
Infected - Don't know exactly what to remove or how


  • This topic is locked
2 replies to this topic

#1 abacus_x

  • Members
  • 6 posts

Posted 03 May 2009 - 01:03 PM

DDS (Ver_09-03-16.01) - NTFSx86
Run by abacus at 18:52:46.45 on 03/05/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2813.1890 [GMT 7:00]


============== Running Processes ===============

D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
D:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
svchost.exe
D:\Program Files\Prevx\prevx.exe
D:\WINDOWS\system32\svchost.exe -k imgsvc
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Prevx\prevx.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\FlashGet\flashget.exe
D:\Program Files\Prevx1\PXAgent.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\yabftjk.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
D:\Documents and Settings\abacus\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
uURLSearchHooks: IsoBuster Toolbar: {266fcdca-7bb3-4da7-b3bf-f845dea2ebd6} - d:\program files\isobuster\tbIso1.dll
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: d:\windows\system32\jkshfuiehi.dll: {c2ba40a1-74f3-42bd-f434-12345a2c8953} - d:\windows\system32\jkshfuiehi.dll
TB: StylerToolBar: {d2f8f919-690b-4ea2-9fa7-a203d1e04f75} - d:\program files\styler\tb\StylerTB.dll
TB: IsoBuster Toolbar: {266fcdca-7bb3-4da7-b3bf-f845dea2ebd6} - d:\program files\isobuster\tbIso1.dll
mRun: [9417] C:\yabftjk.exe
mRunOnce: [Malwarebytes' Anti-Malware] d:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "d:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [CTFMON.EXE] d:\windows\system32\CTFMON.EXE
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: d:\documents and settings\abacus\start menu\programs\startup\santa.bat
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
mPolicies-system: SynchronousMachineGroupPolicy = 0 (0x0)
mPolicies-system: SynchronousUserGroupPolicy = 0 (0x0)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
IE: &Download All with FlashGet - d:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - d:\program files\flashget\jc_link.htm
IE: E&xport to Microsoft Excel - d:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - d:\program files\flashget\FlashGet.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - d:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\program files\spybotsd\SDHelper.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - d:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - d:\windows\system32\WPDShServiceObj.dll
STS: d:\windows\system32\jkshfuiehi.dll: {c2ba40a1-74f3-42bd-f434-12345a2c8953} - d:\windows\system32\jkshfuiehi.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - d:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - d:\docume~1\abacus\applic~1\mozilla\firefox\profiles\s3cpsbsy.default\
FF - plugin: d:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: d:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll

============= SERVICES / DRIVERS ===============

R0 ahci7xx;ahci7xx;d:\windows\system32\drivers\ahci7xx.sys [2009-4-6 176136]
R0 pxscan;pxscan;d:\windows\system32\drivers\pxscan.sys [2009-5-3 22024]
R0 pxsec;pxsec;d:\windows\system32\drivers\pxsec.sys [2009-5-3 27656]
R0 SFAUDIO;Sonic Focus DSP Driver;d:\windows\system32\drivers\sfaudio.sys [2008-3-28 24064]
R1 vcdrom;Virtual CD-ROM Device Driver;d:\program files\system\cpl bonus\vcdrom.sys [2009-5-2 8576]
R2 csiscanner;CSIScanner;d:\program files\prevx\prevx.exe [2009-5-3 4368952]
R3 MBAMSwissArmy;MBAMSwissArmy;d:\windows\system32\drivers\mbamswissarmy.sys [2009-5-3 38496]
S1 PrevxTdi;PREVX Tdi filter;d:\windows\system32\drivers\pxtdi.sys [2009-5-3 18560]
S3 Com4QLBEx;Com4QLBEx;d:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2009-5-2 222512]
S3 PrevxEmulator;PREVX Emulator Driver;d:\windows\system32\drivers\PxEmu.sys [2009-5-3 100864]

