------t c:\winnt\system32\Perflib_Perfdata_42c.dat
2009-03-10 20:01 16,384 a------t c:\winnt\system32\Perflib_Perfdata_1e4.dat
2009-03-10 19:57 379 ---shr-- C:\autorun.inf
2009-03-08 07:49 16,384 a------t c:\winnt\system32\Perflib_Perfdata_43c.dat
2009-03-08 06:44 16,384 a------t c:\winnt\system32\Perflib_Perfdata_1e0.dat
2009-03-06 23:42 <DIR> --d----- c:\program files\Wonderland Online
2009-03-06 01:23 740,192,774 a------- C:\wl_setup_3.0.1.exe
2009-02-24 19:02 16,384 a------t c:\winnt\system32\Perflib_Perfdata_438.dat
2009-02-16 10:02 16,384 a------t c:\winnt\system32\Perflib_Perfdata_40c.dat

==================== Find3M ====================

2009-02-08 11:16 1,644,784 a------- c:\winnt\system32\WIN32K.SYS
2009-02-02 12:24 16,384 a------t c:\winnt\system32\Perflib_Perfdata_444.dat
2009-02-02 12:19 16,384 a------t c:\winnt\system32\Perflib_Perfdata_1f8.dat
2009-02-01 15:15 16,384 a------t c:\winnt\system32\Perflib_Perfdata_440.dat
2009-02-01 15:10 16,384 a------t c:\winnt\system32\Perflib_Perfdata_220.dat
2009-01-28 12:31 16,384 a------t c:\winnt\system32\Perflib_Perfdata_204.dat
2009-01-07 16:31 16,384 a------t c:\winnt\system32\Perflib_Perfdata_4ac.dat
2008-12-31 07:32 591,296 a------- C:\WebmailPlugin.dll
2008-12-24 20:58 5,704 a------- c:\winnt\DiabUnin.dat
2008-12-24 20:58 118,784 a------- c:\winnt\DiabUnin.exe
2008-12-24 20:58 2,829 a------- c:\winnt\DiabUnin.pif
2008-12-14 13:05 410,984 a------- c:\winnt\system32\deploytk.dll
2008-04-08 17:06 21,952 ----h--- c:\program files\folder.htt
2008-04-08 17:06 271 ----h--- c:\program files\desktop.ini
2003-06-18 07:00 32,528 a------- c:\winnt\inf\wbfirdma.sys

============= FINISH: 6:46:55.67 ===============


Please help if you can. Thanks in advance.

Attached Files



BC AdBot (Login to Remove)

 


#2 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Members
  • 19,461 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:65 miles due East of the &quot;Logic Free Zone&quot;, in Md, USA
  • Local time:12:59 AM

Posted 22 March 2009 - 10:41 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 sv19

sv19
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:12:59 AM

Posted 22 March 2009 - 11:12 PM

Thank you for replying. Here's a new HJT log.


DDS (Ver_09-02-01.01) - NTFSx86
Run by GX150 at 0:08:42.22 on Mon 03/23/2009
Internet Explorer: 6.0.2800.1106
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.190.78 [GMT -5:00]


============== Running Processes ===============

C:\WINNT\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\GX150\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
mStart Page = hxxp://www.yahoo.com/
mDefault_Page_URL = hxxp://www.yahoo.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: NoExplorer - No File
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\system32\browseui.dll
uRun: [Aim6]
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRunOnce: [Shockwave Updater] c:\winnt\system32\adobe\shockw~1\SWHELP~2.EXE -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" -"http://mp47.slingo.com/shockscreen2.asp?shost=mp47.slingo.com&sport=29000&susername=sv19&spassword=city14&roomname=Mixed%20Matrix%2010K%20-%20Leagues%20&gameid=63"
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
StartupFolder: c:\docume~1\gx150\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.4\program\quickstart.exe
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZRxdm429QUUS
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/PopularScreenSaversInitialSetup1.0.1.1.exe
DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1220820318622
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://l.yimg.com/jh/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
TCP: NameServer = 85.255.112.120,85.255.112.83
TCP: {10BCD621-B383-4050-99A3-7E3C65EB38CF} = 85.255.112.120,85.255.112.83

============= SERVICES / DRIVERS ===============

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-1-18 24652]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\system32\drivers\el90xbc5.sys [2008-4-8 61712]

=============== Created Last 30 ================

2009-03-21 12:05 16,384 a------t c:\winnt\system32\Perflib_Perfdata_1e4.dat
2009-03-18 08:21 16,384 a------t c:\winnt\system32\Perflib_Perfdata_400.dat
2009-03-17 18:03 16,384 a------t c:\winnt\system32\Perflib_Perfdata_1a4.dat
2009-03-17 18:02 16,384 a------t c:\winnt\system32\Perflib_Perfdata_27c.dat
2009-03-17 02:42 16,384 a------t c:\winnt\system32\Perflib_Perfdata_278.dat
2009-03-16 16:53 16,384 a------t c:\winnt\system32\Perflib_Perfdata_1e0.dat
2009-03-16 08:48 16,384 a------t c:\winnt\system32\Perflib_Perfdata_274.dat
2009-03-13 07:41 16,384 a------t c:\winnt\system32\Perflib_Perfdata_1e8.dat
2009-03-12 09:27 376,812 ----h--- c:\winnt\ShellIconCache
2009-03-12 07:52 16,384 a------t c:\winnt\system32\Perflib_Perfdata_574.dat
2009-03-12 04:06 16,384 a------t c:\winnt\system32\Perflib_Perfdata_3ac.dat
2009-03-11 12:57 15,504 a------- c:\winnt\system32\drivers\mbam.sys
2009-03-11 12:56 38,496 a------- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-03-11 12:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-11 12:56 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-11 10:35 16,384 a------t c:\winnt\system32\Perflib_Perfdata_3d4.dat
2009-03-11 06:26 16,384 a------t c:\winnt\system32\Perflib_Perfdata_3f4.dat
2009-03-11 05:24 143,360 a------- c:\winnt\system32\dunzip32.dll
2009-03-11 05:19 <DIR> --d----- c:\program files\McAfee
2009-03-11 04:52 <DIR> --d----- c:\program files\common files\Scanner
2009-03-11 04:52 <DIR> --d----- c:\program files\CA Yahoo! Anti-Spy
2009-03-11 02:13 16,384 a------t c:\winnt\system32\Perflib_Perfdata_4c8.dat
2009-03-11 02:08 16,384 a------t c:\winnt\system32\Perflib_Perfdata_4c0.dat
2009-03-10 22:58 16,384 a------t c:\winnt\system32\Perflib_Perfdata_294.dat
2009-03-10 20:10 16,384 a------t c:\winnt\system32\Perflib_Perfdata_42c.dat
2009-03-08 07:49 16,384 a------t c:\winnt\system32\Perflib_Perfdata_43c.dat
2009-03-06 23:42 <DIR> --d----- c:\program files\Wonderland Online
2009-03-06 01:23 740,192,774 a------- C:\wl_setup_3.0.1.exe
2009-02-24 19:02 16,384 a------t c:\winnt\system32\Perflib_Perfdata_438.dat

