
registry editor is disable and other stuff


8 replies to this topic

#1 golpher247

golpher247

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:50 PM

Posted 06 April 2009 - 09:21 PM

I hope I'm doing this right. I'm in over my head right now as I haven't had a virus in about 5 years and things are a lot different... yes, I do sound like an old man.

Here is my hijack this file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:06:43 PM, on 06/04/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\3361\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\WINDOWS\system32\afisicx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\dhcp\svchost.exe
C:\Program Files\SMART Technologies\SMART Board Drivers\SMARTBoardService.exe
C:\WINDOWS\system32\sopidkc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\tdctxte.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\DOCUME~1\User\LOCALS~1\Temp\1602416304.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ca.yahoo.com/?fr=fp-yie8
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/?fr=fp-yie8
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: C:\WINDOWS\system32\ds43g4nfjkn93.dll - {d5bf49a0-94f3-42bd-f434-3604812c8955} - C:\WINDOWS\system32\ds43g4nfjkn93.dll
O2 - BHO: (no name) - {fc97b92e-faa9-448c-9691-600b20f57fa7} - C:\WINDOWS\system32\rahupeke.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [vibatokopu] Rundll32.exe "C:\WINDOWS\system32\bahezido.dll",s
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKLM\..\Run: [f4e20da2] rundll32.exe "C:\WINDOWS\system32\redehifa.dll",b
O4 - HKLM\..\Run: [CPMf7d13e3e] Rundll32.exe "c:\windows\system32\lihujedo.dll",a
O4 - HKLM\..\Run: [svchost.exe] "C:\WINDOWS\system32\3361\svchost.exe"
O4 - HKLM\..\Run: [NIS] "C:\Program Files\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS\2454B0AB\16.0.0.125\InstStub.exe" /RELAUNCH /RUNONCE
O4 - HKLM\..\RunOnce: [svchost.exe] "C:\WINDOWS\system32\3361\svchost.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [Diagnostic Manager] C:\DOCUME~1\User\LOCALS~1\Temp\1602416304.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\User\reader_s.exe
O4 - HKLM\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\Documents and Settings\User\reader_s.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [services] C:\WINDOWS\services.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\71669742.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\f7x2q.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows Resurections] C:\WINDOWS\TEMP\f7x2q.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [svc] c:\program Files\ThunMail\testabd.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.3.1.15.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1160055694020
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://3dlifeplayer.dl.3dvia.com/player/in...l/installer.exe
O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} (CacheManager.CacheManagerCtrl) - http://www.candystand.com/assets/activex/v...acheManager.CAB
O20 - AppInit_DLLs: C:\WINDOWS\system32\lijuhidi.dll c:\windows\system32\lihujedo.dll,c:\progra~1\ThunMail\testabd.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\lihujedo.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\lihujedo.dll
O22 - SharedTaskScheduler: lkjf9873jhifjnsfi8w3fe - {D5BF49A0-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\ds43g4nfjkn93.dll
O23 - Service: afisicx Service (afisicx) - Unknown owner - C:\WINDOWS\system32\afisicx.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Dhcp server (dhcpsrv) - Unknown owner - C:\WINDOWS\dhcp\svchost.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: SMART Board Service - SMART Technologies - C:\Program Files\SMART Technologies\SMART Board Drivers\SMARTBoardService.exe
O23 - Service: SMART SNMP Agent Service - SMART Technologies Inc. - C:\Program Files\SMART Technologies\SMART Board Drivers\SMARTSNMPAgent.exe
O23 - Service: SMART Web Server - Unknown owner - C:\Program Files\SMART Technologies\SMART Board Drivers\WebServer.exe
O23 - Service: sopidkc Service (sopidkc) - Unknown owner - C:\WINDOWS\system32\sopidkc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: tdctxte Service (tdctxte) - Unknown owner - C:\WINDOWS\system32\tdctxte.exe

--
End of file - 10936 bytes

I hope this is all you need. Thanks in advance....



#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:50 AM

Posted 07 April 2009 - 08:21 AM

Hello golpher247,


Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

******************

Download Lop S&D
Lop S&D will only run on Windows XP and Windows Vista

You can find detailed instructions with visuals here

Double-click Lop S&D.exe

If you are using Windows Vista, right-click on LopSD.exe icon and select 'Run as administrator' to perform this scan.

Choose the language, then choose Option 1 (Search)
Wait till the end of the scan
Post the log which is created: (%SystemDrive%\lopR.txt)

******************

Please show hidden files and folders
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box at the top of the page:
    • C:\WINDOWS\System32\reader_s.exe
      C:\Documents and Settings\User\reader_s.exe
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
If VirScan.org server is too busy, please submit the file to VirusTotal instead.

Edited by SifuMike, 07 April 2009 - 08:23 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 golpher247

golpher247
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:50 PM

Posted 07 April 2009 - 04:08 PM

Hi there and thanks for the help.

Here is the result of Security check by screen 317:

Results of screen317's Security Check version 0.98.3
Windows XP Service Pack 2
Out of date service pack!!
``````````````````````````````
Antivirus/Firewall Check:
``````````````````````````````

Windows Firewall Disabled!
WindowsLiveOneCaresafetyscanner
ECHO is off.
``````````````````````````````
Anti-malware/Other Utilities Check:
``````````````````````````````

HijackThis 2.0.2
Java™ 6 Update 3
Java™ 6 Update 7
Out of date Java installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````

``````````````````````````````
DNS Vulnerability Check:
``````````````````````````````


Scan took seconds.
`````````End of Log```````````


I'll get on the next two things as soon as I put my kids to bed.

#4 golpher247

golpher247
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:50 PM

Posted 07 April 2009 - 04:42 PM

Here are my LOP S&D results:


--------------------\\ Lop S&D 4.2.5-0 XP/Vista

Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 2
X86-based PC ( Uniprocessor Free : Intel® Pentium® M processor 1500MHz )
BIOS : Phoenix FirstBIOS™ Notebook Pro Version 2.0 for IBM ThinkPad
USER : User ( Administrator )
BOOT : Normal boot
C:\ (Local Disk) - NTFS - Total:34 Go (Free:16 Go)
D:\ (CD or DVD)

"C:\Lop SD" ( MAJ : 19-12-2008|23:40 )
Option : [1] ( 07/04/2009|17:13 )

--------------------\\ Listing folders in APPLIC~1

[05/10/2006|08:41] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Microsoft
[23/03/2009|09:46] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Mozilla

[30/03/2009|10:12] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Adobe
[21/03/2008|12:47] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Apple
[21/03/2008|12:50] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Apple Computer
[23/03/2009|09:57] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Google
[13/05/2008|09:07] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Intuit
[11/02/2009|10:43] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Lavasoft
[24/03/2009|05:57] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Malwarebytes
[06/09/2008|11:08] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Microsoft
[07/04/2009|07:12] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Norton
[06/04/2009|06:02] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> NortonInstaller
[08/06/2008|09:30] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> SMART Technologies
[08/06/2008|09:58] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> SMART Technologies Inc
[22/03/2009|09:43] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Spybot - Search & Destroy
[22/03/2009|11:43] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> TEMP
[20/10/2008|09:08] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> TomTom
[05/10/2006|12:30] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Windows Genuine Advantage
[24/03/2009|09:18] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Yahoo! Companion

[05/10/2006|08:41] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Microsoft

[06/04/2009|05:35] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Adobe
[06/04/2009|05:40] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Macromedia
[05/10/2006|08:47] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Microsoft

[06/04/2009|08:27] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Adobe
[06/04/2009|08:27] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Macromedia
[05/10/2006|08:45] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Microsoft

[14/07/2008|01:38] C:\DOCUME~1\User\APPLIC~1\<DIR> Adobe
[06/04/2008|03:43] C:\DOCUME~1\User\APPLIC~1\<DIR> Apple Computer
[21/12/2007|11:24] C:\DOCUME~1\User\APPLIC~1\<DIR> DivX
[28/02/2008|09:40] C:\DOCUME~1\User\APPLIC~1\<DIR> FileMaker
[26/11/2007|10:14] C:\DOCUME~1\User\APPLIC~1\<DIR> FirstClass
[31/01/2009|11:12] C:\DOCUME~1\User\APPLIC~1\<DIR> Google
[27/11/2008|10:27] C:\DOCUME~1\User\APPLIC~1\<DIR> Help
[05/10/2006|08:49] C:\DOCUME~1\User\APPLIC~1\<DIR> Identities
[26/11/2007|10:14] C:\DOCUME~1\User\APPLIC~1\<DIR> InstallShield Installation Information
[20/12/2007|01:36] C:\DOCUME~1\User\APPLIC~1\<DIR> InterVideo
[13/05/2008|09:09] C:\DOCUME~1\User\APPLIC~1\<DIR> Intuit
[01/12/2007|02:56] C:\DOCUME~1\User\APPLIC~1\<DIR> Macromedia
[24/03/2009|05:58] C:\DOCUME~1\User\APPLIC~1\<DIR> Malwarebytes
[13/11/2008|11:31] C:\DOCUME~1\User\APPLIC~1\<DIR> Microsoft
[21/12/2008|10:37] C:\DOCUME~1\User\APPLIC~1\<DIR> Move Networks
[06/07/2008|08:42] C:\DOCUME~1\User\APPLIC~1\<DIR> Mozilla
[26/02/2008|11:28] C:\DOCUME~1\User\APPLIC~1\<DIR> SecondLife
[08/06/2008|09:36] C:\DOCUME~1\User\APPLIC~1\<DIR> SMART Technologies
[08/06/2008|09:05] C:\DOCUME~1\User\APPLIC~1\<DIR> SMART Technologies Inc
[26/12/2007|11:42] C:\DOCUME~1\User\APPLIC~1\<DIR> Sun
[20/10/2008|09:06] C:\DOCUME~1\User\APPLIC~1\<DIR> TomTom
[24/03/2009|09:18] C:\DOCUME~1\User\APPLIC~1\<DIR> Yahoo!
[19/04/2008|08:09] C:\DOCUME~1\User\APPLIC~1\<DIR> yoclient

--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[07/04/2009 05:10 PM][--ah-----] C:\WINDOWS\tasks\User_Feed_Synchronization-{D34D6001-4A87-469C-BF74-CC89C8CA9D78}.job
[05/10/2006 09:17 AM][--a------] C:\WINDOWS\tasks\BMMTask.job
[07/04/2009 12:16 PM][--ah-----] C:\WINDOWS\tasks\SA.DAT
[04/08/2004 08:00 AM][-r-h-----] C:\WINDOWS\tasks\desktop.ini

--------------------\\ Listing Folders in C:\Program Files

[30/03/2009|10:11] C:\Program Files\<DIR> Adobe
[23/03/2009|05:52] C:\Program Files\<DIR> Alwil Software
[05/10/2006|09:16] C:\Program Files\<DIR> Analog Devices
[05/10/2006|09:21] C:\Program Files\<DIR> ATI Technologies
[25/03/2009|11:37] C:\Program Files\<DIR> BitComet
[21/03/2008|12:49] C:\Program Files\<DIR> Bonjour
[05/04/2009|02:38] C:\Program Files\<DIR> Common Files
[05/10/2006|08:37] C:\Program Files\<DIR> ComPlus Applications
[21/12/2007|10:32] C:\Program Files\<DIR> DivX
[27/03/2008|09:11] C:\Program Files\<DIR> DupeEliminator
[06/06/2008|09:41] C:\Program Files\<DIR> Ezcomm mxWeb
[26/12/2007|08:36] C:\Program Files\<DIR> ffdshow
[28/02/2008|09:40] C:\Program Files\<DIR> FileMaker
[26/11/2007|10:14] C:\Program Files\<DIR> FirstClass
[15/08/2008|08:16] C:\Program Files\<DIR> FLVHosting
[09/03/2009|05:23] C:\Program Files\<DIR> Full Tilt Poker
[23/03/2009|09:56] C:\Program Files\<DIR> Google
[02/06/2008|08:49] C:\Program Files\<DIR> home4
[06/09/2008|10:57] C:\Program Files\<DIR> InstallShield Installation Information
[05/10/2006|09:19] C:\Program Files\<DIR> Intel
[05/04/2009|08:10] C:\Program Files\<DIR> Internet Explorer
[15/06/2007|10:13] C:\Program Files\<DIR> InterVideo
[11/02/2009|10:49] C:\Program Files\<DIR> iWin
[08/08/2008|11:29] C:\Program Files\<DIR> Java
[06/04/2009|08:56] C:\Program Files\<DIR> LanqiEngine
[05/10/2006|09:30] C:\Program Files\<DIR> ltmoh
[06/04/2008|08:36] C:\Program Files\<DIR> MediaMonkey
[13/08/2008|09:15] C:\Program Files\<DIR> Messenger
[09/11/2007|06:53] C:\Program Files\<DIR> Microsoft ActiveSync
[05/10/2006|08:41] C:\Program Files\<DIR> microsoft frontpage
[09/11/2007|06:53] C:\Program Files\<DIR> Microsoft Office
[05/10/2006|08:38] C:\Program Files\<DIR> Movie Maker
[05/04/2009|07:55] C:\Program Files\<DIR> Mozilla Firefox
[03/07/2008|07:55] C:\Program Files\<DIR> MSBuild
[05/10/2006|08:36] C:\Program Files\<DIR> MSN
[05/10/2006|08:36] C:\Program Files\<DIR> MSN Gaming Zone
[03/07/2008|07:48] C:\Program Files\<DIR> MSXML 6.0
[27/11/2008|10:51] C:\Program Files\<DIR> My Memory Book
[23/03/2009|09:53] C:\Program Files\<DIR> myfantasyleague
[05/10/2006|08:38] C:\Program Files\<DIR> NetMeeting
[07/04/2009|07:12] C:\Program Files\<DIR> NortonInstaller
[05/10/2006|08:39] C:\Program Files\<DIR> Online Services
[14/06/2007|04:12] C:\Program Files\<DIR> Outlook Express
[03/07/2008|08:05] C:\Program Files\<DIR> Paint.NET
[08/06/2008|07:18] C:\Program Files\<DIR> PartyGaming
[28/06/2008|12:40] C:\Program Files\<DIR> Quicken
[05/04/2008|11:48] C:\Program Files\<DIR> QuickTime
[11/02/2009|10:44] C:\Program Files\<DIR> RealArcade
[03/07/2008|07:54] C:\Program Files\<DIR> Reference Assemblies
[08/06/2008|09:35] C:\Program Files\<DIR> SMART Technologies
[02/04/2009|09:15] C:\Program Files\<DIR> SMART Technologies Inc
[22/03/2009|09:43] C:\Program Files\<DIR> Spybot - Search & Destroy
[22/03/2009|11:43] C:\Program Files\<DIR> Spyware Doctor
[05/10/2006|09:35] C:\Program Files\<DIR> Synaptics
[05/10/2006|09:35] C:\Program Files\<DIR> ThinkPad
[06/04/2009|08:43] C:\Program Files\<DIR> ThunMail
[26/03/2009|09:23] C:\Program Files\<DIR> TomTom HOME 2
[06/04/2009|10:03] C:\Program Files\<DIR> Trend Micro
[26/12/2007|08:34] C:\Program Files\<DIR> TVersity
[05/10/2006|08:49] C:\Program Files\<DIR> Uninstall Information
[29/07/2008|04:31] C:\Program Files\<DIR> Wills Kit
[31/03/2009|08:54] C:\Program Files\<DIR> Windows Live Safety Center
[02/04/2009|08:18] C:\Program Files\<DIR> Windows Live Safety CenterRebootActions
[09/11/2007|07:03] C:\Program Files\<DIR> Windows Media Connect 2
[09/11/2007|07:03] C:\Program Files\<DIR> Windows Media Player
[05/10/2006|08:36] C:\Program Files\<DIR> Windows NT
[05/10/2006|08:39] C:\Program Files\<DIR> WindowsUpdate
[05/10/2006|08:41] C:\Program Files\<DIR> xerox
[24/03/2009|09:18] C:\Program Files\<DIR> Yahoo!

--------------------\\ Listing Folders in C:\Program Files\Common Files

[30/03/2009|10:12] C:\Program Files\Common Files\<DIR> Adobe
[09/11/2007|06:53] C:\Program Files\Common Files\<DIR> DESIGNER
[13/11/2008|11:33] C:\Program Files\Common Files\<DIR> eSellerate
[05/10/2006|09:17] C:\Program Files\Common Files\<DIR> InstallShield
[26/12/2007|11:41] C:\Program Files\Common Files\<DIR> Java
[09/11/2007|06:53] C:\Program Files\Common Files\<DIR> Microsoft Shared
[05/10/2006|08:38] C:\Program Files\Common Files\<DIR> MSSoap
[28/02/2008|09:40] C:\Program Files\Common Files\<DIR> ODBC
[22/03/2009|11:43] C:\Program Files\Common Files\<DIR> PC Tools
[05/10/2006|08:38] C:\Program Files\Common Files\<DIR> Services
[08/06/2008|09:05] C:\Program Files\Common Files\<DIR> SMART Technologies
[02/04/2009|09:13] C:\Program Files\Common Files\<DIR> SMART Technologies Inc
[15/06/2007|10:11] C:\Program Files\Common Files\<DIR> Sonic Shared
[05/10/2006|04:27] C:\Program Files\Common Files\<DIR> SpeechEngines
[06/04/2009|09:41] C:\Program Files\Common Files\<DIR> Symantec Shared
[09/11/2007|06:53] C:\Program Files\Common Files\<DIR> System

--------------------\\ Process

( 65 Processes )

IEXPLORE.EXE ~ [PID:2488]
IEXPLORE.EXE ~ [PID:2772]
IEXPLORE.EXE ~ [PID:2696]
IEXPLORE.EXE ~ [PID:4232]
IEXPLORE.EXE ~ [PID:4240]
IEXPLORE.EXE ~ [PID:4444]
IEXPLORE.EXE ~ [PID:4592]
IEXPLORE.EXE ~ [PID:4928]
IEXPLORE.EXE ~ [PID:5372]
IEXPLORE.EXE ~ [PID:5952]
iexplore.exe ~ [PID:444]
iexplore.exe ~ [PID:4588]
IEXPLORE.EXE ~ [PID:5292]
IEXPLORE.EXE ~ [PID:5324]

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

C:\DOCUME~1\User\LOCALS~1\Temp\nsc1C.tmp
C:\DOCUME~1\User\LOCALS~1\Temp\nsuC.tmp
C:\DOCUME~1\User\Cookies\user@advertising[2].txt

--------------------\\ Searching within the Registry

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN


--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-07 17:29:06
Windows 5.1.2600 Service Pack 2 NTFS
detected NTDLL code modification:
ZwOpenFile
scanning hidden processes ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden files: 0

--------------------\\ Searching for other infections

--------------------\\ Cracks & Keygens ..

C:\DOCUME~1\User\Application Data\yoclient\rsrc\bundles\tiles\outdoors\structures\bundle\jettyedge_crack.raw
C:\DOCUME~1\User\Local Settings\Temp\Temporary Internet Files\Content.IE5\L5VV2I1Y\crackkills[1].gif


[F:2684][D:97]-> C:\DOCUME~1\User\LOCALS~1\Temp
[F:119][D:0]-> C:\DOCUME~1\User\Cookies
[F:2971][D:15]-> C:\DOCUME~1\User\LOCALS~1\TEMPOR~1\content.IE5

1 - "C:\Lop SD\LopR_1.txt" - 07/04/2009|17:37 - Option : [1]

--------------------\\ Scan completed at 17:37:31

#5 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:50 AM

Posted 07 April 2009 - 05:28 PM

Hi golpher247,


You forgot the most important scan - the VirScan report. :thumbup2:

Edited by SifuMike, 07 April 2009 - 05:28 PM.


#6 golpher247

golpher247
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:50 PM

Posted 07 April 2009 - 07:28 PM

Yup, I'm working on that. Whatever I have seems to have removed the "folder options" part of tools. It means that I can show all files.

If you have any suggestions then that would be great. I'm searching and I'll try to figure it out.

Thanks

#7 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:50 AM

Posted 07 April 2009 - 09:05 PM

I assume you are trying to see the hidden files. Try this:
Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders' and deselect (uncheck) 'hide protected operating system files (recommended)'.

then do the VirScan with the file I gave you and post the output

Edited by SifuMike, 07 April 2009 - 09:07 PM.


#8 golpher247

golpher247
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:50 PM

Posted 08 April 2009 - 07:16 AM

Unfortunately, that is one of my many problems. Under Tools, all I have are three options (I'm not in front of the computer right now to tell you all three, but I know one of them is synchronize something and another has something to do with network).

I would normally do the Run -> regedit method, but it says my editing has been disabled by the administrator... and I'm guessing that by administrator, they mean virus. I've searched and searched on the internet, but I can't seem to get rid of this inability to edit my registry.

On top of that, somehow my wireless card has gone by way of the dodo bird. It seems to be done as well. I'll have to reconfigure it I think.

I do have access to another computer so I can still download and work on the infected pc but I'm a little worried that the days may be numbered for my poor laptop.

You may be thinking that it isn't worth the trouble and I'd understand but if you are willing to offer suggestions and ideas then I'd be willing to do them.

Thanks in advance for your help.

#9 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:50 AM

Posted 08 April 2009 - 08:43 AM

Hi golpher247,

I am sorry to give you some very bad news. :thumbup2:

Your System is infected with Virut!!
Virut is a file infecting virus which is able to modify itself each and every time it runs. In addition, when it infects, sometimes it will destroy the file it tries to latch onto.
For these reasons, you really can't truly fix Virut. You will need to format/reinstall the operating system on this machine.

More information:
http://free.avg.com/66558

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus.


http://home.mcafee.com/VirusInfo/VirusProf...aspx?key=143034

W32/Virut.h is a polymorphic, entry point obscuring (EPO) file infector with IRC bot functionality. It can accept commands to download other malware on the compromised machine.
It appends to the end of the last section of executable (PE) files an encrypted copy of its code. The decryptor is polymorphic and can be located either:
Immediately before the encrypted code at the end of the last section
At the end of the code section of the infected host in 'slack-space' (assuming there is any)
At the original entry point of the host (overwriting the original host code)


Miekiemoes, an expert in malware removal and an MS-MVP, additionally has a blog post about Virut.

I suggest you start backing up all of your valuable data/documents/pictures/movies/songs/etc.
Do NOT back up any applications/installers and do NOT back up any .exe/.scr/.htm/.html/.xml/.zip/.rar files...
This is because these files may be infected as well. If you back them up and replace them afterwards, it will infect your computer again.

Read here for instructions on how to format and reinstall Windows:

http://web.mit.edu/ist/products/winxp/adva...all-format.html
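The appended-decryptor layout quoted in the reply above (an encrypted body added to the last section of a PE file, with the decryptor placed before it) leaves a pattern that can be screened for by reading the PE section table: an entry point that lands in the last section, or a last section that is both writable and executable. The following is an added example, not code from the thread or from any tool it mentions; the PE images are constructed inside the block and the finding strings are my own labels.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_sections(data):
    """Return (AddressOfEntryPoint, [(name, rva, extent, characteristics), ...])
    read from a PE image's headers. Raises ValueError on a non-PE input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                        # COFF file header (20 bytes)
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                            # optional header
    if struct.unpack_from("<H", data, opt)[0] not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    table = opt + size_opt                     # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize = struct.unpack_from("<III", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, vaddr, max(vsize, rawsize), chars))
    return entry_rva, sections


def entry_point_findings(data):
    """Heuristic flags for the 'decryptor in the last section' layout."""
    entry_rva, sections = parse_sections(data)
    findings = []
    holder = next((s for s in sections if s[1] <= entry_rva < s[1] + s[2]), None)
    if holder is None:
        return ["entry point outside any section"]
    last = sections[-1]
    if holder is last and len(sections) > 1:
        findings.append("entry point in last section")
    if not holder[3] & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry point in non-executable section")
    if last[3] & IMAGE_SCN_MEM_EXECUTE and last[3] & IMAGE_SCN_MEM_WRITE:
        findings.append("last section is writable and executable")
    return findings


def build_sample_pe(entry_rva, sections):
    """Constructed, headers-only PE32 image for the demonstration (no real code)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)               # AddressOfEntryPoint
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, vsize, 0, 0, 0, 0, 0, chars)
        for name, vaddr, vsize, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed samples: a normal layout, and one whose entry point lands in a
# writable+executable last section, the way an appended decryptor would.
CODE = IMAGE_SCN_MEM_EXECUTE | 0x40000000 | 0x20             # exec | read | code
DATA = IMAGE_SCN_MEM_WRITE | 0x40000000 | 0x40               # write | read | idata
CLEAN_PE = build_sample_pe(0x1100, [(b".text", 0x1000, 0x2000, CODE),
                                    (b".data", 0x3000, 0x1000, DATA)])
SUSPECT_PE = build_sample_pe(0x5200, [(b".text", 0x1000, 0x2000, CODE),
                                      (b".data", 0x3000, 0x1000, DATA),
                                      (b".rsrc", 0x4000, 0x1800, CODE | IMAGE_SCN_MEM_WRITE)])

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_PE), ("suspect", SUSPECT_PE)):
        print(label, entry_point_findings(image) or ["no findings"])
```

The check covers only the first of the three decryptor locations listed in the reply; the slack-space and overwritten-entry-point variants leave the entry point inside the original code section, which is part of why the reply recommends a reinstall rather than cleaning.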