=============== Created Last 30 ================

2009-05-03 16:35 61,440 a------- d:\windows\system32\drivers\xtgbw.sys
2009-05-03 16:28 <DIR> --d----- d:\docume~1\abacus\applic~1\Malwarebytes
2009-05-03 16:28 15,504 a------- d:\windows\system32\drivers\mbam.sys
2009-05-03 16:28 38,496 a------- d:\windows\system32\drivers\mbamswissarmy.sys
2009-05-03 16:28 <DIR> --d----- d:\program files\Malwarebytes' Anti-Malware
2009-05-03 16:28 <DIR> --d----- d:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-03 16:27 0 a------- d:\windows\pxsetup.rf
2009-05-03 16:21 <DIR> --d----- d:\docume~1\abacus\applic~1\Prevx
2009-05-03 16:21 9,728 a------- d:\windows\system32\drivers\pxscinst.dll
2009-05-03 16:21 7,680 a------- d:\windows\system32\drivers\pxinst.dll
2009-05-03 16:21 <DIR> --d----- d:\program files\Prevx1
2009-05-03 16:21 <DIR> --d----- d:\docume~1\alluse~1\applic~1\Prevx
2009-05-03 05:58 <DIR> --d----- d:\program files\Trend Micro
2009-05-03 05:50 27,656 a------- d:\windows\system32\drivers\pxsec.sys
2009-05-03 05:50 22,024 a------- d:\windows\system32\drivers\pxscan.sys
2009-05-03 05:50 <DIR> --d----- d:\program files\Prevx
2009-05-03 05:50 <DIR> --d----- d:\docume~1\alluse~1\applic~1\PrevxCSI
2009-05-03 04:54 <DIR> --d----- d:\program files\SpyBotSD
2009-05-03 04:54 <DIR> --d----- d:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-05-03 03:51 11,136 a------- d:\windows\system32\drivers\SLIP.sys
2009-05-03 03:51 85,248 a------- d:\windows\system32\drivers\NABTSFEC.sys
2009-05-03 03:51 10,880 a------- d:\windows\system32\drivers\NdisIP.sys
2009-05-03 03:51 17,024 a------- d:\windows\system32\drivers\CCDECODE.sys
2009-05-03 03:51 19,200 a------- d:\windows\system32\drivers\WSTCODEC.SYS
2009-05-03 03:51 7,552 a------- d:\windows\system32\drivers\MSKSSRV.sys
2009-05-03 03:51 5,376 a------- d:\windows\system32\drivers\MSPCLOCK.sys
2009-05-03 03:51 16,384 a------- d:\windows\system32\ipsink.ax
2009-05-03 03:51 15,232 a------- d:\windows\system32\drivers\StreamIP.sys
2009-05-03 03:51 4,992 a------- d:\windows\system32\drivers\MSPQM.sys
2009-05-03 03:51 3,072 a------- d:\windows\system32\drivers\audstub.sys
2009-05-03 03:49 0 a------- d:\windows\ativpsrm.bin
2009-05-03 03:49 57,600 a------- d:\windows\system32\drivers\redbook.sys
2009-05-03 03:48 74,240 a------- d:\windows\system32\usbui.dll
2009-05-03 03:47 10,240 a------- d:\windows\system32\drivers\compbatt.sys
2009-05-03 03:47 14,208 a------- d:\windows\system32\drivers\battc.sys
2009-05-03 03:47 13,952 a------- d:\windows\system32\drivers\CmBatt.sys
2009-05-03 03:47 8,832 a------- d:\windows\system32\drivers\wmiacpi.sys
2009-05-03 03:43 <DIR> --d----- d:\program files\common files\ODBC
2009-05-03 03:43 <DIR> --d----- d:\program files\common files\SpeechEngines
2009-05-03 03:42 21,504 a------- d:\windows\system32\CINTLGNT.IME
2009-05-03 03:41 9,216 a------- d:\windows\system32\kbdnecAT.dll
2009-05-03 03:41 <DIR> --d--r-- d:\documents and settings\all users\Documents
2009-05-03 03:40 <DIR> --d----- d:\windows\system32\CatRoot2
2009-05-03 03:40 <DIR> --d----- d:\windows\system32\CatRoot
2009-05-03 03:40 2,611,016 a------- d:\windows\setupapi.log.0.old
2009-05-03 03:39 1,123,328 a------- d:\windows\system32\drivers\BCMWL5.SYS