==================== Find3M ====================

2009-03-18 08:20 410,984 a------- c:\winnt\system32\deploytk.dll
2009-02-16 10:02 16,384 a------t c:\winnt\system32\Perflib_Perfdata_40c.dat
2009-02-08 11:16 1,644,784 a------- c:\winnt\system32\WIN32K.SYS
2009-02-02 12:24 16,384 a------t c:\winnt\system32\Perflib_Perfdata_444.dat
2009-02-02 12:19 16,384 a------t c:\winnt\system32\Perflib_Perfdata_1f8.dat
2009-02-01 15:15 16,384 a------t c:\winnt\system32\Perflib_Perfdata_440.dat
2009-01-28 12:31 16,384 a------t c:\winnt\system32\Perflib_Perfdata_204.dat
2009-01-07 16:31 16,384 a------t c:\winnt\system32\Perflib_Perfdata_4ac.dat
2008-12-31 07:32 591,296 a------- C:\WebmailPlugin.dll
2008-12-24 20:58 5,704 a------- c:\winnt\DiabUnin.dat
2008-12-24 20:58 118,784 a------- c:\winnt\DiabUnin.exe
2008-12-24 20:58 2,829 a------- c:\winnt\DiabUnin.pif
2008-04-08 17:06 21,952 ----h--- c:\program files\folder.htt
2008-04-08 17:06 271 ----h--- c:\program files\desktop.ini
2003-06-18 07:00 32,528 a------- c:\winnt\inf\wbfirdma.sys

============= FINISH: 0:09:07.70 ===============

Attached Files



#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:59 AM

Posted 23 March 2009 - 03:44 PM

Hello.

Haven't seen a 2000 in awhile.

At a quick looks, it appears clean.

I see that you have ViewPoint manager installed. This program is considered foistware, because it is installed without you permission, but does not do anything bad. I would suggest that you remove it using Add/Remove Programs.

While you are there, you can remove these old versions of Java.
Java™ 6 Update 4
Java™ 6 Update 5
Java™ 6 Update 7

Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

This scan is for Internet Explorer Only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.


Run Fix with OTListIt
Please download OTListIt from here.
Copy the contents of the CodeBox below into the Custom Scans/Fixes.
c:\SWfree.exe /s

Click the Run Scan button. The scan should take a moment to complete. Post back with the logfile that opens.


Please also give me an update on the symptoms that you are experiencing.

With Regards,
The Panda

#5 sv19

sv19
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:12:59 AM

Posted 23 March 2009 - 08:16 PM

I can't get Kaspersky to run. My computer keeps on freezing especially if running anti-virus. I can't run MalwareBytes at all. But I can run OTListIt. Here's what I found.

OTListIt logfile created on: 3/23/2009 9:01:34 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.7.1 Folder = C:\Documents and Settings\GX150\Desktop
Windows 2000 Professional Edition Service Pack 4 (Version = 5.0.2195) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2800.1106)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

189.52 Mb Total Physical Memory | 30.44 Mb Available Physical Memory | 16.06% Memory free
2.16 Gb Paging File | 1.97 Gb Available in Paging File | 91.22% Paging File free
Paging file location(s): C:\pagefile.sys 2047 2047;

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 18.62 Gb Total Space | 9.92 Gb Free Space | 53.25% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DELLGX150
Current User Name: GX150
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - [2009/03/18 08:20:54 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2003/06/18 07:00:00 | 00,068,368 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\regsvc.exe
PRC - [2004/09/07 10:59:06 | 00,122,128 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\MSTask.exe
PRC - [2007/01/04 16:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
PRC - [2003/06/18 07:00:00 | 00,196,706 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\WBEM\WinMgmt.exe
PRC - [2003/06/18 07:00:00 | 00,243,472 | ---- | M] (Microsoft Corporation) -- C:\WINNT\Explorer.EXE
PRC - [2008/09/07 17:21:54 | 00,185,896 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2009/03/18 08:20:54 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/03/18 08:20:54 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2008/05/29 21:43:36 | 02,363,392 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
PRC - [2008/05/29 21:43:38 | 02,580,480 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
PRC - [2002/08/29 06:14:40 | 00,091,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/03/18 08:20:53 | 00,144,792 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\java.exe
PRC - [2009/03/23 21:00:55 | 00,499,200 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\GX150\Desktop\OTListIt2.exe

========== Win32 Services (SafeList) ==========

SRV - [2007/10/24 00:47:22 | 00,033,800 | ---- | M] (Microsoft Corporation) -- C:\WINNT\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2007/10/24 00:47:40 | 00,070,144 | ---- | M] (Microsoft Corporation) -- C:\WINNT\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2003/06/18 07:00:00 | 00,147,728 | ---- | M] (VERITAS Software Corp.) -- C:\WINNT\System32\dmadmin.exe -- (dmadmin [On_Demand | Stopped])
SRV - [2003/06/18 07:00:00 | 00,094,992 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\faxsvc.exe -- (Fax [On_Demand | Stopped])
SRV - [2009/03/18 08:20:54 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2003/06/18 07:00:00 | 00,068,368 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\regsvc.exe -- (RemoteRegistry [Auto | Running])
SRV - [2004/09/07 10:59:06 | 00,122,128 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\MSTask.exe -- (Schedule [Auto | Running])
SRV - [2003/06/18 07:00:00 | 00,022,800 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\UtilMan.exe -- (UtilMan [On_Demand | Stopped])
SRV - [2007/01/04 16:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service [Auto | Running])
SRV - [2003/06/18 07:00:00 | 00,196,706 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\WBEM\WinMgmt.exe -- (WinMgmt [Auto | Running])

