ntdll64.exe? seocash?


  • This topic is locked
7 replies to this topic

#1 Space Hobos

Space Hobos

  • Members
  • 4 posts
  • OFFLINE
  • Local time:10:44 PM

Posted 28 April 2009 - 05:46 PM

As of yesterday my PC has been acting fishy. At one point there was a red circle with a white X that was trying to get me to download some spyware tool. I ran Ad-Aware, then Avira, and even the Windows malware removal tool, and got rid of a few files like ntdll64.exe, but I can tell that my browser is trying to go to something called seocash.us or something like that, and I'm pretty sure it's still replicating. I found these forums and saw someone talking about ComboFix, but I don't want to run it and have it mess stuff up :/

Please help!


DDS (Ver_09-03-16.01) - NTFSx86
Run by Free Glow Cup at 18:30:04.28 on Tue 04/28/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.544 [GMT -4:00]

AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning disabled* (Updated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
svchost.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
\\?\globalroot\systemroot\system32\rundll32.exe
C:\Documents and Settings\Free Glow Cup\Desktop\pics v2\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
uRun: [FreeRAM XP] "c:\program files\yourware solutions\freeram xp pro\FreeRAM XP Pro.exe" -win
uRun: [Steam]
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\1.2.908.8472\GoogleToolbarNotifier.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [brastk] c:\windows\system32\brastk.exe
uRun: [autochk] rundll32.exe c:\docume~1\freegl~1\protect.dll,_IWMPEvents@16
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [avgnt] "c:\program files\antivir personaledition classic\avgnt.exe" /min
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [autochk] rundll32.exe c:\windows\system32\autochk.dll,_IWMPEvents@16
dRun: [<NO NAME>] c:\windows\temp\cw5gx9i5s.exe
dRun: [Windows Resurections] c:\windows\temp\cw5gx9i5s.exe
dRun: [A00FE63A7.exe] c:\windows\temp\_A00FE63A7.exe
dRun: [autochk] rundll32.exe c:\windows\system32\config\system~1\protect.dll,_IWMPEvents@16
StartupFolder: c:\documents and settings\free glow cup\start menu\programs\startup\ChkDisk.dll
StartupFolder: c:\docume~1\freegl~1\startm~1\programs\startup\chkdisk.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\docume~1\freegl~1\startm~1\programs\startup\nykoga~1.lnk - c:\program files\nyko\gamepad mapping tools\ngpmap.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\extend~1.lnk - c:\windows\ehome\RMSysTry.exe
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
DPF: ActiveGS.cab - hxxp://www.virtualapple.org/activegs.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: winbue32 - winbue32.dll
Notify: __c0076C4 - c:\windows\system32\__c0076C4.dat
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\freegl~1\applic~1\mozilla\firefox\profiles\br0xkcwb.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://imageshack.us/

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\mozilla firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\antivir personaledition classic\avgio.sys [2006-5-5 11840]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R2 AntiVirScheduler;AntiVir PersonalEdition Classic Scheduler;c:\program files\antivir personaledition classic\sched.exe [2006-5-5 68865]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\McrdSvc.exe [2005-10-20 96256]
R3 AntiVirService;AntiVir PersonalEdition Classic Guard;c:\program files\antivir personaledition classic\avguard.exe [2006-5-5 151297]
R3 avgntflt;avgntflt;c:\program files\antivir personaledition classic\avgntflt.sys [2006-5-5 52032]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-7-16 17920]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-7-16 7680]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2008-7-16 22528]
S3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;c:\windows\system32\drivers\xusb20.sys [2006-10-13 50048]

=============== Created Last 30 ================

2009-04-28 13:27 271 a------- C:\xcrashdump.dat
2009-04-28 13:14 24,064 a--sh--- c:\windows\system32\autochk.dll
2009-04-28 13:14 24,064 a--sh--- c:\documents and settings\free glow cup\protect.dll
2009-04-28 13:14 27,648 a------- c:\windows\system32\lmppcsetup.exe
2009-04-28 12:59 2,148 a------- c:\windows\system32\wpa.dbl
2009-04-27 14:08 27,648 a------- c:\windows\system32\__c0076C4.dat
2009-04-26 23:14 54,156 a---h--- c:\windows\QTFont.qfn
2009-04-26 23:14 1,409 a------- c:\windows\QTFont.for
2009-03-30 02:53 3,850,760 a------- c:\windows\system32\D3DX9_38.dll
2009-03-30 02:52 1,358,192 a------- c:\windows\system32\D3DCompiler_35.dll
2009-03-30 02:52 444,776 a------- c:\windows\system32\d3dx10_35.dll
2009-03-30 02:52 3,727,720 a------- c:\windows\system32\d3dx9_35.dll
2009-03-30 02:52 62,744 a------- c:\windows\system32\xinput1_2.dll
2009-03-30 02:52 <DIR> --d----- c:\windows\Logs

==================== Find3M ====================

2009-03-21 10:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-06 10:22 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\dllcache\wininet.dll
2009-02-28 00:54 636,072 -------- c:\windows\system32\dllcache\iexplore.exe
2009-02-20 06:20 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 06:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 01:14 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 08:10 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-02-09 08:10 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-02-09 08:10 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-02-09 08:10 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-02-09 08:10 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 07:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-07 19:02 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 07:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 07:11 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-02-06 07:08 2,189,056 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 07:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 07:06 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 06:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 06:39 35,328 -------- c:\windows\system32\dllcache\sc.exe
2009-02-06 06:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 06:32 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-06 06:10 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-02-03 15:59 56,832 a------- c:\windows\system32\secur32.dll
2009-02-03 15:59 56,832 -------- c:\windows\system32\dllcache\secur32.dll
2007-12-14 19:43 2,368 a------- c:\program files\NESten.INI
2006-12-09 05:42 7,680 a--sh--- c:\program files\Thumbs.db
2006-11-09 16:03 91 a------- c:\program files\rh.ini
2006-11-09 15:58 143 a------- c:\program files\rh.log
2006-11-03 05:13 506 a------- c:\program files\Shortcut to rh.exe.lnk
2006-08-12 11:51 7,589 a------- c:\program files\readme_j.txt
2006-08-12 10:55 217,088 a------- c:\program files\rh.exe
2006-08-09 06:52 1,934 a------- c:\program files\ST6UNST.LOG
2006-08-08 04:28 530 a------- c:\program files\Shortcut to NESten.exe.lnk
2006-03-06 03:54 1,115,126 a------- c:\program files\Uninst.isu
2006-03-06 03:54 15,900,672 a------- c:\program files\Photoshop.exe
2006-02-08 20:02 12,755 -------- c:\program files\Adobe Photoshop 7.0 Read Me.wri
2003-02-22 14:06 2,282 a------- c:\program files\PTAlarm.txt
2003-02-22 14:06 151,928 a------- c:\program files\PTAlarm.exe
2002-04-06 17:42 150,296 -------- c:\program files\TypeLibrary.tlb
2002-04-06 17:37 2,445,312 -------- c:\program files\PSViews.dll
2002-04-06 17:37 897,024 -------- c:\program files\Photoshop.dll
2002-04-06 17:37 24,576 -------- c:\program files\Photoshop.fon
2002-04-05 16:18 462,848 -------- c:\program files\ACE.dll
2002-04-04 01:38 4,059,242 -------- c:\program files\ImageReadyRes.dll
2002-04-04 01:04 13,336,651 -------- c:\program files\ImageReady.exe
2002-04-04 00:35 331,776 -------- c:\program files\JS32.dll
2002-04-01 03:29 53,248 -------- c:\program files\Plugin.dll
2002-03-28 20:56 628 a------- c:\program files\PTAlarm.exe.manifest
2002-03-26 18:42 1,458,176 -------- c:\program files\CoolType.dll
2002-03-13 05:24 3,485,696 -------- c:\program files\MPS.dll
2002-03-13 05:24 2,920,448 -------- c:\program files\PDFL50.dll
2002-03-13 05:24 929,792 -------- c:\program files\AGM.dll
2002-03-13 05:24 94,208 -------- c:\program files\OPP.dll
2002-03-05 16:10 4,265 -------- c:\program files\Photoshop.reg
2002-02-27 05:24 167,936 -------- c:\program files\Bib.dll
2001-12-06 16:24 61,440 -------- c:\program files\Uninst.dll
2001-06-29 19:38 712,751 a------- c:\program files\Asn.er.dll
2001-02-16 13:40 19,456 -------- c:\program files\PSUT9516.DLL
2000-10-10 15:49 23,024 -------- c:\program files\Shfolder.dll
2000-10-10 15:49 20,480 -------- c:\program files\Psut9532.dll
1993-07-23 01:00 210,944 -------- c:\program files\Msvcrt10.dll
2006-03-09 19:47 104 ---shr-- c:\windows\system32\AEBE5EB4D8.sys
2006-03-09 19:47 5,852 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-09-09 08:07 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090920080910\index.dat
2008-10-19 03:07 32,768 a--sh--- c:\windows\temp\cookies\index.dat
2008-10-19 03:07 32,768 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2008-10-19 03:07 49,152 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 18:30:41.59 ===============
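The DDS log above is what a helper reads before deciding whether ComboFix is warranted. As an added example (not part of the original post, and not code from BleepingComputer or the DDS tool), the script below applies the checks a reviewer makes by eye to a constructed subset of the Pseudo HJT Report and Created Last 30 lines copied from this log: executables launched from a temp directory, rundll32 loading a DLL from a profile directory or from a file created recently with hidden+system attributes, one rundll32 export registered under several hives, a DLL dropped in a Startup folder, Task Manager disabled by policy, and a Winlogon Notify package that is not a .dll. The regular expressions, function names and reason strings are the example's own assumptions about how such a triage would be written.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the "Pseudo HJT Report" lines from the DDS log
# posted above, with clean entries (FreeRAM, ctfmon, avgnt, AtiExtEvent) kept so
# the filter has something to pass.
HJT_SAMPLE = r"""
uRun: [FreeRAM XP] "c:\program files\yourware solutions\freeram xp pro\FreeRAM XP Pro.exe" -win
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [brastk] c:\windows\system32\brastk.exe
uRun: [autochk] rundll32.exe c:\docume~1\freegl~1\protect.dll,_IWMPEvents@16
mRun: [avgnt] "c:\program files\antivir personaledition classic\avgnt.exe" /min
mRun: [autochk] rundll32.exe c:\windows\system32\autochk.dll,_IWMPEvents@16
dRun: [<NO NAME>] c:\windows\temp\cw5gx9i5s.exe
dRun: [Windows Resurections] c:\windows\temp\cw5gx9i5s.exe
dRun: [A00FE63A7.exe] c:\windows\temp\_A00FE63A7.exe
dRun: [autochk] rundll32.exe c:\windows\system32\config\system~1\protect.dll,_IWMPEvents@16
StartupFolder: c:\documents and settings\free glow cup\start menu\programs\startup\ChkDisk.dll
StartupFolder: c:\docume~1\freegl~1\startm~1\programs\startup\chkdisk.lnk - c:\windows\system32\rundll32.exe
dPolicies-system: DisableTaskMgr = 1 (0x1)
Notify: AtiExtEvent - Ati2evxx.dll
Notify: winbue32 - winbue32.dll
Notify: __c0076C4 - c:\windows\system32\__c0076C4.dat
"""

# Constructed sample: four lines from the same log's "Created Last 30" section.
CREATED_SAMPLE = r"""
2009-04-28 13:14 24,064 a--sh--- c:\windows\system32\autochk.dll
2009-04-28 13:14 24,064 a--sh--- c:\documents and settings\free glow cup\protect.dll
2009-04-28 13:14 27,648 a------- c:\windows\system32\lmppcsetup.exe
2009-03-30 02:53 3,850,760 a------- c:\windows\system32\D3DX9_38.dll
"""

# Assumed line shapes (this example's own regexes, not a DDS specification).
ENTRY_RE = re.compile(r"^(?P<kind>[umd]Run|StartupFolder|[umd]Policies-\w+|Notify):\s*(?P<rest>.*)$")
RUNDLL_RE = re.compile(r"rundll32(\.exe)?\s+(?P<dll>\S+?),(?P<export>\S+)", re.I)
PROFILE_RE = re.compile(r"\\(docume~1|documents and settings|config\\system(~1|profile))\\", re.I)
TEMP_RE = re.compile(r"\\temp\\", re.I)


def recent_hidden_system(created_text):
    """Paths from a 'Created Last 30' section whose attribute field has both s and h set."""
    found = set()
    for line in created_text.strip().splitlines():
        parts = line.split(maxsplit=4)          # date time size attrs path
        if len(parts) == 5 and "s" in parts[3] and "h" in parts[3]:
            found.add(parts[4].lower())
    return found


def triage(hjt_text, created_text):
    """Return (entry_line, reason) pairs for the autoruns a reviewer should read first."""
    recent = recent_hidden_system(created_text)
    findings = []
    exports = defaultdict(set)   # rundll32 export name -> hives (uRun/mRun/dRun) registering it
    lines = [l for l in hjt_text.strip().splitlines() if l.strip()]
    for line in lines:
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, rest = m.group("kind"), m.group("rest")
        low = rest.lower()
        if kind.endswith("Run"):
            if rest.startswith("[<NO NAME>]"):
                findings.append((line, "run entry with an empty value name"))
            if TEMP_RE.search(low):
                findings.append((line, "executable launched from a temp directory"))
            r = RUNDLL_RE.search(rest)
            if r:
                exports[r.group("export").lower()].add(kind)
                if PROFILE_RE.search(r.group("dll")):
                    findings.append((line, "rundll32 loading a DLL from a profile directory"))
                if r.group("dll").lower() in recent:
                    findings.append((line, "rundll32 target created recently with hidden+system attributes"))
        elif kind == "StartupFolder":
            if low.endswith(".dll"):
                findings.append((line, "DLL dropped directly in a Startup folder"))
            elif low.endswith("rundll32.exe"):
                findings.append((line, "Startup shortcut whose target is rundll32.exe"))
        elif kind.endswith("Policies-system") and "disabletaskmgr = 1" in low:
            findings.append((line, "Task Manager disabled by policy"))
        elif kind == "Notify":
            target = rest.split(" - ", 1)[-1].strip()
            if not target.lower().endswith(".dll"):
                findings.append((line, "Winlogon Notify package that is not a .dll"))
    # Second pass: the same rundll32 export registered under several hives
    # (user, machine and default profile) deserves a second look as a whole.
    for line in lines:
        r = RUNDLL_RE.search(line)
        if r and len(exports[r.group("export").lower()]) >= 2:
            findings.append((line, "same rundll32 export registered under several hives"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(HJT_SAMPLE, CREATED_SAMPLE):
        print(f"{reason}:\n    {entry}")
```

Compare the flagged lines with the ComboFix log in post #3: protect.dll, autochk.dll, __c0076C4.dat and the c:\windows\temp entries appear there under Other Deletions or ORPHANS REMOVED, while ChkDisk.dll is still listed in both Startup folders, which is why a helper keeps reading after the first run. brastk.exe and winbue32.dll pass these form-based checks because a DDS line cannot show whether the file still exists on disk; ComboFix reported both as orphans. That gap is the reason a ComboFix log is requested as the next step rather than acting on the DDS output alone.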


#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:10:44 AM

Posted 29 April 2009 - 03:25 AM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.
  • Link 1
  • Link 2
  • Link 3
Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 Space Hobos

Space Hobos
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:10:44 PM

Posted 30 April 2009 - 03:22 AM

I followed your instructions to the best of my ability; it kept telling me Avira was running even after I uninstalled it :/

I'm not sure what you mean when you say "post a fresh HijackThis log". Am I supposed to make a new thread?

ComboFix 09-04-29.03 - Free Glow Cup 04/30/2009 3:57.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.692 [GMT -4:00]
Running from: c:\documents and settings\Free Glow Cup\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition Classic *On-access scanning disabled* (Updated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Free Glow Cup\protect.dll
c:\windows\system32\__c0076C4.dat
c:\windows\system32\autochk.dll
c:\windows\system32\config\systemprofile\protect.dll
c:\windows\system32\drivers\ovfsthkltpkdtvyfyveamlrrvbxdyqlxweibdt.sys
c:\windows\system32\ovfsthdpfsdyafqrmwdyrercsuexpmdxwrahep.dll
c:\windows\system32\ovfsthkufgudjcxxntwqvcltnaarfkmfjrjygj.dll
c:\windows\system32\ovfsthmjdvbutpawytktqjyidlefgshsfaghyy.dll
c:\windows\system32\ovfsthugrvitrhfrumoqnkioqcljggyvugmdne.dat
c:\windows\system32\ovfsthxhpdmpfixtibbwiyevvwakyttctafrrf.dat
C:\xcrashdump.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ovfsthodoulkysubndjbomkabemgbopmaoyxjs


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-30 )))))))))))))))))))))))))))))))
.

2009-04-30 07:41 . 2009-04-30 07:41 27648 ----a-w c:\windows\system32\lmppcsetup.exe
2009-04-28 02:10 . 2009-04-28 02:10 -------- d-----w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Mozilla
2009-04-15 16:41 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 16:41 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-15 16:41 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 16:41 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-15 16:41 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 16:41 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 16:41 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 16:41 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 16:41 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 16:41 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 16:41 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 16:41 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-30 07:43 . 2006-02-25 09:29 -------- d-----w c:\program files\bleepe Files
2009-04-27 07:00 . 2007-11-25 19:49 -------- d-----w c:\program files\Soulseek
2009-04-26 04:12 . 2006-03-06 07:53 -------- d-----w c:\program files\Required
2009-03-06 14:22 . 2005-08-16 10:18 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2005-08-16 10:18 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2005-08-16 10:18 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2005-08-16 10:18 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2005-08-16 10:18 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2005-08-16 10:18 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2005-08-16 10:18 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2005-08-16 10:18 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2005-08-16 10:18 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2005-08-16 10:18 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2005-08-16 10:18 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-04 04:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2005-08-16 10:18 56832 ----a-w c:\windows\system32\secur32.dll
2007-12-14 23:43 . 2006-08-08 08:29 2368 ----a-w c:\program files\NESten.INI
2006-12-09 09:42 . 2006-12-09 09:42 7680 --sha-w c:\program files\Thumbs.db
2006-11-09 20:03 . 2006-11-03 09:08 91 ----a-w c:\program files\rh.ini
2006-11-09 19:58 . 2006-11-03 09:08 143 ----a-w c:\program files\rh.log
2006-11-03 09:13 . 2006-11-03 09:13 506 ----a-w c:\program files\Shortcut to rh.exe.lnk
2006-08-12 15:51 . 2006-08-14 11:36 7589 ----a-w c:\program files\readme_j.txt
2006-08-12 14:55 . 2006-08-12 15:02 217088 ----a-w c:\program files\rh.exe
2006-08-09 10:52 . 2006-08-09 10:51 1934 ----a-w c:\program files\ST6UNST.LOG
2006-08-08 08:28 . 2006-08-08 08:28 530 ----a-w c:\program files\Shortcut to NESten.exe.lnk
2006-03-06 07:54 . 2006-03-06 07:53 1115126 ----a-w c:\program files\Uninst.isu
2006-03-06 07:54 . 2006-03-06 07:53 15900672 ----a-w c:\program files\Photoshop.exe
2006-02-09 00:02 . 2006-03-06 07:53 12755 ------w c:\program files\Adobe Photoshop 7.0 Read Me.wri
2003-02-22 18:06 . 2003-02-22 18:06 2282 ----a-w c:\program files\PTAlarm.txt
2003-02-22 18:06 . 2003-02-22 18:06 151928 ----a-w c:\program files\PTAlarm.exe
2002-04-06 21:42 . 2006-03-06 07:53 150296 ------w c:\program files\TypeLibrary.tlb
2002-04-06 21:37 . 2006-03-06 07:53 2445312 ------w c:\program files\PSViews.dll
2002-04-06 21:37 . 2006-03-06 07:53 897024 ------w c:\program files\Photoshop.dll
2002-04-06 21:37 . 2006-03-06 07:53 24576 ------w c:\program files\Photoshop.fon
2002-04-05 20:18 . 2006-03-06 07:53 462848 ------w c:\program files\ACE.dll
2002-04-04 05:38 . 2006-03-06 07:53 4059242 ------w c:\program files\ImageReadyRes.dll
2002-04-04 05:04 . 2006-03-06 07:53 13336651 ------w c:\program files\ImageReady.exe
2002-04-04 04:35 . 2006-03-06 07:53 331776 ------w c:\program files\JS32.dll
2002-04-01 07:29 . 2006-03-06 07:53 53248 ------w c:\program files\Plugin.dll
2002-03-29 00:56 . 2002-03-29 00:56 628 ----a-w c:\program files\PTAlarm.exe.manifest
2002-03-26 22:42 . 2006-03-06 07:53 1458176 ------w c:\program files\CoolType.dll
2002-03-13 09:24 . 2006-03-06 07:53 94208 ------w c:\program files\OPP.dll
2002-03-13 09:24 . 2006-03-06 07:53 929792 ------w c:\program files\AGM.dll
2002-03-13 09:24 . 2006-03-06 07:53 3485696 ------w c:\program files\MPS.dll
2002-03-13 09:24 . 2006-03-06 07:53 2920448 ------w c:\program files\PDFL50.dll
2002-03-05 20:10 . 2006-03-06 07:53 4265 ------w c:\program files\Photoshop.reg
2002-02-27 09:24 . 2006-03-06 07:53 167936 ------w c:\program files\Bib.dll
2001-12-06 20:24 . 2006-03-06 07:53 61440 ------w c:\program files\Uninst.dll
2001-06-29 23:38 . 2006-03-06 07:54 712751 ----a-w c:\program files\Asn.er.dll
2001-02-16 17:40 . 2006-03-06 07:53 19456 ------w c:\program files\PSUT9516.DLL
2000-10-10 19:49 . 2006-03-06 07:53 23024 ------w c:\program files\Shfolder.dll
2000-10-10 19:49 . 2006-03-06 07:53 20480 ------w c:\program files\Psut9532.dll
1993-07-23 05:00 . 2006-03-06 07:53 210944 ------w c:\program files\Msvcrt10.dll
2007-06-01 06:10 . 2006-12-23 07:16 61038 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2007-06-01 06:10 . 2006-12-23 07:16 49256 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2007-06-01 06:10 . 2006-12-23 07:16 166000 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2006-03-09 23:47 . 2006-02-23 08:30 104 --sh--r c:\windows\system32\AEBE5EB4D8.sys
2006-03-09 23:47 . 2006-02-23 08:30 5852 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FreeRAM XP"="c:\program files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-23 1591808]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-02-17 98304]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-06-15 366400]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]

c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
ChkDisk.dll [2009-4-30 24064]

c:\documents and settings\Free Glow Cup\Start Menu\Programs\Startup\
ChkDisk.dll [2009-4-28 24064]
ChkDisk.lnk - c:\windows\system32\rundll32.exe [2005-8-16 33280]
NYKO Gamepad Mapping Tools.lnk - c:\program files\NYKO\Gamepad Mapping Tools\ngpmap.exe [2006-2-23 417280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Extender Resource Monitor.lnk - c:\windows\ehome\RMSysTry.exe [2005-10-20 18432]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\bleeptheintermet\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\bleeptheintermet\\half-life 2\\hl2.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\bleeptheintermet\\counter-strike source beta\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\bleeptheintermet\\source sdk base\\hl2.exe"=
"c:\\Documents and Settings\\Free Glow Cup\\Desktop\\XPLAAAKKKK\\Old Skool\\NESTCL95.EXE"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\internetrape\\garrysmod\\hl2.exe"=
"c:\\Program Files\\EA GAMES\\Ultima Online 2D Client\\client.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"27476:TCP"= 27476:TCP:SLSK2
"57147:TCP"= 57147:TCP:azureus
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience

R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2007-04-05 17920]
R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2007-01-23 7680]
R3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys [2007-05-04 22528]
R3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;c:\windows\system32\DRIVERS\xusb20.sys [2006-10-13 50048]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{31d400fc-a4fe-11db-ac18-00123fc75b4c}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe
HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
HKCU-Run-brastk - c:\windows\system32\brastk.exe
HKCU-Run-Steam - (no file)
HKLM-Run-autochk - c:\windows\system32\autochk.dll
HKU-Default-Run-Windows Resurections - c:\windows\TEMP\cw5gx9i5s.exe
HKU-Default-Run-A00FE63A7.exe - c:\windows\TEMP\_A00FE63A7.exe
HKU-Default-Run-autochk - c:\windows\system32\config\SYSTEM~1\protect.dll
Notify-__c0076C4 - c:\windows\system32\__c0076C4.dat
Notify-winbue32 - winbue32.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: ActiveGS.cab - hxxp://www.virtualapple.org/activegs.cab
FF - ProfilePath - c:\documents and settings\Free Glow Cup\Application Data\Mozilla\Firefox\Profiles\br0xkcwb.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://imageshack.us/
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-30 04:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(716)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(5808)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\windows\ehome\McrdSvc.exe
c:\program files\Windows Media Connect 2\wmccds.exe
.
**************************************************************************
.
Completion time: 2009-04-30 4:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-30 08:07

Pre-Run: 8,731,901,952 bytes free
Post-Run: 8,998,305,792 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

245 --- E O F --- 2009-04-16 12:04


Am I in the clear?

#4 fenzodahl512

  • Members
  • 6,738 posts

Posted 30 April 2009 - 05:44 AM

Find these files and delete them manually..

c:\windows\system32\lmppcsetup.exe
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll
c:\documents and settings\Free Glow Cup\Start Menu\Programs\Startup\ChkDisk.dll
c:\documents and settings\Free Glow Cup\Start Menu\Programs\Startup\ChkDisk.lnk




Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.




Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan
  • Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


Post these logs in your next reply..

1. Malwarebytes'
2. ESET Online
3. How's the computer now? :thumbup2:

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#5 Space Hobos
  • Topic Starter
  • Members
  • 4 posts

Posted 30 April 2009 - 03:35 PM

Malwarebytes' Anti-Malware 1.36
Database version: 2062
Windows 5.1.2600 Service Pack 3

4/30/2009 2:58:06 PM
mbam-log-2009-04-30 (14-58-06).txt

Scan type: Full Scan (C:\|)
Objects scanned: 202017
Time elapsed: 49 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 21

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\Msvcrt10.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\Documents and Settings\Free Glow Cup\protect.dll.vir (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\autochk.dll.vir (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthdpfsdyafqrmwdyrercsuexpmdxwrahep.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthkufgudjcxxntwqvcltnaarfkmfjrjygj.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\__c0076C4.dat.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\config\systemprofile\protect.dll.vir (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ovfsthkltpkdtvyfyveamlrrvbxdyqlxweibdt.sys.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-1351439102-1461428673-1085580340-1005\Dc4.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1150\A0137916.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1150\A0137918.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1150\A0137919.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1150\A0137937.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1150\A0137939.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1150\A0137940.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1152\A0138129.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1152\A0138132.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Program Files\Asn.er.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files\ImageReadyRes.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files\JS32.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files\Msvcrt10.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files\PSUT9516.DLL (Spyware.OnlineGames) -> Quarantined and deleted successfully.



ESET online

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=4046 (20090430)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=b6dd486553a77d44869a30dc447c0529
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-04-30 08:20:33
# local_time=2009-04-30 04:20:33 (-0500, Eastern Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=317617
# found=2
# scan_time=4209
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthmjdvbutpawytktqjyidlefgshsfaghyy.dll.vir Win32/Olmarik.HJ trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\AdService.dll Win32/Spy.Small.DM trojan (unable to clean - deleted) 00000000000000000000000000000000

I went and deleted the first thing ESET detected but I couldn't find the adservice.dll

I'm not sure if it's totally clean or not, but I must say I thank you for all your help; you, sir, are awesome.

#6 fenzodahl512

  • Members
  • 6,738 posts

Posted 30 April 2009 - 03:41 PM

I went and deleted the first thing ESET detected but I couldn't find the adservice.dll


Don't worry, ESET deleted it.. Please run DDS once again and post the log here for my final review..



#7 Space Hobos
  • Topic Starter
  • Members
  • 4 posts

Posted 30 April 2009 - 08:16 PM

ComboFix 09-04-30.05 - Free Glow Cup 04/30/2009 21:02.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.553 [GMT -4:00]
Running from: c:\documents and settings\Free Glow Cup\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition Classic *On-access scanning disabled* (Updated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated)
.

((((((((((((((((((((((((( Files Created from 2009-04-01 to 2009-05-01 )))))))))))))))))))))))))))))))
.

2009-04-30 19:07 . 2009-04-30 20:20 -------- d-----w c:\program files\EsetOnlineScanner
2009-04-30 17:59 . 2009-04-30 17:59 -------- d-----w c:\documents and settings\Free Glow Cup\Application Data\Malwarebytes
2009-04-30 17:59 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-30 17:59 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-30 17:59 . 2009-04-30 17:59 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-30 17:59 . 2009-04-30 17:59 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-28 02:10 . 2009-04-28 02:10 -------- d-----w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Mozilla
2009-04-15 16:41 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 16:41 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-15 16:41 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 16:41 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-15 16:41 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 16:41 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 16:41 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 16:41 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 16:41 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 16:41 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 16:41 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 16:41 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-30 07:43 . 2006-02-25 09:29 -------- d-----w c:\program files\bleepe Files
2009-04-27 07:00 . 2007-11-25 19:49 -------- d-----w c:\program files\Soulseek
2009-04-26 04:12 . 2006-03-06 07:53 -------- d-----w c:\program files\Required
2009-03-06 14:22 . 2005-08-16 10:18 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2005-08-16 10:18 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2005-08-16 10:18 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2005-08-16 10:18 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2005-08-16 10:18 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2005-08-16 10:18 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2005-08-16 10:18 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2005-08-16 10:18 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2005-08-16 10:18 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2005-08-16 10:18 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2005-08-16 10:18 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-04 04:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2005-08-16 10:18 56832 ----a-w c:\windows\system32\secur32.dll
2007-12-14 23:43 . 2006-08-08 08:29 2368 ----a-w c:\program files\NESten.INI
2006-12-09 09:42 . 2006-12-09 09:42 7680 --sha-w c:\program files\Thumbs.db
2006-11-09 20:03 . 2006-11-03 09:08 91 ----a-w c:\program files\rh.ini
2006-11-09 19:58 . 2006-11-03 09:08 143 ----a-w c:\program files\rh.log
2006-11-03 09:13 . 2006-11-03 09:13 506 ----a-w c:\program files\Shortcut to rh.exe.lnk
2006-08-12 15:51 . 2006-08-14 11:36 7589 ----a-w c:\program files\readme_j.txt
2006-08-12 14:55 . 2006-08-12 15:02 217088 ----a-w c:\program files\rh.exe
2006-08-09 10:52 . 2006-08-09 10:51 1934 ----a-w c:\program files\ST6UNST.LOG
2006-08-08 08:28 . 2006-08-08 08:28 530 ----a-w c:\program files\Shortcut to NESten.exe.lnk
2006-03-06 07:54 . 2006-03-06 07:53 1115126 ----a-w c:\program files\Uninst.isu
2006-03-06 07:54 . 2006-03-06 07:53 15900672 ----a-w c:\program files\Photoshop.exe
2006-02-09 00:02 . 2006-03-06 07:53 12755 ------w c:\program files\Adobe Photoshop 7.0 Read Me.wri
2003-02-22 18:06 . 2003-02-22 18:06 2282 ----a-w c:\program files\PTAlarm.txt
2003-02-22 18:06 . 2003-02-22 18:06 151928 ----a-w c:\program files\PTAlarm.exe
2002-04-06 21:42 . 2006-03-06 07:53 150296 ------w c:\program files\TypeLibrary.tlb
2002-04-06 21:37 . 2006-03-06 07:53 2445312 ------w c:\program files\PSViews.dll
2002-04-06 21:37 . 2006-03-06 07:53 897024 ------w c:\program files\Photoshop.dll
2002-04-06 21:37 . 2006-03-06 07:53 24576 ------w c:\program files\Photoshop.fon
2002-04-05 20:18 . 2006-03-06 07:53 462848 ------w c:\program files\ACE.dll
2002-04-04 05:04 . 2006-03-06 07:53 13336651 ------w c:\program files\ImageReady.exe
2002-04-01 07:29 . 2006-03-06 07:53 53248 ------w c:\program files\Plugin.dll
2002-03-29 00:56 . 2002-03-29 00:56 628 ----a-w c:\program files\PTAlarm.exe.manifest
2002-03-26 22:42 . 2006-03-06 07:53 1458176 ------w c:\program files\CoolType.dll
2002-03-13 09:24 . 2006-03-06 07:53 94208 ------w c:\program files\OPP.dll
2002-03-13 09:24 . 2006-03-06 07:53 929792 ------w c:\program files\AGM.dll
2002-03-13 09:24 . 2006-03-06 07:53 3485696 ------w c:\program files\MPS.dll
2002-03-13 09:24 . 2006-03-06 07:53 2920448 ------w c:\program files\PDFL50.dll
2002-03-05 20:10 . 2006-03-06 07:53 4265 ------w c:\program files\Photoshop.reg
2002-02-27 09:24 . 2006-03-06 07:53 167936 ------w c:\program files\Bib.dll
2001-12-06 20:24 . 2006-03-06 07:53 61440 ------w c:\program files\Uninst.dll
2000-10-10 19:49 . 2006-03-06 07:53 23024 ------w c:\program files\Shfolder.dll
2000-10-10 19:49 . 2006-03-06 07:53 20480 ------w c:\program files\Psut9532.dll
2007-06-01 06:10 . 2006-12-23 07:16 61038 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2007-06-01 06:10 . 2006-12-23 07:16 49256 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2007-06-01 06:10 . 2006-12-23 07:16 166000 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2006-03-09 23:47 . 2006-02-23 08:30 104 --sh--r c:\windows\system32\AEBE5EB4D8.sys
2006-03-09 23:47 . 2006-02-23 08:30 5852 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-04-30_08.03.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-07 06:19 . 2007-11-07 06:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll
+ 2008-02-05 12:48 . 2008-02-05 12:48 77824 c:\windows\system32\OnlineScannerUninstaller.exe
+ 2004-12-07 14:11 . 2004-12-07 14:11 258352 c:\windows\system32\unicows.dll
+ 2008-02-08 17:53 . 2008-02-08 17:53 110592 c:\windows\system32\OnlineScannerLang.dll
+ 2008-02-11 13:39 . 2008-02-11 13:39 237568 c:\windows\system32\OnlineScannerDLLW.dll
+ 2008-02-11 13:39 . 2008-02-11 13:39 253952 c:\windows\system32\OnlineScannerDLLA.dll
+ 2005-12-05 16:37 . 2005-12-05 16:37 106496 c:\windows\system32\lnod32upd.dll
+ 2005-12-05 23:25 . 2005-12-05 23:25 139264 c:\windows\system32\lnod32umc.dll
+ 2007-07-27 18:49 . 2007-07-27 18:49 225355 c:\windows\system32\lnod32apiW.dll
+ 2007-07-27 18:49 . 2007-07-27 18:49 196683 c:\windows\system32\lnod32apiA.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FreeRAM XP"="c:\program files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-23 1591808]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-02-17 98304]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-06-15 366400]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]

c:\documents and settings\Free Glow Cup\Start Menu\Programs\Startup\
NYKO Gamepad Mapping Tools.lnk - c:\program files\NYKO\Gamepad Mapping Tools\ngpmap.exe [2006-2-23 417280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Extender Resource Monitor.lnk - c:\windows\ehome\RMSysTry.exe [2005-10-20 18432]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\bleeptheintermet\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\bleeptheintermet\\half-life 2\\hl2.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\bleeptheintermet\\counter-strike source beta\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\bleeptheintermet\\source sdk base\\hl2.exe"=
"c:\\Documents and Settings\\Free Glow Cup\\Desktop\\XPLAAAKKKK\\Old Skool\\NESTCL95.EXE"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\internetrape\\garrysmod\\hl2.exe"=
"c:\\Program Files\\EA GAMES\\Ultima Online 2D Client\\client.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"27476:TCP"= 27476:TCP:SLSK2
"57147:TCP"= 57147:TCP:azureus
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience

R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2007-04-05 17920]
R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2007-01-23 7680]
R3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys [2007-05-04 22528]
R3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;c:\windows\system32\DRIVERS\xusb20.sys [2006-10-13 50048]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{31d400fc-a4fe-11db-ac18-00123fc75b4c}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: ActiveGS.cab - hxxp://www.virtualapple.org/activegs.cab
FF - ProfilePath - c:\documents and settings\Free Glow Cup\Application Data\Mozilla\Firefox\Profiles\br0xkcwb.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://imageshack.us/
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-30 21:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(716)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(13072)
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-05-01 21:06
ComboFix-quarantined-files.txt 2009-05-01 01:05
ComboFix2.txt 2009-04-30 17:31
ComboFix3.txt 2009-04-30 08:07

Pre-Run: 8,949,297,152 bytes free
Post-Run: 8,946,614,272 bytes free

205 --- E O F --- 2009-04-16 12:04

Actually I think my computer is clean. I can't thank you enough; I wish I had money 'cause I'd give it to you. I am in your debt. If there's anything I can do for you, hit me up on Space Hobos via AIM.

#8 fenzodahl512

  • Members
  • 6,738 posts

Posted 30 April 2009 - 11:13 PM

Don't worry.. We do this for fun :thumbup2:


Looks good to me.. Let's do some cleanup...


Please download OTCleanIt and save it to Desktop.
  • Make sure you have an internet connection..
  • Double-click OTCleanIt.exe
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes


Please read these excellent articles written by my friends:
Preventing Malware and Safe Computing by Rorschach112
What makes your machine slow? by Artellos


Also, please read these excellent articles by miekiemoes :
Help! My computer is slow!
How to prevent Malware


Read this great info about safe internet surfing..

http://www.pcpitstop.com/spycheck/safesurfing.asp
http://bluefive.pair.com/practice_safe_surfing.htm




Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :)



Have a safe and happy computing day!


Regards
fenzodahl512
