Infected with win32 trojan-gen


This topic is locked
12 replies to this topic

#1 cstockwell
  • Members
  • 7 posts

Posted 11 March 2009 - 08:26 AM

I've read a lot about this problem on the web. I have avast; it continually picks up these folders that are randomly created in the Windows temp file. I'm afraid that there is other evil work being done here. Or is my paranoia in vain?

Word by word... "I turn on my laptop computer that I bought here in China; after CCleaner finishes I double-click my broadband connection icon, then connect to the internet. I open up Firefox and go to my WoW websites. I hear avast saying it has updated successfully. Then I open WoW. While in the middle of killing bosses in Heroic Utgarde Pinnacle, I hear my avast going crazy!! TROJAN FOUND TROJAN FOUND!! I get kicked out of my game to press the delete button. Then my DPS in-game goes down like 400 points. Then everyone in-game is telling me I suck and I'm like, no I don't, then they say, yes, then I ninja all the items cuz I'm pissed!!!"

Please... My guild can't have me stalling in the middle of Naxx!!

This is a list from my avast log viewer...
2009/3/11 17:35:34 SYSTEM 1820 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Users\SAMSUNG\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VBW1C78S\klite9[1]" file.
2009/3/11 17:35:47 SYSTEM 1820 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Users\SAMSUNG\AppData\Local\Temp\tuvSiheE.dll" file.
2009/3/11 18:36:40 SYSTEM 1820 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Users\SAMSUNG\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VBW1C78S\klite9[1]" file.
2009/3/11 18:36:55 SYSTEM 1820 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Users\SAMSUNG\AppData\Local\Temp\pmnmligd.dll" file.
2009/3/11 19:37:15 SYSTEM 1820 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Users\SAMSUNG\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IL10GXEW\klite9[1]" file.
2009/3/11 19:37:40 SYSTEM 1820 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Users\SAMSUNG\AppData\Local\Temp\efcDSLbC.dll" file.
2009/3/11 20:38:11 SYSTEM 1820 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Users\SAMSUNG\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z31VIE1I\klite9[1]" file.
2009/3/11 20:38:21 SYSTEM 1820 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Users\SAMSUNG\AppData\Local\Temp\pmnkIYOF.dll" file.

I tried to find them and delete them, but no luck.



DDS (Ver_09-02-01.01) - NTFSx86
Run by SAMSUNG at 20:52:06.17 on 2009/03/11 Wed
Internet Explorer: 8.0.6001.18372 BrowserJavaVersion: 1.6.0_11
AV: avast! antivirus 4.8.1229 [VPS 081122-0] *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Windows\system32\WLANExt.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\Windows\System32\rundll32.exe
D:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\ehome\ehtray.exe
D:\Program Files\Stardock\CursorFX\CursorFX.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
D:\Program Files\Alwil Software\Avast4\ashLogV.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\SAMSUNG\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.yahoo.com/
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - d:\program files\orbitdownloader\orbitcth.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - d:\program files\orbitdownloader\GrabPro.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [CursorFX] "d:\program files\stardock\cursorfx\CursorFX.exe"
uRun: [ccleaner] "d:\program files\ccleaner\CCleaner.exe" /AUTO
uRun: [MSServer] rundll32.exe c:\users\samsung\appdata\local\temp\fcccdCvv.dll,#1
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [avast!] d:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [MSServer] rundll32.exe c:\windows\system32\rqrrPjJB.dll,#1
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Download by Orbit - d:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - d:\program files\orbitdownloader\orbitmxt.dll/204
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Do&wnload selected by Orbit - d:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - d:\program files\orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send image to Bluetooth device(&:thumbup2:... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Export to Microsoft Office Excel(&X) - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send page to Bluetooth device(&:)... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {308FAD37-8176-42F8-BB2C-983425728B52} = 202.106.0.20 219.149.194.55
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\rqrrPjJB.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\samsung\appdata\roaming\mozilla\firefox\profiles\bqu6tg9x.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.speedbit.com/searchresults.asp?src=default&q=
FF - plugin: d:\program files\google\picasa3\npPicasa3.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin2.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin3.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin4.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin5.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin6.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-8 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-11-8 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2008-11-8 51792]
R2 KMDFMEMIO;SAMSUNG Kernel Driver;c:\windows\system32\drivers\KMDFMEMIO.sys [2008-8-8 13312]
R3 NETw5v32;Intel® Wireless WiFi Link adapter driver (for Windows Vista 32-bit);c:\windows\system32\drivers\NETw5v32.sys [2008-5-21 3663360]
R3 VMC302;Vimicro Camera Service VMC302;c:\windows\system32\drivers\vmc302.sys [2008-8-8 242560]
S4 ccosm;Contrl Center of Storm Media;c:\program files\stormii\stormliv.exe /asservice --> c:\program files\stormii\stormliv.exe [?]

=============== Created Last 30 ================

2009-03-11 09:04 38,912 a------- c:\windows\system32\khfEWOIA.dll
2009-03-11 07:48 38,912 a------- c:\windows\system32\rqrrPjJB.dll
2009-03-11 07:13 7,680 a------- c:\windows\system32\spwmp.dll
2009-03-11 07:13 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-03-11 07:13 4,096 a------- c:\windows\system32\msdxm.ocx
2009-03-11 07:13 4,096 a------- c:\windows\system32\dxmasf.dll
2009-03-11 07:13 268,288 a------- c:\windows\system32\schannel.dll
2009-03-11 07:13 2,033,152 a------- c:\windows\system32\win32k.sys
2009-03-07 21:26 262 a------- c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2009-03-07 21:25 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-03-02 23:35 <DIR> --d----- C:\downloads
2009-03-02 23:32 <DIR> --d----- c:\users\samsung\appdata\roaming\LimeWire
2009-02-24 11:25 15,303 a------- c:\windows\W2BNEUnin.dat
2009-02-24 11:25 98,304 a------- c:\windows\W2BNEUnin.exe
2009-02-24 11:25 2,829 a------- c:\windows\W2BNEUnin.pif
2009-02-23 23:51 <DIR> --d----- c:\users\samsung\appdata\roaming\tor
2009-02-15 21:36 428,544 a------- c:\windows\system32\EncDec.dll
2009-02-15 21:36 217,088 a------- c:\windows\system32\psisrndr.ax
2009-02-15 21:36 293,376 a------- c:\windows\system32\psisdecd.dll
2009-02-15 21:36 177,664 a------- c:\windows\system32\mpg2splt.ax
2009-02-15 21:36 80,896 a------- c:\windows\system32\MSNP.ax
2009-02-10 00:16 <DIR> --d----- c:\program files\LimeWire Acceleration Patch
2009-02-09 23:34 <DIR> --d----- c:\users\samsung\appdata\roaming\uTorrent

==================== Find3M ====================

2009-03-11 17:35 317,520 a------- c:\windows\system32\prfh0804.dat
2009-03-11 17:35 101,082 a------- c:\windows\system32\prfc0804.dat
2009-03-11 17:29 119,049 a------- c:\programdata\nvModes.dat
2009-03-11 17:29 119,049 a------- c:\progra~2\nvModes.dat
2009-03-11 15:42 6,027 a------- c:\windows\bthservsdp.dat
2009-02-06 05:06 51,792 a------- c:\windows\system32\drivers\aswMonFlt.sys
2009-01-15 18:05 911,872 a------- c:\windows\system32\wininet.dll
2009-01-15 18:05 43,008 a------- c:\windows\system32\licmgr10.dll
2009-01-15 18:04 18,944 a------- c:\windows\system32\corpol.dll
2009-01-15 18:04 109,056 a------- c:\windows\system32\iesysprep.dll
2009-01-15 18:04 132,096 a------- c:\windows\system32\ieUnatt.exe
2009-01-15 18:04 109,568 a------- c:\windows\system32\PDMSetup.exe
2009-01-15 18:04 107,520 a------- c:\windows\system32\RegisterIEPKEYs.exe
2009-01-15 18:04 107,008 a------- c:\windows\system32\SetIEInstalledDate.exe
2009-01-15 18:04 103,936 a------- c:\windows\system32\SetDepNx.exe
2009-01-15 18:03 420,352 a------- c:\windows\system32\vbscript.dll
2009-01-15 18:03 72,704 a------- c:\windows\system32\admparse.dll
2009-01-15 18:03 71,680 a------- c:\windows\system32\iesetup.dll
2009-01-15 18:03 66,560 a------- c:\windows\system32\wextract.exe
2009-01-15 18:02 169,472 a------- c:\windows\system32\iexpress.exe
2009-01-15 18:01 34,304 a------- c:\windows\system32\imgutil.dll
2009-01-15 18:00 48,128 a------- c:\windows\system32\mshtmler.dll
2009-01-15 18:00 45,568 a------- c:\windows\system32\mshta.exe
2009-01-15 17:50 156,160 a------- c:\windows\system32\msls31.dll
2009-01-14 19:17 2,560 a------- c:\windows\_MSRSTRT.EXE
2009-01-13 14:27 51,200 a------- c:\windows\inf\infpub.dat
2009-01-06 06:33 3,751,995 a------- c:\windows\system32\GPhotos.scr
2008-12-19 19:17 1,714 a------- c:\users\samsung\appdata\roaming\SAS7_000.DAT
2008-11-20 13:40 2,828 a--sh--- c:\programdata\KGyGaAvL.sys
2008-11-20 13:40 2,828 a--sh--- c:\progra~2\KGyGaAvL.sys
2008-11-12 02:40 86,016 a------- c:\windows\inf\infstrng.dat
2008-11-12 02:40 86,016 a------- c:\windows\inf\infstor.dat
2008-08-15 23:04 8 a--shr-- c:\programdata\A71C9967F8.sys
2008-08-15 23:04 8 a--shr-- c:\progra~2\A71C9967F8.sys
2008-08-08 23:46 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-21 13:27 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2008-01-21 13:27 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2008-01-21 13:27 109,926 a------- c:\windows\inf\perflib\0804\perfi.dat
2008-01-21 13:27 109,926 a------- c:\windows\inf\perflib\0804\perfh.dat
2008-01-21 13:27 30,674 a------- c:\windows\inf\perflib\0804\perfd.dat
2008-01-21 13:27 30,674 a------- c:\windows\inf\perflib\0804\perfc.dat
2008-01-21 13:27 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2008-01-21 13:27 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2008-01-21 10:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 17:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 17:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 17:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 17:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 20:52:35.97 ===============
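Two things a helper would pull out of the log and report in this post: whether the same file name keeps coming back on a schedule (the `klite9[1]` hits land roughly an hour apart, which means something still running is re-fetching it, not a stale leftover being re-scanned), and which DLLs in the run keys, the shell execute hook and the "Created Last 30" list share the random-looking naming of the detected files. The Python below is an added example, not code from the post, from avast! or from DDS; the sample lines are copied from the post above, and the flagging rules (code in a temp folder, an 8-letter mixed-case name, a rundll32 run key that names its export by ordinal `#1`) are this example's own heuristics.

```python
import re
from collections import defaultdict
from datetime import datetime
from pathlib import PureWindowsPath

# Constructed sample: the avast! log viewer lines quoted in the post.
AVAST_LOG = r'''
2009/3/11 17:35:34 SYSTEM 1820 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Users\SAMSUNG\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VBW1C78S\klite9[1]" file.
2009/3/11 17:35:47 SYSTEM 1820 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Users\SAMSUNG\AppData\Local\Temp\tuvSiheE.dll" file.
2009/3/11 18:36:40 SYSTEM 1820 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Users\SAMSUNG\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VBW1C78S\klite9[1]" file.
2009/3/11 18:36:55 SYSTEM 1820 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Users\SAMSUNG\AppData\Local\Temp\pmnmligd.dll" file.
2009/3/11 19:37:15 SYSTEM 1820 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Users\SAMSUNG\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IL10GXEW\klite9[1]" file.
2009/3/11 19:37:40 SYSTEM 1820 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Users\SAMSUNG\AppData\Local\Temp\efcDSLbC.dll" file.
2009/3/11 20:38:11 SYSTEM 1820 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Users\SAMSUNG\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z31VIE1I\klite9[1]" file.
2009/3/11 20:38:21 SYSTEM 1820 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Users\SAMSUNG\AppData\Local\Temp\pmnkIYOF.dll" file.
'''

# Constructed sample: run keys, shell execute hooks and "Created Last 30"
# lines copied from the same post's DDS report (benign neighbours included).
DDS_SAMPLE = r'''
uRun: [ccleaner] "d:\program files\ccleaner\CCleaner.exe" /AUTO
uRun: [MSServer] rundll32.exe c:\users\samsung\appdata\local\temp\fcccdCvv.dll,#1
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [MSServer] rundll32.exe c:\windows\system32\rqrrPjJB.dll,#1
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\rqrrPjJB.dll
2009-03-11 09:04 38,912 a------- c:\windows\system32\khfEWOIA.dll
2009-03-11 07:48 38,912 a------- c:\windows\system32\rqrrPjJB.dll
2009-03-11 07:13 268,288 a------- c:\windows\system32\schannel.dll
'''

AVAST_RE = re.compile(r'^(?P<ts>\d{4}/\d{1,2}/\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \d+ '
                      r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.$')
DLL_RE = re.compile(r'[a-z]:\\[^,"]+?\.dll', re.I)   # a drive-rooted path ending in .dll
RANDOM_DLL = re.compile(r'^[a-z]{8}\.dll$', re.I)    # eight letters, nothing else
TEMP_MARKERS = ('\\temp\\', '\\temporary internet files\\')


def parse_avast(text):
    """Return [(datetime, signature, path)] for every detection line."""
    hits = []
    for line in text.splitlines():
        m = AVAST_RE.match(line.strip())
        if m:
            hits.append((datetime.strptime(m['ts'], '%Y/%m/%d %H:%M:%S'), m['sig'], m['path']))
    return hits


def recurring(hits, min_hits=3):
    """Map file name -> mean minutes between detections, for names seen min_hits
    or more times. A file that returns on a fixed period is being re-fetched by
    something still running; a stale leftover does not reappear on a clock."""
    times = defaultdict(list)
    for ts, _sig, path in hits:
        times[PureWindowsPath(path).name].append(ts)
    period = {}
    for name, seen in times.items():
        if len(seen) >= min_hits:
            seen.sort()
            gaps = [(b - a).total_seconds() / 60 for a, b in zip(seen, seen[1:])]
            period[name] = round(sum(gaps) / len(gaps), 1)
    return period


def why_suspicious(path):
    """Reason string if the path trips one of the assumed heuristics, else None."""
    low = path.lower()
    if any(marker in low for marker in TEMP_MARKERS):
        return 'code living in a temp folder'
    name = PureWindowsPath(path).name
    stem = name.rsplit('.', 1)[0]
    if RANDOM_DLL.match(name) and stem != stem.lower() and stem != stem.upper():
        return 'random-looking mixed-case 8-letter name'
    return None


def flag_dlls(dds_text):
    """Walk every line of a DDS report and return [(line_tag, dll_path, reason)]
    for each DLL path that trips a heuristic; the tag is the line's first token."""
    flagged = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        for dll in DLL_RE.findall(line):
            reason = why_suspicious(dll)
            if 'rundll32' in line.lower() and re.search(r',#\d+$', line):
                reason = (reason + '; ' if reason else '') + 'rundll32 run key names an export by ordinal'
            if reason:
                flagged.append((line.split()[0], dll, reason))
    return flagged


if __name__ == '__main__':
    hits = parse_avast(AVAST_LOG)
    for name, minutes in recurring(hits).items():
        print(f'{name}: re-detected every ~{minutes} min, something is still fetching it')
    for ts, _sig, path in hits:
        if why_suspicious(path):
            print(f'{ts:%H:%M:%S} {PureWindowsPath(path).name}: {why_suspicious(path)}')
    for tag, dll, reason in flag_dlls(DDS_SAMPLE):
        print(f'{tag:<11} {dll}: {reason}')
```

Run against the sample it reports `klite9[1]` at a period of about 61 minutes, the four Temp DLLs, and five DLL references worth removing: the two `MSServer` run keys, the SEH hook, and the two 8-letter DLLs dropped into system32 on the morning of 11 March. `schannel.dll`, created in the same batch of Windows Update files, is not flagged because its name is all lower case, which is the point of the mixed-case test: an 8-letter rule alone would be far too noisy.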


#2 KoanYorel
    Bleepin' Conundrum

  • Staff Emeritus
  • 19,461 posts
  • Gender: Male
  • Location: 65 miles due East of the "Logic Free Zone", in Md, USA

Posted 22 March 2009 - 10:44 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 cstockwell
  • Topic Starter
  • Members
  • 7 posts

Posted 23 March 2009 - 02:19 AM

Things are a lot better! I went to CNET download.com and downloaded 6 different malware, spyware, and virus destroyers. After using them I deleted most of them. Most important, my computer was cleaned.

I've added my DDS form just to have you guys check it out, to see if there is anything else I could be worried about.

I know this takes some time to look over, but I think you owe it to me because of how long you took to respond.

Thanks for the help, and I'll appreciate any advice.

Thanks!



DDS (Ver_09-03-16.01) - NTFSx86
Run by SAMSUNG at 14:42:27.02 on 2009/03/23 Mon
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_11
AV: avast! antivirus 4.8.1229 [VPS 081122-0] *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
D:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
D:\Program Files\Stardock\CursorFX\CursorFX.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
D:\Program Files\Hotspot Shield\bin\openvpnas.exe
D:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
D:\Program Files\Google\Picasa3\Picasa3.exe
C:\Windows\system32\SearchIndexer.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\SAMSUNG\DownloadsC\dds.com
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT1561552
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uURLSearchHooks: Hotspot Shield Toolbar: {c95a4e8e-816d-4655-8c79-d736da1adb6d} - c:\program files\hotspot_shield\tbHot1.dll
mURLSearchHooks: Hotspot Shield Toolbar: {c95a4e8e-816d-4655-8c79-d736da1adb6d} - c:\program files\hotspot_shield\tbHot1.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Hotspot Shield Toolbar: {c95a4e8e-816d-4655-8c79-d736da1adb6d} - c:\program files\hotspot_shield\tbHot1.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - d:\program files\hotspot shield\hssie\HssIE.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Anonymous Browsing: {72c9a221-fcfd-4e21-8c9f-e954a4f5c92f} - "d:\program files\anonymous browsing\ABToolbar.dll"
TB: Hotspot Shield Toolbar: {c95a4e8e-816d-4655-8c79-d736da1adb6d} - c:\program files\hotspot_shield\tbHot1.dll
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
uRun: [CursorFX] "d:\program files\stardock\cursorfx\CursorFX.exe"
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ccleaner] "d:\program files\ccleaner\CCleaner.exe" /AUTO
mRun: [avast!] d:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send image to Bluetooth device(&:thumbup2:... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Export to Microsoft Office Excel(&X) - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send page to Bluetooth device(&:)... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {308FAD37-8176-42F8-BB2C-983425728B52} = 202.106.0.20 219.149.194.55
TCP: {8E09393D-7E4D-4054-ACBF-A92C68DC43FD} = 10.55.160.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\samsung\appdata\roaming\mozilla\firefox\profiles\bqu6tg9x.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.speedbit.com/searchresults.asp?src=default&q=
FF - plugin: d:\program files\google\picasa3\npPicasa3.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin2.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin3.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin4.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin5.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin6.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-8 114768]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-3-18 108289]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-11-8 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2008-11-8 51792]
R2 HssSrv;Hotspot Shield Helper Service;d:\program files\hotspot shield\hsswpr\hsssrv.exe [2009-2-6 117208]
R2 KMDFMEMIO;SAMSUNG Kernel Driver;c:\windows\system32\drivers\KMDFMEMIO.sys [2008-8-8 13312]
R3 HssDrv;Hotspot Shield Helper Miniport;c:\windows\system32\drivers\hssdrv.sys [2009-3-21 31704]
R3 NETw5v32;Intel® Wireless WiFi Link adapter driver (for Windows Vista 32-bit);c:\windows\system32\drivers\NETw5v32.sys [2008-5-21 3663360]
R3 VMC302;Vimicro Camera Service VMC302;c:\windows\system32\drivers\vmc302.sys [2008-8-8 242560]
S4 ccosm;Contrl Center of Storm Media;c:\program files\stormii\stormliv.exe /asservice --> c:\program files\stormii\stormliv.exe [?]

=============== Created Last 30 ================

2009-03-21 01:41 <DIR> --d----- c:\program files\Conduit
2009-03-21 01:41 <DIR> --d----- c:\program files\Hotspot_Shield
2009-03-21 01:35 31,704 a------- c:\windows\system32\drivers\hssdrv.sys
2009-03-21 01:28 <DIR> --d----- c:\users\samsung\appdata\roaming\ABToolbar
2009-03-21 01:20 <DIR> --d----- c:\program files\GoTrusted.com
2009-03-19 14:09 <DIR> --d----- c:\users\samsung\appdata\roaming\Acreon
2009-03-18 21:48 43,520 a------- c:\windows\system32\CmdLineExt03.dll
2009-03-18 15:24 <DIR> --d--r-- c:\users\samsung\DownloadsC
2009-03-18 05:48 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-03-18 05:48 <DIR> --d----- c:\programdata\Avira
2009-03-18 05:48 <DIR> --d----- c:\program files\Avira
2009-03-18 05:48 <DIR> --d----- c:\progra~2\Avira
2009-03-18 05:43 <DIR> --d----- c:\programdata\avg8
2009-03-18 05:43 <DIR> --d----- c:\progra~2\avg8
2009-03-18 05:22 <DIR> --d----- c:\users\samsung\appdata\roaming\Malwarebytes
2009-03-18 05:22 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-18 05:22 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-18 05:22 <DIR> --d----- c:\programdata\Malwarebytes
2009-03-18 05:22 <DIR> --d----- c:\progra~2\Malwarebytes
2009-03-18 05:17 <DIR> --d----- c:\programdata\Spybot - Search & Destroy
2009-03-18 05:17 <DIR> --d----- c:\progra~2\Spybot - Search & Destroy
2009-03-18 05:07 827,392 a------- c:\windows\system32\wininet.dll
2009-03-18 05:07 1,383,424 a------- c:\windows\system32\mshtml.tlb
2009-03-17 21:59 131,072 a------- c:\windows\system32\Ikeext.etl
2009-03-17 19:56 <DIR> --d----- c:\programdata\Lavasoft
2009-03-17 19:39 <DIR> --d----- c:\program files\Trend Micro
2009-03-17 18:30 <DIR> --d----- c:\program files\VIEWGOOD
2009-03-14 14:39 118 a------- c:\windows\system32\MRT.INI
2009-03-11 07:13 7,680 a------- c:\windows\system32\spwmp.dll
2009-03-11 07:13 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-03-11 07:13 4,096 a------- c:\windows\system32\msdxm.ocx
2009-03-11 07:13 4,096 a------- c:\windows\system32\dxmasf.dll
2009-03-11 07:13 268,288 a------- c:\windows\system32\schannel.dll
2009-03-11 07:13 2,033,152 a------- c:\windows\system32\win32k.sys
2009-03-07 21:26 262 a------- c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2009-03-07 21:25 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-03-02 23:35 <DIR> --d----- C:\downloads
2009-03-02 23:32 <DIR> --d----- c:\users\samsung\appdata\roaming\LimeWire
2009-02-24 11:25 15,303 a------- c:\windows\W2BNEUnin.dat
2009-02-24 11:25 98,304 a------- c:\windows\W2BNEUnin.exe
2009-02-24 11:25 2,829 a------- c:\windows\W2BNEUnin.pif
2009-02-23 23:51 <DIR> --d----- c:\users\samsung\appdata\roaming\tor

==================== Find3M ====================

2009-03-23 13:45 317,520 a------- c:\windows\system32\prfh0804.dat
2009-03-23 13:45 101,082 a------- c:\windows\system32\prfc0804.dat
2009-03-23 13:41 177,449 a------- c:\programdata\nvModes.dat
2009-03-23 13:41 177,449 a------- c:\progra~2\nvModes.dat
2009-03-21 01:41 86,016 a------- c:\windows\inf\infstrng.dat
2009-03-21 01:41 51,200 a------- c:\windows\inf\infpub.dat
2009-03-21 01:41 86,016 a------- c:\windows\inf\infstor.dat
2009-03-17 16:52 6,027 a------- c:\windows\bthservsdp.dat
2009-02-06 05:06 51,792 a------- c:\windows\system32\drivers\aswMonFlt.sys
2009-01-14 19:17 2,560 a------- c:\windows\_MSRSTRT.EXE
2009-01-06 06:33 3,751,995 a------- c:\windows\system32\GPhotos.scr
2008-12-19 19:17 1,714 a------- c:\users\samsung\appdata\roaming\SAS7_000.DAT
2008-11-20 13:40 2,828 a--sh--- c:\programdata\KGyGaAvL.sys
2008-11-20 13:40 2,828 a--sh--- c:\progra~2\KGyGaAvL.sys
2008-08-15 23:04 8 a--shr-- c:\programdata\A71C9967F8.sys
2008-08-15 23:04 8 a--shr-- c:\progra~2\A71C9967F8.sys
2008-08-08 23:46 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-21 13:27 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2008-01-21 13:27 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2008-01-21 13:27 109,926 a------- c:\windows\inf\perflib\0804\perfi.dat
2008-01-21 13:27 109,926 a------- c:\windows\inf\perflib\0804\perfh.dat
2008-01-21 13:27 30,674 a------- c:\windows\inf\perflib\0804\perfd.dat
2008-01-21 13:27 30,674 a------- c:\windows\inf\perflib\0804\perfc.dat
2008-01-21 13:27 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2008-01-21 13:27 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2008-01-21 10:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 17:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 17:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 17:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 17:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 14:43:01.59 ===============

Attached Files



#4 Billy O'Neal (Malware Response Team; Visual C++ STL Maintainer; Redmond, Washington)

Posted 23 March 2009 - 04:12 PM

Hello, cstockwell

Things are a lot better! I went to CNET Download.com and downloaded 6 different malware, spyware, and virus destroyers. After using them I deleted most of them. Most important, my computer was cleaned.

Oh no it's not lol. After this step we'll fix stuff, I promise!

We need to create an OTListIt2 Report
  • Please download OTListIt2 from one of the following mirrors:
  • Save it to your desktop.
  • Double click the OTListIt2 icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
We need to scan for Rootkits with GMER
  • Please download GMER from one of the following mirrors:
  • Close any and all open programs, as this process may crash your computer.
  • Unzip the downloaded file to your desktop.
  • Double click gmer.exe on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see a window at this point asking whether you want to do a full scan. If you do, click No.
  • Click Scan and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Save and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.
In your next reply, please include the following:
  • OTListIt.txt
  • Extra.txt
  • GMER's Log

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#5 cstockwell (Topic Starter)

Posted 24 March 2009 - 09:58 AM

HAHA, it was funny to see "oh no it's not", I laughed.

I turned on the computer, started the internet, went into Yahoo email, saw a response, read through what I needed to do, downloaded both programs, started OTListIt2, worked fine, closed all programs, started GMER, started fine, clicked Start, ran for 30 seconds, crashed at \device\BTHmodem1, got the infamous Windows crashed BLUE SCREEN OF DEATH!!, restarted, didn't connect to the internet this time, started GMER, 30 secs crash at the same spot \device\BTHmodem1, restart, 30 secs crash same spot, restart, started Windows, wrote you a reply.

Thank you so much for your quick reply! I'm so happy to work through this with some pros!!

I've got 2/3 logs, I'm sorry I couldn't get that GMER one.

Now what??

Attached Files



#6 Billy O'Neal (Malware Response Team)

Posted 24 March 2009 - 02:13 PM

Hello, cstockwell
No problem :thumbup2: GMER is unequaled in being able to find stuff, but it can be very buggy sometimes. Give RootRepeal a shot instead.

We need to back up your registry
  • Please download ERUNT and save it to your desktop.
    (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
  • Install ERUNT by following the prompts
    (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
  • Start ERUNT
    (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  • Choose a location for the backup
    (the default location is C:\WINDOWS\ERDNT which is acceptable).
  • Make sure that at least the first two check boxes are ticked
  • Press OK
  • Press YES to create the folder.
We need to run an OTListIt2 Fix
  • Please reopen OTListIt2 on your desktop.
  • Copy and paste the following code into the Custom Scans/Fixes textbox. Do not include the word "Code".
    :otli
    FF - prefs.js..keyword.URL: "http://search.speedbit.com/searchresults.asp?src=default&q="
    O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - Reg Error: Key error. File not found
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - Reg Error: Key error. File not found
    O33 - MountPoints2\{bde19462-65c9-11dd-a746-001fe1fe4488}\Shell\AutoRun\command - "" = nhbivui.exe
    O33 - MountPoints2\{bde19462-65c9-11dd-a746-001fe1fe4488}\Shell\explore\Command - "" = nhbivui.exe
    O33 - MountPoints2\{bde19462-65c9-11dd-a746-001fe1fe4488}\Shell\open\Command - "" = nhbivui.exe
    O33 - MountPoints2\{e10de63a-e134-11dd-a12a-a95d61b9833a}\Shell\AutoRun\command - "" = wdsync.exe
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Interfaces\{8E09393D-7E4D-4054-ACBF-A92C68DC43FD}\\NameServer = 10.15.128.1
    :commands
    [EmptyTemp]
  • Push the Run Fix button.
  • OTLI2 may ask to reboot the machine. Please do so if asked.
  • Click OK.
  • A report will open. Copy and Paste that report in your next reply.
We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop:
  • Extract RootRepeal.exe from the zip archive.
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all six boxes.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 12.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u12-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

In your next reply, please include the following:
  • OTListIt2 Fix Log
  • RootRepeal Log

Billy3

#7 cstockwell (Topic Starter)

Posted 24 March 2009 - 08:18 PM

Registry backup...check
OTList fix...check (sent log)
RootRepeal...check (sent log)
Delete old, install new Java...check (I deleted Update 7 and Update 11; only these two programs seemed to be installed. I was looking for other names with Java in them, but found nothing. I found Update 13, but I only downloaded Update 12. Should I download Update 13 next time?)
New OT scan...check (sent log)

My explorer.exe crashed again because I right-clicked on a file on the desktop. This wasn't the first time. It would also crash on startup in the past. Just letting you know everything I can think of. $@#!$#@ computers!!

Thanks so much guys... I'll try a GMER scan again...

Attached Files



#8 cstockwell (Topic Starter)

Posted 25 March 2009 - 12:34 AM

Restarted in safe mode, ran GMER (sent log gmersafemode).

Restarted Windows in regular mode, ran GMER, but with only 'System' checked (sent log gmerSystem)
...same thing with only 'Sections' checked (sent log gmeSsections)
...same thing with only 'IAT/EAT' checked (sent log gmerIAT_EAT)
...same thing with only 'Devices' checked (sent log gmerDevices)
...Modules no change
...Processes no change
...Threads no change
...Libraries no change
...Services no change
...same thing with only 'Registry' checked (sent log gmerRegistry)
...Files no change

If I check everything, it crashes in 'Sections'.

Hope this helps.

And Java updated to 13 automatically...

Attached Files


Edited by cstockwell, 25 March 2009 - 12:37 AM.


#9 Billy O'Neal (Malware Response Team)

Posted 25 March 2009 - 07:49 PM

Hello, cstockwell

And Java updated to 13 automatically...

You still need to uninstall the old ones. 13 is the current version -- just came out. I need to update my instructions. Thanks for letting me know!

The problems with GMER appear to be caused by SPTD -- a component of Alcohol 120% and Daemon Tools. These are legit programs, but I thought you'd like to know what the issue was.

I would like us to use ESET (NOD32)'s Online Scanner
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use; tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
  • Click into the text area, right-click and choose "Select All" (or use <Control>+A)
  • Right-click again and choose "Copy" (or <Control>+C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista Users: ESET is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

In your next reply, please include the following:
  • ESET OnlineScan's Log

Billy3

#10 cstockwell (Topic Starter)

Posted 26 March 2009 - 02:31 AM

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3964 (20090326)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=7294ca4b2f7f664d86720c69a1acd1bd
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-03-26 07:23:18
# local_time=2009-03-26 03:23:18 )
# country="People's Republic of China"
# osver=6.0.6001 NT Service Pack 1
# scanned=349002
# found=0
# scan_time=3410

#11 Billy O'Neal (Malware Response Team)

Posted 26 March 2009 - 08:52 PM

Hello, cstockwell
Congratulations! You now appear clean! :thumbup2:

Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware


We Need to Clean Up Our Mess
  • Please reopen Posted Image on your desktop.
  • Push the large "Cleanup" button
  • Allow your system to reboot
Reset System Restore
Windows' "System Restore" feature can cause malware files to be cached and retained by your system. Resetting System Restore will clean these files from your system, and will allow you to use System Restore without fear of reinfection.
  • Go to Start -> Control Panel -> System and Maintenance -> System.
  • Select "System Protection" in the upper left hand corner.
  • Click the button marked "Create" in the bottom of the window.
  • Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Open Vista's Searchbox (on your start menu) and type in "cleanmgr.exe"
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up", and then "Delete" in the "System Restore and Shadow Copies" section to remove all previous restore points except the newly created one.
Note: You should only do this once, not on a regular basis!
You will not be able to restore computer to any earlier than today!

Recommendations
Below are some recommendations to lower your chances of (re)infection.
  • Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.
  • Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automatically if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
  • Install an Anti-Spyware program, and update it regularly
    Malwarebytes' Anti-Malware is an excellent anti-spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non-commercial home use, but provide resident protection and do not nag if you purchase the paid versions.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    If you are using Windows XP or earlier
    Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

    If you are using Windows Vista
    • Click the "Start Menu" (or Windows Orb)
    • Click "All Programs"
    • Click "Windows Update"
    • On the left, choose "Change Settings"
    • Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
    • Press OK and accept the UAC prompt.
      Note: You shouldn't need to check this checkbox every single time you update, only the first time.
    • Click "Check for Updates" in the upper left corner.
    • Follow the instructions to install the latest updates.
    • Reboot and repeat the "Check for Updates" until there are no more critical updates to install
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :).
Billy3

#12 cstockwell (Topic Starter)

Posted 27 March 2009 - 09:30 AM

I did everything on the list. It took an hour or so, but I did it.

I feel better to hear you say that things are OK now.

I thank you for your help. If there is anything I could do to help you out, let me know.

And I'll be back, as with all *bleep* computers...they suck!

#13 Billy O'Neal (Malware Response Team)

Posted 28 March 2009 - 02:52 PM

Hello, cstockwell

You're welcome :thumbup2:

Since this issue appears resolved, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.

Billy3



