
gxvxccounter,rootkit/backdoor trojan???


7 replies to this topic

#1 ChristinaSW

Members, 46 posts

Posted 24 April 2009 - 08:20 AM

Where to start?!?! OK, when this first started I hadn't had this computer very long at all and it (of course) had Norton on it. I removed it (not a fan!) and just honestly had not gotten around to putting another scanner on here. I like to use the Bitdefender online scanner. I realized I had SOMETHING because my Google searches were being "hijacked". Then when I tried to download a scanner I couldn't; my PC wouldn't let me download anything that could have been helpful. I got all types of error messages. However, with help from a couple in a different category here we did manage to get a few scanners to run (Malwarebytes, SUPERAntiSpyware, among others). I was told afterward that my best shot was to reformat but that the computer just may never be "secure" again. Reformatting isn't an option as of right now, so I was referred here.

The only reason I can tell that there is some sort of malware is because of Google still being hijacked. The computer is NOT slow, I do NOT get pop-ups, and as of now I am getting NO error messages; it is simply that my Google search results pop up and when I click a link to go to that website it takes me somewhere else altogether. Sometimes it is another search result and sometimes it is a real estate company, or a quiz to take. Here are the reports as requested.
Thanks in advance for any advice and help given.
Christina*




DDS (Ver_09-03-16.01) - NTFSx86
Run by E-Z Customer at 8:57:10.74 on Fri 04/24/2009
Internet Explorer: 8.0.6001.18702
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.894.78 [GMT -4:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\RtHDVCpl.exe
C:\hp\support\hpsysdrv.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Google\Quick Search Box\qsb.exe
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehmsas.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\IncrediMail\bin\IMApp.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\E-Z Customer\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.myspace.com/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Presario&pf=cndt
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Presario&pf=cndt
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Presario&pf=cndt
uInternet Settings,ProxyServer = http=127.0.0.1:8081
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_9993303B90FE6C1D.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [HPAdvisor] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe autorun=AUTORUN
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_01\bin\jusched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\qsb.exe" /autorun
mRun: [Corel Photo Downloader] "c:\program files\common files\corel\corel photodownloader\Corel Photo Downloader.exe" -startup
mRun: [Corel File Shell Monitor] c:\program files\corel\corel paint shop pro photo x2\CorelIOMonitor.exe
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\snapfi~1.lnk - c:\program files\snapfish picture mover\SnapfishMediaDetector.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} - hxxp://apps.corel.com/nos_dl_manager/plugin/IEGetPlugin.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_9993303B90FE6C1D.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\e-zcus~1\appdata\roaming\mozilla\firefox\profiles\nvitkpkf.default\
FF - prefs.js: browser.startup.homepage - www.myspace.com
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
S2 gupdate1c9b39049761620;Google Update Service (gupdate1c9b39049761620);c:\program files\google\update\GoogleUpdate.exe [2009-4-2 133104]
S3 getPlus® Installer;getPlus® Installer;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-4-3 59552]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
S4 nvrd32;NVIDIA nForce RAID Driver;c:\windows\system32\drivers\nvrd32.sys [2008-5-20 132128]

=============== Created Last 30 ================

2009-04-21 19:24 138,804,520 a------- c:\windows\MEMORY.DMP
2009-04-21 18:42 0 a------- c:\windows\system32\settings.dat
2009-04-21 08:46 <DIR> --d----- c:\programdata\SUPERAntiSpyware.com
2009-04-21 08:46 <DIR> --d----- c:\progra~2\SUPERAntiSpyware.com
2009-04-21 08:43 <DIR> --d----- c:\users\e-zcus~1\appdata\roaming\SUPERAntiSpyware.com
2009-04-21 08:43 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-04-21 08:42 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-04-21 07:35 <DIR> --d----- c:\users\e-zcus~1\appdata\roaming\Malwarebytes
2009-04-21 07:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-21 07:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-21 07:32 <DIR> --d----- c:\program files\bullbleepfile
2009-04-20 22:40 <DIR> --d----- c:\programdata\Malwarebytes
2009-04-20 22:40 <DIR> --d----- c:\progra~2\Malwarebytes
2009-04-20 22:40 <DIR> --d----- c:\program files\blah blah bleeping
2009-04-20 05:05 <DIR> --d----- c:\program files\Simulanics MySpace Mobsters Bot 5.2
2009-04-15 19:48 376,832 a------- c:\windows\system32\winhttp.dll
2009-04-15 19:48 562,176 a------- c:\windows\system32\msdtcprx.dll
2009-04-15 19:48 38,912 a------- c:\windows\system32\xolehlp.dll
2009-04-15 19:47 551,424 a------- c:\windows\system32\rpcss.dll
2009-04-15 19:47 3,599,328 a------- c:\windows\system32\ntkrnlpa.exe
2009-04-15 19:47 3,547,632 a------- c:\windows\system32\ntoskrnl.exe
2009-04-15 19:47 666,624 a------- c:\windows\system32\printfilterpipelinesvc.exe
2009-04-15 19:47 183,296 a------- c:\windows\system32\sdohlp.dll
2009-04-15 19:47 98,304 a------- c:\windows\system32\iasrecst.dll
2009-04-15 19:47 54,784 a------- c:\windows\system32\iasads.dll
2009-04-15 19:47 44,032 a------- c:\windows\system32\iasdatastore.dll
2009-04-15 19:47 26,112 a------- c:\windows\system32\printfilterpipelineprxy.dll
2009-04-15 19:47 17,408 a------- c:\windows\system32\iashost.exe
2009-04-15 19:46 1,255,936 a------- c:\windows\system32\lsasrv.dll
2009-04-15 19:46 72,704 a------- c:\windows\system32\secur32.dll
2009-04-15 19:46 24,064 a------- c:\windows\system32\amxread.dll
2009-04-15 19:46 13,824 a------- c:\windows\system32\apilogen.dll
2009-04-12 03:29 <DIR> --d----- c:\program files\common files\DivX Shared
2009-04-12 03:29 <DIR> --d----- c:\program files\DivX
2009-04-04 00:23 2,516 a--sh--- c:\programdata\KGyGaAvL.sys
2009-04-04 00:23 2,516 a--sh--- c:\progra~2\KGyGaAvL.sys
2009-04-04 00:23 88 ---shr-- c:\programdata\B47B70199A.sys
2009-04-04 00:23 88 ---shr-- c:\progra~2\B47B70199A.sys
2009-04-04 00:16 <DIR> --d----- c:\program files\common files\Protexis
2009-04-04 00:16 <DIR> --d----- c:\programdata\Corel
2009-04-04 00:16 <DIR> --d----- c:\program files\common files\Corel
2009-04-04 00:16 <DIR> --d----- c:\progra~2\Corel
2009-04-04 00:11 <DIR> --d----- c:\program files\Corel
2009-04-03 21:27 <DIR> --d----- c:\programdata\NOS
2009-04-02 08:38 <DIR> --d----- c:\programdata\Google Updater
2009-03-28 17:54 <DIR> --d-h--- c:\windows\msdownld.tmp
2009-03-28 17:54 <DIR> --d----- c:\windows\system32\directx
2009-03-28 17:54 <DIR> --d----- c:\program files\Utherverse Digital Inc
2009-03-28 14:55 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-03-28 00:56 1,524,736 a------- c:\windows\system32\wucltux.dll
2009-03-28 00:55 83,456 a------- c:\windows\system32\wudriver.dll
2009-03-28 00:55 162,064 a------- c:\windows\system32\wuwebv.dll
2009-03-28 00:55 31,232 a------- c:\windows\system32\wuapp.exe
2009-03-27 22:48 <DIR> --d----- c:\windows\system32\Adobe
2009-03-27 21:53 428,544 a------- c:\windows\system32\EncDec.dll
2009-03-27 21:53 217,088 a------- c:\windows\system32\psisrndr.ax
2009-03-27 21:53 293,376 a------- c:\windows\system32\psisdecd.dll
2009-03-27 21:53 177,664 a------- c:\windows\system32\mpg2splt.ax
2009-03-27 21:53 80,896 a------- c:\windows\system32\MSNP.ax
2009-03-27 21:53 57,856 a------- c:\windows\system32\MSDvbNP.ax
2009-03-27 21:38 12,240,896 a------- c:\windows\system32\NlsLexicons0007.dll
2009-03-27 21:38 2,644,480 a------- c:\windows\system32\NlsLexicons0009.dll
2009-03-27 21:38 801,280 a------- c:\windows\system32\NaturalLanguage6.dll
2009-03-27 21:29 361,984 a------- c:\windows\system32\IPSECSVC.DLL
2009-03-27 21:29 241,152 a------- c:\windows\system32\PortableDeviceApi.dll
2009-03-27 21:29 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-03-27 21:29 891,448 a------- c:\windows\system32\drivers\tcpip.sys
2009-03-27 21:29 72,192 a------- c:\windows\system32\drivers\pacer.sys
2009-03-27 21:29 15,360 a------- c:\windows\system32\pacerprf.dll
2009-03-27 21:29 296,960 a------- c:\windows\system32\gdi32.dll
2009-03-27 21:29 212,480 a------- c:\windows\system32\drivers\mrxsmb10.sys
2009-03-27 21:29 269,312 a------- c:\windows\system32\es.dll
2009-03-27 21:29 303,616 a------- c:\windows\system32\wmpeffects.dll
2009-03-27 21:29 1,191,936 a------- c:\windows\system32\msxml3.dll
2009-03-27 21:26 7,680 a------- c:\windows\system32\spwmp.dll
2009-03-27 21:26 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-03-27 21:26 4,096 a------- c:\windows\system32\msdxm.ocx
2009-03-27 21:26 4,096 a------- c:\windows\system32\dxmasf.dll
2009-03-27 21:26 2,927,104 a------- c:\windows\explorer.exe
2009-03-27 21:23 147,456 a------- c:\windows\system32\Faultrep.dll
2009-03-27 21:23 125,952 a------- c:\windows\system32\wersvc.dll
2009-03-27 21:23 443,392 a------- c:\windows\system32\win32spl.dll
2009-03-27 21:23 625,152 a------- c:\windows\system32\drivers\dxgkrnl.sys
2009-03-27 21:23 565,248 a------- c:\windows\system32\emdmgmt.dll
2009-03-27 21:23 148,480 a------- c:\windows\system32\drivers\nwifi.sys
2009-03-27 21:23 45,056 a------- c:\windows\system32\dataclen.dll
2009-03-27 21:23 36,864 a------- c:\windows\system32\cdd.dll
2009-03-27 21:23 113,664 a------- c:\windows\system32\drivers\rmcast.sys
2009-03-27 21:23 288,768 a------- c:\windows\system32\drivers\srv.sys
2009-03-27 21:23 268,288 a------- c:\windows\system32\schannel.dll
2009-03-27 21:21 1,334,272 a------- c:\windows\system32\msxml6.dll
2009-03-27 21:19 <DIR> --d----- c:\program files\Ares
2009-03-27 21:07 <DIR> --d----- c:\programdata\Yahoo!
2009-03-27 21:06 <DIR> --d----- c:\users\e-z customer\Roaming
2009-03-27 21:06 <DIR> --d----- c:\users\e-zcus~1\appdata\roaming\MySpace
2009-03-27 21:06 <DIR> --d----- c:\program files\MySpace
2009-03-27 20:53 <DIR> --d----- c:\programdata\IM
2009-03-27 20:53 <DIR> --d----- c:\progra~2\IM
2009-03-27 20:53 <DIR> --d----- c:\programdata\IncrediMail
2009-03-27 20:53 <DIR> --d----- c:\program files\IncrediMail
2009-03-27 20:53 <DIR> --d----- c:\progra~2\IncrediMail
2009-03-27 20:53 <DIR> --d----- c:\programdata\Google
2009-03-27 20:29 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-03-27 20:29 1,695,744 a------- c:\windows\system32\gameux.dll
2009-03-27 20:29 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll

==================== Find3M ====================

2009-03-28 03:15 665,600 a------- c:\windows\inf\drvindex.dat
2009-03-28 03:15 143,360 a------- c:\windows\inf\infstrng.dat
2009-03-28 03:15 86,016 a------- c:\windows\inf\infstor.dat
2009-03-28 03:15 51,200 a------- c:\windows\inf\infpub.dat
2009-03-16 23:38 40,960 a------- c:\windows\apppatch\apihex86.dll
2009-03-16 14:18 517,448 a------- c:\windows\system32\XAudio2_4.dll
2009-03-16 14:18 235,352 a------- c:\windows\system32\xactengine3_4.dll
2009-03-16 14:18 69,448 a------- c:\windows\system32\XAPOFX1_3.dll
2009-03-16 14:18 22,360 a------- c:\windows\system32\X3DAudio1_6.dll
2009-03-11 15:20 1,684 a--shr-- c:\windows\system32\drivers\103C_HP_CPC_KT526AA-ABA SR5505F_YC_0Pres_QMXU834_E83NAv3PrA2_49_IIVY8_SOEMMB_V2.00_B5.14_T080502_WUH1_L409_M894_J160_7AMD_8Athlon 64 X2 Dual Core_92.2_#081125_N10DE03EF_Z14F12F20_G10DE03D0.MRK
2009-03-09 15:27 4,178,264 a------- c:\windows\system32\D3DX9_41.dll
2009-03-09 15:27 1,846,632 a------- c:\windows\system32\D3DCompiler_41.dll
2009-03-09 15:27 453,456 a------- c:\windows\system32\d3dx10_41.dll
2009-03-08 07:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 07:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 07:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 07:33 109,056 a------- c:\windows\system32\iesysprep.dll
2009-03-08 07:33 109,568 a------- c:\windows\system32\PDMSetup.exe
2009-03-08 07:33 132,608 a------- c:\windows\system32\ieUnatt.exe
2009-03-08 07:33 107,520 a------- c:\windows\system32\RegisterIEPKEYs.exe
2009-03-08 07:33 107,008 a------- c:\windows\system32\SetIEInstalledDate.exe
2009-03-08 07:33 103,936 a------- c:\windows\system32\SetDepNx.exe
2009-03-08 07:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 07:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 07:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 07:32 66,560 a------- c:\windows\system32\wextract.exe
2009-03-08 07:32 169,472 a------- c:\windows\system32\iexpress.exe
2009-03-08 07:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 07:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 07:31 45,568 a------- c:\windows\system32\mshta.exe
2009-03-08 07:22 156,160 a------- c:\windows\system32\msls31.dll
2009-02-08 23:10 2,033,152 a------- c:\windows\system32\win32k.sys
2008-01-20 22:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 8:58:55.23 ===============

Edited by ChristinaSW, 24 April 2009 - 08:23 AM.
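The DDS log in this post already contains the one line that accounts for the redirects the post describes: `uInternet Settings,ProxyServer = http=127.0.0.1:8081`. Internet Explorer honours that value for every HTTP request, so a process listening on the machine's own port 8081 sees, and can rewrite, each page the browser asks for, including Google result clicks. The other indicator worth a first look is `BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File`, a browser extension CLSID with no DLL behind it. The script below is an added example (not part of the thread and not one of the tools the helpers use) that reads DDS-style "Pseudo HJT Report" and "SERVICES / DRIVERS" lines and raises a finding for a loopback proxy, an orphaned BHO, and a driver whose file name looks machine-generated. The sample log is constructed after the logs in this thread; the `gxvxcserv` driver entry, with its date and size, is made up to show what a matching SERVICES / DRIVERS line would look like (DDS did not list one here), and the name-randomness check is a crude triage heuristic, not a verdict.

```python
"""
Added triage helper for DDS-style logs (example code, not part of the original
thread and not a BleepingComputer tool).  It reads the "Pseudo HJT Report" and
"SERVICES / DRIVERS" lines that DDS emits and raises a finding for three things
a responder checks first when a user reports search-result redirects:

  1. an Internet Settings ProxyServer value that points at a loopback address,
     which routes every browser request through a process on the same machine;
  2. a BHO (browser helper object) registered with "No File", i.e. a CLSID whose
     backing DLL is gone or hidden;
  3. a kernel driver whose file name looks machine-generated (almost no vowels,
     long consonant runs): a crude heuristic, not a verdict.

SAMPLE_LOG is constructed after the logs posted in the thread.  The gxvxcserv
line, including its date and size, is made up to show what a matching
SERVICES / DRIVERS entry would look like; DDS did not list one in this thread.
"""
import re

SAMPLE_LOG = r"""
uStart Page = hxxp://www.myspace.com/
uInternet Settings,ProxyServer = http=127.0.0.1:8081
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
S4 nvrd32;NVIDIA nForce RAID Driver;c:\windows\system32\drivers\nvrd32.sys [2008-5-20 132128]
R1 gxvxcserv;gxvxcserv;c:\windows\system32\drivers\gxvxcivmpipexvbprvxucprehstjprwrxxwhj.sys [2009-4-4 38400]
"""

LOOPBACK = re.compile(r"^(127\.|localhost$|0\.0\.0\.0$)", re.I)
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PROXY = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(.+)$")
DRIVER = re.compile(r"^[RS]\d\s+([^;]+);([^;]*);(.+?\.sys)\b", re.I)
VOWELS = set("aeiouy")


def proxy_findings(line):
    """Flag each proxy entry ('http=host:port' or bare 'host:port') on loopback."""
    m = PROXY.match(line)
    if not m:
        return []
    out = []
    for entry in m.group(1).split(";"):
        scheme, _, hostport = entry.strip().rpartition("=")
        host = hostport.rsplit(":", 1)[0]
        if LOOPBACK.match(host):
            out.append(f"loopback proxy {entry.strip()}: a local process intercepts "
                       f"{scheme or 'all'} browser traffic")
    return out


def bho_findings(line):
    """Flag BHO registrations whose target DLL DDS could not find."""
    if line.startswith("BHO:") and line.rstrip().endswith("- No File"):
        m = CLSID.search(line)
        return [f"orphaned BHO {m.group(0) if m else '<no CLSID>'}: registered with no backing file"]
    return []


def looks_random(name):
    """Crude 'machine-generated' test on a file stem or service name: at least
    12 letters and either under 25% vowels or a consonant run of 6 or more.
    Short names and ordinary product names pass; a random-named driver does not."""
    letters = "".join(c for c in name.lower() if c.isalpha())
    if len(letters) < 12:
        return False
    vowel_share = sum(c in VOWELS for c in letters) / len(letters)
    longest_run = max(len(run) for run in re.findall(r"[^aeiouy]+", letters) or [""])
    return vowel_share < 0.25 or longest_run >= 6


def driver_findings(line):
    """Flag R*/S* driver entries whose service name or file stem looks random."""
    m = DRIVER.match(line)
    if not m:
        return []
    service, path = m.group(1), m.group(3)
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if looks_random(stem) or looks_random(service):
        return [f"service {service}: machine-looking driver name {stem}.sys"]
    return []


def triage(log_text):
    """Run every check over every non-empty line; return findings in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if line:
            for check in (proxy_findings, bho_findings, driver_findings):
                findings.extend(check(line))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

On the sample log this reports the loopback proxy, the orphaned BHO and the random-named driver, and nothing for the SUPERAntiSpyware or NVIDIA drivers. On the affected machine itself, `netstat -ano` shows which PID is bound to port 8081, which is the quickest way to tie the proxy setting to a running process before any cleaning tool is run.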



#2 Grinler

Lawrence Abrams (Admin, 43,472 posts)

Posted 04 May 2009 - 03:46 PM

Download GMER Rootkit Scanner from here.
  • Extract the contents of the zipped file to the desktop.
  • Double click GMER.exe and if you are asked if you want to allow gmer.sys driver to load, please allow it to do so.
  • If it gives you a warning about rootkit activity and asks if you want to run scan, please click on NO.
  • In the right panel you will see several boxes that have been checked. Uncheck the following checkboxes:
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Now click on the Scan button and wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in ark.txt and save it to your desktop.
Then,

Please visit the following link and use the instructions there to post a ComboFix log as a reply to this topic:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

After running ComboFix, please post the ComboFix log and the ark.txt as a reply to this topic.

#3 ChristinaSW

Topic Starter

Posted 14 May 2009 - 01:09 AM

OK, I give up. I have tried and tried to get ComboFix to run. It is telling me that Windows Defender is still running, but it isn't. When I pull up Windows Defender it gives me the message telling me that it is off and gives me the option to turn it on and open it.

I apologize for taking so long to get back to this; we have welcomed a new baby to the family.

Edited by ChristinaSW, 14 May 2009 - 01:10 AM.


#4 Grinler

Lawrence Abrams (Admin, 43,472 posts)

Posted 15 May 2009 - 01:44 PM

Redownload ComboFix and try again, please.

#5 ChristinaSW

Topic Starter

Posted 15 May 2009 - 08:02 PM

If you need attachments then I will repost them as that.
Christina*

ComboFix 09-05-14.03 - E-Z Customer 05/15/2009 20:47.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.894.429 [GMT -4:00]
Running from: c:\users\E-Z Customer\Desktop\ComboFix.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\system32\drivers\gxvxcivmpipexvbprvxucprehstjprwrxxwhj.sys
c:\windows\system32\gxvxccounter
c:\windows\system32\gxvxcpiocttmiyxuononvgeaytrefyxyuisrs.dll
D:\Autorun.inf
d:\recycler\S-6-1-59-100010628-100021418-100018408-5463.com

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_GXVXCSERV.SYS


((((((((((((((((((((((((( Files Created from 2009-04-16 to 2009-05-16 )))))))))))))))))))))))))))))))
.

2009-05-15 11:56 . 2009-05-15 12:24 -------- d-----w c:\users\E-Z Customer\AppData\Roaming\Corel
2009-05-15 11:49 . 2009-05-15 11:49 -------- d-----w c:\program files\Common Files\Protexis
2009-05-15 11:49 . 2009-05-15 11:51 -------- d-----w c:\program files\Common Files\Corel
2009-05-15 11:49 . 2009-05-15 11:55 -------- d-----w c:\programdata\Corel
2009-05-15 11:49 . 2009-05-15 11:55 -------- d-----w c:\users\All Users\Corel
2009-05-15 10:53 . 2009-05-15 11:49 -------- d-----w c:\program files\Corel
2009-05-09 06:03 . 2009-05-09 06:04 -------- d-----w C:\[paint shop pro x2] Serials
2009-05-09 03:10 . 2008-06-20 01:14 97800 ----a-w c:\windows\system32\infocardapi.dll
2009-05-09 03:10 . 2008-06-20 01:14 105016 ----a-w c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-05-09 03:10 . 2008-06-20 01:14 622080 ----a-w c:\windows\system32\icardagt.exe
2009-05-09 03:10 . 2008-06-20 01:14 11264 ----a-w c:\windows\system32\icardres.dll
2009-05-09 03:10 . 2008-06-20 01:14 43544 ----a-w c:\windows\system32\PresentationHostProxy.dll
2009-05-09 03:10 . 2008-06-20 01:14 781344 ----a-w c:\windows\system32\PresentationNative_v0300.dll
2009-05-09 03:10 . 2008-06-20 01:14 326160 ----a-w c:\windows\system32\PresentationHost.exe
2009-05-09 03:06 . 2008-07-27 18:03 96760 ----a-w c:\windows\system32\dfshim.dll
2009-05-09 03:06 . 2008-07-27 18:03 282112 ----a-w c:\windows\system32\mscoree.dll
2009-05-09 03:06 . 2008-07-27 18:03 41984 ----a-w c:\windows\system32\netfxperf.dll
2009-05-09 03:05 . 2008-07-27 18:03 158720 ----a-w c:\windows\system32\mscorier.dll
2009-05-09 03:05 . 2008-07-27 18:03 83968 ----a-w c:\windows\system32\mscories.dll
2009-05-08 18:54 . 2009-05-08 18:54 -------- d-----w c:\windows\Sun
2009-05-01 18:46 . 2009-05-01 18:48 -------- d-----w c:\program files\Jasc Software Inc
2009-04-29 11:51 . 2009-04-29 11:51 -------- d-----w c:\users\E-Z Customer\AppData\Local\Adobe
2009-04-21 22:42 . 2009-04-21 22:42 0 ----a-w c:\windows\system32\settings.dat
2009-04-21 12:46 . 2009-04-21 12:46 -------- d-----w c:\programdata\SUPERAntiSpyware.com
2009-04-21 12:46 . 2009-04-21 12:46 -------- d-----w c:\users\All Users\SUPERAntiSpyware.com
2009-04-21 12:43 . 2009-04-21 12:43 -------- d-----w c:\users\E-Z Customer\AppData\Roaming\SUPERAntiSpyware.com
2009-04-21 11:35 . 2009-04-21 11:35 -------- d-----w c:\users\E-Z Customer\AppData\Roaming\Malwarebytes
2009-04-21 03:21 . 2009-04-21 09:24 -------- d-----w c:\windows\BDOSCAN8
2009-04-21 02:40 . 2009-04-21 02:40 -------- d-----w c:\programdata\Malwarebytes
2009-04-21 02:40 . 2009-04-21 02:40 -------- d-----w c:\users\All Users\Malwarebytes
2009-04-21 02:40 . 2009-04-21 02:43 -------- d-----w c:\program files\blah blah bleeping
2009-04-18 16:30 . 2009-04-18 16:30 -------- d-----w c:\users\E-Z Customer\AppData\Local\Mozilla

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-15 22:27 . 2009-04-04 04:23 2516 --sha-w c:\users\All Users\KGyGaAvL.sys
2009-05-15 22:27 . 2009-04-04 04:23 2516 --sha-w c:\programdata\KGyGaAvL.sys
2009-05-15 21:16 . 2009-04-04 04:23 168 --sh--r c:\users\All Users\B47B70199A.sys
2009-05-15 21:16 . 2009-04-04 04:23 168 --sh--r c:\programdata\B47B70199A.sys
2009-05-13 07:00 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-05-12 01:59 . 2009-05-12 01:59 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-04-12 07:29 . 2009-04-12 07:29 -------- d-----w c:\program files\DivX
2009-04-12 07:29 . 2009-04-12 07:29 -------- d-----w c:\program files\Common Files\DivX Shared
2009-04-04 01:27 . 2009-04-04 01:27 -------- d-----w c:\program files\NOS
2009-04-02 12:41 . 2009-03-28 00:53 -------- d-----w c:\program files\Google
2009-03-28 21:54 . 2009-03-28 21:54 -------- d-----w c:\program files\Utherverse Digital Inc
2009-03-28 18:55 . 2009-03-28 18:55 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-03-28 03:19 . 2008-05-20 18:02 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-28 01:19 . 2009-03-28 01:19 -------- d-----w c:\program files\Ares
2009-03-28 01:07 . 2008-05-20 18:00 -------- d-----w c:\program files\Yahoo!
2009-03-28 01:06 . 2009-03-28 01:06 -------- d-----w c:\program files\MySpace
2009-03-28 00:53 . 2009-03-28 00:53 -------- d-----w c:\program files\IncrediMail
2009-03-17 03:38 . 2009-04-15 23:46 13824 ----a-w c:\windows\system32\apilogen.dll
2009-03-17 03:38 . 2009-04-15 23:46 24064 ----a-w c:\windows\system32\amxread.dll
2009-03-16 18:18 . 2009-03-28 22:11 69448 ----a-w c:\windows\system32\XAPOFX1_3.dll
2009-03-16 18:18 . 2009-03-28 22:11 517448 ----a-w c:\windows\system32\XAudio2_4.dll
2009-03-16 18:18 . 2009-03-28 22:11 235352 ----a-w c:\windows\system32\xactengine3_4.dll
2009-03-16 18:18 . 2009-03-28 22:11 22360 ----a-w c:\windows\system32\X3DAudio1_6.dll
2009-03-11 19:25 . 2009-03-11 19:25 74352 ----a-w c:\users\E-Z Customer\AppData\Local\GDIPFONTCACHEV1.DAT
2009-03-09 19:27 . 2009-03-28 22:11 1846632 ----a-w c:\windows\system32\D3DCompiler_41.dll
2009-03-09 19:27 . 2009-03-28 22:11 453456 ----a-w c:\windows\system32\d3dx10_41.dll
2009-03-09 19:27 . 2009-03-28 22:11 4178264 ----a-w c:\windows\system32\D3DX9_41.dll
2009-03-08 11:34 . 2009-03-28 00:30 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 11:34 . 2009-03-28 00:30 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 11:33 . 2009-03-28 00:30 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 11:33 . 2009-03-28 00:30 109056 ----a-w c:\windows\system32\iesysprep.dll
2009-03-08 11:33 . 2009-03-28 00:30 109568 ----a-w c:\windows\system32\PDMSetup.exe
2009-03-08 11:33 . 2009-03-28 00:30 107520 ----a-w c:\windows\system32\RegisterIEPKEYs.exe
2009-03-08 11:33 . 2009-03-28 00:30 103936 ----a-w c:\windows\system32\SetDepNx.exe
2009-03-08 11:33 . 2009-03-28 00:30 132608 ----a-w c:\windows\system32\ieUnatt.exe
2009-03-08 11:33 . 2009-03-28 00:30 107008 ----a-w c:\windows\system32\SetIEInstalledDate.exe
2009-03-08 11:33 . 2009-03-28 00:30 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 11:32 . 2009-03-28 00:30 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 11:32 . 2009-03-28 00:30 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 11:32 . 2009-03-28 00:30 66560 ----a-w c:\windows\system32\wextract.exe
2009-03-08 11:32 . 2009-03-28 00:30 169472 ----a-w c:\windows\system32\iexpress.exe
2009-03-08 11:31 . 2009-03-28 00:30 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 11:31 . 2009-03-28 00:30 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 11:31 . 2009-03-28 00:30 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 11:22 . 2009-03-28 00:30 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-03 04:46 . 2009-04-15 23:47 3599328 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-03-03 04:46 . 2009-04-15 23:47 3547632 ----a-w c:\windows\system32\ntoskrnl.exe
2009-03-03 04:39 . 2009-04-15 23:47 183296 ----a-w c:\windows\system32\sdohlp.dll
2009-03-03 04:39 . 2009-04-15 23:47 551424 ----a-w c:\windows\system32\rpcss.dll
2009-03-03 04:39 . 2009-04-15 23:47 26112 ----a-w c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 04:37 . 2009-04-15 23:47 98304 ----a-w c:\windows\system32\iasrecst.dll
2009-03-03 04:37 . 2009-04-15 23:47 54784 ----a-w c:\windows\system32\iasads.dll
2009-03-03 04:37 . 2009-04-15 23:47 44032 ----a-w c:\windows\system32\iasdatastore.dll
2009-03-03 03:04 . 2009-04-15 23:47 666624 ----a-w c:\windows\system32\printfilterpipelinesvc.exe
2009-03-03 02:38 . 2009-04-15 23:47 17408 ----a-w c:\windows\system32\iashost.exe
2008-01-21 02:43 . 2006-11-02 12:50 174 --sha-w c:\program files\desktop.ini
.

((((((((((((((((((((((((((((( SnapShot@2009-05-16_00.36.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 01:58 . 2009-05-16 00:40 39298 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-05-16 00:40 58586 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-03-11 19:21 . 2009-05-16 00:40 7240 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2412416612-4019885384-2817246712-1000_UserData.bin
+ 2009-05-16 00:38 . 2009-05-16 00:38 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-05-16 00:29 . 2009-05-16 00:29 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-05-16 00:38 . 2009-05-16 00:38 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-05-16 00:29 . 2009-05-16 00:29 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2008-04-15 972128]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-28 39408]
"WindowsWelcomeCenter"="oobefldr.dll" - c:\windows\System32\oobefldr.dll [2008-01-21 2153472]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150595.exe -Update -1150595 -Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; GTB6; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-12-12 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-12 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-12 81920]
"HP Health Check Scheduler"="[ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [BU]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe" [2007-04-07 132760]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\qsb.exe" [2009-03-28 68592]
"Corel File Shell Monitor"="c:\program files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe" [2009-01-21 16712]
"Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2009-01-21 532808]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-03-26 5369856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Snapfish Media Detector.lnk - c:\program files\Snapfish Picture Mover\SnapfishMediaDetector.exe [2007-5-7 1273856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{C0F84430-5949-42C1-ADCF-7AE50A3226DA}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{9F3A3420-CB79-485A-BB51-DF49B4141F98}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{48CD2867-47D8-4EEF-B5A7-6DA60BA74B38}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"TCP Query User{5B7DADCF-9969-4E72-99A9-AE7C59AFDF46}c:\\program files\\ares\\ares.exe"= UDP:c:\program files\ares\ares.exe:Ares p2p for windows
"UDP Query User{2C7015F6-7590-490A-8C45-1AF4F3505548}c:\\program files\\ares\\ares.exe"= TCP:c:\program files\ares\ares.exe:Ares p2p for windows
"TCP Query User{80BE1BFD-73CD-4A5D-9BE1-5ECD9BDAF75D}c:\\program files\\myspace\\im\\myspaceim.exe"= UDP:c:\program files\myspace\im\myspaceim.exe:MySpace Instant Messenger
"UDP Query User{CD34BDD6-50B3-4610-BB9F-073143CA5AA0}c:\\program files\\myspace\\im\\myspaceim.exe"= TCP:c:\program files\myspace\im\myspaceim.exe:MySpace Instant Messenger
"TCP Query User{DBB85F1B-37EF-4067-BCF6-1AF975AF20C6}c:\\program files\\simulanics myspace mobsters bot 5.2\\idgrabber.exe"= UDP:c:\program files\simulanics myspace mobsters bot 5.2\idgrabber.exe:IdGrabber
"UDP Query User{FFB36727-4A1F-48DE-9A37-7898D07AFE11}c:\\program files\\simulanics myspace mobsters bot 5.2\\idgrabber.exe"= TCP:c:\program files\simulanics myspace mobsters bot 5.2\idgrabber.exe:IdGrabber
"{C35AFDE0-98FD-48A5-9AD8-9F7D7B50F8A8}"= Disabled:UDP:c:\program files\IncrediMail\bin\ImpCnt.exe:IncrediMail
"{5556197C-B7E8-4CA6-89BA-6669F8676E58}"= Disabled:TCP:c:\program files\IncrediMail\bin\ImpCnt.exe:IncrediMail
"{EDEA4CEB-4883-4E57-A0A4-0F630AEB9DF8}"= Disabled:UDP:c:\program files\IncrediMail\bin\IncMail.exe:IncrediMail
"{ED91BC58-B723-414D-9612-B6EE4B65B393}"= Disabled:TCP:c:\program files\IncrediMail\bin\IncMail.exe:IncrediMail
"{75327141-F3E8-456F-8AE7-85FBAEC8C9A9}"= Disabled:UDP:c:\program files\IncrediMail\bin\ImApp.exe:IncrediMail
"{62704FD7-994E-4B51-9AA5-7A2DCC3EBAB3}"= Disabled:TCP:c:\program files\IncrediMail\bin\ImApp.exe:IncrediMail

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

S2 gupdate1c9b39049761620;Google Update Service (gupdate1c9b39049761620);c:\program files\Google\Update\GoogleUpdate.exe [4/2/2009 8:40 AM 133104]
S3 getPlus® Installer;getPlus® Installer;c:\program files\NOS\bin\getPlus_HelperSvc.exe [4/3/2009 9:27 PM 59552]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-05-16 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-28 12:38]

2009-05-16 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-02 12:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.myspace.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Presario&pf=cndt
uInternet Settings,ProxyServer = http=127.0.0.1:8081
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_9993303B90FE6C1D.dll
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-15 20:51
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-05-16 20:52
ComboFix-quarantined-files.txt 2009-05-16 00:52

Pre-Run: 101,845,331,968 bytes free
Post-Run: 101,833,957,376 bytes free

223 --- E O F --- 2009-05-13 07:00

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-14 01:11:45
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.15 ----

Code 8A3C22C8 ZwEnumerateKey
Code 8A36E2D0 ZwFlushInstructionCache
Code 8A3D32BD IofCallDriver
Code 8A3343BE IofCompleteRequest

---- Services - GMER 1.0.15 ----

Service C:\Windows\system32\drivers\gxvxcivmpipexvbprvxucprehstjprwrxxwhj.sys (*** hidden *** ) [SYSTEM] gxvxcserv.sys <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

#6 Grinler (Lawrence Abrams, Admin)

Posted 18 May 2009 - 10:38 AM

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
c:\users\All Users\B47B70199A.sys
c:\programdata\B47B70199A.sys


Save this as the text file CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

#7 ChristinaSW (Topic Starter)

Posted 18 May 2009 - 02:09 PM

ComboFix 09-05-17.08 - E-Z Customer 05/18/2009 15:00.3 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.894.489 [GMT -4:00]
Running from: c:\users\E-Z Customer\Desktop\ComboFix.exe
Command switches used :: c:\users\E-Z Customer\Desktop\CFScript.txt
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
c:\programdata\B47B70199A.sys
c:\users\All Users\B47B70199A.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\B47B70199A.sys

.
((((((((((((((((((((((((( Files Created from 2009-04-18 to 2009-05-18 )))))))))))))))))))))))))))))))
.

2009-05-18 06:17 . 2009-05-18 06:17 -------- d-----w c:\program files\Your.Bounty.Hunter.4.7.Full.Cracked.By.FoFF
2009-05-18 06:16 . 2009-05-18 06:16 7921574 ----a-w c:\program files\Your.Bounty.Hunter.4.7.Full.Cracked.By.FoFF.zip
2009-05-15 11:56 . 2009-05-15 12:24 -------- d-----w c:\users\E-Z Customer\AppData\Roaming\Corel
2009-05-15 11:49 . 2009-05-15 11:49 -------- d-----w c:\program files\Common Files\Protexis
2009-05-15 11:49 . 2009-05-15 11:51 -------- d-----w c:\program files\Common Files\Corel
2009-05-15 11:49 . 2009-05-15 11:55 -------- d-----w c:\programdata\Corel
2009-05-15 11:49 . 2009-05-15 11:55 -------- d-----w c:\users\All Users\Corel
2009-05-15 10:53 . 2009-05-15 11:49 -------- d-----w c:\program files\Corel
2009-05-09 06:03 . 2009-05-09 06:04 -------- d-----w C:\[paint shop pro x2] Serials
2009-05-09 03:10 . 2008-06-20 01:14 97800 ----a-w c:\windows\system32\infocardapi.dll
2009-05-09 03:10 . 2008-06-20 01:14 105016 ----a-w c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-05-09 03:10 . 2008-06-20 01:14 622080 ----a-w c:\windows\system32\icardagt.exe
2009-05-09 03:10 . 2008-06-20 01:14 11264 ----a-w c:\windows\system32\icardres.dll
2009-05-09 03:10 . 2008-06-20 01:14 43544 ----a-w c:\windows\system32\PresentationHostProxy.dll
2009-05-09 03:10 . 2008-06-20 01:14 781344 ----a-w c:\windows\system32\PresentationNative_v0300.dll
2009-05-09 03:10 . 2008-06-20 01:14 326160 ----a-w c:\windows\system32\PresentationHost.exe
2009-05-09 03:06 . 2008-07-27 18:03 96760 ----a-w c:\windows\system32\dfshim.dll
2009-05-09 03:06 . 2008-07-27 18:03 282112 ----a-w c:\windows\system32\mscoree.dll
2009-05-09 03:06 . 2008-07-27 18:03 41984 ----a-w c:\windows\system32\netfxperf.dll
2009-05-09 03:05 . 2008-07-27 18:03 158720 ----a-w c:\windows\system32\mscorier.dll
2009-05-09 03:05 . 2008-07-27 18:03 83968 ----a-w c:\windows\system32\mscories.dll
2009-05-08 18:54 . 2009-05-08 18:54 -------- d-----w c:\windows\Sun
2009-05-01 18:46 . 2009-05-01 18:48 -------- d-----w c:\program files\Jasc Software Inc
2009-04-29 11:51 . 2009-04-29 11:51 -------- d-----w c:\users\E-Z Customer\AppData\Local\Adobe
2009-04-21 22:42 . 2009-04-21 22:42 0 ----a-w c:\windows\system32\settings.dat
2009-04-21 12:46 . 2009-04-21 12:46 -------- d-----w c:\programdata\SUPERAntiSpyware.com
2009-04-21 12:46 . 2009-04-21 12:46 -------- d-----w c:\users\All Users\SUPERAntiSpyware.com
2009-04-21 12:43 . 2009-04-21 12:43 -------- d-----w c:\users\E-Z Customer\AppData\Roaming\SUPERAntiSpyware.com
2009-04-21 11:35 . 2009-04-21 11:35 -------- d-----w c:\users\E-Z Customer\AppData\Roaming\Malwarebytes
2009-04-21 03:21 . 2009-04-21 09:24 -------- d-----w c:\windows\BDOSCAN8
2009-04-21 02:40 . 2009-04-21 02:40 -------- d-----w c:\programdata\Malwarebytes
2009-04-21 02:40 . 2009-04-21 02:40 -------- d-----w c:\users\All Users\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-17 06:29 . 2009-03-28 00:53 -------- d-----w c:\program files\Google
2009-05-15 22:27 . 2009-04-04 04:23 2516 --sha-w c:\users\All Users\KGyGaAvL.sys
2009-05-15 22:27 . 2009-04-04 04:23 2516 --sha-w c:\programdata\KGyGaAvL.sys
2009-05-13 07:00 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-05-12 01:59 . 2009-05-12 01:59 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-04-12 07:29 . 2009-04-12 07:29 -------- d-----w c:\program files\DivX
2009-04-12 07:29 . 2009-04-12 07:29 -------- d-----w c:\program files\Common Files\DivX Shared
2009-04-04 01:27 . 2009-04-04 01:27 -------- d-----w c:\program files\NOS
2009-03-28 21:54 . 2009-03-28 21:54 -------- d-----w c:\program files\Utherverse Digital Inc
2009-03-28 18:55 . 2009-03-28 18:55 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-03-28 03:19 . 2008-05-20 18:02 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-28 01:19 . 2009-03-28 01:19 -------- d-----w c:\program files\Ares
2009-03-28 01:07 . 2008-05-20 18:00 -------- d-----w c:\program files\Yahoo!
2009-03-28 01:06 . 2009-03-28 01:06 -------- d-----w c:\program files\MySpace
2009-03-28 00:53 . 2009-03-28 00:53 -------- d-----w c:\program files\IncrediMail
2009-03-17 03:38 . 2009-04-15 23:46 13824 ----a-w c:\windows\system32\apilogen.dll
2009-03-17 03:38 . 2009-04-15 23:46 24064 ----a-w c:\windows\system32\amxread.dll
2009-03-16 18:18 . 2009-03-28 22:11 69448 ----a-w c:\windows\system32\XAPOFX1_3.dll
2009-03-16 18:18 . 2009-03-28 22:11 517448 ----a-w c:\windows\system32\XAudio2_4.dll
2009-03-16 18:18 . 2009-03-28 22:11 235352 ----a-w c:\windows\system32\xactengine3_4.dll
2009-03-16 18:18 . 2009-03-28 22:11 22360 ----a-w c:\windows\system32\X3DAudio1_6.dll
2009-03-11 19:25 . 2009-03-11 19:25 74352 ----a-w c:\users\E-Z Customer\AppData\Local\GDIPFONTCACHEV1.DAT
2009-03-09 19:27 . 2009-03-28 22:11 1846632 ----a-w c:\windows\system32\D3DCompiler_41.dll
2009-03-09 19:27 . 2009-03-28 22:11 453456 ----a-w c:\windows\system32\d3dx10_41.dll
2009-03-09 19:27 . 2009-03-28 22:11 4178264 ----a-w c:\windows\system32\D3DX9_41.dll
2009-03-08 11:34 . 2009-03-28 00:30 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 11:34 . 2009-03-28 00:30 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 11:33 . 2009-03-28 00:30 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 11:33 . 2009-03-28 00:30 109056 ----a-w c:\windows\system32\iesysprep.dll
2009-03-08 11:33 . 2009-03-28 00:30 109568 ----a-w c:\windows\system32\PDMSetup.exe
2009-03-08 11:33 . 2009-03-28 00:30 107520 ----a-w c:\windows\system32\RegisterIEPKEYs.exe
2009-03-08 11:33 . 2009-03-28 00:30 103936 ----a-w c:\windows\system32\SetDepNx.exe
2009-03-08 11:33 . 2009-03-28 00:30 132608 ----a-w c:\windows\system32\ieUnatt.exe
2009-03-08 11:33 . 2009-03-28 00:30 107008 ----a-w c:\windows\system32\SetIEInstalledDate.exe
2009-03-08 11:33 . 2009-03-28 00:30 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 11:32 . 2009-03-28 00:30 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 11:32 . 2009-03-28 00:30 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 11:32 . 2009-03-28 00:30 66560 ----a-w c:\windows\system32\wextract.exe
2009-03-08 11:32 . 2009-03-28 00:30 169472 ----a-w c:\windows\system32\iexpress.exe
2009-03-08 11:31 . 2009-03-28 00:30 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 11:31 . 2009-03-28 00:30 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 11:31 . 2009-03-28 00:30 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 11:22 . 2009-03-28 00:30 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-03 04:46 . 2009-04-15 23:47 3599328 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-03-03 04:46 . 2009-04-15 23:47 3547632 ----a-w c:\windows\system32\ntoskrnl.exe
2009-03-03 04:39 . 2009-04-15 23:47 183296 ----a-w c:\windows\system32\sdohlp.dll
2009-03-03 04:39 . 2009-04-15 23:47 551424 ----a-w c:\windows\system32\rpcss.dll
2009-03-03 04:39 . 2009-04-15 23:47 26112 ----a-w c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 04:37 . 2009-04-15 23:47 98304 ----a-w c:\windows\system32\iasrecst.dll
2009-03-03 04:37 . 2009-04-15 23:47 54784 ----a-w c:\windows\system32\iasads.dll
2009-03-03 04:37 . 2009-04-15 23:47 44032 ----a-w c:\windows\system32\iasdatastore.dll
2009-03-03 03:04 . 2009-04-15 23:47 666624 ----a-w c:\windows\system32\printfilterpipelinesvc.exe
2009-03-03 02:38 . 2009-04-15 23:47 17408 ----a-w c:\windows\system32\iashost.exe
2008-01-21 02:43 . 2006-11-02 12:50 174 --sha-w c:\program files\desktop.ini
.

((((((((((((((((((((((((((((( SnapShot@2009-05-16_00.36.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 01:58 . 2009-05-17 08:51 39436 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-05-17 08:51 58658 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-03-11 19:17 . 2009-05-18 18:58 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-03-11 19:17 . 2009-05-15 15:55 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-03-11 19:17 . 2009-05-18 18:58 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-03-11 19:17 . 2009-05-15 15:55 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-03-11 19:17 . 2009-05-18 18:58 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-03-11 19:17 . 2009-05-15 15:55 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-03-28 01:58 . 2009-05-18 14:20 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-03-28 01:58 . 2009-05-15 18:33 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-03-28 01:58 . 2009-05-15 18:33 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-03-28 01:58 . 2009-05-18 14:20 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-03-28 01:58 . 2009-05-18 14:20 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-03-28 01:58 . 2009-05-15 18:33 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-05-17 06:29 . 2009-05-17 06:29 25214 c:\windows\Installer\{CC016F21-3970-11DE-B878-005056806466}\UNINST_Uninstall_G_408FFBEED62349E08B232864A94D2864.exe
+ 2009-05-17 06:29 . 2009-05-17 06:29 25214 c:\windows\Installer\{CC016F21-3970-11DE-B878-005056806466}\ShortcutOGL_EB071909B9884F8CBF3D6115D4ADEE5E.exe
+ 2009-05-17 06:29 . 2009-05-17 06:29 25214 c:\windows\Installer\{CC016F21-3970-11DE-B878-005056806466}\ShortcutDX_EB071909B9884F8CBF3D6115D4ADEE5E.exe
+ 2009-05-17 06:29 . 2009-05-17 06:29 25214 c:\windows\Installer\{CC016F21-3970-11DE-B878-005056806466}\googleearth.exe1_407B9B5CDAC54F44A756B57CAB4E6A8B.exe
+ 2009-05-17 06:29 . 2009-05-17 06:29 25214 c:\windows\Installer\{CC016F21-3970-11DE-B878-005056806466}\googleearth.exe_407B9B5CDAC54F44A756B57CAB4E6A8B.exe
+ 2009-05-17 06:29 . 2009-05-17 06:29 25214 c:\windows\Installer\{CC016F21-3970-11DE-B878-005056806466}\ARPPRODUCTICON.exe
- 2009-03-28 07:15 . 2009-05-16 00:28 2632 c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2009-03-28 07:15 . 2009-05-16 08:19 2632 c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2009-03-11 19:21 . 2009-05-17 08:51 7304 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2412416612-4019885384-2817246712-1000_UserData.bin
- 2009-05-16 00:29 . 2009-05-16 00:29 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-05-17 08:49 . 2009-05-17 08:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-05-16 00:29 . 2009-05-16 00:29 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-05-17 08:49 . 2009-05-17 08:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-03-27 23:47 . 2009-05-17 08:48 5552 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2008-04-15 972128]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-28 39408]
"WindowsWelcomeCenter"="oobefldr.dll" - c:\windows\System32\oobefldr.dll [2008-01-21 2153472]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150595.exe -Update -1150595 -Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; GTB6; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-12-12 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-12 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-12 81920]
"HP Health Check Scheduler"="[ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [BU]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe" [2007-04-07 132760]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\qsb.exe" [2009-03-28 68592]
"Corel File Shell Monitor"="c:\program files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe" [2009-01-21 16712]
"Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2009-01-21 532808]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-03-26 5369856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Snapfish Media Detector.lnk - c:\program files\Snapfish Picture Mover\SnapfishMediaDetector.exe [2007-5-7 1273856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{C0F84430-5949-42C1-ADCF-7AE50A3226DA}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{9F3A3420-CB79-485A-BB51-DF49B4141F98}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{48CD2867-47D8-4EEF-B5A7-6DA60BA74B38}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"TCP Query User{5B7DADCF-9969-4E72-99A9-AE7C59AFDF46}c:\\program files\\ares\\ares.exe"= UDP:c:\program files\ares\ares.exe:Ares p2p for windows
"UDP Query User{2C7015F6-7590-490A-8C45-1AF4F3505548}c:\\program files\\ares\\ares.exe"= TCP:c:\program files\ares\ares.exe:Ares p2p for windows
"TCP Query User{80BE1BFD-73CD-4A5D-9BE1-5ECD9BDAF75D}c:\\program files\\myspace\\im\\myspaceim.exe"= UDP:c:\program files\myspace\im\myspaceim.exe:MySpace Instant Messenger
"UDP Query User{CD34BDD6-50B3-4610-BB9F-073143CA5AA0}c:\\program files\\myspace\\im\\myspaceim.exe"= TCP:c:\program files\myspace\im\myspaceim.exe:MySpace Instant Messenger
"TCP Query User{DBB85F1B-37EF-4067-BCF6-1AF975AF20C6}c:\\program files\\simulanics myspace mobsters bot 5.2\\idgrabber.exe"= UDP:c:\program files\simulanics myspace mobsters bot 5.2\idgrabber.exe:IdGrabber
"UDP Query User{FFB36727-4A1F-48DE-9A37-7898D07AFE11}c:\\program files\\simulanics myspace mobsters bot 5.2\\idgrabber.exe"= TCP:c:\program files\simulanics myspace mobsters bot 5.2\idgrabber.exe:IdGrabber
"{C35AFDE0-98FD-48A5-9AD8-9F7D7B50F8A8}"= Disabled:UDP:c:\program files\IncrediMail\bin\ImpCnt.exe:IncrediMail
"{5556197C-B7E8-4CA6-89BA-6669F8676E58}"= Disabled:TCP:c:\program files\IncrediMail\bin\ImpCnt.exe:IncrediMail
"{DDD225BC-FD81-40DB-B5FD-76486F679839}"= Disabled:UDP:c:\program files\IncrediMail\bin\ImApp.exe:IncrediMail
"{63770C45-9CB3-4F10-9734-C9EDF801F1B6}"= Disabled:TCP:c:\program files\IncrediMail\bin\ImApp.exe:IncrediMail
"{848F5CA5-5856-43DC-AB14-D61117FA6076}"= Disabled:UDP:c:\program files\IncrediMail\bin\IncMail.exe:IncrediMail
"{C4D129FB-E799-464D-8C37-3DE2EBB1AA83}"= Disabled:TCP:c:\program files\IncrediMail\bin\IncMail.exe:IncrediMail

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

S2 gupdate1c9b39049761620;Google Update Service (gupdate1c9b39049761620);c:\program files\Google\Update\GoogleUpdate.exe [4/2/2009 8:40 AM 133104]
S3 getPlus® Installer;getPlus® Installer;c:\program files\NOS\bin\getPlus_HelperSvc.exe [4/3/2009 9:27 PM 59552]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-05-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-28 12:38]

2009-05-18 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-02 12:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.myspace.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Presario&pf=cndt
uInternet Settings,ProxyServer = http=127.0.0.1:8081
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_9993303B90FE6C1D.dll
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-18 15:03
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-05-18 15:04
ComboFix-quarantined-files.txt 2009-05-18 19:04
ComboFix2.txt 2009-05-16 00:52

Pre-Run: 101,080,621,056 bytes free
Post-Run: 101,170,409,472 bytes free

237 --- E O F --- 2009-05-13 07:00
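The two ComboFix runs and the GMER log above contain a handful of lines that carry most of the security signal, and they are easy to miss in several hundred lines of file listings: an Internet Explorer proxy set to 127.0.0.1:8081 (a loopback proxy is exactly where a search-result redirector sits, and the entry is present in both ComboFix runs), EnableLUA=0 (UAC off), EnableFirewall=0 for the public profile, Security Center monitoring switched off, a service GMER marks as hidden with "<-- ROOTKIT", and .sys files with hidden+system attributes in c:\programdata (on Vista c:\users\All Users is a junction to c:\programdata, so the two B47B70199A.sys entries in the CFScript refer to the same file). The script below is an added example for this thread, not part of ComboFix, GMER or any post: it reads a ComboFix/GMER log excerpt and returns those items as findings. SAMPLE_LOG is constructed from lines copied out of the posted logs; the function names, the Finding type and the "high"/"review" severities are this example's own choices. A hidden+system .sys outside the Windows directory is reported as "review", not as malware, because legitimate licensing components use that pattern too and the thread does not say anything about KGyGaAvL.sys.

```python
"""Triage a ComboFix / GMER log excerpt for the settings and entries discussed above.

Added example for this thread; not part of ComboFix, GMER or the posts.
SAMPLE_LOG is constructed from lines that appear in the posted logs.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

uStart Page = hxxp://www.myspace.com/
uInternet Settings,ProxyServer = http=127.0.0.1:8081

2009-05-15 22:27 . 2009-04-04 04:23 2516 --sha-w c:\programdata\KGyGaAvL.sys
2009-03-08 11:32 . 2009-03-28 00:30 71680 ----a-w c:\windows\system32\iesetup.dll
2009-05-15 10:53 . 2009-05-15 11:49 -------- d-----w c:\program files\Corel

Service C:\Windows\system32\drivers\gxvxcivmpipexvbprvxucprehstjprwrxxwhj.sys (*** hidden *** ) [SYSTEM] gxvxcserv.sys <-- ROOTKIT !!!
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high": act on it; "review": needs a human look
    item: str
    detail: str


SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<val>.+)$')
PROXY_RE = re.compile(r"Internet Settings,ProxyServer\s*=\s*(?P<val>\S+)")
# ComboFix file lines: "<ctime> . <mtime> <size or ----> <attrs> <path>"
FILE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d "
    r"(?:\d+|-+) (?P<attr>[-a-z]{7}) (?P<path>.+)$"
)
GMER_HIDDEN_RE = re.compile(r"^Service (?P<path>.+?) \(\*\*\* hidden \*\*\* \)(?P<rest>.*)$")


def _reg_int(val):
    """ComboFix prints DWORDs as '0 (0x0)' or 'dword:00000001'; anything else -> None."""
    m = re.match(r"(\d+) \(0x[0-9a-fA-F]+\)", val)
    if m:
        return int(m.group(1))
    m = re.match(r"dword:([0-9a-fA-F]{8})$", val)
    if m:
        return int(m.group(1), 16)
    return None


def _is_loopback(proxy_value):
    # ProxyServer is "host:port" or "http=host:port;https=host:port;...".
    for entry in proxy_value.split(";"):
        host = entry.split("=")[-1].rsplit(":", 1)[0]
        if host == "localhost" or host.startswith("127."):
            return True
    return False


def triage(log_text):
    findings = []
    section = ""  # current "[...]" registry key, lower-cased
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            section = m.group("key").lower()
        elif m := VALUE_RE.match(line):
            name, num = m.group("name"), _reg_int(m.group("val"))
            if name == "EnableLUA" and num == 0 and section.endswith(r"policies\system"):
                findings.append(Finding("high", "UAC disabled", f"{name}=0"))
            elif name == "EnableFirewall" and num == 0 and "firewallpolicy" in section:
                findings.append(Finding("high", "Windows Firewall disabled", section.split("\\")[-1]))
            elif name == "DisableMonitoring" and num == 1 and "security center" in section:
                findings.append(Finding("review", "Security Center monitoring off", section))
        elif m := PROXY_RE.search(line):
            if _is_loopback(m.group("val")):
                findings.append(Finding("high", "IE proxy points at loopback", m.group("val")))
        elif m := GMER_HIDDEN_RE.match(line):
            findings.append(Finding("high", "hidden service (GMER)", m.group("path") + m.group("rest")))
        elif m := FILE_RE.match(line):
            attr, path = m.group("attr"), m.group("path").lower()
            # hidden + system attribute .sys outside the Windows directory: review, not verdict
            if "s" in attr and "h" in attr and path.endswith(".sys") and "\\windows\\" not in path:
                findings.append(Finding("review", "hidden+system .sys outside Windows dir", path))
    return findings


def summarize(findings):
    """One line per finding, highs first."""
    order = {"high": 0, "review": 1}
    return "\n".join(
        f"[{f.severity:6}] {f.item}: {f.detail}"
        for f in sorted(findings, key=lambda f: (order[f.severity], f.item))
    )


if __name__ == "__main__":
    print(summarize(triage(SAMPLE_LOG)))
```

Run against a full ComboFix.txt the parser ignores the ordinary Run-key and file lines (they match VALUE_RE or FILE_RE but trip none of the conditions), so the output is only the lines worth acting on. The loopback-proxy check is the one to keep in mind for redirect complaints like this one: a proxy at 127.0.0.1 means something on the box is in the HTTP path, and the setting is worth clearing and re-checking after cleanup even when no other scanner reports anything.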

#8 Grinler (Lawrence Abrams, Admin)

Posted 18 May 2009 - 02:23 PM

You need to stop downloading and installing cracks for warez. It is from these files that you are becoming infected.

I am not seeing anything else that is bad on your computer, but I promise you will get infections again if you keep using the cracks.

At this point I do not see anything else that is wrong.