2009-05-03 03:38 296,448 a------- d:\windows\system32\drivers\yk51x86.sys
2009-05-03 03:38 282,624 a------- d:\windows\system32\ykx32mpcoinst.dll
2009-05-03 03:35 147,456 a------- d:\windows\system32\Oemdspif.dll
2009-05-03 03:35 45,056 a------- d:\windows\system32\amdcalrt.dll
2009-05-03 03:35 3,252,224 a------- d:\windows\system32\Amdcaldd.dll
2009-05-03 03:35 45,056 a------- d:\windows\system32\amdcalcl.dll
2009-05-03 03:34 33,792 a------- d:\windows\system32\drivers\AmdPPM.sys
2009-05-03 03:34 9,344 a------- d:\windows\system32\drivers\CPQBttn.sys
2009-05-03 03:34 5,760 a------- d:\windows\system32\drivers\EabUsb.sys
2009-05-03 03:34 <DIR> --d----- D:\Documents and Settings
2009-05-03 03:33 1,893 a------- d:\windows\system32\$winnt$.inf
2009-05-03 02:54 <DIR> --d----- d:\program files\PowerISO
2009-05-03 02:44 <DIR> --d----- d:\program files\Conduit
2009-05-03 02:44 <DIR> --d----- d:\program files\IsoBuster
2009-05-03 02:44 24,576 a------- d:\documents and settings\abacus\reader_s.exe
2009-05-03 02:43 4,964,648 a------- d:\docume~1\abacus\applic~1\Setup_isobuster_2500_all_lang.exe
2009-05-03 02:43 98,867 a------- d:\docume~1\abacus\applic~1\svhost.exe
2009-05-03 02:03 <DIR> --d----- d:\program files\FlashGet
2009-05-02 23:03 <DIR> --d----- d:\program files\ATI Technologies
2009-05-02 22:51 <DIR> --d----- d:\docume~1\abacus\applic~1\hpqLog
2009-05-02 22:47 <DIR> --d----- d:\program files\Synaptics
2009-05-02 22:43 <DIR> --d----- d:\program files\common files\SNP2UVC
2009-05-02 22:41 <DIR> --d----- d:\program files\Analog Devices
2009-05-02 22:11 <DIR> --d----- d:\program files\K-Lite Codec Pack
2009-05-02 22:11 <DIR> --d----- d:\program files\Microsoft Visual Studio 8
2009-05-02 22:01 <DIR> --d----- d:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-05-02 21:59 <DIR> --d----- d:\program files\VisualTaskTips
2009-05-02 21:57 <DIR> --d----- d:\program files\WinFlip
2009-05-02 21:57 <DIR> --d----- d:\program files\VideoLAN
2009-05-02 21:56 <DIR> --d----- d:\docume~1\abacus\applic~1\Styler
2009-05-02 21:56 <DIR> --d----- d:\program files\Styler
2009-05-02 21:55 <DIR> --d----- d:\program files\TrueTransparency
2009-05-02 21:27 <DIR> --d----- d:\program files\PROnetworks
2009-05-02 21:24 <DIR> --dsh--- d:\documents and settings\abacus\PrivacIE
2009-05-02 21:24 <DIR> --dsh--- d:\documents and settings\abacus\IECompatCache
2009-05-02 21:15 <DIR> --dsh--- d:\documents and settings\abacus\IETldCache
2009-05-02 21:09 <DIR> --d----- d:\program files\Alky for Applications
2009-05-02 21:02 <DIR> --dsh--- d:\documents and settings\all users\DRM
2009-05-02 21:02 <DIR> --d-h--- d:\program files\WindowsUpdate
2009-05-02 21:02 <DIR> --d----- d:\program files\Online Services
2009-05-02 21:01 <DIR> --d----- d:\program files\Windows Media Connect 2
2009-05-02 21:01 <DIR> --d----- d:\program files\common files\MSSoap
2009-05-02 20:57 <DIR> --d----- d:\program files\VistaExperience.org
2009-05-02 20:54 <DIR> --d----- d:\program files\LClock
2009-05-02 20:54 <DIR> --d----- d:\program files\System
2009-05-02 20:54 <DIR> --d----- d:\program files\HashTab Shell Extension
2009-05-02 20:54 <DIR> --d----- d:\program files\Unlocker
2009-05-02 20:54 <DIR> --d----- d:\program files\Microsoft PowerToys
2009-05-02 20:53 <DIR> --d----- d:\program files\Windows NT