========== Driver Services (SafeList) ==========

DRV - [2002/04/01 12:15:00 | 00,004,816 | ---- | M] (Andrea Electronics Corporation) -- C:\WINNT\system32\drivers\aeaudio.sys -- (aeaudio [On_Demand | Running])
DRV - [2008/09/15 19:14:18 | 00,009,336 | ---- | M] (Sonic Solutions) -- C:\WINNT\System32\drivers\cdr4_2K.sys -- (Cdr4_2K [System | Running])
DRV - [2008/09/15 19:14:20 | 00,009,464 | ---- | M] (Sonic Solutions) -- C:\WINNT\System32\drivers\cdralw2k.sys -- (Cdralw2k [System | Running])
DRV - [2003/06/18 07:00:00 | 00,007,728 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\drivers\diskperf.sys -- (Diskperf [Boot | Running])
DRV - [2003/06/18 07:00:00 | 00,369,104 | ---- | M] (VERITAS Software Corp.) -- C:\WINNT\System32\drivers\dmboot.sys -- (dmboot [Disabled | Stopped])
DRV - [2003/06/18 07:00:00 | 00,137,936 | ---- | M] (VERITAS Software Corp.) -- C:\WINNT\System32\drivers\dmio.sys -- (dmio [Boot | Running])
DRV - [2003/06/18 07:00:00 | 00,007,312 | ---- | M] (VERITAS Software Corp.) -- C:\WINNT\System32\drivers\dmload.sys -- (dmload [Boot | Running])
DRV - [2003/06/18 07:00:00 | 00,027,440 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\drivers\efs.sys -- (EFS [Disabled | Running])
DRV - [1999/10/23 07:22:20 | 00,061,712 | ---- | M] (3Com Corporation) -- C:\WINNT\system32\DRIVERS\el90xbc5.sys -- (EL90BC [On_Demand | Running])
DRV - [2002/07/23 09:01:38 | 00,161,020 | ---- | M] (Intel® Corporation) -- C:\WINNT\system32\DRIVERS\i81xnt5.sys -- (i81x [On_Demand | Running])
DRV - [1999/10/22 13:54:42 | 00,032,592 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\drivers\ichaud.sys -- (ichaud [On_Demand | Stopped])
DRV - [2004/07/09 01:58:10 | 00,015,104 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\DRIVERS\MPE.sys -- (MPE [On_Demand | Stopped])
DRV - [2003/06/18 07:00:00 | 00,009,680 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\drivers\netdtect.sys -- (NetDetect [On_Demand | Stopped])
DRV - [2003/06/18 07:00:00 | 00,060,208 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\DRIVERS\parallel.sys -- (Parallel [On_Demand | Running])
DRV - [2003/06/18 07:00:00 | 00,017,680 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINNT\system32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2008/09/15 19:14:18 | 00,043,528 | ---- | M] (Sonic Solutions) -- C:\WINNT\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2003/06/18 07:00:00 | 00,021,712 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\drivers\RCA.sys -- (RCA [On_Demand | Stopped])
DRV - [2003/06/18 07:00:00 | 00,006,032 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\Drivers\RootMdm.sys -- (ROOTMODEM [On_Demand | Running])
DRV - [2002/05/28 14:18:46 | 00,500,568 | ---- | M] (Analog Devices, Inc.) -- C:\WINNT\system32\drivers\smwdm.sys -- (smwdm [On_Demand | Running])
DRV - [2003/06/19 11:05:04 | 00,032,848 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\DRIVERS\uhcd.sys -- (uhcd [On_Demand | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://my.yahoo.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF [2009/03/18 08:20:55 | 00,000,000 | ---D | M]


O1 HOSTS File: (734 bytes) - C:\WINNT\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (&RoboForm) - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKLM\..\Toolbar: (@msdxmLC.dll,-1@1033,&Radio) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx ()
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Synchronization Manager] mobsync.exe /logon (Microsoft Corporation)
O4 - HKLM..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot (RealNetworks, Inc.)
O4 - HKCU..\Run: [Aim6] File not found
O4 - HKCU..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1 File not found
O4 - HKCU..\RunOnce: [Shockwave Updater] C:\WINNT\system32\Adobe\SHOCKW~1\SWHELP~2.EXE -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" -"http://mp47.slingo.com/shockscreen2.asp?shost=mp47.slingo.com&sport=29000&susername=sv19&spassword=city14&roomname=Mixed%20Matrix%2010K%20-%20Leagues%20&gameid=63" (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\GX150\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZRxdm429QUUS
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_12.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - File not found
O9 - Extra 'Tools' menuitem : Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - File not found
O9 - Extra Button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - File not found
O9 - Extra 'Tools' menuitem : Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - File not found
O9 - Extra Button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - File not found
O9 - Extra 'Tools' menuitem : RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [Tcpip] - C:\WINNT\System32\rnr20.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} http://ak.exe.imgfarm.com/images/nocache/f...etup1.0.1.1.exe (Reg Error: Key error.)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab (YInstStarter Class)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace.com/upload/MySpaceUploader1006.cab (MySpace Uploader Control)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftu...b?1220820318622 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://l.yimg.com/jh/games/web_games/popca...aploader_v6.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.120,85.255.112.83
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Interfaces\{10BCD621-B383-4050-99A3-7E3C65EB38CF}\\NameServer = 85.255.112.120,85.255.112.83
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\vnd.ms.radio {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINNT\system32\msdxm.ocx ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINNT\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\wzcnotif: DllName - wzcdlg.dll - C:\WINNT\system32\wzcdlg.dll (Microsoft Corporation)
O21 - SSODL: Network.ConnectionTray - {7007ACCF-3202-11D1-AAD2-00805FC1270E} - C:\WINNT\system32\NETSHELL.dll (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/04/08 17:07:01 | 00,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/03/23 21:00:52 | 00,499,200 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\GX150\Desktop\OTListIt2.exe
[2009/03/21 12:05:43 | 00,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_1e4.dat
[2009/03/18 08:21:17 | 00,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_400.dat
[2009/03/17 18:03:49 | 00,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_1a4.dat
[2009/03/17 18:02:33 | 00,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_27c.dat
[2009/03/17 02:42:42 | 00,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_278.dat
[2009/03/16 16:53:36 | 00,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_1e0.dat
[2009/03/16 08:48:32 | 00,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_274.dat
[2009/03/13 07:41:49 | 00,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_1e8.dat
[2009/03/12 09:27:12 | 00,829,010 | -H-- | C] () -- C:\WINNT\ShellIconCache
[2009/03/12 07:52:42 | 00,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_574.dat
[2009/03/12 04:06:37 | 00,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_3ac.dat
[2009/03/11 12:57:01 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbam.sys
[2009/03/11 12:57:01 | 00,000,569 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/03/11 12:56:59 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbamswissarmy.sys
[2009/03/11 12:56:57 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/03/11 12:56:56 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/03/11 12:15:52 | 02,876,720 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\GX150\Desktop\mbam-setup.exe
[2009/03/11 10:35:02 | 00,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_3d4.dat
[2009/03/11 07:54:14 | 00,401,720 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\GX150\Desktop\HiJackThis.exe
[2009/03/11 06:26:18 | 00,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_3f4.dat
[2009/03/11 05:24:00 | 00,143,360 | ---- | C] (Inner Media, Inc.) -- C:\WINNT\System32\dunzip32.dll
[2009/03/11 05:19:45 | 00,000,000 | ---D | C] -- C:\Program Files\McAfee
[2009/03/11 04:52:48 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Scanner
[2009/03/11 04:52:45 | 00,000,000 | ---D | C] -- C:\Program Files\CA Yahoo! Anti-Spy
[2009/03/11 02:13:16 | 00,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_4c8.dat
[2009/03/11 02:08:04 | 00,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_4c0.dat
[2009/03/10 22:58:59 | 00,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_294.dat
[2009/03/10 20:10:34 | 00,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_42c.dat
[2009/03/08 07:49:04 | 00,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_43c.dat
[2009/03/07 00:05:54 | 00,000,603 | ---- | C] () -- C:\Documents and Settings\GX150\Desktop\Wonderland Online.lnk
[2009/03/06 23:42:10 | 00,000,000 | ---D | C] -- C:\Program Files\Wonderland Online
[2009/03/06 01:23:58 | 74,019,2774 | ---- | C] (IGG,Inc. ) -- C:\wl_setup_3.0.1.exe
[2009/02/24 19:02:56 | 00,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_438.dat

