
Something Has Rendered Computer Useless, Please Help Soon


9 replies to this topic

#1 Catie G.

  • Members
  • 10 posts

Posted 11 May 2009 - 08:34 PM

1. When I sign on normally, explorer is stuck to the point where I don't have anything on my desktop to click, I can't open any programs, not even Task Manager. Basically can't do anything, including go on the internet. It's pretty much frozen.
2. In Safe Mode, I can sign on and everything shows up but I can't go on the internet.
3. The loading is extremely slow even though nothing ever ends up working anyway. Spybot was running on reboot and it was on for about 3-4 hours and was only 1/5th done.

Right now, I think I chose Debugging mode and I signed on my name. Explorer did not start up, so I ran firefox.exe in order to do this. I really need help because in this condition I basically can't transfer my important files onto a USB Stick in case this thing gets worse. And I'm sure it's some sort of trojan/malware/virtumonde thing and not my computer.

Also, if it's possible to fix this so that none of this happens on all the names on my computer, that'd be great, since I share this computer with 3 other people. I believe it started up when my sister signed on her name for the first time in a couple of months yesterday. It's the only thing that makes sense to me right now.

I'm sorry if there was more I needed to put in this entry, I can't really use the internet or my computer properly so I just used the DDS log. Thank you so much for your time and assistance.


DDS (Ver_09-03-16.01) - NTFSx86
Run by Catie at 20:20:27.71 on Mon 05/11/09
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1575 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Catie\Desktop\Catie's Folder\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.thebreastcancersite.com/clickToGive/home.faces?siteId=2
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: AIM Search: {40d41a8b-d79b-43d7-99a7-9ee0f344c385} -
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [OM_Monitor] c:\program files\olympus\olympus master\Monitor.exe -NoStart
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [AOL Fast Start] "c:\program files\america online 9.0b\AOL.EXE" -b
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe"
mRun: [tgcmd] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf
mRun: [OM_Monitor] c:\program files\olympus\olympus master\FirstStart.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [pure networks port magic] "c:\progra~1\purene~1\portma~1\PortAOL.exe" -Run
mRun: [hostmanager] c:\program files\common files\aol\1156281517\ee\AOLSoftware.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [aoldialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [aol spyware protection] "c:\progra~1\common~1\aol\aolspy~1\AOLSP Scheduler.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10a.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {fb5f1910-f110-11d2-bb9e-00c04f795683} - c:\program files\messenger\msmsgs.exe
LSP: connwsp.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {e06e2e99-0aa1-11d4-aba6-0060082aa75c} -
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\catie\applic~1\mozilla\firefox\profiles\q3tc4l9e.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.thebreastcancersite.com/clickToGive/home.faces?siteId=2
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 Achernar;Achernar - SCSI Command Filters;c:\windows\system32\drivers\Achernar.sys [2004-12-30 16855]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-3-10 24652]
S3 Aldebaran;Aldebaran - SCSI Command Filters;c:\windows\system32\drivers\Aldebaran.sys [2004-12-30 21808]
S3 MmedFilter;MmedFilter;c:\windows\system32\drivers\MmedFilter.sys [2006-9-25 4096]
SUnknown okqbsluvkogd;okqbsluvkogd; [x]

=============== Created Last 30 ================

2009-05-11 20:15 445 a------- c:\windows\system32\win32hlp.cnf
2009-05-11 18:36 213,024 a------- c:\windows\system32\drivers\str.sys
2009-05-11 18:06 389,120 a------- c:\windows\system32\CF20821.exe
2009-05-11 01:36 19,456 a------- c:\windows\system32\loader49.exe
2009-05-11 01:05 59,904 a------- c:\windows\system32\drivers\rfxcniyxsggs.sys

==================== Find3M ====================

2009-05-11 01:37 104,960 a------- c:\windows\system32\userinit.exe
2009-05-11 01:37 104,960 a------- c:\windows\system32\dllcache\userinit.exe
2009-03-19 18:36 389,120 a------- c:\windows\system32\CF15033.exe
2009-03-12 16:45 179,712 a------- c:\windows\system32\cmmon32.dll
2009-03-12 16:13 179,712 a------- c:\windows\system32\findstr.dll
2009-03-12 16:13 1,136,132 a------- c:\windows\system32\dllcache\explorer.exe
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-08 16:12 14,336 a------- c:\windows\system32\svchost.exe
2009-03-08 16:12 14,336 a------- c:\windows\system32\dllcache\svchost.exe
2006-11-14 16:02 0 ac------ c:\program files\common files\err.log
2008-11-24 18:08 848 ac-sh--- c:\windows\system32\KGyGaAvL.sys
2008-10-25 15:12 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102520081026\index.dat
2007-12-17 11:17 16,384 ac-sh--- c:\windows\system32\yhorwmal.dll\cookies\index.dat
2007-12-17 11:17 16,384 ac-sh--- c:\windows\system32\yhorwmal.dll\history\history.ie5\index.dat
2007-12-17 11:17 32,768 ac-sh--- c:\windows\system32\yhorwmal.dll\temporary internet files\content.ie5\index.dat

============= FINISH: 20:21:27.62 ===============


#2 KoanYorel

    Bleepin' Conundrum

  • Members
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 26 May 2009 - 06:11 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 Catie G.
  • Topic Starter

  • Members
  • 10 posts

Posted 03 June 2009 - 07:14 PM

So right now, my Firefox browser doesn't work. Loading times are slow. Sometimes, I can't even load my desktop let alone any programs. I went into Safe Mode and ran ComboFix, but I need the new version. Sometimes I can't open Task Manager, but when I can, I close explorer.exe and then everything works pretty well. I do get pop-ups from my browser every now and then.

DDS (Ver_09-05-14.01) - NTFSx86
Run by Catie at 20:10:08.12 on Wed 06/03/09
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1383 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\AOL\1156281517\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\program files\common files\aol\1156281517\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1156281517\ee\aolsoftware.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\America Online 9.0b\waol.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\America Online 9.0b\shellmon.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Catie\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.thebreastcancersite.com/clickToGive/home.faces?siteId=2
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: AIM Search: {40d41a8b-d79b-43d7-99a7-9ee0f344c385} -
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [OM_Monitor] c:\program files\olympus\olympus master\Monitor.exe -NoStart
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [HostManager] c:\program files\common files\aol\1156281517\ee\AOLSoftware.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [tgcmd] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [pure networks port magic] "c:\progra~1\purene~1\portma~1\PortAOL.exe" -Run
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [aoldialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [aol spyware protection] "c:\progra~1\common~1\aol\aolspy~1\AOLSP Scheduler.exe"
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [OM_Monitor] c:\program files\olympus\olympus master\FirstStart.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
mRun: [EverioService] "c:\program files\cyberlink\pcm4everio\EverioService.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10a.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {fb5f1910-f110-11d2-bb9e-00c04f795683} - c:\program files\messenger\msmsgs.exe
LSP: connwsp.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000}
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {e06e2e99-0aa1-11d4-aba6-0060082aa75c} -
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\catie\applic~1\mozilla\firefox\profiles\q3tc4l9e.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.thebreastcancersite.com/clickToGive/home.faces?siteId=2
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 Achernar;Achernar - SCSI Command Filters;c:\windows\system32\drivers\Achernar.sys [2004-12-30 16855]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-3-10 24652]
S2 okqbsluvkogd;okqbsluvkogd;\??\c:\windows\system32\drivers\rfxcniyxsggs.sys --> c:\windows\system32\drivers\rfxcniyxsggs.sys [?]
S3 Aldebaran;Aldebaran - SCSI Command Filters;c:\windows\system32\drivers\Aldebaran.sys [2004-12-30 21808]
S3 MmedFilter;MmedFilter;c:\windows\system32\drivers\MmedFilter.sys [2006-9-25 4096]
UnknownUnknown nrfhcvfdnxcgx;nrfhcvfdnxcgx; [x]

=============== Created Last 30 ================

2009-06-03 19:24 <DIR> --d----- C:\ComboFix
2009-06-03 18:32 1 a------- c:\windows\9g2234wesdf3dfgjf23
2009-06-03 18:32 14,336 ----h--- c:\windows\pp10.exe
2009-06-03 18:32 17,408 a------- c:\windows\system32\SYSDLL.exe
2009-06-03 18:32 2 ----h--- c:\windows\ro122730.dat
2009-06-03 18:32 <DIR> --d----- c:\windows\system32\sysloc
2009-06-03 18:32 14,848 ----h--- c:\windows\ld08.exe
2009-05-31 22:46 54,156 a---h--- c:\windows\QTFont.qfn
2009-05-31 22:46 1,409 a------- c:\windows\QTFont.for
2009-05-28 15:04 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-05-28 15:04 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-05-28 15:04 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-05-28 15:04 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-05-28 15:04 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-05-28 15:04 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-28 15:04 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-05-28 15:04 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-05-28 15:04 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-05-28 15:02 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-05-28 15:02 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-05-26 14:16 664 a------- c:\windows\system32\d3d9caps.dat
2009-05-25 23:52 198,144 -------- c:\windows\system32\_psisdecd.dll
2009-05-25 23:51 1,047,552 -------- c:\windows\system32\MFC71u.dll
2009-05-25 23:50 <DIR> --d----- C:\MyWorks
2009-05-25 23:50 <DIR> --d----- c:\program files\Digital Photo Navigator 1.5
2009-05-11 22:38 161,792 a------- c:\windows\SWREG.exe
2009-05-11 22:38 98,816 a------- c:\windows\sed.exe

==================== Find3M ====================

2009-03-21 10:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-12 16:45 179,712 a------- c:\windows\system32\cmmon32.dll
2009-03-12 16:13 179,712 a------- c:\windows\system32\findstr.dll
2009-03-12 16:13 1,136,132 a------- c:\windows\system32\dllcache\explorer.exe
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-08 16:12 14,336 a------- c:\windows\system32\svchost.exe
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2006-11-14 16:02 0 ac------ c:\program files\common files\err.log
2008-11-24 18:08 848 ac-sh--- c:\windows\system32\KGyGaAvL.sys
2008-10-25 15:12 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102520081026\index.dat
2007-12-17 11:17 16,384 ac-sh--- c:\windows\system32\yhorwmal.dll\cookies\index.dat
2007-12-17 11:17 16,384 ac-sh--- c:\windows\system32\yhorwmal.dll\history\history.ie5\index.dat
2007-12-17 11:17 32,768 ac-sh--- c:\windows\system32\yhorwmal.dll\temporary internet files\content.ie5\index.dat

============= FINISH: 20:11:21.35 ===============

Thank you for reopening this. I hope I can get help soon because I'm afraid my computer will stop working again and it has been difficult to get around the problems.
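The two DDS logs in this thread carry three indicators a responder would pull out by hand: a user-level HTTP proxy pointed back at the machine (`ProxyServer = http=localhost:7171` and the matching Firefox `network.proxy.*` prefs), services/drivers with machine-generated names whose image file is missing or unverifiable (`okqbsluvkogd`, `rfxcniyxsggs.sys`, `nrfhcvfdnxcgx`, the `[x]`/`[?]` markers), and executables or drivers dropped straight into the Windows system directories in the last 30 days (`loader49.exe`, `CF20821.exe`, `str.sys`). The script below is an added example, not part of the thread and not the DDS tool's own code; the random-name heuristic and the section/line regexes are assumptions chosen for this example, and `SAMPLE_LOG` is constructed from lines quoted in the logs above plus a few benign entries.

```python
"""Triage heuristics over a DDS-style log (added example, not DDS itself)."""
import re

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# services/drivers: "<start> <name>;<display name>;<image path and status>"
SERVICE_RE = re.compile(r"^(\S+)\s+([^;]+);([^;]*);(.*)$")
# created/modified files: "<date> <time> <size|<DIR>> <attrs> <path>"
CREATED_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d\s+(?:[\d,]+|<DIR>)\s+\S+\s+(.+)$")
# binaries directly under %windir%, system32 or system32\drivers (dllcache excluded)
SYSTEM_BIN_RE = re.compile(
    r"^c:\\windows\\(?:system32\\(?:drivers\\)?)?([^\\]+\.(?:exe|sys|dll|com|scr))$", re.I)
# IE (ProxyServer) or Firefox (network.proxy.http) proxy pointing at the local host
PROXY_RE = re.compile(
    r"(ProxyServer\s*=|network\.proxy\.http\b).*\b(localhost|127\.0\.0\.1)\b", re.I)
KNOWN_START = {"R0", "R1", "R2", "R3", "R4", "S0", "S1", "S2", "S3", "S4"}
VOWELS = set("aeiou")


def looks_random(name):
    """Heuristic (assumption) for machine-generated names: 8+ letters with a low
    vowel ratio or a long consonant run. Abbreviations such as wanmpsvc can trip
    it, so treat the result as a triage signal, not a verdict."""
    stem = name.lower().rsplit(".", 1)[0]
    if len(stem) < 8 or not stem.isalpha():
        return False
    vowel_ratio = sum(c in VOWELS for c in stem) / len(stem)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", stem)), default=0)
    return vowel_ratio < 0.25 or longest_run >= 5


def triage(log_text):
    """Return (indicator, detail) pairs for proxy, service and dropped-binary findings."""
    findings = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).upper()
            continue
        if PROXY_RE.search(line):
            findings.append(("proxy", line))
            continue
        if "SERVICES" in section:
            m = SERVICE_RE.match(line)
            if not m:
                continue
            start, name, _display, rest = m.groups()
            reasons = []
            if start not in KNOWN_START:
                reasons.append("unexpected start type %r" % start)
            if looks_random(name):
                reasons.append("random-looking name")
            if rest.rstrip().endswith(("[x]", "[?]")):
                reasons.append("image file missing or unverifiable")
            if reasons:
                findings.append(("service:" + name, "; ".join(reasons)))
        elif "CREATED" in section:
            m = CREATED_RE.match(line)
            if not m:
                continue
            pm = SYSTEM_BIN_RE.match(m.group(1))
            if pm:
                detail = "new binary in a Windows system directory"
                if looks_random(pm.group(1)):
                    detail += "; random-looking name"
                findings.append(("created:" + pm.group(1).lower(), detail))
    return findings


# Constructed sample: lines copied from the DDS logs in this thread plus benign entries.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.thebreastcancersite.com/clickToGive/home.faces?siteId=2
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>

================= FIREFOX ===================

FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 1

============= SERVICES / DRIVERS ===============

R0 Achernar;Achernar - SCSI Command Filters;c:\windows\system32\drivers\Achernar.sys [2004-12-30 16855]
S2 okqbsluvkogd;okqbsluvkogd;\??\c:\windows\system32\drivers\rfxcniyxsggs.sys --> c:\windows\system32\drivers\rfxcniyxsggs.sys [?]
S3 MmedFilter;MmedFilter;c:\windows\system32\drivers\MmedFilter.sys [2006-9-25 4096]
UnknownUnknown nrfhcvfdnxcgx;nrfhcvfdnxcgx; [x]

=============== Created Last 30 ================

2009-06-03 19:24 <DIR> --d----- C:\ComboFix
2009-05-28 15:04 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-05-11 18:06 389,120 a------- c:\windows\system32\CF20821.exe
2009-05-11 01:36 19,456 a------- c:\windows\system32\loader49.exe
2009-05-11 01:05 59,904 a------- c:\windows\system32\drivers\rfxcniyxsggs.sys
2009-05-11 20:15 445 a------- c:\windows\system32\win32hlp.cnf
"""

if __name__ == "__main__":
    for indicator, detail in triage(SAMPLE_LOG):
        print("%-28s %s" % (indicator, detail))
```

Run against the sample it reports both proxy lines, the two unknown services and the three binaries dropped under system32, and stays quiet on Achernar, MmedFilter and the dllcache update. A localhost proxy is worth acting on even before the rest is identified: every browser request, including any password typed into a login form, is being routed through whatever is listening on port 7171, which is why the advice in the next post to change passwords only from a clean machine applies.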


#4 random/random

  • Malware Response Team
  • 2,704 posts
  • Gender:Male

Posted 04 June 2009 - 10:02 AM

You have signs of a Keylogger on your computer.

You are strongly advised to do the following immediately:

1. Call all of your banks, credit card companies, and financial institutions. Inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer, because the attacker will get the new passwords and transaction information.

The infection you have is Koobface. See http://news.bbc.co.uk/newsbeat/hi/technolo...000/7773340.stm

...a virus designed to get hold of sensitive information like credit card details.


I went into Safe Mode and ran ComboFix, but I need the new version.


What's preventing you from running a new version? Follow these instructions:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
If you can't download combofix, then can you download it on another PC and transfer it across?

Post the combofix log as a reply to this topic.

#5 Catie G.
  • Topic Starter

  • Members
  • 10 posts

Posted 05 June 2009 - 03:46 AM

ComboFix 09-06-04.06 - Catie i 06/05/09 4:13.42 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1552 [GMT -4:00]
Running from: c:\documents and settings\Catie\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\9g2234wesdf3dfgjf23
c:\windows\ld08.exe
c:\windows\pp10.exe
c:\windows\system32\drivers\str.sys
c:\windows\system32\drivers\uleewocmdqdcyq.sys
c:\windows\system32\SYSDLL.exe
c:\windows\system32\sysloc
c:\windows\system32\sysloc\sysloc.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NRFHCVFDNXCGX


((((((((((((((((((((((((( Files Created from 2009-05-05 to 2009-06-05 )))))))))))))))))))))))))))))))
.

2009-06-04 07:01 . 2009-06-04 07:01 -------- d-----w- c:\documents and settings\Cathy\Local Settings\Application Data\PCM4Everio
2009-06-03 22:32 . 2009-06-03 22:32 2 ---h--w- c:\windows\ro122730.dat
2009-05-28 19:04 . 2009-03-06 14:22 284160 ------w- c:\windows\system32\dllcache\pdh.dll
2009-05-28 19:04 . 2009-02-09 12:10 401408 ------w- c:\windows\system32\dllcache\rpcss.dll
2009-05-28 19:04 . 2009-02-06 11:11 110592 ------w- c:\windows\system32\dllcache\services.exe
2009-05-28 19:04 . 2009-02-09 12:10 473600 ------w- c:\windows\system32\dllcache\fastprox.dll
2009-05-28 19:04 . 2009-02-06 10:10 227840 ------w- c:\windows\system32\dllcache\wmiprvse.exe
2009-05-28 19:04 . 2009-02-09 12:10 453120 ------w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-28 19:04 . 2009-02-09 12:10 729088 ------w- c:\windows\system32\dllcache\lsasrv.dll
2009-05-28 19:04 . 2009-02-09 12:10 617472 ------w- c:\windows\system32\dllcache\advapi32.dll
2009-05-28 19:04 . 2009-02-09 12:10 714752 ------w- c:\windows\system32\dllcache\ntdll.dll
2009-05-28 19:02 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-05-28 19:02 . 2008-04-21 12:08 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2009-05-26 21:25 . 2009-05-26 21:25 -------- d-----w- c:\documents and settings\LocalService\Application Data\CyberLink
2009-05-26 18:16 . 2009-06-05 04:50 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-05-26 03:52 . 2009-05-26 04:00 -------- d-----w- c:\documents and settings\Catie\Local Settings\Application Data\PCM4Everio
2009-05-26 03:52 . 2006-06-04 19:48 198144 ------w- c:\windows\system32\_psisdecd.dll
2009-05-26 03:51 . 2006-06-04 19:48 1047552 ------w- c:\windows\system32\MFC71u.dll
2009-05-26 03:50 . 2009-05-26 21:33 -------- d-----w- C:\MyWorks
2009-05-26 03:50 . 2009-05-26 03:50 -------- d-----w- c:\program files\Digital Photo Navigator 1.5
2009-05-23 19:13 . 2009-05-23 19:13 -------- d-----w- c:\documents and settings\Alison\Local Settings\Application Data\SupportSoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-04 17:17 . 2008-02-07 05:44 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-26 04:00 . 2004-11-21 20:38 46920 -c--a-w- c:\documents and settings\Catie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-26 04:00 . 2004-11-09 21:24 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2009-05-26 03:57 . 2004-11-09 21:25 -------- d-----w- c:\program files\CyberLink
2009-05-26 03:56 . 2004-11-09 21:23 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-19 08:03 . 2009-03-07 06:43 -------- d-----w- c:\program files\Celtx
2009-05-12 04:25 . 2004-11-09 21:25 -------- d-----w- c:\program files\Common Files\AOL
2009-04-10 22:38 . 2004-11-09 21:23 -------- d-----w- c:\program files\Java
2009-04-10 22:37 . 2009-04-10 22:37 152576 -c--a-w- c:\documents and settings\Catie\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-03-22 00:15 . 2009-03-22 00:15 503808 -c--a-w- c:\documents and settings\Christin\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-594f4f09-n\msvcp71.dll
2009-03-22 00:15 . 2009-03-22 00:15 499712 -c--a-w- c:\documents and settings\Christin\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-594f4f09-n\jmc.dll
2009-03-22 00:15 . 2009-03-22 00:15 348160 -c--a-w- c:\documents and settings\Christin\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-594f4f09-n\msvcr71.dll
2009-03-21 18:23 . 2009-03-21 18:23 503808 -c--a-w- c:\documents and settings\Catie\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-5a36613c-n\msvcp71.dll
2009-03-21 18:23 . 2009-03-21 18:23 499712 -c--a-w- c:\documents and settings\Catie\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-5a36613c-n\jmc.dll
2009-03-21 18:23 . 2009-03-21 18:23 348160 -c--a-w- c:\documents and settings\Catie\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-5a36613c-n\msvcr71.dll
2009-03-21 18:21 . 2009-03-21 18:21 152576 -c--a-w- c:\documents and settings\Catie\Application Data\Sun\Java\jre1.6.0_12\lzma.dll
2009-03-12 20:45 . 2009-03-12 20:45 179712 ----a-w- c:\windows\system32\cmmon32.dll
2009-03-12 20:13 . 2009-03-12 20:13 179712 ----a-w- c:\windows\system32\findstr.dll
2009-03-09 09:19 . 2008-11-22 16:34 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-03-08 20:12 . 2004-08-04 11:00 14336 ----a-w- c:\windows\system32\svchost.exe
2006-11-14 20:02 . 2006-11-14 20:02 0 -c--a-w- c:\program files\Common Files\err.log
2006-11-17 00:34 . 2006-11-17 00:34 944117 -csha-w- c:\windows\adrab.tmp
2005-12-10 06:37 . 2005-12-10 06:37 332461 -csha-w- c:\windows\SYSTEM32\ehkmp.tmp
2008-11-24 22:08 . 2004-11-17 23:41 848 -csha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
.

------- Sigcheck -------

[-] 2005-05-25 19:07 359936 63FDFEA54EB53DE2D863EE454937CE1E c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[-] 2006-01-13 17:07 360448 5562CC0A47B2AEF06D3417B733F3C195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[-] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2004-08-04 11:00 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB893066$\tcpip.sys
[-] 2005-05-25 19:04 359808 88763A98A4C26C409741B4AA162720C9 c:\windows\$NtUninstallKB913446$\tcpip.sys
[-] 2006-01-13 02:28 359808 583E063FDC888CA30D05C2724B0D7EF4 c:\windows\$NtUninstallKB917953$\tcpip.sys
[-] 2006-04-20 11:51 359808 1DBF125862891817F374F407626967F4 c:\windows\$NtUninstallKB941644$\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2007-10-30 17:20 360064 90CAFF4B094573449A0872A0F919B178 c:\windows\$NtUninstallKB951748_0$\tcpip.sys
[-] 2008-04-13 19:20 361344 ACCF5A9A1FFAA490F33DBA1C632B95E1 c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2008-06-20 11:51 361600 9425B72F40257B45D45D24773273DAD0 c:\windows\SYSTEM32\DLLCACHE\tcpip.sys
[-] 2008-06-20 11:51 361600 9425B72F40257B45D45D24773273DAD0 c:\windows\SYSTEM32\DRIVERS\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot_2009-06-03_23.25.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-04 17:45 . 2009-06-05 04:50 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2004-11-13 20:22 . 2009-06-05 04:50 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
- 2004-11-13 20:22 . 2009-06-03 23:02 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2004-11-13 20:22 . 2009-06-05 04:50 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
- 2004-11-13 20:22 . 2009-06-03 23:02 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2005-07-19 57344]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"msmsgs"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"HostManager"="c:\program files\Common Files\AOL\1156281517\ee\AOLSoftware.exe" [2006-09-26 50736]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"tgcmd"="c:\program files\support.com\bin\tgcmd.exe" [2003-02-28 1843200]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"pure networks port magic"="c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-04-05 99480]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"aoldialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"aol spyware protection"="c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-18 79448]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2005-07-19 40960]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-08-24 57344]
"EverioService"="c:\program files\CyberLink\PCM4Everio\EverioService.exe" [2007-11-01 151552]
"ituneshelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-12-21 278528]
"quicktime task"="c:\program files\QuickTime\qttask.exe" [2006-01-13 155648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10a.exe" [2008-10-05 235936]

c:\documents and settings\Christin\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-3-15 200704]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\spoolsv.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Viewpoint\\Common\\ViewpointService.exe"=
"c:\\Program Files\\America Online 9.0b\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jqs.exe"=
"c:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\WINDOWS\\SYSTEM32\\dla\\tfswctrl.exe"=
"c:\\Program Files\\Windows NT\\Accessories\\wordpad.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"=
"c:\\Program Files\\Common Files\\AOL\\1156281517\\EE\\aolsoftware.exe"=
"c:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"=
"c:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe"=
"c:\\Program Files\\America Online 9.0b\\shellmon.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R0 Achernar;Achernar - SCSI Command Filters;c:\windows\SYSTEM32\DRIVERS\Achernar.sys [12/30/04 2:08 AM 16855]
S2 nrfhcvfdnxcgx;nrfhcvfdnxcgx;\??\c:\windows\system32\drivers\uleewocmdqdcyq.sys --> c:\windows\system32\drivers\uleewocmdqdcyq.sys [?]
S2 okqbsluvkogd;okqbsluvkogd;\??\c:\windows\system32\drivers\rfxcniyxsggs.sys --> c:\windows\system32\drivers\rfxcniyxsggs.sys [?]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/10/08 5:49 PM 24652]
S3 Aldebaran;Aldebaran - SCSI Command Filters;c:\windows\SYSTEM32\DRIVERS\Aldebaran.sys [12/30/04 2:08 AM 21808]
S3 MmedFilter;MmedFilter;c:\windows\SYSTEM32\DRIVERS\MmedFilter.sys [9/25/06 5:37 PM 4096]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - NRFHCVFDNXCGX

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
cuusmfgo
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.thebreastcancersite.com/clickToGive/home.faces?siteId=2
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
LSP: connwsp.dll
FF - ProfilePath - c:\documents and settings\Catie\Application Data\Mozilla\Firefox\Profiles\q3tc4l9e.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.thebreastcancersite.com/clickToGive/home.faces?siteId=2
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-05 04:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(712)
c:\progra~1\WINDOW~2\wmpband.dll
.
Completion time: 2009-06-05 4:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-05 08:35
ComboFix2.txt 2009-06-04 17:40
ComboFix3.txt 2009-06-04 17:27
ComboFix4.txt 2009-06-04 06:53
ComboFix5.txt 2009-06-05 08:11

Pre-Run: 31,889,211,392 bytes free
Post-Run: 34,100,240,384 bytes free

Current=6 Default=6 Failed=2 LastKnownGood=7 Sets=1,2,5,6,7
226 --- E O F --- 2009-05-28 19:50

#6 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:38 PM

Posted 05 June 2009 - 06:17 PM

Open notepad and copy/paste the text in the codebox below into it:

http://www.bleepingcomputer.com/forums/t/226253/something-has-rendered-computer-useless-please-help-soon/
Collect::
c:\windows\pp10.exe
c:\windows\ro122730.dat
c:\windows\system32\drivers\rfxcniyxsggs.sys
c:\windows\system32\drivers\MmedFilter.sys
c:\windows\system32\win32hlp.cnf
c:\windows\system32\drivers\str.sys
c:\windows\system32\loader49.exe
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\drivers\\svchost.exe"=-
Driver::
nrfhcvfdnxcgx
okqbsluvkogd
MmedFilter
NetSvc::
cuusmfgo

Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.


#7 Catie G.

Catie G.
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:04:38 PM

Posted 06 June 2009 - 02:53 PM

ComboFix 09-06-05.09 - Catie t 06/06/09 13:47.43 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1556 [GMT -4:00]
Running from: c:\documents and settings\Catie\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Catie\Desktop\CFScript.txt

file zipped: c:\windows\ro122730.dat
file zipped: c:\windows\system32\drivers\MmedFilter.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\ro122730.dat
c:\windows\system32\drivers\MmedFilter.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MMEDFILTER
-------\Legacy_NRFHCVFDNXCGX
-------\Legacy_OKQBSLUVKOGD
-------\Service_MmedFilter
-------\Service_nrfhcvfdnxcgx
-------\Service_okqbsluvkogd


((((((((((((((((((((((((( Files Created from 2009-05-06 to 2009-06-06 )))))))))))))))))))))))))))))))
.

2009-06-04 07:01 . 2009-06-04 07:01 -------- d-----w- c:\documents and settings\Cathy\Local Settings\Application Data\PCM4Everio
2009-05-28 19:04 . 2009-03-06 14:22 284160 ------w- c:\windows\system32\dllcache\pdh.dll
2009-05-28 19:04 . 2009-02-09 12:10 401408 ------w- c:\windows\system32\dllcache\rpcss.dll
2009-05-28 19:04 . 2009-02-06 11:11 110592 ------w- c:\windows\system32\dllcache\services.exe
2009-05-28 19:04 . 2009-02-09 12:10 473600 ------w- c:\windows\system32\dllcache\fastprox.dll
2009-05-28 19:04 . 2009-02-06 10:10 227840 ------w- c:\windows\system32\dllcache\wmiprvse.exe
2009-05-28 19:04 . 2009-02-09 12:10 453120 ------w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-28 19:04 . 2009-02-09 12:10 729088 ------w- c:\windows\system32\dllcache\lsasrv.dll
2009-05-28 19:04 . 2009-02-09 12:10 617472 ------w- c:\windows\system32\dllcache\advapi32.dll
2009-05-28 19:04 . 2009-02-09 12:10 714752 ------w- c:\windows\system32\dllcache\ntdll.dll
2009-05-28 19:02 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-05-28 19:02 . 2008-04-21 12:08 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2009-05-26 21:25 . 2009-05-26 21:25 -------- d-----w- c:\documents and settings\LocalService\Application Data\CyberLink
2009-05-26 18:16 . 2009-06-06 16:52 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-05-26 03:52 . 2009-05-26 04:00 -------- d-----w- c:\documents and settings\Catie\Local Settings\Application Data\PCM4Everio
2009-05-26 03:52 . 2006-06-04 19:48 198144 ------w- c:\windows\system32\_psisdecd.dll
2009-05-26 03:51 . 2006-06-04 19:48 1047552 ------w- c:\windows\system32\MFC71u.dll
2009-05-26 03:50 . 2009-05-26 21:33 -------- d-----w- C:\MyWorks
2009-05-26 03:50 . 2009-05-26 03:50 -------- d-----w- c:\program files\Digital Photo Navigator 1.5
2009-05-23 19:13 . 2009-05-23 19:13 -------- d-----w- c:\documents and settings\Alison\Local Settings\Application Data\SupportSoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-04 17:17 . 2008-02-07 05:44 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-26 04:00 . 2004-11-21 20:38 46920 -c--a-w- c:\documents and settings\Catie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-26 04:00 . 2004-11-09 21:24 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2009-05-26 03:57 . 2004-11-09 21:25 -------- d-----w- c:\program files\CyberLink
2009-05-26 03:56 . 2004-11-09 21:23 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-19 08:03 . 2009-03-07 06:43 -------- d-----w- c:\program files\Celtx
2009-05-12 04:25 . 2004-11-09 21:25 -------- d-----w- c:\program files\Common Files\AOL
2009-04-10 22:38 . 2004-11-09 21:23 -------- d-----w- c:\program files\Java
2009-04-10 22:37 . 2009-04-10 22:37 152576 -c--a-w- c:\documents and settings\Catie\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-03-22 00:15 . 2009-03-22 00:15 503808 -c--a-w- c:\documents and settings\Christin\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-594f4f09-n\msvcp71.dll
2009-03-22 00:15 . 2009-03-22 00:15 499712 -c--a-w- c:\documents and settings\Christin\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-594f4f09-n\jmc.dll
2009-03-22 00:15 . 2009-03-22 00:15 348160 -c--a-w- c:\documents and settings\Christin\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-594f4f09-n\msvcr71.dll
2009-03-21 18:23 . 2009-03-21 18:23 503808 -c--a-w- c:\documents and settings\Catie\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-5a36613c-n\msvcp71.dll
2009-03-21 18:23 . 2009-03-21 18:23 499712 -c--a-w- c:\documents and settings\Catie\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-5a36613c-n\jmc.dll
2009-03-21 18:23 . 2009-03-21 18:23 348160 -c--a-w- c:\documents and settings\Catie\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-5a36613c-n\msvcr71.dll
2009-03-21 18:21 . 2009-03-21 18:21 152576 -c--a-w- c:\documents and settings\Catie\Application Data\Sun\Java\jre1.6.0_12\lzma.dll
2009-03-12 20:45 . 2009-03-12 20:45 179712 ----a-w- c:\windows\system32\cmmon32.dll
2009-03-12 20:13 . 2009-03-12 20:13 179712 ----a-w- c:\windows\system32\findstr.dll
2009-03-09 09:19 . 2008-11-22 16:34 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-03-08 20:12 . 2004-08-04 11:00 14336 ----a-w- c:\windows\system32\svchost.exe
2006-11-14 20:02 . 2006-11-14 20:02 0 -c--a-w- c:\program files\Common Files\err.log
2006-11-17 00:34 . 2006-11-17 00:34 944117 -csha-w- c:\windows\adrab.tmp
2005-12-10 06:37 . 2005-12-10 06:37 332461 -csha-w- c:\windows\SYSTEM32\ehkmp.tmp
2008-11-24 22:08 . 2004-11-17 23:41 848 -csha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
.

------- Sigcheck -------

[-] 2005-05-25 19:07 359936 63FDFEA54EB53DE2D863EE454937CE1E c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[-] 2006-01-13 17:07 360448 5562CC0A47B2AEF06D3417B733F3C195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[-] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2004-08-04 11:00 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB893066$\tcpip.sys
[-] 2005-05-25 19:04 359808 88763A98A4C26C409741B4AA162720C9 c:\windows\$NtUninstallKB913446$\tcpip.sys
[-] 2006-01-13 02:28 359808 583E063FDC888CA30D05C2724B0D7EF4 c:\windows\$NtUninstallKB917953$\tcpip.sys
[-] 2006-04-20 11:51 359808 1DBF125862891817F374F407626967F4 c:\windows\$NtUninstallKB941644$\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2007-10-30 17:20 360064 90CAFF4B094573449A0872A0F919B178 c:\windows\$NtUninstallKB951748_0$\tcpip.sys
[-] 2008-04-13 19:20 361344 ACCF5A9A1FFAA490F33DBA1C632B95E1 c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2008-06-20 11:51 361600 9425B72F40257B45D45D24773273DAD0 c:\windows\SYSTEM32\DLLCACHE\tcpip.sys
[-] 2008-06-20 11:51 361600 9425B72F40257B45D45D24773273DAD0 c:\windows\SYSTEM32\DRIVERS\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot_2009-06-03_23.25.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-06 17:53 . 2009-06-06 17:53 16384 c:\windows\temp\Perflib_Perfdata_7d4.dat
+ 2009-06-04 17:45 . 2009-06-05 04:50 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2004-11-13 20:22 . 2009-06-05 04:50 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
- 2004-11-13 20:22 . 2009-06-03 23:02 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2004-11-13 20:22 . 2009-06-05 04:50 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
- 2004-11-13 20:22 . 2009-06-03 23:02 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2005-07-19 57344]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"msmsgs"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"AOL Fast Start"="c:\program files\America Online 9.0b\AOL.EXE" [2005-07-12 50776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"HostManager"="c:\program files\Common Files\AOL\1156281517\ee\AOLSoftware.exe" [2006-09-26 50736]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"tgcmd"="c:\program files\support.com\bin\tgcmd.exe" [2003-02-28 1843200]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"pure networks port magic"="c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-04-05 99480]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"aoldialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"aol spyware protection"="c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-18 79448]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2005-07-19 40960]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-08-24 57344]
"EverioService"="c:\program files\CyberLink\PCM4Everio\EverioService.exe" [2007-11-01 151552]
"ituneshelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-12-21 278528]
"quicktime task"="c:\program files\QuickTime\qttask.exe" [2006-01-13 155648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10a.exe" [2008-10-05 235936]

c:\documents and settings\Christin\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-3-15 200704]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\spoolsv.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Viewpoint\\Common\\ViewpointService.exe"=
"c:\\Program Files\\America Online 9.0b\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jqs.exe"=
"c:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\WINDOWS\\SYSTEM32\\dla\\tfswctrl.exe"=
"c:\\Program Files\\Windows NT\\Accessories\\wordpad.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"=
"c:\\Program Files\\Common Files\\AOL\\1156281517\\EE\\aolsoftware.exe"=
"c:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"=
"c:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe"=
"c:\\Program Files\\America Online 9.0b\\shellmon.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R0 Achernar;Achernar - SCSI Command Filters;c:\windows\SYSTEM32\DRIVERS\Achernar.sys [12/30/04 2:08 AM 16855]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/10/08 5:49 PM 24652]
S3 Aldebaran;Aldebaran - SCSI Command Filters;c:\windows\SYSTEM32\DRIVERS\Aldebaran.sys [12/30/04 2:08 AM 21808]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.thebreastcancersite.com/clickToGive/home.faces?siteId=2
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
LSP: connwsp.dll
FF - ProfilePath - c:\documents and settings\Catie\Application Data\Mozilla\Firefox\Profiles\q3tc4l9e.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.thebreastcancersite.com/clickToGive/home.faces?siteId=2
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-06 14:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(872)
c:\windows\system32\connwsp.dll

- - - - - - - > 'explorer.exe'(732)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\mshtml.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\windows\wanmpsvc.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\program files\Common Files\AOL\1156281517\EE\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\America Online 9.0b\waol.exe
c:\program files\HP\hpcoretech\comp\hptskmgr.exe
c:\program files\America Online 9.0b\shellmon.exe
.
**************************************************************************
.
Completion time: 2009-06-06 14:13 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-06 18:12
ComboFix2.txt 2009-06-05 08:35
ComboFix3.txt 2009-06-04 17:40
ComboFix4.txt 2009-06-04 17:27
ComboFix5.txt 2009-06-06 17:45

Pre-Run: 31,740,252,160 bytes free
Post-Run: 31,946,944,512 bytes free

Current=6 Default=6 Failed=2 LastKnownGood=7 Sets=1,2,3,5,6,7
239 --- E O F --- 2009-05-28 19:50

#8 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:38 PM

Posted 07 June 2009 - 06:41 PM

Please upload this file:

c:\windows\SYSTEM32\DRIVERS\tcpip.sys

To either jotti or virustotal

Then copy and paste the results as a reply to this topic, along with a description of any remaining problems.

Edited by random/random, 07 June 2009 - 06:42 PM.


#9 Catie G.

Catie G.
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:04:38 PM

Posted 07 June 2009 - 07:03 PM

http://virusscan.jotti.org/en/scanresult/0...18fe73b0daca99e

My Firefox Browser still doesn't work. It says, "Firefox is configured to use a proxy server that is refusing connections." And my computer is just being slow and heating up quickly in general. But I can now sign onto my name at least. I'm afraid to check on my other family members accounts on the computer because when my sister signed onto hers that's when it all started.

#10 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:38 PM

Posted 09 June 2009 - 11:34 AM

Open up firefox and then go to Tools > Advanced > Network and then click on Settings, and then check the proxy settings. You can change it to No Proxy and then see if firefox works properly.
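As an added example (not from this thread and not ComboFix's own code), here is a small Python checker that reads the "Supplementary Scan" lines quoted in the logs above and flags the pattern the proxy advice is working around: the WinINet/IE proxy and Firefox's prefs.js both forced through the same loopback port, plus a Winsock LSP that is not one of Windows' own. The sample lines are constructed from the log above; the short LSP allow-list is an assumption of this example.

```python
"""Flag proxy-hijack indicators in a ComboFix 'Supplementary Scan' section.

Added example, not code from the thread or from ComboFix. The sample text
below is constructed from the entries visible in the log above.
"""
import re

# Constructed sample: the lines ComboFix prints under
# "------- Supplementary Scan -------" in the log posted above.
SAMPLE_LOG = """\
uStart Page = hxxp://www.thebreastcancersite.com/clickToGive/home.faces?siteId=2
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
LSP: connwsp.dll
FF - ProfilePath - c:\\documents and settings\\Catie\\Application Data\\Mozilla\\Firefox\\Profiles\\q3tc4l9e.default\\
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 1
"""

# Winsock LSPs that ship with Windows XP. This allow-list is an assumption
# of the example (deliberately short); anything not on it deserves a look.
KNOWN_LSPS = {"mswsock.dll", "rsvpsp.dll", "winrnr.dll"}

LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def parse_supplementary(text):
    """Collect the proxy, prefs.js and LSP entries from the section text."""
    found = {"lsp": []}
    for line in text.splitlines():
        m = re.match(r"[um]Internet Settings,(\w+) = (.*)", line)
        if m:                                   # WinINet (IE) setting
            found["ie." + m.group(1)] = m.group(2).strip()
            continue
        m = re.match(r"FF - prefs\.js: (\S+) - (.*)", line)
        if m:                                   # Firefox prefs.js entry
            found["ff." + m.group(1)] = m.group(2).strip()
            continue
        m = re.match(r"LSP: (\S+)", line)
        if m:                                   # Winsock layered provider
            found["lsp"].append(m.group(1))
    return found


def ie_proxy_port(found):
    """Return the loopback port IE is forced through, or None."""
    value = found.get("ie.ProxyServer", "")
    # Forms seen: "http=localhost:7171" or a bare "host:port".
    for part in value.split(";"):
        part = part.split("=", 1)[-1]
        host, _, port = part.rpartition(":")
        if host.lower() in LOOPBACK and port.isdigit():
            return int(port)
    return None


def ff_proxy_port(found):
    """Return the loopback port Firefox's manual proxy points at, or None.

    network.proxy.type 1 is "Manual proxy configuration"; the "No Proxy"
    radio button in Tools > Options > Advanced > Network sets it to 0.
    """
    if found.get("ff.network.proxy.type") != "1":
        return None
    if found.get("ff.network.proxy.http", "").lower() not in LOOPBACK:
        return None
    port = found.get("ff.network.proxy.http_port", "")
    return int(port) if port.isdigit() else None


def find_indicators(text):
    """Return human-readable findings for one Supplementary Scan section."""
    found = parse_supplementary(text)
    hits = []
    ie_port = ie_proxy_port(found)
    ff_port = ff_proxy_port(found)
    if ie_port is not None:
        hits.append(f"IE proxy forced to loopback port {ie_port}")
    if ff_port is not None:
        hits.append(f"Firefox manual proxy to loopback port {ff_port}")
    if ie_port is not None and ie_port == ff_port:
        hits.append("both browsers use the same local port: one interception process is likely")
    for dll in found["lsp"]:
        if dll.lower() not in KNOWN_LSPS:
            hits.append(f"non-standard Winsock LSP: {dll}")
    return hits


if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_LOG):
        print("-", hit)
```

Run against the sample it reports the two loopback proxies, their shared port, and connwsp.dll; once the proxy is removed and no proxy process listens on that port, the "refusing connections" message in Firefox disappears.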