==================== Find3M ====================

2009-05-03 18:52 106,620 a------- d:\windows\system32\drivers\78e7c499.sys
2009-05-03 02:50 182,656 a------- d:\windows\system32\drivers\ndis.sys
2009-05-03 02:50 182,656 a------- d:\windows\system32\dllcache\ndis.sys
2009-05-03 02:44 14,848 a------- d:\windows\system32\DL32.exe
2009-05-03 02:44 24,576 a------- d:\windows\system32\reader_s.exe
2009-05-03 02:43 15,000 -------- d:\windows\system32\jkshfuiehi.dll
2009-05-03 01:51 86,327 a------- d:\windows\pchealth\helpctr\offlinecache\index.dat
2009-05-02 22:51 0 a---h--- d:\windows\system32\drivers\Msft_Kernel_HpqKbFiltr_01005.Wdf
2009-05-02 22:47 0 a---h--- d:\windows\system32\drivers\Msft_Kernel_SynTP_01007.Wdf
2009-05-02 22:47 0 a---h--- d:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-05-02 20:59 21,640 a------- d:\windows\system32\emptyregdb.dat
2009-04-28 05:04 5,105,659 a------- d:\windows\app.exe
2009-04-27 22:00 314,383 a------- d:\windows\es.exe
2009-04-06 10:50 14,471 a------- d:\windows\REGTWEAK.REG
2009-03-15 17:25 56,268 a------- d:\windows\system32\drivers\scdemu.sys
2009-02-10 01:56 67,584 a------- d:\windows\system32\ff_vfw.dll
2009-02-06 11:32 161,064 a------- d:\windows\system32\SynTPAPI.dll
2009-02-06 11:32 120,104 a------- d:\windows\system32\SynTPCo4.dll
2009-02-06 11:32 206,120 a------- d:\windows\system32\SynCtrl.dll
2009-02-06 11:32 169,256 a------- d:\windows\system32\SynCOM.dll

============= FINISH: 18:53:41.60 ===============

Edited by abacus_x, 03 May 2009 - 01:25 PM.



#2 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 04 May 2009 - 01:14 PM

Hello abacus_x,

Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

**************

Download Lop S&D
Lop S&D will only run on Windows XP and Windows Vista

Disable your antivirus and antimalware programs so they do not interfere with the running of Lop S&D.
To see how to disable security programs visit this tutorial:
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

You can enable them after the scan.

You can find detailed instructions with visuals here.

Double-click Lop S&D.exe

If you are using Windows Vista, right-click on LopSD.exe icon and select 'Run as administrator' to perform this scan.

Choose the language, then choose Option 1 (Search)
Wait till the end of the scan
Post the log which is created: (%SystemDrive%\lopR.txt)

**************

Please disable any running anti-virus program before running Kaspersky Online Scanner.
If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

Close any open browsers

Please do a scan with Kaspersky Online Scanner

You can refer to this animation by sundavis.


Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 22 May 2009 - 05:54 PM

Due to inactivity, this thread will now be closed.