========== Files - Modified Within 30 Days ==========

[1 C:\WINNT\System32\*.tmp files]
[4 C:\WINNT\*.tmp files]
[2009/03/23 21:00:55 | 00,499,200 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\GX150\Desktop\OTListIt2.exe
[2009/03/23 20:32:19 | 00,000,006 | -H-- | M] () -- C:\WINNT\tasks\SA.DAT
[2009/03/23 20:29:07 | 00,829,010 | -H-- | M] () -- C:\WINNT\ShellIconCache
[2009/03/21 18:55:48 | 00,000,369 | ---- | M] () -- C:\WINNT\win.ini
[2009/03/21 12:05:44 | 00,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_1e4.dat
[2009/03/18 08:21:17 | 00,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_400.dat
[2009/03/17 18:03:49 | 00,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_1a4.dat
[2009/03/17 18:02:33 | 00,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_27c.dat
[2009/03/17 02:42:42 | 00,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_278.dat
[2009/03/16 16:53:36 | 00,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_1e0.dat
[2009/03/16 08:48:32 | 00,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_274.dat
[2009/03/13 07:41:49 | 00,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_1e8.dat
[2009/03/12 09:06:43 | 00,013,872 | ---- | M] () -- C:\Documents and Settings\GX150\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/03/12 07:52:42 | 00,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_574.dat
[2009/03/12 04:06:37 | 00,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_3ac.dat
[2009/03/11 12:57:01 | 00,000,569 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/03/11 12:15:52 | 02,876,720 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\GX150\Desktop\mbam-setup.exe
[2009/03/11 10:35:02 | 00,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_3d4.dat
[2009/03/11 07:54:16 | 00,401,720 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\GX150\Desktop\HiJackThis.exe
[2009/03/11 06:26:18 | 00,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_3f4.dat
[2009/03/11 04:37:08 | 00,102,232 | ---- | M] () -- C:\WINNT\System32\FNTCACHE.DAT
[2009/03/11 04:24:43 | 00,001,410 | ---- | M] () -- C:\WINNT\imsins.BAK
[2009/03/11 02:13:16 | 00,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_4c8.dat
[2009/03/11 02:08:04 | 00,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_4c0.dat
[2009/03/10 22:58:59 | 00,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_294.dat
[2009/03/10 20:10:34 | 00,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_42c.dat
[2009/03/10 03:27:10 | 00,001,493 | ---- | M] () -- C:\Documents and Settings\GX150\Desktop\Slingo Quest.lnk
[2009/03/08 07:49:04 | 00,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_43c.dat
[2009/03/07 00:05:54 | 00,000,603 | ---- | M] () -- C:\Documents and Settings\GX150\Desktop\Wonderland Online.lnk
[2009/03/06 02:44:30 | 74,019,2774 | ---- | M] (IGG,Inc. ) -- C:\wl_setup_3.0.1.exe
[2009/02/24 19:02:57 | 00,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_438.dat

========== Custom Scans ==========


< c:\SWfree.exe /s >

========== Alternate Data Streams ==========

@Alternate Data Stream - 127 bytes -> c:\Documents and Settings\All Users\Application Data\TEMP:1C4D3509
@Alternate Data Stream - 121 bytes -> c:\Documents and Settings\All Users\Application Data\TEMP:EE9AD6CC
@Alternate Data Stream - 109 bytes -> c:\Documents and Settings\All Users\Application Data\TEMP:6B181B84
@Alternate Data Stream - 100 bytes -> c:\Documents and Settings\All Users\Application Data\TEMP:3E5C6753
< End of report >

Attached Files



#6 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:59 AM

Posted 24 March 2009 - 07:17 AM

Hello.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.

With Regards,
The Panda

#7 sv19

sv19
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:12:59 AM

Posted 24 March 2009 - 11:20 AM

Hi. It did find something when I scanned. Here's the results.

