
Stumped by a redirector.


  • This topic is locked
17 replies to this topic

#1 J2FcM

J2FcM

  • Members
  • 55 posts
  • OFFLINE
  • Local time:12:44 PM

Posted 21 April 2009 - 01:32 PM

One day I freaked out because a new Combichrist album was available, and I needed CD burning software fast... I blindly clicked on the .exe from hell; by the time I snapped into reality, the damage was done.
My google searches are all redirected, and several other sites are redirected as well (generally stuff that opens in separate tabs is now redirected).

My NOD32 scan came up with this:
C:\Program Files\AIM\Sysfiles\WxBug.EXE »WISE »MiniBugTransporter.dll - Win32/Adware.WBug.A application
C:\RECYCLER\S-1-5-21-1078081533-1580436667-725345543-1003\Dc1.EXE »WISE »MiniBugTransporter.dll - Win32/Adware.WBug.A application
C:\System Volume Information\_restore{172D666C-4939-4C2A-9D51-721D38C66F40}\RP1549\A0464861.exe »NSIS »switch.exe - a variant of Win32/TrojanDownloader.IstBar trojan

DDS.txt log

DDS (Ver_09-03-16.01) - NTFSx86
Run by Jeffrey at 11:09:17.52 on Tue 04/21/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2367 [GMT -7:00]

AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Outdated)

============== Running Processes ===============

F:\WINDOWS\System32\Ati2evxx.exe
F:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
F:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\RTHDCPL.EXE
F:\WINDOWS\SOUNDMAN.EXE
F:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
F:\Program Files\Eset\nod32kui.exe
F:\Program Files\Java\jre6\bin\jusched.exe
F:\games\steam\steam.exe
F:\Program Files\DAEMON Tools Lite\daemon.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Messenger\msmsgs.exe
F:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
F:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
F:\Program Files\Java\jre6\bin\jqs.exe
F:\Program Files\Eset\nod32krn.exe
F:\WINDOWS\System32\svchost.exe -k imgsvc
F:\WINDOWS\system32\wscntfy.exe
C:\Program Files\firefox.exe
F:\Program Files\MetaTrader - Alpari (US)\terminal.exe
F:\PROGRA~1\SSI\SYSENF~1.EXE
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Vuze\Azureus.exe
F:\Documents and Settings\Jeffrey\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - f:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - f:\program files\avg\avg8\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - f:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - f:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Steam] "f:\games\steam\steam.exe" -silent
uRun: [DAEMON Tools Lite] "f:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [ctfmon.exe] f:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "f:\program files\messenger\msmsgs.exe" /background
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [GEST]
mRun: [JMB36X IDE Setup] f:\windows\raidtool\xInsIDE.exe
mRun: [36X Raid Configurer] f:\windows\system32\xRaidSetup.exe boot
mRun: [StartCCC] "f:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Adobe Reader Speed Launcher] "f:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [nod32kui] "f:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [SunJavaUpdateSched] "f:\program files\java\jre6\bin\jusched.exe"
mRun: [SSI] f:\program files\ssi\ssi /s
IE: Add to Google Photos Screensa&ver - f:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - f:\program files\messenger\msmsgs.exe
LSP: f:\windows\system32\imon.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab?e=1239601532081&h=6ed5f99e3aeed2ae4453cd26c35c9a67/&filename=jinstall-6u13-windows-i586-jc.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 85.255.112.180,85.255.112.173
TCP: {3D25BAC2-6119-4418-8488-6E33D6C6014D} = 85.255.112.180,85.255.112.173
TCP: {E2AD6550-9150-47FB-A032-262153ECE564} = 85.255.112.180,85.255.112.173
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Notify: AtiExtEvent - Ati2evxx.dll
Notify: RelevantKnowledge - f:\program files\relevantknowledge\rlls.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - f:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 nod32drv;nod32drv;f:\windows\system32\drivers\nod32drv.sys [2009-3-8 15424]
R2 GEST Service;GEST Service for program management.;f:\program files\gigabyte\energysaver\GSvr.exe [2008-12-25 68136]
R2 NOD32krn;NOD32 Kernel Service;f:\program files\eset\nod32krn.exe [2009-3-8 552064]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;f:\windows\system32\drivers\AtiHdmi.sys [2008-12-25 89600]

=============== Created Last 30 ================

2009-04-21 09:14 1,081,616 a------- f:\windows\system32\Mscomctl.ocx
2009-04-21 09:14 662,288 a------- f:\windows\system32\mscomct2.ocx
2009-04-21 09:14 159,744 a------- f:\windows\system32\hasher.dll
2009-04-21 09:14 140,288 a------- f:\windows\system32\Comdlg32.ocx
2009-04-21 09:14 <DIR> --d----- f:\program files\SSI
2009-04-19 18:44 9,200 -------- f:\windows\system32\drivers\cdralw2k.sys
2009-04-19 18:44 9,072 -------- f:\windows\system32\drivers\cdr4_xp.sys
2009-04-19 18:44 <DIR> --d----- f:\windows\system32\IOSUBSYS
2009-04-19 02:16 <DIR> --d----- f:\program files\common files\CyberLink
2009-04-19 02:16 29,480 a------- f:\windows\system32\msxml3a.dll
2009-04-19 01:24 0 a------- f:\windows\iPlayer.INI
2009-04-19 01:24 <DIR> --d----- f:\program files\InterActual
2009-04-13 19:07 0 a------- f:\windows\system32\commonpriv.log.lock
2009-04-13 19:05 <DIR> --d----- f:\program files\AVG
2009-04-13 19:05 <DIR> --d----- f:\docume~1\alluse~1\applic~1\avg8
2009-04-12 22:44 410,984 a------- f:\windows\system32\deploytk.dll
2009-04-12 22:44 73,728 a------- f:\windows\system32\javacpl.cpl
2009-04-12 21:28 <DIR> --d----- f:\docume~1\jeffrey\applic~1\NBC Direct
2009-04-12 21:28 <DIR> --d----- f:\docume~1\jeffrey\applic~1\IDM
2009-04-12 21:28 <DIR> --d----- f:\program files\Pando Networks
2009-04-12 21:28 <DIR> a-d----- f:\program files\NBC Direct
2009-04-12 21:28 <DIR> --d----- f:\docume~1\alluse~1\applic~1\NBC Direct
2009-03-31 22:45 <DIR> --d----- f:\windows\system32\KB905474

==================== Find3M ====================

2009-04-21 08:38 16,608 a------- f:\windows\gdrv.sys
2009-03-08 21:15 512,096 a------- f:\windows\system32\drivers\amon.sys
2009-03-08 21:15 298,104 a------- f:\windows\system32\imon.dll
2009-03-08 21:15 15,424 a------- f:\windows\system32\drivers\nod32drv.sys
2009-02-09 04:13 1,846,784 a------- f:\windows\system32\win32k.sys
2009-01-11 16:57 32,768 a--sh--- f:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122920090105\index.dat
2009-01-11 16:57 32,768 a--sh--- f:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009011120090112\index.dat

============= FINISH: 11:09:29.39 ===============


GooredFix option 1(no fix) Log

GooredFix v1.92 by jpshortstuff
Log created at 11:30 on 21/04/2009 running Option #1 (Jeffrey)
Firefox version 3.0.8 (en-US)

=====Suspect Goored Entries=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Plugins"="C:\Program Files\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Components"="C:\Program Files\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="F:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{6E19037A-12E3-4295-8915-ED48BC341614}"="F:\Program Files\RelevantKnowledge"

Thanks for any advice or help!


#2 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • OFFLINE
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:03:44 PM

Posted 04 May 2009 - 11:16 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 J2FcM

J2FcM
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  • Local time:12:44 PM

Posted 06 May 2009 - 07:38 PM

The update -
Computer continues to redirect my google searches, and prevent certain types of links on webpages from being followed. Also, slight abundance of pop ups.

DDS (Ver_09-03-16.01) - NTFSx86
Run by Jeffrey at 17:34:03.48 on Wed 05/06/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2402 [GMT -7:00]

AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated)

============== Running Processes ===============

F:\WINDOWS\System32\Ati2evxx.exe
F:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
F:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\RTHDCPL.EXE
F:\WINDOWS\SOUNDMAN.EXE
F:\Program Files\Eset\nod32kui.exe
F:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
F:\Program Files\Java\jre6\bin\jusched.exe
F:\games\steam\steam.exe
F:\Program Files\DAEMON Tools Lite\daemon.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Messenger\msmsgs.exe
F:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
F:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
F:\Program Files\Java\jre6\bin\jqs.exe
F:\Program Files\Eset\nod32krn.exe
F:\WINDOWS\System32\svchost.exe -k imgsvc
F:\PROGRA~1\SSI\SYSENF~1.EXE
F:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Ventrilo\Ventrilo.exe
F:\Program Files\Vuze\Azureus.exe
F:\Documents and Settings\Jeffrey\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - f:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - f:\program files\avg\avg8\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - f:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - f:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Steam] "f:\games\steam\steam.exe" -silent
uRun: [DAEMON Tools Lite] "f:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [ctfmon.exe] f:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "f:\program files\messenger\msmsgs.exe" /background
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [GEST]
mRun: [JMB36X IDE Setup] f:\windows\raidtool\xInsIDE.exe
mRun: [36X Raid Configurer] f:\windows\system32\xRaidSetup.exe boot
mRun: [StartCCC] "f:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [nod32kui] "f:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [SunJavaUpdateSched] "f:\program files\java\jre6\bin\jusched.exe"
mRun: [SSI] f:\program files\ssi\ssi /s
mRun: [Adobe Reader Speed Launcher] "f:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
IE: Add to Google Photos Screensa&ver - f:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - f:\program files\messenger\msmsgs.exe
LSP: f:\windows\system32\imon.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab?e=1239601532081&h=6ed5f99e3aeed2ae4453cd26c35c9a67/&filename=jinstall-6u13-windows-i586-jc.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 85.255.112.180,85.255.112.173
TCP: {3D25BAC2-6119-4418-8488-6E33D6C6014D} = 85.255.112.180,85.255.112.173
TCP: {E2AD6550-9150-47FB-A032-262153ECE564} = 85.255.112.180,85.255.112.173
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Notify: AtiExtEvent - Ati2evxx.dll
Notify: RelevantKnowledge - f:\program files\relevantknowledge\rlls.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - f:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 nod32drv;nod32drv;f:\windows\system32\drivers\nod32drv.sys [2009-3-8 15424]
R2 GEST Service;GEST Service for program management.;f:\program files\gigabyte\energysaver\GSvr.exe [2008-12-25 68136]
R2 NOD32krn;NOD32 Kernel Service;f:\program files\eset\nod32krn.exe [2009-3-8 552064]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;f:\windows\system32\drivers\AtiHdmi.sys [2008-12-25 89600]

=============== Created Last 30 ================

2009-04-21 09:14 1,081,616 a------- f:\windows\system32\Mscomctl.ocx
2009-04-21 09:14 662,288 a------- f:\windows\system32\mscomct2.ocx
2009-04-21 09:14 159,744 a------- f:\windows\system32\hasher.dll
2009-04-21 09:14 140,288 a------- f:\windows\system32\Comdlg32.ocx
2009-04-21 09:14 <DIR> --d----- f:\program files\SSI
2009-04-19 18:44 9,200 -------- f:\windows\system32\drivers\cdralw2k.sys
2009-04-19 18:44 9,072 -------- f:\windows\system32\drivers\cdr4_xp.sys
2009-04-19 18:44 <DIR> --d----- f:\windows\system32\IOSUBSYS
2009-04-19 02:16 <DIR> --d----- f:\program files\common files\CyberLink
2009-04-19 02:16 29,480 a------- f:\windows\system32\msxml3a.dll
2009-04-19 01:24 0 a------- f:\windows\iPlayer.INI
2009-04-19 01:24 <DIR> --d----- f:\program files\InterActual
2009-04-13 19:07 0 a------- f:\windows\system32\commonpriv.log.lock
2009-04-13 19:05 <DIR> --d----- f:\program files\AVG
2009-04-13 19:05 <DIR> --d----- f:\docume~1\alluse~1\applic~1\avg8
2009-04-12 22:44 410,984 a------- f:\windows\system32\deploytk.dll
2009-04-12 22:44 73,728 a------- f:\windows\system32\javacpl.cpl
2009-04-12 21:28 <DIR> --d----- f:\docume~1\jeffrey\applic~1\NBC Direct
2009-04-12 21:28 <DIR> --d----- f:\docume~1\jeffrey\applic~1\IDM
2009-04-12 21:28 <DIR> --d----- f:\program files\Pando Networks
2009-04-12 21:28 <DIR> a-d----- f:\program files\NBC Direct
2009-04-12 21:28 <DIR> --d----- f:\docume~1\alluse~1\applic~1\NBC Direct

==================== Find3M ====================

2009-05-06 13:05 16,608 a------- f:\windows\gdrv.sys
2009-03-08 21:15 512,096 a------- f:\windows\system32\drivers\amon.sys
2009-03-08 21:15 298,104 a------- f:\windows\system32\imon.dll
2009-03-08 21:15 15,424 a------- f:\windows\system32\drivers\nod32drv.sys
2009-02-09 04:13 1,846,784 a------- f:\windows\system32\win32k.sys
2009-01-11 16:57 32,768 a--sh--- f:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122920090105\index.dat
2009-01-11 16:57 32,768 a--sh--- f:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009011120090112\index.dat

============= FINISH: 17:34:16.90 ===============



#4 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:02:44 PM

Posted 07 May 2009 - 06:44 PM

Hi J2FcM,

Step1
  • Please download Flash_Disinfector and save it to your desktop.
  • Double click to run it.
  • You will be prompted to plug in your flash drive. Remember to plug in the flash drive to disinfect as well.
  • Flash_Disinfector will start disinfecting your flash and hard drives. This takes a few seconds. Your desktop will disappear in the meantime.
  • When done, a message box will appear. Click OK. Your desktop should now appear. If it doesn't, press Ctrl + Shift + Esc to open Task Manager.
  • Click on File > New Task (Run...). Type in explorer.exe and press Enter. Your desktop should now appear.


Step2

Please download Malwarebytes' Anti-Malware from Here or Here
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM, or you can find it here:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • You can refer to this tutorial
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Then, unplug the internet access, flush your DNS, and try to Obtain a DNS address automatically. After that, what I'd like you to do is a hard reset with your router if you have one. Leave it on, and there should be a little pinhole in the back of the unit. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds). Then change your admin login and password; make it a strong password. You may also want to ask your ISP for help in case there are custom settings that need to be maintained. When done, try to get internet and tell me how it goes.
Step3
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)


In your next reply, please post back:

1. MBAM log
2. RSIT log.txt and info.txt. Thanks.
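The "TCP: NameServer" lines in the DDS log of the first post and the DNS clean-up asked for above (flush DNS, obtain a DNS address automatically, reset the router) both come down to two registry values per interface: NameServer, a static list that overrides whatever DHCP supplies, and DhcpNameServer, the resolvers the lease handed out. The Python script below is an added example and not code from this thread, DDS, MBAM or BleepingComputer. It parses DDS-style TCP: lines, flags the two resolver addresses every log in this thread points at, and infers from a NameServer/DhcpNameServer pair whether the host-side pin, the DHCP lease, or both need fixing. The sample lines, the 192.168.1.1 interface, the trusted set and the KNOWN_ROGUE_DNS set are constructed from this thread's logs; on a real machine the trusted set is whatever the owner actually configured.

```python
"""Triage of the DNS resolver settings that DDS ("TCP:" lines) and MBAM
("Registry Data Items") report in this thread. Added example; not code from
the thread, DDS, MBAM or BleepingComputer. Runs offline on constructed input."""
import re
from typing import Dict, Iterable, List, Tuple

# Constructed from the thread: the two resolvers that every TCP: line in the
# DDS logs and every Trojan.DNSChanger item in the MBAM log points at.
KNOWN_ROGUE_DNS = frozenset({"85.255.112.180", "85.255.112.173"})

# DDS prints the machine-wide Tcpip\Parameters\NameServer as
# "TCP: NameServer = ..." and each interface's value as "TCP: {GUID} = ...".
_TCP_LINE = re.compile(r"^TCP:\s*(NameServer|\{[0-9A-Fa-f-]{36}\})\s*=\s*(.*)$")
_SEP = re.compile(r"[,\s]+")


def parse_dds_tcp_lines(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map each scope ("NameServer" = global static list, or an interface
    GUID) to the resolver addresses DDS found in it."""
    scopes: Dict[str, List[str]] = {}
    for line in lines:
        m = _TCP_LINE.match(line.strip())
        if not m:
            continue
        scope, value = m.group(1), m.group(2).strip()
        scopes[scope] = [ip for ip in _SEP.split(value) if ip]
    return scopes


def verdict(ip: str, trusted: frozenset) -> str:
    """'rogue' for a listed indicator, 'unexpected' for a resolver the owner
    never configured, 'expected' otherwise."""
    if ip in KNOWN_ROGUE_DNS:
        return "rogue"
    if ip not in trusted:
        return "unexpected"
    return "expected"


def triage_dds(lines: Iterable[str], trusted: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (scope, ip, verdict) triples. A rogue value in the global
    NameServer scope overrides DHCP on every interface, so one entry there
    is enough to redirect all lookups."""
    trusted_set = frozenset(trusted)
    return [(scope, ip, verdict(ip, trusted_set))
            for scope, ips in parse_dds_tcp_lines(lines).items()
            for ip in ips]


def dns_source(name_server: str, dhcp_name_server: str) -> str:
    """Infer where a rogue resolver came from, given the two per-interface
    registry values MBAM reported. A rogue DhcpNameServer means the DHCP
    server (usually the home router) handed it out or malware rewrote the
    key; clearing only the static value will not hold in that case."""
    static = set(_SEP.split(name_server)) - {""}
    dhcp = set(_SEP.split(dhcp_name_server)) - {""}
    static_rogue = bool(static & KNOWN_ROGUE_DNS)
    dhcp_rogue = bool(dhcp & KNOWN_ROGUE_DNS)
    if static_rogue and dhcp_rogue:
        return "static and dhcp"   # fix the host pin and the router/lease
    if static_rogue:
        return "static"            # host-side pin; "obtain automatically" clears it
    if dhcp_rogue:
        return "dhcp"              # lease carries rogue DNS; reset the router
    return "clean"


# Constructed sample: the three TCP: lines from the first post's DDS log plus
# one invented, clean interface using the router as resolver.
SAMPLE_DDS = [
    "TCP: NameServer = 85.255.112.180,85.255.112.173",
    "TCP: {3D25BAC2-6119-4418-8488-6E33D6C6014D} = 85.255.112.180,85.255.112.173",
    "TCP: {E2AD6550-9150-47FB-A032-262153ECE564} = 85.255.112.180,85.255.112.173",
    "TCP: {00000000-0000-0000-0000-000000000000} = 192.168.1.1",
]

if __name__ == "__main__":
    for scope, ip, v in triage_dds(SAMPLE_DDS, {"192.168.1.1"}):
        print(f"{scope:40} {ip:16} {v}")
    # Modelled on the MBAM items for interface {e2ad6550-...}: both values rogue.
    print(dns_source("85.255.112.180,85.255.112.173", "85.255.112.180,85.255.112.173"))
```

In the MBAM log later in this thread the DhcpNameServer of interface {e2ad6550-...} held the same rogue pair as the static NameServer, which is the "static and dhcp" case: the host pin alone does not explain it, and the lease, hence the router, is a suspect too. That is the situation sundavis's router reset and admin-password change are meant to cover.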

#5 J2FcM

J2FcM
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  • Local time:12:44 PM

Posted 09 May 2009 - 12:27 PM

The Flash Disinfector seems to work and work quickly...

For reasons I have been unable to identify, once Malwarebytes' Anti-Malware is installed, it will not run. Double clicking the .exe to start it up just turns the mouse into a loading icon for a split second, then nothing happens. No error message or anything occurs.

#6 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:02:44 PM

Posted 09 May 2009 - 12:46 PM

Hi J2FcM,


Please do as per my instruction via PM. If you can't update it automatically, please download the virus definitions and install it manually.

http://www.gt500.org/malwarebytes/database.jsp

#7 J2FcM

J2FcM
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  • Local time:12:44 PM

Posted 09 May 2009 - 01:57 PM

MBAM log

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

5/9/2009 10:55:38 AM
mbam-log-2009-05-09 (10-55-38).txt

Scan type: Quick Scan
Objects scanned: 81713
Time elapsed: 7 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 12
Folders Infected: 3
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
F:\Program Files\RelevantKnowledge\rlls.dll (Spyware.Marketscore) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\relevantknowledge (Spyware.Marketscore) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831} (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.180,85.255.112.173 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3d25bac2-6119-4418-8488-6e33d6c6014d}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.180,85.255.112.173 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e2ad6550-9150-47fb-a032-262153ece564}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.180,85.255.112.173 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e2ad6550-9150-47fb-a032-262153ece564}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.180,85.255.112.173 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.180,85.255.112.173 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3d25bac2-6119-4418-8488-6e33d6c6014d}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.180,85.255.112.173 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{e2ad6550-9150-47fb-a032-262153ece564}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.180,85.255.112.173 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{e2ad6550-9150-47fb-a032-262153ece564}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.180,85.255.112.173 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.180,85.255.112.173 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{3d25bac2-6119-4418-8488-6e33d6c6014d}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.180,85.255.112.173 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{e2ad6550-9150-47fb-a032-262153ece564}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.180,85.255.112.173 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{e2ad6550-9150-47fb-a032-262153ece564}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.180,85.255.112.173 -> Quarantined and deleted successfully.

Folders Infected:
F:\Documents and Settings\All Users\Start Menu\Programs\RelevantKnowledge (Spyware.Marketscore) -> Quarantined and deleted successfully.
F:\Program Files\RelevantKnowledge (Spyware.Marketscore) -> Delete on reboot.
F:\Program Files\RelevantKnowledge\components (Spyware.Marketscore) -> Quarantined and deleted successfully.

Files Infected:
F:\Documents and Settings\All Users\Start Menu\Programs\RelevantKnowledge\About RelevantKnowledge.lnk (Spyware.Marketscore) -> Quarantined and deleted successfully.
F:\Documents and Settings\All Users\Start Menu\Programs\RelevantKnowledge\Privacy Policy and User License Agreement.lnk (Spyware.Marketscore) -> Quarantined and deleted successfully.
F:\Documents and Settings\All Users\Start Menu\Programs\RelevantKnowledge\Support.lnk (Spyware.Marketscore) -> Quarantined and deleted successfully.
F:\Documents and Settings\All Users\Start Menu\Programs\RelevantKnowledge\Uninstall Instructions.lnk (Spyware.Marketscore) -> Quarantined and deleted successfully.
F:\Program Files\RelevantKnowledge\chrome.manifest (Spyware.Marketscore) -> Quarantined and deleted successfully.
F:\Program Files\RelevantKnowledge\install.rdf (Spyware.Marketscore) -> Quarantined and deleted successfully.
F:\Program Files\RelevantKnowledge\rlls.dll (Spyware.Marketscore) -> Delete on reboot.
F:\Program Files\RelevantKnowledge\rloci.bin (Spyware.Marketscore) -> Quarantined and deleted successfully.
F:\Program Files\RelevantKnowledge\rlph.dll (Spyware.Marketscore) -> Quarantined and deleted successfully.
F:\Program Files\RelevantKnowledge\rlservice.exe (Spyware.Marketscore) -> Quarantined and deleted successfully.
F:\Program Files\RelevantKnowledge\rlxf.dll (Spyware.Marketscore) -> Quarantined and deleted successfully.
F:\Program Files\RelevantKnowledge\components\rlxg.dll (Spyware.Marketscore) -> Quarantined and deleted successfully.


info.txt log


info.txt logfile of random's system information tool 1.06 2009-05-09 11:54:20

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 F:\WINDOWS\INF\PCHealth.inf
Acrobat.com-->F:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe -uninstall com.adobe.mauby 4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
Acrobat.com-->MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07}
Adobe AIR-->F:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{00203668-8170-44A0-BE44-B632FA4D780F}
Adobe Flash Player 10 ActiveX-->F:\WINDOWS\System32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->F:\WINDOWS\System32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 9.1-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A91000000001}
ATI - Software Uninstall Utility-->F:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI AVIVO Codecs-->MsiExec.exe /I{89DE67AD-08B8-4699-A55D-CA5C0AF82BF3}
ATI Catalyst Control Center-->RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{055EE59D-217B-43A7-ABFF-507B966405D8}\setup.exe" -l0x0
ATI Display Driver-->rundll32 F:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
ATI HYDRAVISION-->RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{3EA9D975-BFDC-4E8E-B88B-0446FBC8CA66}\setup.exe"
ATI Parental Control & Encoder-->MsiExec.exe /I{36CDA33B-909B-4719-97D1-C4B99309BDC7}
ATI Problem Report Wizard-->MsiExec.exe /X{5DA6F06A-B389-407B-BF8C-1548767914D8}
Catalyst Control Center - Branding-->MsiExec.exe /I{FA3A247D-437A-455E-A88F-7EB6E5F9E799}
Critical Update for Windows Media Player 11 (KB959772)-->"F:\WINDOWS\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"
Energy Saver Advance B8.1015.1-->RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{7ED169D4-5053-4166-93DF-53B12AE6C539}\setup.exe" -l0x9 -removeonly
Fallout 3-->RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{974C4B12-4D02-4879-85E0-61C95CC63E9E}\setup.exe" -l0x9 -removeonly
Gigabyte Raid Configurer-->RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}\SETUP.EXE" -l0x9 -removeonly
HijackThis 2.0.2-->"F:\Program Files\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399)-->"F:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"F:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"F:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Java™ 6 Update 13-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216013FF}
Left 4 Dead-->"F:\Games\Steam\steam.exe" steam://uninstall/500
Malwarebytes' Anti-Malware-->"F:\Program Files\Anti-Malware\unins000.exe"
MetaTrader - Alpari (US) 4.00-->"F:\Program Files\MetaTrader - Alpari (US)\Uninstall.exe" "F:\Program Files\MetaTrader - Alpari (US)\install.log"
Microsoft .NET Framework 2.0-->F:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft .NET Framework 3.0-->f:\WINDOWS\Microsoft.NET\Framework\v3.0\Microsoft .NET Framework 3.0\setup.exe
Microsoft .NET Framework 3.0-->MsiExec.exe /X{15095BF3-A3D7-4DDF-B193-3A496881E003}
Microsoft Compression Client Pack 1.0 for Windows XP-->"F:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Games for Windows - LIVE -->MsiExec.exe /X{4AA3D64E-9EC3-4B0F-AB91-5885AC55641F}
Microsoft Games for Windows - LIVE Redistributable-->MsiExec.exe /X{FD052FB9-FE90-4438-B355-15EDC89D8FB1}
Microsoft Internationalized Domain Names Mitigation APIs-->"F:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"F:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"F:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (3.0.10)-->C:\Program Files\uninstall\helper.exe
MSXML 6 Service Pack 2 (KB954459)-->MsiExec.exe /I{1A528690-6A2D-4BC5-B143-8C4AE8D19D96}
Netflix Movie Viewer-->MsiExec.exe /X{BCE72AED-3332-4863-9567-C5DCB9052CA2}
NOD32 antivirus system-->F:\Program Files\Eset\Setup\setup.exe /UNINSTALL
Picasa 3-->"F:\Program Files\Google\Picasa3\Uninstall.exe"
REALTEK GbE & FE Ethernet PCI-E NIC Driver-->F:\Program Files\InstallShield Installation Information\{C9BED750-1211-4480-B1A5-718A3BE15525}\SETUP.EXE -runfromtemp -l0x0009 -removeonly
Realtek High Definition Audio Driver-->RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\SETUP.EXE" -l0x9 -removeonly
Security Update for Windows Internet Explorer 7 (KB938127)-->"F:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"F:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"F:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"F:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"F:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"F:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"F:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"F:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"F:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464-v2)-->"F:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"F:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"F:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"F:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"F:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"F:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"F:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"F:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"F:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"F:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"F:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"F:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"F:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"F:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"F:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"F:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"F:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"F:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"F:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"F:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958215)-->"F:\WINDOWS\$NtUninstallKB958215$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"F:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"F:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"F:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"F:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960714)-->"F:\WINDOWS\$NtUninstallKB960714$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"F:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
SopCast 3.0.3-->F:\Program Files\SopCast\uninst.exe
Steam-->MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
System Spyware Interrogator-->F:\PROGRA~1\SSI\UNWISE.EXE F:\PROGRA~1\SSI\INSTALL.LOG
Team Fortress 2-->"F:\Games\Steam\steam.exe" steam://uninstall/440
Update for Windows XP (KB951978)-->"F:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"F:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"F:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Vuze-->F:\Program Files\Vuze\uninstall.exe
Winamp-->"C:\Program Files\Winamp\UninstWA.exe"
Windows Communication Foundation-->MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Imaging Component-->"F:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"F:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"F:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"F:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"F:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows Presentation Foundation-->MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Workflow Foundation-->MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
Windows XP Service Pack 3-->"F:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"

======Security center information======

AV: ESET NOD32 antivirus system 2.70

======System event log======

Computer Name: JEFF
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 001FD0D0BAB0. The following
error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 4490
Source Name: Dhcp
Time Written: 20090319201125.000000-420
Event Type: warning
User:

Computer Name: JEFF
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 4369
Source Name: Tcpip
Time Written: 20090316164034.000000-420
Event Type: warning
User:

Computer Name: JEFF
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 4346
Source Name: Tcpip
Time Written: 20090314121434.000000-480
Event Type: warning
User:

Computer Name: JEFF
Event Code: 9
Message: The device, \Device\Scsi\JRAID1, did not respond within the timeout period.

Record Number: 4271
Source Name: JRAID
Time Written: 20090312222522.000000-480
Event Type: error
User:

Computer Name: JEFF
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 001FD0D0BAB0. The following
error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 4270
Source Name: Dhcp
Time Written: 20090312220426.000000-480
Event Type: warning
User:

=====Application event log=====

Computer Name: JEFF
Event Code: 1002
Message: Hanging application wmplayer.exe, version 11.0.5721.5145, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Record Number: 538
Source Name: Application Hang
Time Written: 20090312222531.000000-480
Event Type: error
User:

Computer Name: JEFF
Event Code: 1517
Message: Windows saved user JEFF\Jeffrey registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 525
Source Name: Userenv
Time Written: 20090309005636.000000-480
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: JEFF
Event Code: 1000
Message: Faulting application vlc.exe, version 0.8.6.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.

Record Number: 469
Source Name: Application Error
Time Written: 20090219211146.000000-480
Event Type: error
User:

Computer Name: JEFF
Event Code: 1000
Message: Faulting application vlc.exe, version 0.8.6.0, faulting module libwxwidgets_plugin.dll, version 0.0.0.0, fault address 0x000bb638.

Record Number: 467
Source Name: Application Error
Time Written: 20090219210952.000000-480
Event Type: error
User:

Computer Name: JEFF
Event Code: 1002
Message: Hanging application iexplore.exe, version 7.0.6000.16791, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Record Number: 450
Source Name: Application Hang
Time Written: 20090214102628.000000-480
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;F:\Program Files\ATI Technologies\ATI.ACE\Core-Static
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 23 Stepping 10, GenuineIntel
"PROCESSOR_REVISION"=170a
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO

-----------------EOF-----------------

log.txt

Logfile of random's system information tool 1.06 (written by random/random)
Run by Jeffrey at 2009-05-09 11:54:19
Microsoft Windows XP Professional Service Pack 3
System drive F: has 514 GB (84%) free of 610 GB
Total RAM: 3326 MB (65% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:54:19 AM, on 5/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\System32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\RTHDCPL.EXE
F:\WINDOWS\SOUNDMAN.EXE
F:\Program Files\Eset\nod32kui.exe
F:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
F:\Program Files\Java\jre6\bin\jusched.exe
F:\games\steam\steam.exe
F:\Program Files\DAEMON Tools Lite\daemon.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
F:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
F:\Program Files\Java\jre6\bin\jqs.exe
F:\Program Files\Eset\nod32krn.exe
F:\WINDOWS\System32\svchost.exe
F:\PROGRA~1\SSI\SYSENF~1.EXE
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Anti-Malware\765104546765.exe
F:\WINDOWS\system32\NOTEPAD.EXE
F:\Documents and Settings\Jeffrey\Desktop\RSIT.exe
F:\Program Files\HijackThis\Jeffrey.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - F:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - F:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - F:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] F:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] F:\WINDOWS\System32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [StartCCC] "F:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [nod32kui] "F:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SSI] F:\Program Files\SSI\ssi /s
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Steam] "f:\games\steam\steam.exe" -silent
O4 - HKCU\..\Run: [DAEMON Tools Lite] "F:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://F:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk...ows-i586-jc.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - F:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - F:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - F:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - F:\Program Files\Eset\nod32krn.exe
O23 - Service: SysEnforce - Unknown owner - F:\PROGRA~1\SSI\SYSENF~1.EXE

--
End of file - 5258 bytes

======Scheduled tasks folder======

F:\WINDOWS\tasks\WGASetup.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - F:\Program Files\AVG\AVG8\avgssie.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - F:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-04-12 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - F:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-04-12 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"=F:\WINDOWS\RTHDCPL.EXE [2008-07-23 16804864]
"SoundMan"=F:\WINDOWS\SOUNDMAN.EXE [2008-06-18 77824]
"AlcWzrd"=F:\WINDOWS\ALCWZRD.EXE [2008-06-19 2808832]
"Alcmtr"=F:\WINDOWS\ALCMTR.EXE [2008-06-19 57344]
"GEST"= []
"JMB36X IDE Setup"=F:\WINDOWS\RaidTool\xInsIDE.exe [2007-03-19 36864]
"36X Raid Configurer"=F:\WINDOWS\System32\xRaidSetup.exe [2007-11-18 1966080]
"StartCCC"=F:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [2008-08-01 61440]
"nod32kui"=F:\Program Files\Eset\nod32kui.exe [2009-03-08 949376]
"SunJavaUpdateSched"=F:\Program Files\Java\jre6\bin\jusched.exe [2009-04-12 148888]
"SSI"=F:\Program Files\SSI\ssi /s []
"Adobe Reader Speed Launcher"=F:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Steam"=f:\games\steam\steam.exe [2008-12-28 1410296]
"DAEMON Tools Lite"=F:\Program Files\DAEMON Tools Lite\daemon.exe [2008-12-29 687560]
"ctfmon.exe"=F:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"MSMSGS"=F:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
F:\WINDOWS\system32\Ati2evxx.dll [2008-08-20 143360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
F:\WINDOWS\system32\WgaLogon.dll [2008-09-06 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - F:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=36
"NoDriveAutoRun"=FFFFFFFF

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"F:\Games\Steam\steam.exe"="F:\Games\Steam\steam.exe:*:Enabled:Steam"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"F:\Program Files\SopCast\adv\SopAdver.exe"="F:\Program Files\SopCast\adv\SopAdver.exe:*:Enabled:SopCast Adver"
"F:\Program Files\SopCast\SopCast.exe"="F:\Program Files\SopCast\SopCast.exe:*:Enabled:SopCast Main Application"
"F:\Program Files\Vuze\Azureus.exe"="F:\Program Files\Vuze\Azureus.exe:*:Enabled:Azureus"
"F:\WINDOWS\Temp\~os5.tmp\ossproxy.exe"="F:\WINDOWS\Temp\~os5.tmp\ossproxy.exe:*:Enabled:ossproxy.exe"
"f:\program files\relevantknowledge\rlvknlg.exe"="f:\program files\relevantknowledge\rlvknlg.exe:*:Enabled:rlvknlg.exe"
"F:\Games\Steam\steamapps\j2fcm\team fortress 2\hl2.exe"="F:\Games\Steam\steamapps\j2fcm\team fortress 2\hl2.exe:*:Enabled:hl2"
"F:\Games\Steam\steamapps\common\left 4 dead\left4dead.exe"="F:\Games\Steam\steamapps\common\left 4 dead\left4dead.exe:*:Enabled:Left 4 Dead"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 3 months======

2009-05-09 11:54:19 ----D---- F:\rsit
2009-05-09 10:44:16 ----D---- F:\Documents and Settings\Jeffrey\Application Data\Malwarebytes
2009-05-09 10:25:47 ----D---- F:\Program Files\Anti-Malware
2009-05-09 10:25:47 ----D---- F:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-05-08 11:34:13 ----RASHD---- F:\autorun.inf
2009-04-28 12:34:57 ----SHD---- F:\Config.Msi
2009-04-21 09:59:19 ----D---- F:\Program Files\HijackThis
2009-04-21 09:14:59 ----D---- F:\Program Files\SSI
2009-04-21 09:14:59 ----A---- F:\WINDOWS\system32\hasher.dll
2009-04-19 18:44:01 ----N---- F:\WINDOWS\system32\vxblock.dll
2009-04-19 18:44:01 ----N---- F:\WINDOWS\system32\pxwave.dll
2009-04-19 18:44:01 ----N---- F:\WINDOWS\system32\pxmas.dll
2009-04-19 18:44:01 ----N---- F:\WINDOWS\system32\pxhpinst.exe
2009-04-19 18:44:01 ----N---- F:\WINDOWS\system32\pxdrv.dll
2009-04-19 18:44:01 ----N---- F:\WINDOWS\system32\px.dll
2009-04-19 18:44:00 ----D---- F:\WINDOWS\system32\IOSUBSYS
2009-04-19 18:43:55 ----D---- F:\Program Files\Google
2009-04-19 02:19:07 ----D---- F:\Documents and Settings\All Users\Application Data\CyberLink
2009-04-19 02:17:57 ----D---- F:\Documents and Settings\Jeffrey\Application Data\CyberLink
2009-04-19 02:16:41 ----D---- F:\Program Files\Common Files\CyberLink
2009-04-19 02:16:02 ----A---- F:\WINDOWS\system32\msxml3a.dll
2009-04-19 02:15:25 ----D---- F:\Documents and Settings\All Users\Application Data\Temp
2009-04-19 01:24:48 ----A---- F:\WINDOWS\iPlayer.INI
2009-04-19 01:24:03 ----D---- F:\Program Files\InterActual
2009-04-13 19:05:17 ----D---- F:\Program Files\AVG
2009-04-13 19:05:17 ----D---- F:\Documents and Settings\All Users\Application Data\avg8
2009-04-12 22:45:08 ----D---- F:\WINDOWS\Sun
2009-04-12 22:44:23 ----A---- F:\WINDOWS\system32\javaws.exe
2009-04-12 22:44:23 ----A---- F:\WINDOWS\system32\javaw.exe
2009-04-12 22:44:23 ----A---- F:\WINDOWS\system32\java.exe
2009-04-12 22:44:23 ----A---- F:\WINDOWS\system32\deploytk.dll
2009-04-12 22:44:09 ----D---- F:\Program Files\Java
2009-04-12 22:43:26 ----D---- F:\Documents and Settings\Jeffrey\Application Data\Sun
2009-04-12 21:28:40 ----D---- F:\Documents and Settings\Jeffrey\Application Data\NBC Direct
2009-04-12 21:28:35 ----D---- F:\Documents and Settings\Jeffrey\Application Data\IDM
2009-04-12 21:28:30 ----D---- F:\Program Files\Pando Networks
2009-04-12 21:28:26 ----D---- F:\Documents and Settings\All Users\Application Data\NBC Direct
2009-04-12 21:28:26 ----AD---- F:\Program Files\NBC Direct
2009-04-12 20:14:20 ----D---- F:\Documents and Settings\Jeffrey\Application Data\DeepBurner
2009-03-31 22:45:24 ----D---- F:\WINDOWS\system32\KB905474
2009-03-11 00:17:24 ----HDC---- F:\WINDOWS\$NtUninstallKB960225$
2009-03-11 00:17:21 ----HDC---- F:\WINDOWS\$NtUninstallKB938464-v2$
2009-03-11 00:17:18 ----HDC---- F:\WINDOWS\$NtUninstallKB958690$
2009-03-11 00:17:01 ----HDC---- F:\WINDOWS\$NtUninstallKB959772_WM11$
2009-03-08 22:09:47 ----A---- F:\WINDOWS\system32\ptpusd.dll
2009-03-08 22:09:47 ----A---- F:\WINDOWS\system32\ptpusb.dll
2009-03-08 21:16:41 ----A---- F:\WINDOWS\system32\imon.dll
2009-03-08 21:15:37 ----D---- F:\Program Files\ESET
2009-03-05 00:04:41 ----D---- F:\Documents and Settings\Jeffrey\Application Data\dvdcss
2009-03-05 00:00:27 ----A---- F:\WINDOWS\system32\MSVCR71.DLL
2009-03-05 00:00:27 ----A---- F:\WINDOWS\system32\MSVCP71.DLL
2009-02-28 19:35:56 ----D---- F:\Program Files\Microsoft Games for Windows - LIVE
2009-02-28 19:11:08 ----D---- F:\Music
2009-02-25 00:36:56 ----HDC---- F:\WINDOWS\$NtUninstallKB967715$
2009-02-11 01:12:19 ----HDC---- F:\WINDOWS\$NtUninstallKB960715$

======List of files/folders modified in the last 3 months======

2009-05-09 11:00:00 ----D---- F:\WINDOWS\Temp
2009-05-09 10:57:27 ----RD---- F:\Program Files
2009-05-09 10:57:27 ----D---- F:\WINDOWS\system32\drivers
2009-05-09 10:56:24 ----A---- F:\WINDOWS\SchedLgU.Txt
2009-05-09 10:46:04 ----D---- F:\WINDOWS\Prefetch
2009-05-08 21:30:39 ----D---- F:\WINDOWS\system32\CatRoot2
2009-05-06 20:06:25 ----D---- F:\Documents and Settings\Jeffrey\Application Data\Azureus
2009-04-29 15:42:33 ----D---- F:\WINDOWS\system32\config
2009-04-28 12:35:18 ----SHD---- F:\WINDOWS\Installer
2009-04-28 12:35:02 ----D---- F:\Documents and Settings\All Users\Application Data\Adobe
2009-04-28 12:35:01 ----D---- F:\Program Files\Common Files\Adobe
2009-04-28 12:35:00 ----D---- F:\Program Files\Adobe
2009-04-28 12:34:54 ----D---- F:\WINDOWS\system32
2009-04-26 15:59:26 ----HD---- F:\WINDOWS\inf
2009-04-20 12:21:58 ----D---- F:\Program Files\CDBurnerXP
2009-04-20 12:21:51 ----HD---- F:\Program Files\InstallShield Installation Information
2009-04-19 02:16:41 ----D---- F:\Program Files\Common Files
2009-04-19 01:24:48 ----D---- F:\WINDOWS
2009-04-16 18:46:44 ----D---- F:\Program Files\MetaTrader - Alpari (US)
2009-04-14 19:10:28 ----D---- F:\Program Files\Windows Media Player
2009-04-14 19:10:28 ----D---- F:\Program Files\Windows Media Connect 2
2009-04-14 19:10:28 ----D---- F:\Program Files\Messenger
2009-04-13 19:05:17 ----D---- F:\WINDOWS\WinSxS
2009-04-13 19:05:17 ----D---- F:\Program Files\Common Files\Microsoft Shared
2009-04-12 22:45:08 ----SD---- F:\WINDOWS\Downloaded Program Files
2009-04-12 14:27:46 ----SD---- F:\Documents and Settings\Jeffrey\Application Data\Microsoft
2009-04-10 16:58:37 ----D---- F:\Program Files\Vuze
2009-03-31 22:45:24 ----SD---- F:\WINDOWS\Tasks
2009-03-11 00:17:25 ----RSHDC---- F:\WINDOWS\system32\dllcache
2009-03-11 00:17:23 ----A---- F:\WINDOWS\imsins.BAK
2009-03-10 17:31:43 ----HD---- F:\WINDOWS\$hf_mig$
2009-03-08 21:14:22 ----A---- F:\WINDOWS\system32\PerfStringBackup.INI
2009-02-28 21:18:17 ----D---- F:\Documents and Settings\Jeffrey\Application Data\Ventrilo
2009-02-28 19:36:07 ----D---- F:\WINDOWS\system32\DirectX
2009-02-25 12:55:00 ----A---- F:\WINDOWS\system32\MRT.exe
2009-02-11 01:12:13 ----D---- F:\Program Files\Internet Explorer

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; F:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 nod32drv;nod32drv; F:\WINDOWS\system32\drivers\nod32drv.sys [2009-03-08 15424]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; F:\WINDOWS\System32\drivers\ws2ifsl.sys [2003-03-31 12032]
R2 AMON;AMON; F:\WINDOWS\system32\drivers\amon.sys [2009-03-08 512096]
R3 Arp1394;1394 ARP Client Protocol; F:\WINDOWS\System32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 ati2mtag;ati2mtag; F:\WINDOWS\System32\DRIVERS\ati2mtag.sys [2008-08-20 3299840]
R3 AtiHdmiService;ATI Function Driver for HDMI Service; F:\WINDOWS\system32\drivers\AtiHdmi.sys [2008-07-02 89600]
R3 gdrv;gdrv; \??\F:\WINDOWS\gdrv.sys []
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; F:\WINDOWS\System32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; F:\WINDOWS\System32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
R3 hidusb;Microsoft HID Class Driver; F:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); F:\WINDOWS\system32\drivers\RtkHDAud.sys [2008-07-24 4749824]
R3 mouhid;Mouse HID Driver; F:\WINDOWS\System32\DRIVERS\mouhid.sys [2003-03-31 12160]
R3 NIC1394;1394 Net Driver; F:\WINDOWS\System32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 RTLE8023xp;Realtek 10/100/1000 PCI-E NIC Family NDIS XP Driver; F:\WINDOWS\System32\DRIVERS\Rtenicxp.sys [2008-08-07 111360]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; F:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; F:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; F:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R4 MBAMSwissArmy;MBAMSwissArmy; \??\F:\WINDOWS\system32\drivers\mbamswissarmy.sys []
S3 a5y41kgy;a5y41kgy; F:\WINDOWS\system32\drivers\a5y41kgy.sys []
S3 pgfilter;pgfilter; \??\C:\Program Files\PeerGuardian2\pgfilter.sys []
S3 usbscan;USB Scanner Driver; F:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; F:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; F:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; F:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; F:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ati HotKey Poller;Ati HotKey Poller; F:\WINDOWS\System32\Ati2evxx.exe [2008-08-20 573440]
R2 GEST Service;GEST Service for program management.; F:\Program Files\GIGABYTE\EnergySaver\GSvr.exe [2008-09-24 68136]
R2 JavaQuickStarterService;Java Quick Starter; F:\Program Files\Java\jre6\bin\jqs.exe [2009-04-12 152984]
R2 NOD32krn;NOD32 Kernel Service; F:\Program Files\Eset\nod32krn.exe [2009-03-08 552064]
R2 SysEnforce;SysEnforce; F:\PROGRA~1\SSI\SYSENF~1.EXE [2006-01-13 57344]
S2 ATI Smart;ATI Smart; F:\WINDOWS\system32\ati2sgag.exe [2008-08-20 593920]
S3 aspnet_state;ASP.NET State Service; F:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; F:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; f:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2006-10-20 36864]
S3 gusvc;Google Updater Service; F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-07-31 136120]
S3 idsvc;Windows CardSpace; F:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2006-10-30 741376]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; F:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; F:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; F:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2006-10-30 122880]

-----------------EOF-----------------

#8 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:02:44 PM

Posted 09 May 2009 - 08:25 PM

Hi J2FcM,



It seems that you have AVG8 leftovers. Please download the AVG remover from Here to clean up the leftovers.


Step1

Download OTMoveIt3.exe by OldTimer and save it to your desktop.
  • Double click on OTMoveIt3.exe to run it
  • Copy & paste the contents of the Code box below into Paste Instructions for Items to be Moved
  • Note: Do not type it out to minimize the risk of typo error
    :Processes 
    explorer.exe
    
    :Files
    F:\WINDOWS\system32\drivers\a5y41kgy.sys
    F:\program files\relevantknowledge
    F:\WINDOWS\Temp\~os5.tmp
    
    :Services
    a5y41kgy
    
    :Reg
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "F:\WINDOWS\Temp\~os5.tmp\ossproxy.exe"=-
    "f:\program files\relevantknowledge\rlvknlg.exe"=-
    
    :Commands
    [EmptyTemp]
    [start explorer]
    [Reboot]
  • Click on MoveIt!
  • When done, click on Exit
  • Note: If a file or folder can't be moved immediately, you may be asked to restart your computer. Choose Yes.
  • A log will be produced at C:\_OTMoveIt\MovedFiles\date_time.log, where date_time are numbers. Post this log in your next reply.
  • You may refer to this thread for your reference.

Step2


Let's clean some temp files. Please do the following:

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.


If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Step3


Please do an online scan with Kaspersky Online Scanner.
  • Please go to Kaspersky Online Scanner and perform an online antivirus scan.
  • Click Accept button on the "Requirements and limitations".
  • When the Java warning "The application digital signature has been verified. Do you want to run the application" appears, click on the "Run" button.
  • It will download and install the program and update the database.
  • When updating the database has finished, click on Settings.
  • Make sure all boxes are checked, then click on the Save button.
  • Click on My Computer under Scan menu. It will start scanning, so be patient and let it run.
  • Once the scan is completed, Click on View Scan Report.
  • You may see a list of infected items over there. Click on Save Report As.
  • Click "Desktop", name the file "KAS", change the Files of type to Text file (.txt) and click on the Save button.
  • Please post the contents in your next reply.
  • You can refer to this animation
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.



Please post back the logs in your next reply.

1. OTMoveIt log
2. KAS scan report
3. RSIT log (.txt)

Tell me how your pc is running now.

#9 J2FcM

J2FcM
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  • Local time:12:44 PM

Posted 09 May 2009 - 11:01 PM

OTMoveIt

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
File/Folder F:\WINDOWS\system32\drivers\a5y41kgy.sys not found.
File/Folder F:\program files\relevantknowledge not found.
File/Folder F:\WINDOWS\Temp\~os5.tmp not found.
========== SERVICES/DRIVERS ==========
Service\Driver a5y41kgy not found.
Service\Driver key a5y41kgy deleted successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\F:\WINDOWS\Temp\~os5.tmp\ossproxy.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\f:\program files\relevantknowledge\rlvknlg.exe deleted successfully.
========== COMMANDS ==========
File delete failed. F:\DOCUME~1\Jeffrey\LOCALS~1\Temp\IH2633.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. F:\Documents and Settings\Jeffrey\Local Settings\Temporary Internet Files\Content.IE5\ZXMDNBHC\iframe[1].htm scheduled to be deleted on reboot.
File delete failed. F:\Documents and Settings\Jeffrey\Local Settings\Temporary Internet Files\Content.IE5\ZXMDNBHC\index[1].htm scheduled to be deleted on reboot.
File delete failed. F:\Documents and Settings\Jeffrey\Local Settings\Temporary Internet Files\Content.IE5\U1YSRV1S\index[6].htm scheduled to be deleted on reboot.
File delete failed. F:\Documents and Settings\Jeffrey\Local Settings\Temporary Internet Files\Content.IE5\H4U7VWQ5\index[4].htm scheduled to be deleted on reboot.
File delete failed. F:\Documents and Settings\Jeffrey\Local Settings\Temporary Internet Files\Content.IE5\H4U7VWQ5\mail[1].htm scheduled to be deleted on reboot.
File delete failed. F:\Documents and Settings\Jeffrey\Local Settings\Temporary Internet Files\Content.IE5\H4U7VWQ5\mail[2].htm scheduled to be deleted on reboot.
File delete failed. F:\Documents and Settings\Jeffrey\Local Settings\Temporary Internet Files\Content.IE5\FWJRCTKY\bind[2].htm scheduled to be deleted on reboot.
File delete failed. F:\Documents and Settings\Jeffrey\Local Settings\Temporary Internet Files\Content.IE5\FWJRCTKY\mail[3].htm scheduled to be deleted on reboot.
File delete failed. F:\Documents and Settings\Jeffrey\Local Settings\Temporary Internet Files\Content.IE5\BW08E3JX\OTMoveIt3[1].exe scheduled to be deleted on reboot.
File delete failed. F:\Documents and Settings\Jeffrey\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. F:\Documents and Settings\Jeffrey\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. F:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. F:\WINDOWS\temp\Perflib_Perfdata_600.dat scheduled to be deleted on reboot.
File delete failed. F:\WINDOWS\temp\Perflib_Perfdata_634.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 05092009_205109

Files moved on Reboot...
File F:\DOCUME~1\Jeffrey\LOCALS~1\Temp\IH2633.tmp not found!
File F:\Documents and Settings\Jeffrey\Local Settings\Temporary Internet Files\Content.IE5\ZXMDNBHC\iframe[1].htm not found!
File F:\Documents and Settings\Jeffrey\Local Settings\Temporary Internet Files\Content.IE5\ZXMDNBHC\index[1].htm not found!
File F:\Documents and Settings\Jeffrey\Local Settings\Temporary Internet Files\Content.IE5\U1YSRV1S\index[6].htm not found!
File F:\Documents and Settings\Jeffrey\Local Settings\Temporary Internet Files\Content.IE5\H4U7VWQ5\index[4].htm not found!
File F:\Documents and Settings\Jeffrey\Local Settings\Temporary Internet Files\Content.IE5\H4U7VWQ5\mail[1].htm not found!
File F:\Documents and Settings\Jeffrey\Local Settings\Temporary Internet Files\Content.IE5\H4U7VWQ5\mail[2].htm not found!
File F:\Documents and Settings\Jeffrey\Local Settings\Temporary Internet Files\Content.IE5\FWJRCTKY\bind[2].htm not found!
File F:\Documents and Settings\Jeffrey\Local Settings\Temporary Internet Files\Content.IE5\FWJRCTKY\mail[3].htm not found!
F:\Documents and Settings\Jeffrey\Local Settings\Temporary Internet Files\Content.IE5\BW08E3JX\OTMoveIt3[1].exe moved successfully.
F:\Documents and Settings\Jeffrey\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat moved successfully.
File F:\WINDOWS\temp\Perflib_Perfdata_600.dat not found!
File F:\WINDOWS\temp\Perflib_Perfdata_634.dat not found!

WILL POST ADDITIONAL LOGS AS SOON AS SCANS COMPLETE! Thank you!

Edited by J2FcM, 09 May 2009 - 11:03 PM.


#10 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:02:44 PM

Posted 10 May 2009 - 02:34 AM

:thumbup2:

#11 J2FcM

J2FcM
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  • Local time:12:44 PM

Posted 11 May 2009 - 05:15 PM

Here is the KAS report...

I was instructed to post an RSIT log as well????

My Google is still redirecting me... otherwise the computer seems to be running alright... I haven't been web surfing all that much and am sort of conditioned to copying and pasting all links directly now...

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, May 11, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Monday, May 11, 2009 20:47:46
Records in database: 2162765
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 189619
Threat name: 20
Infected objects: 23
Suspicious objects: 0
Duration of the scan: 01:57:19


File name / Threat name / Threats count
globalroot\systemroot\system32\gxvxcdxvnrjlucbkrewppnnwxxrvpfqbfaiib.dll/globalroot\systemroot\system32\gxvxcdxvnrjlucbkrewppnnwxxrvpfqbfaiib.dll Infected: Trojan.Win32.Agent2.hoq 1
C:\Documents and Settings\Jeff\Yugma\lib\DskHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1370 1
C:\Documents and Settings\Jeff\Yugma\lib\YugmaPlugin.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1360 1
C:\Program Files\Common Files\Real\Toolbar\RealBar.dll Infected: not-a-virus:AdWare.Win32.MegaSearch.s 1
C:\Program Files\DAEMON Tools\SetupDTSB.exe Infected: not-a-virus:WebToolbar.Win32.WhenU.a 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.612 1
C:\Program Files\NavExcel Search Toolbar\NavExcelBar.dll Infected: not-a-virus:AdWare.Win32.NavExcel.j 1
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\59A03920.exe Infected: Trojan-Dropper.Win32.Small.gq 1
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6EEF0771.exe Infected: Trojan-Dropper.Win32.Small.gg 1
C:\WINDOWS\dealhlpr.dll Infected: not-a-virus:AdWare.Win32.DealHelper.c 1
C:\WINDOWS\DHP.dll Infected: not-a-virus:AdWare.Win32.DealHelper.d 1
C:\WINDOWS\dhsvr.exe Infected: not-a-virus:AdWare.Win32.DealHelper.d 1
C:\WINDOWS\system32\msfdje.gif Infected: not-a-virus:AdWare.Win32.ClientMan 1
C:\WINDOWS\system32\msglji.gif Infected: not-a-virus:AdWare.Win32.SearchAssistant.d 1
C:\WINDOWS\system32\msiaih.dll Infected: not-a-virus:AdWare.Win32.Ipend 1
C:\WINDOWS\system32\mskceo.dll_tobedeleted Infected: not-a-virus:AdWare.Win32.ClientMan 1
F:\Program Files\ESET\infected\0NWLAKBA.NQF Infected: not-a-virus:AdWare.Win32.NavExcel.i 1
F:\Program Files\ESET\infected\DM0XZYAA.NQF Infected: not-a-virus:AdWare.Win32.DealHelper.f 1
F:\Program Files\ESET\infected\H1RIEWAA.NQF Infected: Trojan-Spy.Win32.Delf.dx 1
F:\Program Files\ESET\infected\IXHU50AA.NQF Infected: not-a-virus:AdWare.Win32.Altnet.o 1
F:\Program Files\ESET\infected\NROH4NBA.NQF Infected: not-a-virus:AdWare.Win32.DealHelper.b 1
F:\Program Files\ESET\infected\NTGSBQAA.NQF Infected: not-a-virus:AdWare.Win32.NavExcel.i 1
F:\Program Files\ESET\infected\PB3RTBAA.NQF Infected: Trojan-Downloader.Win32.IstBar.gen 1

The selected area was scanned.

Edited by J2FcM, 11 May 2009 - 05:17 PM.


#12 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:02:44 PM

Posted 11 May 2009 - 05:25 PM

Hi J2FcM,



Step1

If you already have Combofix, please delete that copy and download it again as it's being updated regularly.

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Note: ComboFix has recently been updated to include the option for installing the Recovery Console automatically. You will see the below prompt when you first run ComboFix:

Posted Image

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
It is a simple procedure that will only take a few moments of your time. Once Recovery Console is installed, you should see a blue screen prompt like the one below:

Posted Image

1. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

2. Click Yes to allow ComboFix to continue scanning for malware.

When done, a log will be produced (or locate it in C:\ComboFix.txt). Please post that log in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.


In your next reply, please post back:


1. ComboFix log

#13 J2FcM

J2FcM
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  • Local time:12:44 PM

Posted 13 May 2009 - 08:23 AM

ComboFix Log


ComboFix 09-05-12.06 - Jeffrey 05/13/2009 6:20.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2971 [GMT -7:00]
Running from: f:\documents and settings\Jeffrey\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

f:\windows\system32\drivers\gxvxcrsblxfubxhopabdmetkwvbnqbqipyvxf.sys
f:\windows\system32\gxvxccounter
f:\windows\system32\gxvxcdxvnrjlucbkrewppnnwxxrvpfqbfaiib.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_GXVXCSERV.SYS


((((((((((((((((((((((((( Files Created from 2009-04-13 to 2009-05-13 )))))))))))))))))))))))))))))))
.

2009-05-10 05:37 . 2009-05-10 05:37 -------- d-----w f:\program files\Microsoft Silverlight
2009-05-10 03:51 . 2009-05-10 03:51 -------- d-----w F:\_OTMoveIt
2009-05-09 21:49 . 2009-03-06 14:22 284160 -c----w f:\windows\system32\dllcache\pdh.dll
2009-05-09 21:49 . 2009-02-09 12:10 401408 -c----w f:\windows\system32\dllcache\rpcss.dll
2009-05-09 21:49 . 2009-02-06 11:11 110592 -c----w f:\windows\system32\dllcache\services.exe
2009-05-09 21:49 . 2009-02-09 12:10 473600 -c----w f:\windows\system32\dllcache\fastprox.dll
2009-05-09 21:49 . 2009-02-06 10:10 227840 -c----w f:\windows\system32\dllcache\wmiprvse.exe
2009-05-09 21:49 . 2009-02-09 12:10 453120 -c----w f:\windows\system32\dllcache\wmiprvsd.dll
2009-05-09 21:49 . 2009-02-09 12:10 729088 -c----w f:\windows\system32\dllcache\lsasrv.dll
2009-05-09 21:49 . 2009-02-09 12:10 617472 -c----w f:\windows\system32\dllcache\advapi32.dll
2009-05-09 21:49 . 2009-02-09 12:10 714752 -c----w f:\windows\system32\dllcache\ntdll.dll
2009-05-09 21:49 . 2008-05-03 11:55 2560 ------w f:\windows\system32\xpsp4res.dll
2009-05-09 21:49 . 2008-04-21 12:08 215552 -c----w f:\windows\system32\dllcache\wordpad.exe
2009-05-09 18:54 . 2009-05-09 18:54 -------- d-----w F:\rsit
2009-05-09 17:44 . 2009-05-09 17:44 -------- d-----w f:\documents and settings\Jeffrey\Application Data\Malwarebytes
2009-05-09 17:25 . 2009-04-06 22:32 15504 ----a-w f:\windows\system32\drivers\mbam.sys
2009-05-09 17:25 . 2009-04-06 22:32 38496 ----a-w f:\windows\system32\drivers\mbamswissarmy.sys
2009-05-09 17:25 . 2009-05-09 17:25 -------- d-----w f:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-09 17:25 . 2009-05-09 17:45 -------- d-----w f:\program files\Anti-Malware
2009-04-21 16:14 . 2006-04-14 05:05 159744 ----a-w f:\windows\system32\hasher.dll
2009-04-21 16:14 . 2009-04-21 16:15 -------- d-----w f:\program files\SSI
2009-04-20 01:44 . 2008-07-31 22:17 9072 ------w f:\windows\system32\drivers\cdr4_xp.sys
2009-04-20 01:44 . 2008-07-31 22:17 9200 ------w f:\windows\system32\drivers\cdralw2k.sys
2009-04-14 02:05 . 2009-04-14 02:05 -------- d-----w f:\program files\AVG
2009-04-14 02:05 . 2009-04-14 02:07 -------- d-----w f:\documents and settings\All Users\Application Data\avg8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-13 13:20 . 2008-12-26 05:00 16608 ----a-w f:\windows\gdrv.sys
2009-05-13 13:10 . 2009-03-09 04:15 -------- d-----w f:\program files\ESET
2009-05-10 03:56 . 2008-12-26 05:53 13504 ----a-w f:\documents and settings\Jeffrey\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-28 19:35 . 2009-01-14 02:31 -------- d-----w f:\program files\Common Files\Adobe
2009-04-20 19:21 . 2008-12-26 05:01 -------- d--h--w f:\program files\InstallShield Installation Information
2009-04-20 01:43 . 2009-04-20 01:43 -------- d-----w f:\program files\Google
2009-04-20 01:43 . 2009-04-19 08:24 -------- d-----w f:\program files\InterActual
2009-04-19 09:16 . 2009-04-19 09:16 -------- d-----w f:\program files\Common Files\CyberLink
2009-04-19 09:15 . 2009-04-19 09:16 29480 ----a-w f:\windows\system32\msxml3a.dll
2009-04-17 01:46 . 2009-01-07 05:24 -------- d-----w f:\program files\MetaTrader - Alpari (US)
2009-04-15 02:10 . 2009-01-02 00:07 -------- d-----w f:\program files\Windows Media Connect 2
2009-04-13 14:31 . 2009-04-13 04:28 -------- d-----w f:\program files\Pando Networks
2009-04-13 05:44 . 2009-04-13 05:44 410984 ----a-w f:\windows\system32\deploytk.dll
2009-04-13 05:44 . 2009-04-13 05:44 -------- d-----w f:\program files\Java
2009-04-13 04:53 . 2009-04-13 04:28 -------- d---a-w f:\program files\NBC Direct
2009-04-10 23:58 . 2009-02-06 02:08 -------- d-----w f:\program files\Vuze
2009-03-06 14:22 . 2003-03-31 12:00 284160 ----a-w f:\windows\system32\pdh.dll
2009-03-03 00:18 . 2003-03-31 12:00 826368 ----a-w f:\windows\system32\wininet.dll
2009-02-20 18:09 . 2008-12-30 02:22 78336 ----a-w f:\windows\system32\ieencode.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="f:\games\steam\steam.exe" [2008-12-29 1410296]
"DAEMON Tools Lite"="f:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]
"ctfmon.exe"="f:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="f:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSI"="f:\program files\SSI\ssi" [X]
"JMB36X IDE Setup"="f:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="f:\windows\System32\xRaidSetup.exe" [2007-11-19 1966080]
"StartCCC"="f:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"SunJavaUpdateSched"="f:\program files\Java\jre6\bin\jusched.exe" [2009-04-13 148888]
"Adobe Reader Speed Launcher"="f:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"RTHDCPL"="RTHDCPL.EXE" - f:\windows\RTHDCPL.exe [2008-07-23 16804864]
"SoundMan"="SOUNDMAN.EXE" - f:\windows\SoundMan.exe [2008-06-18 77824]
"AlcWzrd"="ALCWZRD.EXE" - f:\windows\alcwzrd.exe [2008-06-19 2808832]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"f:\\Games\\Steam\\steam.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"f:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"f:\\Program Files\\SopCast\\SopCast.exe"=
"f:\\Program Files\\Vuze\\Azureus.exe"=
"f:\\Games\\Steam\\steamapps\\j2fcm\\team fortress 2\\hl2.exe"=
"f:\\Games\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=

R2 GEST Service;GEST Service for program management.;f:\program files\GIGABYTE\EnergySaver\GSvr.exe [12/25/2008 10:01 PM 68136]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;f:\windows\system32\drivers\AtiHdmi.sys [12/25/2008 10:48 PM 89600]
.
Contents of the 'Scheduled Tasks' folder

2009-05-13 f:\windows\Tasks\WGASetup.job
- f:\windows\system32\KB905474\wgasetup.exe [2009-04-01 05:18]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-GEST - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Add to Google Photos Screensa&ver - f:\windows\system32\GPhotos.scr/200
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-13 06:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(944)
f:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-05-13 6:22
ComboFix-quarantined-files.txt 2009-05-13 13:22

Pre-Run: 539,526,463,488 bytes free
Post-Run: 540,523,950,080 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
f:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

133 --- E O F --- 2009-05-13 08:07

#14 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:02:44 PM

Posted 13 May 2009 - 10:50 AM

Hi J2FcM,



Please go to the ESET quarantine directory (C:\Program Files\Eset\Infected) and empty the contents of the infected folder. It seems that you still have Symantec leftovers in your system.
Please go Here to download the Norton Removal Tool to remove the leftovers.



Step1
  • Close any open browsers
  • Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix. Go Here for your reference.
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:
File::
C:\WINDOWS\dealhlpr.dll 
C:\WINDOWS\DHP.dll 
C:\WINDOWS\dhsvr.exe 
C:\WINDOWS\system32\msfdje.gif 
C:\WINDOWS\system32\msglji.gif 
C:\WINDOWS\system32\msiaih.dll 
C:\WINDOWS\system32\mskceo.dll_tobedeleted 
C:\Documents and Settings\Jeff\Yugma\lib\DskHooks.dll 
C:\Documents and Settings\Jeff\Yugma\lib\YugmaPlugin.dll 

Folder::
C:\Program Files\NavExcel Search Toolbar


Save this as CFScript.txt, change the "Save as type" to "All Files", and place it on your desktop.

Posted Image

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Step2

Please go to F-Secure Online Scanner Next Generation
  • Click on the link "Start your scan".
  • You may receive an alert on the address bar at this point to install the ActiveX control.
  • Read the license agreement and click "Accept".
  • Click "Full System Scan" to download the scanning components and begin scan and cleaning.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • When done click "Show report" and copy/paste its contents into your next reply.


In your next reply, please post back:

1. ComboFix log
2. F-Secure report
3. New HJT log

Tell me how your PC is running now.
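The triage sundavis performs on the Kaspersky report above (quarantine hits set aside for the vendor's own removal tools, the rootkit-hidden globalroot\ path left to a rootkit tool, the remaining paths turned into a CFScript with File:: and Folder:: sections) written out as a small parser; this is an added example, not code from the thread or from Kaspersky or ComboFix. The quarantine-folder markers, the sample report lines and the keep/folder lists are constructed from the report in this thread.

```python
"""Triage of a Kaspersky Online Scanner 7 report, as done by hand in the thread.

Quarantine hits are set aside (already-neutralised copies; the vendor's own
tool cleans them), files hidden behind a globalroot\\ path are flagged for a
rootkit tool, and the rest become a ComboFix CFScript with File:: / Folder::
sections. Added example, not the thread's or any vendor's code.
"""
import re
from dataclasses import dataclass

# Constructed sample in the report's "path Infected: threat count" format,
# modelled on the report posted above (a subset of its lines).
SAMPLE_REPORT = r"""
File name / Threat name / Threats count
globalroot\systemroot\system32\gxvxcdxvnrjlucbkrewppnnwxxrvpfqbfaiib.dll/globalroot\systemroot\system32\gxvxcdxvnrjlucbkrewppnnwxxrvpfqbfaiib.dll Infected: Trojan.Win32.Agent2.hoq 1
C:\Documents and Settings\Jeff\Yugma\lib\DskHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1370 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.612 1
C:\Program Files\NavExcel Search Toolbar\NavExcelBar.dll Infected: not-a-virus:AdWare.Win32.NavExcel.j 1
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\59A03920.exe Infected: Trojan-Dropper.Win32.Small.gq 1
C:\WINDOWS\dealhlpr.dll Infected: not-a-virus:AdWare.Win32.DealHelper.c 1
F:\Program Files\ESET\infected\H1RIEWAA.NQF Infected: Trojan-Spy.Win32.Delf.dx 1

The selected area was scanned.
"""

# One report line: the path may contain spaces, so match it non-greedily up
# to the literal " Infected: "; threat names contain no spaces.
_LINE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# Quarantine folders of the two scanners on the machine in the thread
# (assumption: matched case-insensitively as path fragments).
QUARANTINE_MARKERS = ("\\eset\\infected\\", "\\quarantine\\")


@dataclass(frozen=True)
class Hit:
    path: str
    threat: str
    count: int

    @property
    def is_quarantined(self) -> bool:
        low = self.path.lower()
        return any(m in low for m in QUARANTINE_MARKERS)

    @property
    def is_hidden(self) -> bool:
        # Files concealed by a kernel-mode rootkit show up under the object
        # manager path globalroot\systemroot\... instead of a drive letter.
        return self.path.lower().startswith("globalroot\\")

    @property
    def is_pua(self) -> bool:
        # "not-a-virus:" is Kaspersky's prefix for adware, riskware and
        # legitimate remote-admin / IRC tools, not true malware.
        return self.threat.startswith("not-a-virus:")


def parse_report(text: str) -> list:
    """Return one Hit per detection line; header and footer lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            hits.append(Hit(m["path"], m["threat"], int(m["count"])))
    return hits


def triage(hits) -> dict:
    """Split hits into the buckets the helper treated differently."""
    buckets = {"quarantine": [], "hidden": [], "pua": [], "malware": []}
    for h in hits:
        if h.is_quarantined:
            buckets["quarantine"].append(h)
        elif h.is_hidden:
            buckets["hidden"].append(h)
        elif h.is_pua:
            buckets["pua"].append(h)
        else:
            buckets["malware"].append(h)
    return buckets


def build_cfscript(hits, remove_folders=(), keep=()) -> str:
    """Render the File:: / Folder:: sections of a CFScript.

    remove_folders: directories the analyst removes whole (their files are
    then left out of File::). keep: paths judged legitimate, e.g. the user's
    own IRC client flagged as not-a-virus:Client-IRC.
    """
    folders = [f.rstrip("\\") for f in remove_folders]
    keep_low = {k.lower() for k in keep}
    files = []
    for h in hits:
        if h.is_quarantined or h.is_hidden or h.path.lower() in keep_low:
            continue
        if any(h.path.lower().startswith(f.lower() + "\\") for f in folders):
            continue
        files.append(h.path)
    lines = ["File::", *files]
    if folders:
        lines += ["", "Folder::", *folders]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for name, items in triage(found).items():
        print(f"{name}: {len(items)}")
    print(build_cfscript(found,
                         remove_folders=[r"C:\Program Files\NavExcel Search Toolbar"],
                         keep=[r"C:\Program Files\mIRC\mirc.exe"]))
```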

#15 J2FcM

J2FcM
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  • Local time:12:44 PM

Posted 15 May 2009 - 06:31 PM

COMBO FIX LOG
ComboFix 09-05-12.06 - Jeffrey 05/15/2009 16:27.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2747 [GMT -7:00]
Running from: f:\documents and settings\Jeffrey\Desktop\ComboFix.exe
Command switches used :: f:\documents and settings\Jeffrey\Desktop\CFScript.txt

FILE ::
c:\documents and settings\Jeff\Yugma\lib\DskHooks.dll
c:\documents and settings\Jeff\Yugma\lib\YugmaPlugin.dll
c:\windows\dealhlpr.dll
c:\windows\DHP.dll
c:\windows\dhsvr.exe
c:\windows\system32\msfdje.gif
c:\windows\system32\msglji.gif
c:\windows\system32\msiaih.dll
c:\windows\system32\mskceo.dll_tobedeleted
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jeff\Yugma\lib\DskHooks.dll
c:\documents and settings\Jeff\Yugma\lib\YugmaPlugin.dll
c:\program files\NavExcel Search Toolbar
c:\program files\NavExcel Search Toolbar\NavExcelBar.dll
c:\program files\NavExcel Search Toolbar\settings.dat
c:\windows\dealhlpr.dll
c:\windows\DHP.dll
c:\windows\dhsvr.exe
c:\windows\system32\msfdje.gif
c:\windows\system32\msglji.gif
c:\windows\system32\msiaih.dll
c:\windows\system32\mskceo.dll_tobedeleted

.
((((((((((((((((((((((((( Files Created from 2009-04-15 to 2009-05-15 )))))))))))))))))))))))))))))))
.

2009-05-10 05:37 . 2009-05-10 05:37 -------- d-----w f:\program files\Microsoft Silverlight
2009-05-10 03:51 . 2009-05-10 03:51 -------- d-----w F:\_OTMoveIt
2009-05-09 21:49 . 2009-03-06 14:22 284160 -c----w f:\windows\system32\dllcache\pdh.dll
2009-05-09 21:49 . 2009-02-09 12:10 401408 -c----w f:\windows\system32\dllcache\rpcss.dll
2009-05-09 21:49 . 2009-02-06 11:11 110592 -c----w f:\windows\system32\dllcache\services.exe
2009-05-09 21:49 . 2009-02-09 12:10 473600 -c----w f:\windows\system32\dllcache\fastprox.dll
2009-05-09 21:49 . 2009-02-06 10:10 227840 -c----w f:\windows\system32\dllcache\wmiprvse.exe
2009-05-09 21:49 . 2009-02-09 12:10 453120 -c----w f:\windows\system32\dllcache\wmiprvsd.dll
2009-05-09 21:49 . 2009-02-09 12:10 729088 -c----w f:\windows\system32\dllcache\lsasrv.dll
2009-05-09 21:49 . 2009-02-09 12:10 617472 -c----w f:\windows\system32\dllcache\advapi32.dll
2009-05-09 21:49 . 2009-02-09 12:10 714752 -c----w f:\windows\system32\dllcache\ntdll.dll
2009-05-09 21:49 . 2008-05-03 11:55 2560 ------w f:\windows\system32\xpsp4res.dll
2009-05-09 21:49 . 2008-04-21 12:08 215552 -c----w f:\windows\system32\dllcache\wordpad.exe
2009-05-09 18:54 . 2009-05-09 18:54 -------- d-----w F:\rsit
2009-05-09 17:44 . 2009-05-09 17:44 -------- d-----w f:\documents and settings\Jeffrey\Application Data\Malwarebytes
2009-05-09 17:25 . 2009-04-06 22:32 15504 ----a-w f:\windows\system32\drivers\mbam.sys
2009-05-09 17:25 . 2009-04-06 22:32 38496 ----a-w f:\windows\system32\drivers\mbamswissarmy.sys
2009-05-09 17:25 . 2009-05-09 17:25 -------- d-----w f:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-09 17:25 . 2009-05-09 17:45 -------- d-----w f:\program files\Anti-Malware
2009-04-21 16:14 . 2006-04-14 05:05 159744 ----a-w f:\windows\system32\hasher.dll
2009-04-21 16:14 . 2009-04-21 16:15 -------- d-----w f:\program files\SSI
2009-04-20 01:44 . 2008-07-31 22:17 9072 ------w f:\windows\system32\drivers\cdr4_xp.sys
2009-04-20 01:44 . 2008-07-31 22:17 9200 ------w f:\windows\system32\drivers\cdralw2k.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-15 16:44 . 2008-12-26 05:00 16608 ----a-w f:\windows\gdrv.sys
2009-05-13 13:10 . 2009-03-09 04:15 -------- d-----w f:\program files\ESET
2009-05-10 03:56 . 2008-12-26 05:53 13504 ----a-w f:\documents and settings\Jeffrey\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-28 19:35 . 2009-01-14 02:31 -------- d-----w f:\program files\Common Files\Adobe
2009-04-20 19:21 . 2008-12-26 05:01 -------- d--h--w f:\program files\InstallShield Installation Information
2009-04-20 01:43 . 2009-04-20 01:43 -------- d-----w f:\program files\Google
2009-04-20 01:43 . 2009-04-19 08:24 -------- d-----w f:\program files\InterActual
2009-04-19 09:16 . 2009-04-19 09:16 -------- d-----w f:\program files\Common Files\CyberLink
2009-04-19 09:15 . 2009-04-19 09:16 29480 ----a-w f:\windows\system32\msxml3a.dll
2009-04-17 01:46 . 2009-01-07 05:24 -------- d-----w f:\program files\MetaTrader - Alpari (US)
2009-04-15 02:10 . 2009-01-02 00:07 -------- d-----w f:\program files\Windows Media Connect 2
2009-04-14 02:05 . 2009-04-14 02:05 -------- d-----w f:\program files\AVG
2009-04-13 14:31 . 2009-04-13 04:28 -------- d-----w f:\program files\Pando Networks
2009-04-13 05:44 . 2009-04-13 05:44 410984 ----a-w f:\windows\system32\deploytk.dll
2009-04-13 05:44 . 2009-04-13 05:44 -------- d-----w f:\program files\Java
2009-04-13 04:53 . 2009-04-13 04:28 -------- d---a-w f:\program files\NBC Direct
2009-04-10 23:58 . 2009-02-06 02:08 -------- d-----w f:\program files\Vuze
2009-03-06 14:22 . 2003-03-31 12:00 284160 ----a-w f:\windows\system32\pdh.dll
2009-03-03 00:18 . 2003-03-31 12:00 826368 ----a-w f:\windows\system32\wininet.dll
2009-02-20 18:09 . 2008-12-30 02:22 78336 ----a-w f:\windows\system32\ieencode.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-05-13_13.21.36 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-15 16:44 . 2009-05-15 16:44 16384 f:\windows\Temp\Perflib_Perfdata_6c8.dat
+ 2009-05-15 16:44 . 2009-05-15 16:44 16384 f:\windows\Temp\Perflib_Perfdata_2f0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="f:\games\steam\steam.exe" [2008-12-29 1410296]
"DAEMON Tools Lite"="f:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]
"ctfmon.exe"="f:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="f:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSI"="f:\program files\SSI\ssi" [X]
"JMB36X IDE Setup"="f:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="f:\windows\System32\xRaidSetup.exe" [2007-11-19 1966080]
"StartCCC"="f:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"SunJavaUpdateSched"="f:\program files\Java\jre6\bin\jusched.exe" [2009-04-13 148888]
"Adobe Reader Speed Launcher"="f:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"RTHDCPL"="RTHDCPL.EXE" - f:\windows\RTHDCPL.exe [2008-07-23 16804864]
"SoundMan"="SOUNDMAN.EXE" - f:\windows\SoundMan.exe [2008-06-18 77824]
"AlcWzrd"="ALCWZRD.EXE" - f:\windows\alcwzrd.exe [2008-06-19 2808832]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"f:\\Games\\Steam\\steam.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"f:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"f:\\Program Files\\SopCast\\SopCast.exe"=
"f:\\Program Files\\Vuze\\Azureus.exe"=
"f:\\Games\\Steam\\steamapps\\j2fcm\\team fortress 2\\hl2.exe"=
"f:\\Games\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=

R2 GEST Service;GEST Service for program management.;f:\program files\GIGABYTE\EnergySaver\GSvr.exe [12/25/2008 10:01 PM 68136]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;f:\windows\system32\drivers\AtiHdmi.sys [12/25/2008 10:48 PM 89600]
.
Contents of the 'Scheduled Tasks' folder

2009-05-15 f:\windows\Tasks\WGASetup.job
- f:\windows\system32\KB905474\wgasetup.exe [2009-04-01 05:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Add to Google Photos Screensa&ver - f:\windows\system32\GPhotos.scr/200
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-15 16:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(940)
f:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2212)
f:\windows\system32\WPDShServiceObj.dll
f:\windows\system32\PortableDeviceTypes.dll
f:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-05-15 16:29
ComboFix-quarantined-files.txt 2009-05-15 23:29
ComboFix2.txt 2009-05-13 13:22

Pre-Run: 539,199,619,072 bytes free
Post-Run: 540,387,033,088 bytes free

150 --- E O F --- 2009-05-13 08:07




ONLINE SCANNER REPORT

Scanning Report
Friday, May 15, 2009 16:41:17 - 18:02:08

Computer name: JEFF
Scanning type: Scan system for malware, spyware and rootkits
Target: C:\ D:\ F:\
15 malware found
TrackingCookie.Questionmarket (spyware)

* System (Disinfected)

TrackingCookie.Advertising (spyware)

* System (Disinfected)

TrackingCookie.Atdmt (spyware)

* System (Disinfected)

TrackingCookie.Doubleclick (spyware)

* System (Disinfected)

TrackingCookie.Revsci (spyware)

* System (Disinfected)

TrackingCookie.Adbrite (spyware)

* System (Disinfected)

TrackingCookie.Webtrends (spyware)

* System (Disinfected)

TrackingCookie.Mediaplex (spyware)

* System (Disinfected)

TrackingCookie.Statcounter (spyware)

* System (Disinfected)

TrackingCookie.Atwola (spyware)

* System (Disinfected)

TrackingCookie.Yieldmanager (spyware)

* System (Disinfected)

Trojan-Dropper.Win32.Small.gq (virus)

* C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\QUARANTINE\59A03920.EXE (Renamed & Submitted)

Trojan-Dropper.Win32.Small.gg (virus)

* C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\QUARANTINE\6EEF0771.EXE (Renamed & Submitted)

W32/Packed_PeX.B (virus)

* C:\PROGRAM FILES\KAZAA LITE\KAZAA.EXE (Not cleaned & Submitted)

Suspicious_F.gen (virus)

* C:\PROGRAM FILES\BPFTP\PATCH.EXE (Not cleaned & Submitted)

Statistics
Scanned:

* Files: 52076
* System: 2849
* Not scanned: 72

Actions:

* Disinfected: 11
* Renamed: 2
* Deleted: 0
* Not cleaned: 2
* Submitted: 4

Files not scanned:

* C:\WINDOWS\$NTUNINSTALLQ828026$\MSDXM.OCX
* C:\WINDOWS\$NTUNINSTALLQ828026$\WMPCORE.DLL
* C:\WINDOWS\$NTUNINSTALLKB839645$\FLDRCLNR.DLL
* C:\WINDOWS\$NTUNINSTALLKB839645$\SHELL32.DLL
* C:\WINDOWS\$NTUNINSTALLKB839645$\SXS.DLL
* C:\WINDOWS\$NTUNINSTALLKB839645$\XPSP2RES.DLL
* C:\WINDOWS\$NTUNINSTALLKB837001$\DAO360.DLL
* C:\WINDOWS\$NTUNINSTALLKB837001$\EXPSRV.DLL
* C:\WINDOWS\$NTUNINSTALLKB837001$\MSEXCH40.DLL
* C:\WINDOWS\$NTUNINSTALLKB837001$\MSEXCL40.DLL
* C:\WINDOWS\$NTUNINSTALLKB837001$\MSJET40.DLL
* C:\WINDOWS\$NTUNINSTALLKB837001$\MSJETOL1.DLL
* C:\WINDOWS\$NTUNINSTALLKB837001$\MSJETOLEDB40.DLL
* C:\WINDOWS\$NTUNINSTALLKB837001$\MSJINT40.DLL
* C:\WINDOWS\$NTUNINSTALLKB837001$\MSJTER40.DLL
* C:\WINDOWS\$NTUNINSTALLKB837001$\MSJTES40.DLL
* C:\WINDOWS\$NTUNINSTALLKB837001$\MSLTUS40.DLL
* C:\WINDOWS\$NTUNINSTALLKB837001$\MSPBDE40.DLL
* C:\WINDOWS\$NTUNINSTALLKB837001$\MSRD2X40.DLL
* C:\WINDOWS\$NTUNINSTALLKB837001$\MSRD3X40.DLL
* C:\WINDOWS\$NTUNINSTALLKB837001$\MSREPL40.DLL
* C:\WINDOWS\$NTUNINSTALLKB837001$\MSTEXT40.DLL
* C:\WINDOWS\$NTUNINSTALLKB837001$\MSWDAT10.DLL
* C:\WINDOWS\$NTUNINSTALLKB837001$\MSWSTR10.DLL
* C:\WINDOWS\$NTUNINSTALLKB837001$\MSXBDE40.DLL
* C:\WINDOWS\$NTUNINSTALLKB837001$\VBAJET32.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\CALLCONT.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\GDI32.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\H323.TSP
* C:\WINDOWS\$NTUNINSTALLKB835732$\H323MSP.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\HELPCTR.EXE
* C:\WINDOWS\$NTUNINSTALLKB835732$\IPNATHLP.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\LSASRV.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\MF3216.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\MSASN1.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\MSGINA.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\MST120.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\NETAPI32.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\NMCOM.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\RTCDLL.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\SCHANNEL.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\CATSRV.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\CATSRVUT.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\CLBCATEX.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\CLBCATQ.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\COLBACT.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\COMADMIN.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\COMREPL.EXE
* C:\WINDOWS\$NTUNINSTALLKB828741$\COMSVCS.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\COMUID.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\ES.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\MIGREGDB.EXE
* C:\WINDOWS\$NTUNINSTALLKB828741$\MSDTCPRX.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\MSDTCTM.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\MSDTCUIU.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\MTXCLU.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\MTXOCI.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\OLE32.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\RPCRT4.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\RPCSS.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\TXFLOG.DLL
* C:\WINDOWS\$NTUNINSTALLKB828035$\MSGSVC.DLL
* C:\WINDOWS\$NTUNINSTALLKB828035$\WKSSVC.DLL
* C:\WINDOWS\$NTUNINSTALLKB828028$\MSASN1.DLL
* C:\WINDOWS\$NTUNINSTALLKB824141$\USER32.DLL
* C:\WINDOWS\$NTUNINSTALLKB824141$\WIN32K.SYS
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\0518A108A125C3EE4F35F8332FC9A549_64B5376A-2327-4423-AC7B-F7B1CE86C1F7
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\42C8C7B08489762C04892B4868EEA322_64B5376A-2327-4423-AC7B-F7B1CE86C1F7
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\86CE3A76DCACD604EA06101069CC5867_64B5376A-2327-4423-AC7B-F7B1CE86C1F7
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\B3F438B07EE577DADCF11BA0A80F53EC_64B5376A-2327-4423-AC7B-F7B1CE86C1F7
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\C675E0A3EA391B938FAF4CB925DC8D6F_64B5376A-2327-4423-AC7B-F7B1CE86C1F7
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\FE22E701970882951DC8DB9A8788E595_64B5376A-2327-4423-AC7B-F7B1CE86C1F7

Options
Scanning engines:

* F-Secure USS: 3.0.0
* F-Secure Hydra: 3.8.9080, 2009-05-15
* F-Secure AVP: 7.0.171, 2009-05-15
* F-Secure Pegasus: 1.20.0
* F-Secure Blacklight

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use advanced heuristics







My computer seems to be running better... Google doesn't redirect me anymore! Haven't removed Symantec (Norton) stuff yet though... I have an old version and haven't figured out which version.

Edited by J2FcM, 15 May 2009 - 08:19 PM.