GMER 1.0.15.14944 - http://www.gmer.net
Rootkit scan 2009-03-24 12:16:43
Windows 5.0.2195 Service Pack 4


---- System - GMER 1.0.15 ----

Code 81577F8E ZwEnumerateKey
Code 81577F4E ZwFlushInstructionCache
Code 81577F0E ZwQueryValueKey

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 8041DDF4 5 Bytes JMP 81577FD3
.text ntoskrnl.exe!IofCompleteRequest 8041DEF8 5 Bytes JMP 81579493
PAGE ntoskrnl.exe!ZwFlushInstructionCache 804D2034 5 Bytes JMP 81577F52
PAGE ntoskrnl.exe!ZwEnumerateKey 8051263E 5 Bytes JMP 81577F92
PAGE ntoskrnl.exe!ZwQueryValueKey 80513908 5 Bytes JMP 81577F12

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!CreateProcessA] [23021346] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\Secur32.dll [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\Secur32.dll [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\Secur32.dll [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\Secur32.dll [KERNEL32.DLL!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryExA] [732E78DE] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!CreateProcessA] [23021346] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!CreateProcessA] [23021346] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\WININET.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\WININET.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\WININET.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\WININET.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExA] [732E78DE] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[848] @ C:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

---- Modules - GMER 1.0.15 ----

Module \systemroot\system32\drivers\gaopdxklymcjsucpfurdwodldgwqcmpcluyrdp.sys (*** hidden *** ) BBC61000-BBC74000 (77824 bytes)

---- Services - GMER 1.0.15 ----

Service C:\WINNT\system32\drivers\gaopdxklymcjsucpfurdwodldgwqcmpcluyrdp.sys (*** hidden *** ) [SYSTEM] gaopdxserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxklymcjsucpfurdwodldgwqcmpcluyrdp.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxklymcjsucpfurdwodldgwqcmpcluyrdp.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxeqmijdnvoistypqkbaweaptltujqpxos.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxklymcjsucpfurdwodldgwqcmpcluyrdp.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxklymcjsucpfurdwodldgwqcmpcluyrdp.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxeqmijdnvoistypqkbaweaptltujqpxos.dll
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxklymcjsucpfurdwodldgwqcmpcluyrdp.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxklymcjsucpfurdwodldgwqcmpcluyrdp.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxeqmijdnvoistypqkbaweaptltujqpxos.dll

---- Files - GMER 1.0.15 ----

File C:\WINNT\system32\drivers\gaopdxklymcjsucpfurdwodldgwqcmpcluyrdp.sys 34816 bytes executable <-- ROOTKIT !!!
File C:\WINNT\system32\gaopdxcounter 4 bytes
File C:\WINNT\system32\gaopdxeqmijdnvoistypqkbaweaptltujqpxos.dll 10752 bytes executable

---- EOF - GMER 1.0.15 ----

#8 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:59 AM

Posted 24 March 2009 - 03:16 PM

Hello.

Ah.. there is the infection. A nasty one.

Posted ImageBackdoor Threat
I'm sorry to say that your computer is infected with one or more backdoor trojans.

This means that sensitive information could have been stolen. I would advise to change any passwords for any accounts that you have accessed with the infected computer using a clean computer ASAP. If you have used this computer for banking, I would strongly suggest that you report the possible stolen information. Please do not use the computer for any further transactions, or to enter any other information, if at all possible, until it is declared clean.

You may want to read this article on how to handle identity theft.
You may also want to read this article regarding preventing of identity theft.

This computer can still be cleaned, however, I cannot guarantee that it will be 100% safe even after disinfection.

Please read When Should I Format, How Should I Reinstall.

I will proceed assuming you wish to disinfect. If you want to do a reinstall, reply back saying so.

Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.

Do not use the NTREGOPT that comes with the installation package.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. If you are using Windows Vista, right click the icon and select "Run As Administrator." Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes only if you are using Windows XP. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

When we are finished, you may, remove ERUNT using Add/Remove Programs.

Download The Avenger and Run Script
Please download The Avenger by Swandog46 to your Desktop.
  • Right click avenger.zip and extract the contents to your desktop
  • Start the Avenger.exe.
  • Copy all the text contained in the qoute box below to your Clipboard by highlighting it, right clicking and selecting Copy:
    Drivers to delete:
    gaopdxserv.sys
    
    Files to delete:
    C:\WINNT\system32\drivers\gaopdxklymcjsucpfurdwodldgwqcmpcluyrdp.sys
    C:\WINNT\system32\gaopdxcounter
    C:\WINNT\system32\gaopdxeqmijdnvoistypqkbaweaptltujqpxos.dll
    
    Registry keys to delete:
    HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys
    HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys
  • Click Posted Image to paste the script from the clipboard.
  • Click the Execute button
  • Answer Yes twice when prompted.
The process is completely automatic. Do not touch your computer until a log file opens.

The Avenger will do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", the Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avengerís actions. This log file will be located at C:\avenger.txt (considering your operating drive is C:). Post back with it in your next reply.
Download and run MalwareBytes Anti-Malware
If you already have MBAM installed, simply update and run a quick scan.

Please download Malwarebytes Anti-Malware setup and to your desktop.
alternate download link 1
alternate download link 2

Refer to the steps given here on installing MalwareBytes, running the scan, and saving the log file (not on using File Assasin).
  • If you have trouble updating, try the other mirror download site.
  • Should the computer in question not be able update using the normal method download the update file from here, using another machine if needed. Simple double click the file to install the updates.
  • If MalwareBytes asks to reboot to remove certain items, do so right away.
Please include the scan logfile in your next reply.

In your next reply please include:
-the Avenger log
-the MalwareBytes scan log
-a new OTListIt log
-a new GMER scan log

With Regards,
The Panda

#9 sv19

sv19
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:12:59 AM

Posted 24 March 2009 - 05:59 PM

I forgot to save the avenger log, but it got rid of it. The Malwarebytes found vundo trojan on my computer. My computer was now able to update windows for the first time in a week and a half. Here's the results.

Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.0.2195 Service Pack 4

3/24/2009 6:31:23 PM
mbam-log-2009-03-24 (18-31-23).txt

Scan type: Full Scan (C:\|)
Objects scanned: 77153
Time elapsed: 19 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 21
Registry Values Infected: 1
Registry Data Items Infected: 8
Folders Infected: 8
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\ (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.120,85.255.112.83 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{10bcd621-b383-4050-99a3-7e3c65eb38cf}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.120,85.255.112.83 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.120,85.255.112.83 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{10bcd621-b383-4050-99a3-7e3c65eb38cf}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.120,85.255.112.83 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.120,85.255.112.83 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{10bcd621-b383-4050-99a3-7e3c65eb38cf}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.120,85.255.112.83 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.120,85.255.112.83 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{10bcd621-b383-4050-99a3-7e3c65eb38cf}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.120,85.255.112.83 -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver\Images (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\MyWebSearch\bar\History\search3 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\settings.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver\Images\05DDD6ED.urr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\001FFBB5.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-36-100024361-100028080-100017525-6044.com (Trojan.Agent) -> Quarantined and deleted successfully.

OTListIt logfile created on: 3/24/2009 6:35:19 PM - Run 2
OTListIt2 by OldTimer - Version 2.0.7.1 Folder = C:\Documents and Settings\GX150\Desktop
Windows 2000 Professional Edition Service Pack 4 (Version = 5.0.2195) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2800.1106)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

189.52 Mb Total Physical Memory | 74.29 Mb Available Physical Memory | 39.20% Memory free
2.16 Gb Paging File | 2.06 Gb Available in Paging File | 95.29% Paging File free
Paging file location(s): C:\pagefile.sys 2047 2047;

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 18.62 Gb Total Space | 9.89 Gb Free Space | 53.11% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DELLGX150
Current User Name: GX150
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - [2009/03/18 08:20:54 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2003/06/18 07:00:00 | 00,068,368 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\regsvc.exe
PRC - [2004/09/07 10:59:06 | 00,122,128 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\MSTask.exe
PRC - [2007/01/04 16:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
PRC - [2003/06/18 07:00:00 | 00,196,706 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\WBEM\WinMgmt.exe
PRC - [2003/06/18 07:00:00 | 00,243,472 | ---- | M] (Microsoft Corporation) -- C:\WINNT\Explorer.EXE
PRC - [2008/09/07 17:21:54 | 00,185,896 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2009/03/18 08:20:54 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/03/18 08:20:54 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2008/05/29 21:43:36 | 02,363,392 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
PRC - [2008/05/29 21:43:38 | 02,580,480 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
PRC - [2009/03/23 21:00:55 | 00,499,200 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\GX150\Desktop\OTListIt2.exe

========== Win32 Services (SafeList) ==========

SRV - [2007/10/24 00:47:22 | 00,033,800 | ---- | M] (Microsoft Corporation) -- C:\WINNT\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2007/10/24 00:47:40 | 00,070,144 | ---- | M] (Microsoft Corporation) -- C:\WINNT\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2003/06/18 07:00:00 | 00,147,728 | ---- | M] (VERITAS Software Corp.) -- C:\WINNT\System32\dmadmin.exe -- (dmadmin [On_Demand | Stopped])
SRV - [2003/06/18 07:00:00 | 00,094,992 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\faxsvc.exe -- (Fax [On_Demand | Stopped])
SRV - [2009/03/18 08:20:54 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2003/06/18 07:00:00 | 00,068,368 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\regsvc.exe -- (RemoteRegistry [Auto | Running])
SRV - [2004/09/07 10:59:06 | 00,122,128 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\MSTask.exe -- (Schedule [Auto | Running])
SRV - [2003/06/18 07:00:00 | 00,022,800 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\UtilMan.exe -- (UtilMan [On_Demand | Stopped])
SRV - [2007/01/04 16:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service [Auto | Running])
SRV - [2003/06/18 07:00:00 | 00,196,706 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\WBEM\WinMgmt.exe -- (WinMgmt [Auto | Running])

========== Driver Services (SafeList) ==========

DRV - [2002/04/01 12:15:00 | 00,004,816 | ---- | M] (Andrea Electronics Corporation) -- C:\WINNT\system32\drivers\aeaudio.sys -- (aeaudio [On_Demand | Running])
DRV - [2008/09/15 19:14:18 | 00,009,336 | ---- | M] (Sonic Solutions) -- C:\WINNT\System32\drivers\cdr4_2K.sys -- (Cdr4_2K [System | Running])
DRV - [2008/09/15 19:14:20 | 00,009,464 | ---- | M] (Sonic Solutions) -- C:\WINNT\System32\drivers\cdralw2k.sys -- (Cdralw2k [System | Running])
DRV - [2003/06/18 07:00:00 | 00,007,728 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\drivers\diskperf.sys -- (Diskperf [Boot | Running])
DRV - [2003/06/18 07:00:00 | 00,369,104 | ---- | M] (VERITAS Software Corp.) -- C:\WINNT\System32\drivers\dmboot.sys -- (dmboot [Disabled | Stopped])
DRV - [2003/06/18 07:00:00 | 00,137,936 | ---- | M] (VERITAS Software Corp.) -- C:\WINNT\System32\drivers\dmio.sys -- (dmio [Boot | Running])
DRV - [2003/06/18 07:00:00 | 00,007,312 | ---- | M] (VERITAS Software Corp.) -- C:\WINNT\System32\drivers\dmload.sys -- (dmload [Boot | Running])
DRV - [2003/06/18 07:00:00 | 00,027,440 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\drivers\efs.sys -- (EFS [Disabled | Running])
DRV - [1999/10/23 07:22:20 | 00,061,712 | ---- | M] (3Com Corporation) -- C:\WINNT\system32\DRIVERS\el90xbc5.sys -- (EL90BC [On_Demand | Running])
DRV - [2002/07/23 09:01:38 | 00,161,020 | ---- | M] (Intel® Corporation) -- C:\WINNT\system32\DRIVERS\i81xnt5.sys -- (i81x [On_Demand | Running])
DRV - [1999/10/22 13:54:42 | 00,032,592 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\drivers\ichaud.sys -- (ichaud [On_Demand | Stopped])
DRV - [2004/07/09 01:58:10 | 00,015,104 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\DRIVERS\MPE.sys -- (MPE [On_Demand | Stopped])
DRV - [2003/06/18 07:00:00 | 00,009,680 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\drivers\netdtect.sys -- (NetDetect [On_Demand | Stopped])
DRV - [2003/06/18 07:00:00 | 00,060,208 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\DRIVERS\parallel.sys -- (Parallel [On_Demand | Running])
DRV - [2003/06/18 07:00:00 | 00,017,680 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINNT\system32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2008/09/15 19:14:18 | 00,043,528 | ---- | M] (Sonic Solutions) -- C:\WINNT\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2003/06/18 07:00:00 | 00,021,712 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\drivers\RCA.sys -- (RCA [On_Demand | Stopped])
DRV - [2003/06/18 07:00:00 | 00,006,032 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\Drivers\RootMdm.sys -- (ROOTMODEM [On_Demand | Running])
DRV - [2002/05/28 14:18:46 | 00,500,568 | ---- | M] (Analog Devices, Inc.) -- C:\WINNT\system32\drivers\smwdm.sys -- (smwdm [On_Demand | Running])
DRV - [2003/06/19 11:05:04 | 00,032,848 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\DRIVERS\uhcd.sys -- (uhcd [On_Demand | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://my.yahoo.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF [2009/03/18 08:20:55 | 00,000,000 | ---D | M]


O1 HOSTS File: (734 bytes) - C:\WINNT\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (&RoboForm) - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKLM\..\Toolbar: (@msdxmLC.dll,-1@1033,&Radio) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx ()
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Synchronization Manager] mobsync.exe /logon (Microsoft Corporation)
O4 - HKLM..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot (RealNetworks, Inc.)
O4 - HKCU..\Run: [Aim6] File not found
O4 - HKCU..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1 File not found
O4 - HKCU..\RunOnce: [Shockwave Updater] C:\WINNT\system32\Adobe\SHOCKW~1\SWHELP~2.EXE -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" -"http://mp47.slingo.com/shockscreen2.asp?shost=mp47.slingo.com&sport=29000&susername=sv19&spassword=city14&roomname=Mixed%20Matrix%2010K%20-%20Leagues%20&gameid=63" (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\GX150\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O8 - Extra context menu item: &Search - Reg Error: Value error.
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_12.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - File not found
O9 - Extra 'Tools' menuitem : Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - File not found
O9 - Extra Button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - File not found
O9 - Extra 'Tools' menuitem : Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - File not found
O9 - Extra Button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - File not found
O9 - Extra 'Tools' menuitem : RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [Tcpip] - C:\WINNT\System32\rnr20.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab (YInstStarter Class)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace.com/upload/MySpaceUploader1006.cab (MySpace Uploader Control)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftu...b?1220820318622 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\vnd.ms.radio {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINNT\system32\msdxm.ocx ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINNT\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\wzcnotif: DllName - wzcdlg.dll - C:\WINNT\system32\wzcdlg.dll (Microsoft Corporation)
O21 - SSODL: Network.ConnectionTray - {7007ACCF-3202-11D1-AAD2-00805FC1270E} - C:\WINNT\system32\NETSHELL.dll (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/04/08 17:07:01 | 00,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found

========== Files/Folders - Created Within 30 Days ==========

[4 C:\WINNT\*.tmp files]
[2009/03/24 18:34:18 | 00,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_1d8.dat
[2009/03/24 18:02:51 | 00,000,000 | ---D | C] -- C:\Documents and Settings\GX150\Application Data\Malwarebytes
[2009/03/24 17:34:21 | 00,731,136 | ---- | C] () -- C:\Documents and Settings\GX150\Desktop\avenger.exe
[2009/03/24 17:33:38 | 00,724,952 | ---- | C] () -- C:\Documents and Settings\GX150\Desktop\avenger.zip
[2009/03/24 17:32:13 | 00,000,000 | ---D | C] -- C:\WINNT\ERDNT
[2009/03/24 17:31:44 | 00,000,481 | ---- | C] () -- C:\Documents and Settings\GX150\Desktop\ERUNT.lnk
[2009/03/24 17:31:44 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/03/24 17:30:37 | 00,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\GX150\Desktop\erunt-setup.exe
[2009/03/24 12:07:48 | 00,286,208 | ---- | C] () -- C:\Documents and Settings\GX150\Desktop\gmer.exe
[2009/03/23 21:00:52 | 00,499,200 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\GX150\Desktop\OTListIt2.exe
[2009/03/21 12:05:43 | 00,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_1e4.dat
[2009/03/18 08:21:17 | 00,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_400.dat
[2009/03/17 18:03:49 | 00,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_1a4.dat
[2009/03/17 18:02:33 | 00,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_27c.dat
[2009/03/17 02:42:42 | 00,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_278.dat
[2009/03/16 08:48:32 | 00,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_274.dat
[2009/03/13 07:41:49 | 00,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_1e8.dat
[2009/03/12 09:27:12 | 00,829,144 | -H-- | C] () -- C:\WINNT\ShellIconCache
[2009/03/12 07:52:42 | 00,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_574.dat
[2009/03/12 04:06:37 | 00,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_3ac.dat
[2009/03/11 12:57:01 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbam.sys
[2009/03/11 12:57:01 | 00,000,569 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/03/11 12:56:59 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbamswissarmy.sys
[2009/03/11 12:56:57 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/03/11 12:56:56 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/03/11 12:15:52 | 02,876,720 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\GX150\My Documents\mbam-setup.exe
[2009/03/11 10:35:02 | 00,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_3d4.dat
[2009/03/11 07:54:14 | 00,401,720 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\GX150\Desktop\HiJackThis.exe
[2009/03/11 06:26:18 | 00,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_3f4.dat
[2009/03/11 05:24:00 | 00,143,360 | ---- | C] (Inner Media, Inc.) -- C:\WINNT\System32\dunzip32.dll
[2009/03/11 05:19:45 | 00,000,000 | ---D | C] -- C:\Program Files\McAfee
[2009/03/11 04:52:48 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Scanner
[2009/03/11 04:52:45 | 00,000,000 | ---D | C] -- C:\Program Files\CA Yahoo! Anti-Spy
[2009/03/11 02:13:16 | 00,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_4c8.dat
[2009/03/11 02:08:04 | 00,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_4c0.dat
[2009/03/10 22:58:59 | 00,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_294.dat
[2009/03/10 20:10:34 | 00,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_42c.dat
[2009/03/08 07:49:04 | 00,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_43c.dat
[2009/03/07 00:05:54 | 00,000,603 | ---- | C] () -- C:\Documents and Settings\GX150\Desktop\Wonderland Online.lnk
[2009/03/06 23:42:10 | 00,000,000 | ---D | C] -- C:\Program Files\Wonderland Online
[2009/03/06 01:23:58 | 74,019,2774 | ---- | C] (IGG,Inc. ) -- C:\wl_setup_3.0.1.exe
[2009/02/24 19:02:56 | 00,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_438.dat

========== Files - Modified Within 30 Days ==========

[1 C:\WINNT\System32\*.tmp files]
[4 C:\WINNT\*.tmp files]
[2009/03/24 18:34:19 | 00,000,006 | -H-- | M] () -- C:\WINNT\tasks\SA.DAT
[2009/03/24 18:34:18 | 00,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_1d8.dat
[2009/03/24 17:33:43 | 00,724,952 | ---- | M] () -- C:\Documents and Settings\GX150\Desktop\avenger.zip
[2009/03/24 17:31:44 | 00,000,481 | ---- | M] () -- C:\Documents and Settings\GX150\Desktop\ERUNT.lnk
[2009/03/24 17:30:42 | 00,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\GX150\Desktop\erunt-setup.exe
[2009/03/24 12:59:52 | 00,829,144 | -H-- | M] () -- C:\WINNT\ShellIconCache
[2009/03/23 21:00:55 | 00,499,200 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\GX150\Desktop\OTListIt2.exe
[2009/03/21 18:55:48 | 00,000,369 | ---- | M] () -- C:\WINNT\win.ini
[2009/03/21 12:05:44 | 00,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_1e4.dat
[2009/03/20 08:08:42 | 00,286,208 | ---- | M] () -- C:\Documents and Settings\GX150\Desktop\gmer.exe
[2009/03/18 08:21:17 | 00,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_400.dat
[2009/03/17 18:03:49 | 00,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_1a4.dat
[2009/03/17 18:02:33 | 00,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_27c.dat
[2009/03/17 02:42:42 | 00,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_278.dat
[2009/03/16 08:48:32 | 00,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_274.dat
[2009/03/13 07:41:49 | 00,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_1e8.dat
[2009/03/12 09:06:43 | 00,013,872 | ---- | M] () -- C:\Documents and Settings\GX150\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/03/12 07:52:42 | 00,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_574.dat
[2009/03/12 04:06:37 | 00,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_3ac.dat
[2009/03/11 12:57:01 | 00,000,569 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/03/11 12:15:52 | 02,876,720 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\GX150\My Documents\mbam-setup.exe
[2009/03/11 10:35:02 | 00,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_3d4.dat
[2009/03/11 07:54:16 | 00,401,720 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\GX150\Desktop\HiJackThis.exe
[2009/03/11 06:26:18 | 00,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_3f4.dat
[2009/03/11 04:37:08 | 00,102,232 | ---- | M] () -- C:\WINNT\System32\FNTCACHE.DAT
[2009/03/11 04:24:43 | 00,001,410 | ---- | M] () -- C:\WINNT\imsins.BAK
[2009/03/11 02:13:16 | 00,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_4c8.dat
[2009/03/11 02:08:04 | 00,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_4c0.dat
[2009/03/10 22:58:59 | 00,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_294.dat
[2009/03/10 20:10:34 | 00,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_42c.dat
[2009/03/10 03:27:10 | 00,001,493 | ---- | M] () -- C:\Documents and Settings\GX150\Desktop\Slingo Quest.lnk
[2009/03/08 07:49:04 | 00,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_43c.dat
[2009/03/07 00:05:54 | 00,000,603 | ---- | M] () -- C:\Documents and Settings\GX150\Desktop\Wonderland Online.lnk
[2009/03/06 02:44:30 | 74,019,2774 | ---- | M] (IGG,Inc. ) -- C:\wl_setup_3.0.1.exe
[2009/02/24 19:02:57 | 00,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_438.dat
< End of report >

GMER 1.0.15.14944 - http://www.gmer.net
Rootkit scan 2009-03-24 18:50:59
Windows 5.0.2195 Service Pack 4


---- Kernel code sections - GMER 1.0.15 ----

? skxlhg.sys The system cannot find the file specified. !

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!CreateProcessA] [23021346] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\Secur32.dll [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\Secur32.dll [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\Secur32.dll [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\Secur32.dll [KERNEL32.DLL!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryExA] [732E78DE] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!CreateProcessA] [23021346] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!CreateProcessA] [23021346] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\WININET.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\WININET.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\WININET.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\WININET.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExA] [732E78DE] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\WS2_32.dll [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\WS2_32.dll [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\WS2_32.dll [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\netapi32.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\netapi32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\netapi32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\iphlpapi.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\iphlpapi.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[824] @ C:\WINNT\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

#10 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:59 AM

Posted 24 March 2009 - 07:42 PM

Hello.

The Avenger log should be saved at
C:\Avenger.txt

Let's run an online scan to check for anything left.

Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

This scan is for Internet Explorer Only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.

With Regards,
The Panda

#11 sv19

sv19
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:12:59 AM

Posted 24 March 2009 - 10:13 PM

Here's the Kaspersky log.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, March 25, 2009
Operating System: Microsoft Windows 2000 Professional Service Pack 4 (build 2195)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, March 24, 2009 23:35:05
Records in database: 1964820
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 30953
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:17:31

No malware has been detected. The scan area is clean.

The selected area was scanned.

#12 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:59 AM

Posted 25 March 2009 - 07:15 AM

Hello.

Looks good. Unless there are any issues at the moment, we can wrap up.

Uninstall ComboFix
Remove Combofix now that we're done with it.
  • Click on your Start Menu, then Run....
  • Now type combofix /u in the runbox and click OK. Notice the space between the "x" and "/".
    Posted Image
Uninstalling ComboFix will do the following:
  • Delete ComboFix and its components from your computer.
  • Delete other tools commonly used during the malware removal process.
  • Resets clock settings to standard format.
  • Hides file extensions and hidden/system files.
  • Clears System Restore cache and creates new restore point.
Preventing Malware Infection in the Future
Please take some time to look at the following links, giving some advice and suggestions for preventing future infections: For general slowness problems that you may have, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable uneeded processes and increase the amount of available resources.

Do you have any questions or concerns?

With Regards,
The Panda

#13 sv19

sv19
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:12:59 AM

Posted 25 March 2009 - 07:35 AM

I didn't use combofix... I'm okay otherwise the computer is running great. Thanks for the help!

#14 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:59 AM

Posted 25 March 2009 - 10:41 AM

Oops. Usually, we'd use ComboFix to remove the infection.

In that case..

Download and Run OTCleanIt
This program will remove the tools we have used.
  • Download OTCleanIt by OldTimer to your desktop.
  • Double click OTCleanIt.exe to start the program.
  • Click the big CleanUp! button.
  • When asked if you want to proceed with the cleanup process, click Yes. Restart your computer when prompted.
Delete the file after use, if it did not delete itself.

Set New System Restore Point
Now you should set a Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point after cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click System Restore.
  • Choose the radio button marked Create a Restore Point on the first screen then click Next. Give the Restore Point a name then click Create.
  • Then, click on Start > Run and type:
    cleanmgr
  • Click OK > More Options tab.
  • Click Clean Up in the System Restore section to remove all previous restore points except the newly created one.
With Regards,
The Panda

#15 sv19

sv19
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:12:59 AM

Posted 25 March 2009 - 01:38 PM

I'm stuck at system restore because this computer don't have a system restore program. It has back-up but not system restore. What do I do now??




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users