Win32???? " Warning your computer contains"


  • This topic is locked
14 replies to this topic

#1 note_eater
  • Members
  • 7 posts

Posted 27 June 2009 - 01:11 PM

I have unknown malware on the children's computer. It did not have protection and was infected. A window pops up with the display "warning!!! your computer contains various signs of viruses and malware programs presense" and it directs you to onlinespywarescan.net.

I have tried to download Spybot and various other tools, and the malware will not allow the programs to run. I finally resorted to an online scan with EBT. After the scan it said it had found:
VBS/Disabler.nab trojan
Win32/Agent.Crv trojan
Win32/Powerreg application

etc...

I chose for the scan to delete the files, but I am still infected. Here are my scans:


DDS (Ver_09-06-26.01) - NTFSx86
Run by Robyn at 12:55:26.37 on Sat 06/27/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.479.100 [GMT -5:00]

AV: Webroot AntiVirus with AntiSpyware *On-access scanning disabled* (Outdated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}

============== Running Processes ===============

C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Robyn\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://search.bearshare.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
TB: {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - No File
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\companion\modules\messmod4\v6\yhexbmes.dll
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [A00F4DBD5.exe] c:\docume~1\robyn\locals~1\temp\_A00F4DBD5.exe
uRun: [A00F6B891E1.exe] c:\docume~1\robyn\locals~1\temp\_A00F6B891E1.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SiS Windows KeyHook] c:\windows\system32\keyhook.exe
mRun: [SiSUSBRG] c:\windows\SiSUSBrg.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [BellSouthAlertManager.exe] c:\program files\bellsouth\alert manager\BellSouthAlertManager.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [HelpCenter4.1] c:\program files\fastaccessdsl\helpcenter43\bin\sprtcmd.exe /P HelpCenter4.1
mRun: [SpySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: b3b1584623 - c:\windows\system32\drmclien32.dll
Notify: __c004A961 - c:\windows\system32\__c004A961.dat
Notify: __c0077D9 - c:\windows\system32\__c0077D9.dat
AppInit_DLLs: c:\windows\system32\drmclien32.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\robyn\applic~1\mozilla\firefox\profiles\fw3sdo23.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.geocities.com/note_eater/index
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-4-21 29808]
S3 FXDRV;FXDRV;\??\d:\fxdrv.sys --> d:\Fxdrv.sys [?]

=============== Created Last 30 ================

2009-06-27 11:38 <DIR> --dsh--- c:\windows\system32\SystemX86
2009-06-27 10:38 27,648 a------- c:\windows\system32\__c003089.dat
2009-06-26 23:21 374,272 a--sh--- c:\windows\system32\34D.tmp
2009-06-26 03:36 <DIR> --d----- c:\program files\ESET
2009-06-26 03:24 27,648 a------- c:\windows\system32\__c0077D9.dat
2009-06-26 03:24 <DIR> --dsh--- c:\documents and settings\robyn\PrivacIE
2009-06-26 03:21 <DIR> --d----- c:\program files\Panda Security
2009-06-26 03:20 <DIR> --dsh--- c:\documents and settings\robyn\IETldCache
2009-06-26 02:32 <DIR> --d----- c:\windows\ie8updates
2009-06-26 02:31 <DIR> -cd-h--- c:\windows\ie8
2009-06-26 02:29 102,912 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-06-26 02:29 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-06-26 02:29 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-06-26 02:29 1,985,024 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-06-26 02:29 11,064,832 -c------ c:\windows\system32\dllcache\ieframe.dll
2009-06-25 11:04 <DIR> --d----- c:\program files\MSSOAP
2009-06-25 11:03 1,563,008 a------- c:\windows\WRSetup.dll
2009-06-25 11:03 <DIR> --d----- c:\program files\Webroot
2009-06-25 11:03 <DIR> --d----- c:\docume~1\robyn\applic~1\Webroot
2009-06-25 11:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Webroot
2009-06-25 10:59 164 a------- c:\windows\install.dat
2009-06-25 10:13 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-06-25 10:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-06-25 10:03 127 a------- c:\windows\system32\MRT.INI
2009-06-25 10:03 <DIR> --d----- c:\windows\system32\MpEngineStore
2009-06-25 01:47 18,068 a------- c:\windows\GnuHashes.ini
2009-06-25 01:40 615 a------- c:\windows\system32\qMgjlvGlRK6bDm5.vbs
2009-06-25 01:40 615 a------- c:\windows\system32\uqjkWemk45G0m.vbs
2009-06-25 01:39 615 a------- c:\windows\system32\MmEreUOMmr367xC.vbs
2009-06-25 01:39 615 a------- c:\windows\system32\gqVfGa2Oxpa96.vbs
2009-06-25 01:39 1,865 a--sh--- c:\windows\system32\GroupPolicy000.dat
2009-06-25 01:39 143,360 a------- c:\windows\system32\drmclien32.dll
2009-06-25 01:27 750 a------- c:\windows\ST5UNST.000
2009-06-25 01:27 0 a------- c:\windows\SETUP.LST
2009-06-25 00:58 <DIR> --d----- c:\docume~1\robyn\applic~1\FrostWire
2009-06-25 00:57 73,728 a------- c:\windows\system32\javacpl.cpl
2009-06-25 00:55 <DIR> --d----- c:\program files\FrostWire
2009-05-29 10:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\3136B

==================== Find3M ====================

2009-05-24 06:00 530,083 a------- C:\HC4DecommissionScheduler.exe
2009-05-13 00:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 10:44 344,064 a------- c:\windows\system32\localspl.dll
2009-04-17 04:58 1,846,656 a------- c:\windows\system32\win32k.sys
2009-04-15 10:11 584,192 a------- c:\windows\system32\rpcrt4.dll
2009-02-17 13:46 17,144 a------- c:\docume~1\robyn\applic~1\GDIPFONTCACHEV1.DAT
2002-09-11 09:26 63,730 a------- c:\program files\viewsonicinstruct_xp.pdf

============= FINISH: 12:57:41.87 ===============


and attached ....

Attached Files




#2 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts


Posted 01 July 2009 - 08:03 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#3 note_eater
  • Topic Starter
  • Members
  • 7 posts


Posted 02 July 2009 - 12:18 AM

The problem has not been fixed. I have not tried to fix it on my own after I posted my post, as per instruction. The situation is still the same.

DDS


DDS (Ver_09-06-26.01) - NTFSx86
Run by Robyn at 0:10:54.96 on Thu 07/02/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.479.145 [GMT -5:00]

AV: Webroot AntiVirus with AntiSpyware *On-access scanning disabled* (Outdated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}

============== Running Processes ===============

C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\Robyn\LOCALS~1\Temp\msgup900_2162_us_v2.exe
C:\DOCUME~1\Robyn\LOCALS~1\Temp\nsg3C8.tmp\msgup_us.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\Robyn\Desktop\dds(2).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://search.bearshare.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
TB: {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - No File
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\companion\modules\messmod4\v6\yhexbmes.dll
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [A00F4DBD5.exe] c:\docume~1\robyn\locals~1\temp\_A00F4DBD5.exe
uRun: [A00F6B891E1.exe] c:\docume~1\robyn\locals~1\temp\_A00F6B891E1.exe
uRun: [A00FA5F509E.exe] c:\docume~1\robyn\locals~1\temp\_A00FA5F509E.exe
uRun: [A00FBE6EE86.exe] c:\docume~1\robyn\locals~1\temp\_A00FBE6EE86.exe
uRun: [A00FC52FD7D.exe] c:\docume~1\robyn\locals~1\temp\_A00FC52FD7D.exe
uRun: [A00FD5E8AF5.exe] c:\docume~1\robyn\locals~1\temp\_A00FD5E8AF5.exe
uRun: [A00FE5399F1.exe] c:\docume~1\robyn\locals~1\temp\_A00FE5399F1.exe
uRun: [A00F1117B5B3.exe] c:\docume~1\robyn\locals~1\temp\_A00F1117B5B3.exe
uRun: [A00F11A12626.exe] c:\docume~1\robyn\locals~1\temp\_A00F11A12626.exe
uRun: [A00F11A79D2D.exe] c:\docume~1\robyn\locals~1\temp\_A00F11A79D2D.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SiS Windows KeyHook] c:\windows\system32\keyhook.exe
mRun: [SiSUSBRG] c:\windows\SiSUSBrg.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [BellSouthAlertManager.exe] c:\program files\bellsouth\alert manager\BellSouthAlertManager.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [HelpCenter4.1] c:\program files\fastaccessdsl\helpcenter43\bin\sprtcmd.exe /P HelpCenter4.1
mRun: [SpySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: b3b1584623 - c:\windows\system32\drmclien32.dll
Notify: __c004A961 - c:\windows\system32\__c004A961.dat
Notify: __c0077D9 - c:\windows\system32\__c0077D9.dat
AppInit_DLLs: c:\windows\system32\drmclien32.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\robyn\applic~1\mozilla\firefox\profiles\fw3sdo23.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.geocities.com/note_eater/index
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-4-21 29808]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2009-6-25 1205760]
S3 FXDRV;FXDRV;\??\d:\fxdrv.sys --> d:\Fxdrv.sys [?]

=============== Created Last 30 ================

2009-07-02 00:09 <DIR> --d-h--- c:\windows\PIF
2009-06-29 13:35 27,648 a------- c:\windows\system32\__c001753B.dat
2009-06-29 13:28 27,648 a------- c:\windows\system32\__c008D3CD.dat
2009-06-29 10:58 27,648 a------- c:\windows\system32\__c00D34E4.dat
2009-06-28 22:05 27,648 a------- c:\windows\system32\__c00E78DF.dat
2009-06-28 17:37 27,648 a------- c:\windows\system32\__c00E1B2A.dat
2009-06-28 12:45 27,648 a------- c:\windows\system32\__c00F0031.dat
2009-06-28 10:47 27,648 a------- c:\windows\system32\__c0091809.dat
2009-06-28 03:39 27,648 a------- c:\windows\system32\__c00D7A6B.dat
2009-06-28 01:06 56 a------- C:\xcrashdump.dat
2009-06-27 11:38 <DIR> --dsh--- c:\windows\system32\SystemX86
2009-06-27 10:38 27,648 a------- c:\windows\system32\__c003089.dat
2009-06-26 23:21 374,272 a--sh--- c:\windows\system32\34D.tmp
2009-06-26 03:36 <DIR> --d----- c:\program files\ESET
2009-06-26 03:24 27,648 a------- c:\windows\system32\__c0077D9.dat
2009-06-26 03:24 <DIR> --dsh--- c:\documents and settings\robyn\PrivacIE
2009-06-26 03:21 <DIR> --d----- c:\program files\Panda Security
2009-06-26 03:20 <DIR> --dsh--- c:\documents and settings\robyn\IETldCache
2009-06-26 02:32 <DIR> --d----- c:\windows\ie8updates
2009-06-26 02:31 <DIR> -cd-h--- c:\windows\ie8
2009-06-26 02:29 102,912 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-06-26 02:29 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-06-26 02:29 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-06-26 02:29 1,985,024 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-06-26 02:29 11,064,832 -c------ c:\windows\system32\dllcache\ieframe.dll
2009-06-25 11:04 <DIR> --d----- c:\program files\MSSOAP
2009-06-25 11:03 1,563,008 a------- c:\windows\WRSetup.dll
2009-06-25 11:03 <DIR> --d----- c:\program files\Webroot
2009-06-25 11:03 <DIR> --d----- c:\docume~1\robyn\applic~1\Webroot
2009-06-25 11:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Webroot
2009-06-25 10:59 164 a------- c:\windows\install.dat
2009-06-25 10:13 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-06-25 10:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-06-25 10:03 127 a------- c:\windows\system32\MRT.INI
2009-06-25 10:03 <DIR> --d----- c:\windows\system32\MpEngineStore
2009-06-25 01:47 17,428 a------- c:\windows\GnuHashes.ini
2009-06-25 01:40 615 a------- c:\windows\system32\qMgjlvGlRK6bDm5.vbs
2009-06-25 01:40 615 a------- c:\windows\system32\uqjkWemk45G0m.vbs
2009-06-25 01:39 615 a------- c:\windows\system32\MmEreUOMmr367xC.vbs
2009-06-25 01:39 615 a------- c:\windows\system32\gqVfGa2Oxpa96.vbs
2009-06-25 01:39 1,865 a--sh--- c:\windows\system32\GroupPolicy000.dat
2009-06-25 01:39 143,360 a------- c:\windows\system32\drmclien32.dll
2009-06-25 01:27 750 a------- c:\windows\ST5UNST.000
2009-06-25 01:27 0 a------- c:\windows\SETUP.LST
2009-06-25 00:58 <DIR> --d----- c:\docume~1\robyn\applic~1\FrostWire
2009-06-25 00:57 73,728 a------- c:\windows\system32\javacpl.cpl
2009-06-25 00:55 <DIR> --d----- c:\program files\FrostWire

==================== Find3M ====================

2009-05-24 06:00 530,083 a------- C:\HC4DecommissionScheduler.exe
2009-05-13 00:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 10:44 344,064 a------- c:\windows\system32\localspl.dll
2009-04-17 04:58 1,846,656 a------- c:\windows\system32\win32k.sys
2009-04-15 10:11 584,192 a------- c:\windows\system32\rpcrt4.dll
2009-02-17 13:46 17,144 a------- c:\docume~1\robyn\applic~1\GDIPFONTCACHEV1.DAT
2002-09-11 09:26 63,730 a------- c:\program files\viewsonicinstruct_xp.pdf

============= FINISH: 0:11:35.81 ===============


dds attached

Attached Files
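The two DDS logs above carry the same handful of persistence indicators that the helper's fix later in the thread acts on: HKCU Run values that launch random-named executables out of the user's Temp folder, Winlogon Notify packages that point at .dat files (or at a DLL that is also registered in AppInit_DLLs), a populated AppInit_DLLs value, and a toolbar CLSID with "No File". As an added example, and not part of the original thread or of DDS or OTM themselves, the Python below applies exactly that reading to a constructed excerpt of the "Pseudo HJT Report" section and renders the findings in OTM's script syntax (the ":files" / ":reg" / ":commands" form used by the helper). The excerpt, the temp-directory and non-DLL heuristics, and the regular expressions (which assume the exact line formats shown in the log) are the editor's assumptions for illustration.

```python
import re
from collections import OrderedDict

# Constructed excerpt in DDS "Pseudo HJT Report" format, modelled on the
# entries in the logs posted above (sample input, not the full log).
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
uRun: [A00F4DBD5.exe] c:\docume~1\robyn\locals~1\temp\_A00F4DBD5.exe
uRun: [A00F6B891E1.exe] c:\docume~1\robyn\locals~1\temp\_A00F6B891E1.exe
mRun: [SoundMan] SOUNDMAN.EXE
TB: {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - No File
Notify: b3b1584623 - c:\windows\system32\drmclien32.dll
Notify: __c004A961 - c:\windows\system32\__c004A961.dat
AppInit_DLLs: c:\windows\system32\drmclien32.dll
"""

# Line formats as DDS prints them (assumed from the logs above).
RUN_RE = re.compile(r"^(?P<hive>[um])Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.exe)"?', re.IGNORECASE)
ORPHAN_RE = re.compile(r"^(?P<kind>TB|BHO): .*?\{(?P<clsid>[0-9A-Fa-f-]{36})\} - No File$")
NOTIFY_RE = re.compile(r"^Notify: (?P<key>\S+) - (?P<dll>.+)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs: (?P<dlls>.+)$")

# Registry locations behind each DDS line type.
RUN_KEY = {"u": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
           "m": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
TOOLBAR_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar"

# Heuristic (editor's assumption): a logon autostart whose executable
# lives under a Temp directory is treated as malicious.
TEMP_MARKER = "\\temp\\"


def _split_dlls(value):
    """AppInit_DLLs may list several DLLs separated by spaces or commas."""
    return [d for d in re.split(r"[ ,]+", value.strip()) if d]


def triage(log_text):
    """Return (kind, data) findings: Run entries launched from Temp, Winlogon
    Notify packages that are not DLLs or that double as AppInit_DLLs, any
    populated AppInit_DLLs, and orphaned toolbar/BHO CLSIDs."""
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    appinit = []
    for line in lines:                      # first pass: AppInit_DLLs is global
        m = APPINIT_RE.match(line)
        if m:
            appinit += [d.lower() for d in _split_dlls(m.group("dlls"))]
    findings = []
    for line in lines:
        m = RUN_RE.match(line)
        if m:
            exe = EXE_RE.match(m.group("cmd"))
            path = exe.group("path") if exe else m.group("cmd")
            if TEMP_MARKER in path.lower():
                findings.append(("run", {"hive": m.group("hive"),
                                         "name": m.group("name"), "path": path}))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            dll = m.group("dll")
            if not dll.lower().endswith(".dll") or dll.lower() in appinit:
                findings.append(("notify", {"key": m.group("key"), "path": dll}))
            continue
        m = APPINIT_RE.match(line)
        if m:
            findings.append(("appinit", {"paths": _split_dlls(m.group("dlls"))}))
            continue
        m = ORPHAN_RE.match(line)
        if m:
            findings.append(("orphan", {"kind": m.group("kind"), "clsid": m.group("clsid")}))
    return findings


def otm_script(findings):
    """Render findings in OTM script syntax: files to delete, registry values
    to remove ("name"=-), whole keys to delete ([-key]), AppInit_DLLs reset."""
    files, reg, run_values = OrderedDict(), [], OrderedDict()
    for kind, d in findings:
        if kind == "run":
            files.setdefault(d["path"].lower(), d["path"])
            run_values.setdefault(RUN_KEY[d["hive"]], []).append(d["name"])
        elif kind == "notify":
            files.setdefault(d["path"].lower(), d["path"])
            reg.append("[-%s\\%s]" % (NOTIFY_KEY, d["key"]))
        elif kind == "appinit":
            for p in d["paths"]:
                files.setdefault(p.lower(), p)
            reg.append('[%s]\n"AppInit_DLLs"=""' % WINDOWS_KEY)
        elif kind == "orphan" and d["kind"] == "TB":
            reg.append('[%s]\n"{%s}"=-' % (TOOLBAR_KEY, d["clsid"]))
    for key, names in run_values.items():
        reg.append("[%s]\n%s" % (key, "\n".join('"%s"=-' % n for n in names)))
    return "\n".join([":files", *files.values(), ":reg", *reg,
                      ":commands", "[EmptyTemp]", "[Reboot]"])


if __name__ == "__main__":
    print(otm_script(triage(SAMPLE_LOG)))
```

The script only reasons about the log text; it does not touch the machine, and its output is meant to be reviewed by a person before anything is run, exactly as the helper reviews the log before posting a fix. Ordinary Run entries (ctfmon.exe, the Yahoo! Pager line) fall through the Temp heuristic untouched, while the DLL named in both a Notify entry and AppInit_DLLs is listed once under ":files" and has both registrations removed.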



#4 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts


Posted 03 July 2009 - 06:30 AM

Hi!

My name is etavares and I will be helping you with your log.

Please give me a little time to go through your log. I'd also like to let you know that I am in training here at BC. At each stage of the process, my work will be checked by an expert coach. That means there may be a slight delay between my responses as they check it. Don't worry, we won't leave you.

Here's a few things to get started:
  • Please subscribe to this topic, if you haven't already, and wait for me to get back to you, within the next day or two.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible. I see you've mentioned that you haven't since you're following the instructions. Thanks! That will make it easier for us to work to solve the issues.



Thanks!




#5 etavares


    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts


Posted 03 July 2009 - 11:27 AM

Hi note_eater


One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.


I don't see an antivirus program running on your machine.
  • Download and install an antivirus program, and make sure that you keep it updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Two good antivirus programs free for non-commercial home use are Avast! and Antivir
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

The log shows that you have been using so-called peer-to-peer or file-sharing programmes (in your case FrostWire). These programmes allow users to share files between each other, as the name suggests. In today's world, cybercrime has come a long way, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with great care.



So, let's start to attack the malware.


We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Posted Image and then on "Advanced Mode"
    Posted Image
  • You may be presented with a warning dialog. If so, press Posted Image
  • Click on Posted Image
  • Click on Posted Image
  • Uncheck this checkbox:
    Posted Image
  • Close/Exit Spybot Search and Destroy

We need to execute an OTM script
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the Posted Image icon on your desktop.
  • Paste the following code under the Posted Image area. Do not include the word "Code".
    :processes
    msgup900_2162_us_v2.exe
    msgup_us.exe
    :files
    C:\DOCUME~1\Robyn\LOCALS~1\Temp\msgup900_2162_us_v2.exe
    C:\DOCUME~1\Robyn\LOCALS~1\Temp\nsg3C8.tmp\
    C:\DOCUME~1\Robyn\LOCALS~1\Temp\_A00F4DBD5.exe
    C:\DOCUME~1\Robyn\LOCALS~1\Temp\_A00F6B891E1.exe
    C:\DOCUME~1\Robyn\LOCALS~1\Temp\_A00FA5F509E.exe
    C:\DOCUME~1\Robyn\LOCALS~1\Temp\_A00FBE6EE86.exe
    C:\DOCUME~1\Robyn\LOCALS~1\Temp\_A00FC52FD7D.exe
    C:\DOCUME~1\Robyn\LOCALS~1\Temp\_A00FD5E8AF5.exe
    C:\DOCUME~1\Robyn\LOCALS~1\Temp\_A00FE5399F1.exe
    C:\DOCUME~1\Robyn\LOCALS~1\Temp\_A00F1117B5B3.exe
    C:\DOCUME~1\Robyn\LOCALS~1\Temp\_A00F11A12626.exe
    C:\DOCUME~1\Robyn\LOCALS~1\Temp\_A00F11A79D2D.exe
    c:\windows\system32\drmclien32.dll
    c:\windows\system32\__c004A961.dat
    C:\windows\system32\__c0077D9.dat
    c:\windows\system32\__c001753B.dat
    c:\windows\system32\__c008D3CD.dat
    c:\windows\system32\__c00D34E4.dat
    C:\windows\system32\__c00E78DF.dat
    c:\windows\system32\__c00E1B2A.dat
    c:\windows\system32\__c00F0031.dat
    c:\windows\system32\__c0091809.dat
    c:\windows\system32\__c00D7A6B.dat
    c:\windows\system32\__c003089.dat
    c:\windows\system32\34D.tmp
    c:\windows\system32\qMgjlvGlRK6bDm5.vbs
    c:\windows\system32\uqjkWemk45G0m.vbs
    c:\windows\system32\MmEreUOMmr367xC.vbs
    c:\windows\system32\gqVfGa2Oxpa96.vbs
    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E}"=-
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "A00F4DBD5.exe"=-
    "A00F6B891E1.exe"=-
    "A00FA5F509E.exe"=-
    "A00FBE6EE86.exe"=-
    "A00FC52FD7D.exe"=-
    "A00FD5E8AF5.exe"=-
    "A00FE5399F1.exe"=-
    "A00F1117B5B3.exe"=-
    "A00F11A12626.exe"=-
    "A00F11A79D2D.exe"=-
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\b3b1584623]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c004A961]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0077D9]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""
    :commands
    [EmptyTemp]
    [Reboot]
  • Push the large Posted Image button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, enter *.log in the File Name box and press Enter, navigate to the C:\_OTM\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post. Please also post a fresh RSIT log as well.




Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If you are using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

If you are unable to run MBAM, please go to this folder: C:\Program Files\Malwarebytes' Anti-Malware\ and rename MBAM.exe to noteeater.exe or something else, then double-click that file to run it.


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.


Please reply to this post with:
  • OTM log
  • MBAM log
  • GMER log
  • a new DDS log
  • list of any remaining issues and symptoms on the computer
Thanks!


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
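
The OTM script in the post above removes three kinds of autostart entry at once: HKCU Run values that launch random-named executables out of the user's Temp folder, Winlogon\Notify packages whose "DLL" is a random-named .dat file in system32, and an AppInit_DLLs value that gets drmclien32.dll loaded into every process linking user32.dll (one reason security tools on such a machine die as soon as they start). The Python script below is an added example written for this thread; it is not part of the original post, of OTM or of Malwarebytes. It audits those same three locations with heuristics derived from the entries the script targets. On Windows it reads the live registry through winreg; elsewhere it runs against a constructed snapshot of the values from this thread. The pairing of each Run value with the Temp file of the same name, the DLLName values given for the Notify packages, and the benign ctfmon.exe and crypt32chain entries are assumptions.

```python
"""Audit the autostart locations cleaned by the OTM script in this thread.

Added example for this thread, not code from the original post, OTM or
Malwarebytes. Heuristics are the editor's, derived from what the script
removes: Run values launching from Temp under random names, random-named
Winlogon Notify packages or ones whose DLLName is not a .dll, and a
non-empty AppInit_DLLs (empty on a clean XP install).
"""
import re
import sys
from dataclasses import dataclass

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
NOTIFY_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
WINDOWS_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

# Name shapes from this thread (A00F<hex>.exe, __c00<hex>[.dat]) plus any
# bare hex token of 8+ characters, like the b3b1584623 Notify package.
RANDOM_NAME = re.compile(
    r"^(_?A00F[0-9A-F]+\.exe|__c00[0-9A-F]+(\.dat)?|[0-9A-F]{8,})$", re.I)
TEMP_PATH = re.compile(r"\\(LOCALS~1|Local Settings)\\Temp\\", re.I)


@dataclass(frozen=True)
class Finding:
    location: str
    name: str
    data: str
    reason: str


def audit(snap):
    """snap = {"run": {name: cmd}, "notify": {package: DLLName}, "appinit": str}."""
    out = []
    for name, cmd in snap["run"].items():
        if TEMP_PATH.search(cmd):
            out.append(Finding("HKCU Run", name, cmd, "launches from a Temp folder"))
        elif RANDOM_NAME.match(name):
            out.append(Finding("HKCU Run", name, cmd, "random hex value name"))
    for pkg, dll in snap["notify"].items():
        if RANDOM_NAME.match(pkg):
            out.append(Finding("Winlogon Notify", pkg, dll, "random hex package name"))
        elif not dll.lower().endswith(".dll"):
            out.append(Finding("Winlogon Notify", pkg, dll, "DLLName is not a .dll"))
    if snap["appinit"].strip():
        out.append(Finding("AppInit_DLLs", "AppInit_DLLs", snap["appinit"],
                           "non-empty; loaded into every user32 process"))
    return out


def _enum(fn, key):
    # Yield fn(key, 0), fn(key, 1), ... until winreg signals end of list.
    i = 0
    while True:
        try:
            yield fn(key, i)
        except OSError:
            return
        i += 1


def collect_live():
    """Read the three locations from the live registry (Windows only)."""
    import winreg
    snap = {"run": {}, "notify": {}, "appinit": ""}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as k:
        for name, data, _ in _enum(winreg.EnumValue, k):
            snap["run"][name] = str(data)
    try:  # Notify packages exist on XP/2003; the key is gone from Vista on.
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, NOTIFY_KEY) as k:
            for sub in _enum(winreg.EnumKey, k):
                try:
                    with winreg.OpenKey(k, sub) as s:
                        snap["notify"][sub] = str(winreg.QueryValueEx(s, "DLLName")[0])
                except OSError:
                    snap["notify"][sub] = ""
    except OSError:
        pass
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINDOWS_KEY) as k:
        try:
            snap["appinit"] = str(winreg.QueryValueEx(k, "AppInit_DLLs")[0])
        except OSError:
            pass
    return snap


# Constructed snapshot: names and the AppInit data come from the thread's
# logs; pairing each Run value with the Temp file of the same name, the
# Notify DLLName values and the two benign entries are assumed.
SAMPLE = {
    "run": {
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
        "A00F4DBD5.exe": r"C:\DOCUME~1\Robyn\LOCALS~1\Temp\_A00F4DBD5.exe",
        "A00F11A79D2D.exe": r"C:\DOCUME~1\Robyn\LOCALS~1\Temp\_A00F11A79D2D.exe",
    },
    "notify": {
        "crypt32chain": "crypt32.dll",
        "b3b1584623": r"C:\WINDOWS\system32\b3b1584623.dll",
        "__c004A961": r"c:\windows\system32\__c004A961.dat",
    },
    "appinit": r"c:\windows\system32\drmclien32.dll",
}


def main():
    snap = collect_live() if sys.platform == "win32" else SAMPLE
    for f in audit(snap):
        print(f"[{f.location}] {f.name} = {f.data}  <- {f.reason}")


if __name__ == "__main__":
    main()
```

Matches are leads to verify, not verdicts: the hex-name rule will also flag a legitimately named value that happens to be all hex, and malware that kills security tools by process image name (the reason renaming mbam.exe works) would stop this script too if python.exe were on its list. On 64-bit systems the script only sees the native view of the registry, not the WOW6432Node copies.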
 


#6 note_eater (Topic Starter, Members, 7 posts)

Posted 04 July 2009 - 12:45 AM

No antivirus or antimalware will run. I imagine the virus or malware stops it from running. Although I could probably do the rest and get rid of it, I might want to just reformat to be safe. I have no op disk, as this computer was given to my children. What is my best solution? I do have XP on my other computer.

#7 etavares (Bleepin' Remover, Malware Response Team, 15,514 posts)

Posted 04 July 2009 - 03:10 PM

Hi note_eater-

The choice to reformat is yours. If you do have an XP disc lying around somewhere, you could use that to install, although you'll probably need to purchase a new key (i.e. you'll have to buy a new XP license). Here's some information on properly reformatting.
Clean Reformat
When should I re-format? How should I reinstall?
Where to draw the line? When to recommend a format and reinstall?


If you do want to continue, just let me know in the posts what works and what doesn't work, and we should be able to regain control of the machine. If you do that, please follow the instructions above; if we can't install an antivirus, then we'll worry about that later. Renaming MBAM should get it to run.

Either way, please let me know what you decide.

Thanks,
-etavares


 


#8 note_eater (Topic Starter, Members, 7 posts)

Posted 05 July 2009 - 02:56 AM

OK, thank you for helping me. I have decided to test your merit... lol. I am attempting to clean without a reformat, so here is what you asked for.

OTM log

All processes killed
========== PROCESSES ==========
No active process named msgup900_2162_us_v2.exe was found!
No active process named msgup_us.exe was found!
========== FILES ==========
C:\DOCUME~1\Robyn\LOCALS~1\Temp\msgup900_2162_us_v2.exe moved successfully.
Folder C:\DOCUME~1\Robyn\LOCALS~1\Temp\nsg3C8.tmp not found.
C:\DOCUME~1\Robyn\LOCALS~1\Temp\_A00F4DBD5.exe moved successfully.
C:\DOCUME~1\Robyn\LOCALS~1\Temp\_A00F6B891E1.exe moved successfully.
C:\DOCUME~1\Robyn\LOCALS~1\Temp\_A00FA5F509E.exe moved successfully.
C:\DOCUME~1\Robyn\LOCALS~1\Temp\_A00FBE6EE86.exe moved successfully.
C:\DOCUME~1\Robyn\LOCALS~1\Temp\_A00FC52FD7D.exe moved successfully.
C:\DOCUME~1\Robyn\LOCALS~1\Temp\_A00FD5E8AF5.exe moved successfully.
C:\DOCUME~1\Robyn\LOCALS~1\Temp\_A00FE5399F1.exe moved successfully.
C:\DOCUME~1\Robyn\LOCALS~1\Temp\_A00F1117B5B3.exe moved successfully.
C:\DOCUME~1\Robyn\LOCALS~1\Temp\_A00F11A12626.exe moved successfully.
C:\DOCUME~1\Robyn\LOCALS~1\Temp\_A00F11A79D2D.exe moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\drmclien32.dll
c:\windows\system32\drmclien32.dll NOT unregistered.
c:\windows\system32\drmclien32.dll moved successfully.
File/Folder c:\windows\system32\__c004A961.dat not found.
File move failed. C:\windows\system32\__c0077D9.dat scheduled to be moved on reboot.
c:\windows\system32\__c001753B.dat moved successfully.
c:\windows\system32\__c008D3CD.dat moved successfully.
c:\windows\system32\__c00D34E4.dat moved successfully.
C:\windows\system32\__c00E78DF.dat moved successfully.
c:\windows\system32\__c00E1B2A.dat moved successfully.
c:\windows\system32\__c00F0031.dat moved successfully.
c:\windows\system32\__c0091809.dat moved successfully.
c:\windows\system32\__c00D7A6B.dat moved successfully.
c:\windows\system32\__c003089.dat moved successfully.
c:\windows\system32\34D.tmp moved successfully.
c:\windows\system32\qMgjlvGlRK6bDm5.vbs moved successfully.
c:\windows\system32\uqjkWemk45G0m.vbs moved successfully.
c:\windows\system32\MmEreUOMmr367xC.vbs moved successfully.
c:\windows\system32\gqVfGa2Oxpa96.vbs moved successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E}\ not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\A00F4DBD5.exe deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\A00F6B891E1.exe deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\A00FA5F509E.exe deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\A00FBE6EE86.exe deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\A00FC52FD7D.exe deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\A00FD5E8AF5.exe deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\A00FE5399F1.exe deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\A00F1117B5B3.exe deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\A00F11A12626.exe deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\A00F11A79D2D.exe deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\b3b1584623\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c004A961\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0077D9\ deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\"AppInit_DLLs"|"" /E : value set successfully!
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32768 bytes

User: Administrator.NEWKIDS
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32768 bytes

User: All Users

User: colby
->Temp folder emptied: 130307431 bytes
->Temporary Internet Files folder emptied: 118861550 bytes
->Java cache emptied: 2142959 bytes
->FireFox cache emptied: 66972043 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32768 bytes

User: kids
->Temp folder emptied: 137197416 bytes
->Temporary Internet Files folder emptied: 41929523 bytes
->FireFox cache emptied: 83661434 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Robyn
File delete failed. C:\Documents and Settings\Robyn\Local Settings\Temp\Temporary Directory 4 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2003).zip\Microsoft Office XP Publisher 2003\Publisher XP\FILES\PFILES\MSOFFICE\OFFICE10\OCLEAN.DLL scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Robyn\Local Settings\Temp\Temporary Directory 4 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2003).zip\Microsoft Office XP Publisher 2003\Publisher XP\FILES\PFILES\MSOFFICE\OFFICE10\OCLNCORE.OPC scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Robyn\Local Settings\Temp\Temporary Directory 4 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2003).zip\Microsoft Office XP Publisher 2003\Publisher XP\FILES\PFILES\MSOFFICE\OFFICE10\OCLNCUST.OPC scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Robyn\Local Settings\Temp\Temporary Directory 4 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2003).zip\Microsoft Office XP Publisher 2003\Publisher XP\FILES\PFILES\MSOFFICE\OFFICE10\OFFCLN.EXE scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Robyn\Local Settings\Temp\Temporary Directory 4 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2003).zip\Microsoft Office XP Publisher 2003\Publisher XP\FILES\OSP\1033\FILES\SYSTEM\EXTRACT.EXE scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Robyn\Local Settings\Temp\Temporary Directory 4 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2003).zip\Microsoft Office XP Publisher 2003\Publisher XP\FILES\OSP\1033\FILES\SYSTEM\MLANG.DAT scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Robyn\Local Settings\Temp\Temporary Directory 4 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2003).zip\Microsoft Office XP Publisher 2003\Publisher XP\FILES\OSP\1033\FILES\SYSTEM\MLANG.DLL scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Robyn\Local Settings\Temp\Temporary Directory 4 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2003).zip\Microsoft Office XP Publisher 2003\Publisher XP\FILES\OSP\1033\FILES\SYSTEM\MSXML.DLL scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Robyn\Local Settings\Temp\Temporary Directory 4 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2003).zip\Microsoft Office XP Publisher 2003\Publisher XP\FILES\OSP\1033\FILES\SYSTEM\T2EMBED.DLL scheduled to be deleted on reboot.
->Temp folder emptied: 426905530 bytes
->Temporary Internet Files folder emptied: 529910429 bytes
->FireFox cache emptied: 89661245 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2142714 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
Windows Temp folder emptied: 88986858 bytes

RecycleBin emptied: 68071662 bytes

Total Files Cleaned = 1704.11 mb


OTM by OldTimer - Version 3.0.0.3 log created on 07052009_014317

Files moved on Reboot...
C:\windows\system32\__c0077D9.dat moved successfully.
File C:\Documents and Settings\Robyn\Local Settings\Temp\Temporary Directory 4 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2003).zip\Microsoft Office XP Publisher 2003\Publisher XP\FILES\PFILES\MSOFFICE\OFFICE10\OCLEAN.DLL not found!
File C:\Documents and Settings\Robyn\Local Settings\Temp\Temporary Directory 4 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2003).zip\Microsoft Office XP Publisher 2003\Publisher XP\FILES\PFILES\MSOFFICE\OFFICE10\OCLNCORE.OPC not found!
File C:\Documents and Settings\Robyn\Local Settings\Temp\Temporary Directory 4 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2003).zip\Microsoft Office XP Publisher 2003\Publisher XP\FILES\PFILES\MSOFFICE\OFFICE10\OCLNCUST.OPC not found!
File C:\Documents and Settings\Robyn\Local Settings\Temp\Temporary Directory 4 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2003).zip\Microsoft Office XP Publisher 2003\Publisher XP\FILES\PFILES\MSOFFICE\OFFICE10\OFFCLN.EXE not found!
File C:\Documents and Settings\Robyn\Local Settings\Temp\Temporary Directory 4 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2003).zip\Microsoft Office XP Publisher 2003\Publisher XP\FILES\OSP\1033\FILES\SYSTEM\EXTRACT.EXE not found!
File C:\Documents and Settings\Robyn\Local Settings\Temp\Temporary Directory 4 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2003).zip\Microsoft Office XP Publisher 2003\Publisher XP\FILES\OSP\1033\FILES\SYSTEM\MLANG.DAT not found!
File C:\Documents and Settings\Robyn\Local Settings\Temp\Temporary Directory 4 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2003).zip\Microsoft Office XP Publisher 2003\Publisher XP\FILES\OSP\1033\FILES\SYSTEM\MLANG.DLL not found!
File C:\Documents and Settings\Robyn\Local Settings\Temp\Temporary Directory 4 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2003).zip\Microsoft Office XP Publisher 2003\Publisher XP\FILES\OSP\1033\FILES\SYSTEM\MSXML.DLL not found!
File C:\Documents and Settings\Robyn\Local Settings\Temp\Temporary Directory 4 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2003).zip\Microsoft Office XP Publisher 2003\Publisher XP\FILES\OSP\1033\FILES\SYSTEM\T2EMBED.DLL not found!

Registry entries deleted on Reboot...


MBAM log

Malwarebytes' Anti-Malware 1.38
Database version: 2375
Windows 5.1.2600 Service Pack 2

7/5/2009 2:30:18 AM
mbam-log-2009-07-05 (02-30-18).txt

Scan type: Quick Scan
Objects scanned: 108921
Time elapsed: 3 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 18

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Documents and Settings\Robyn\Local Settings\Temp\9.tmp (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drmclien32.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\b3b1584623 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: c:\windows\system32\drmclien32.dll -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\SystemX86 (Worm.Archive) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Robyn\Local Settings\Temp\9.tmp (Trojan.Agent) -> Delete on reboot.
c:\WINDOWS\system32\systemx86\213.crack.zip (Worm.Archive) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\systemx86\213.crack.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\systemx86\214.keygen.zip (Worm.Archive) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\systemx86\214.keygen.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\systemx86\215.serial.zip (Worm.Archive) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\systemx86\215.serial.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\systemx86\216.setup.zip (Worm.Archive) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\systemx86\216.setup.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\systemx86\217.music.au (Worm.Archive) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\systemx86\217.music.au.kwd (Worm.Archive) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\systemx86\218.music2.au (Worm.Archive) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\systemx86\218.music2.au.kwd (Worm.Archive) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\systemx86\219.music3.au (Worm.Archive) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\systemx86\219.music3.au.kwd (Worm.Archive) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\systemx86\220.music.snd (Worm.Archive) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\systemx86\220.music.snd.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drmclien32.dll (Trojan.Agent) -> Delete on reboot.


GMER log

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-05 02:47:29
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT 85392FA8 ZwAllocateVirtualMemory
SSDT 85354F88 ZwCreateKey
SSDT 85352878 ZwCreateProcess
SSDT 85352800 ZwCreateProcessEx
SSDT 85352620 ZwCreateThread
SSDT 85352AD0 ZwDeleteKey
SSDT 853528F0 ZwDeleteValueKey
SSDT 85392020 ZwQueueApcThread
SSDT 85392EB8 ZwReadVirtualMemory
SSDT 85352A58 ZwRenameKey
SSDT 853524B8 ZwSetContextThread
SSDT 853529E0 ZwSetInformationKey
SSDT 85352710 ZwSetInformationProcess
SSDT 85352530 ZwSetInformationThread
SSDT 85352968 ZwSetValueKey
SSDT 85352698 ZwSuspendProcess
SSDT 85352440 ZwSuspendThread
SSDT 85352788 ZwTerminateProcess
SSDT 853525A8 ZwTerminateThread
SSDT 85392F30 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

? zqbbrnv.sys The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] 85392C78
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] 85392D70
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] 85392D70
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] 85392C78
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] 85392C78
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] 85392D70
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] 85392D70
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] 85392C78
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] 85392D70
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] 85392C78
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] 85392D70
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] 85392D70
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] 85392C78

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[612] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [63602B48] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[612] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [63602A65] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[612] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [6360244B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[612] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [63602AAC] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[612] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [63602B48] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[612] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [63602A65] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[612] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [6360244B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[612] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [63602AAC] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[612] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [63602A65] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[612] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [63602AAC] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[612] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [6360244B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[612] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [63602B48] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[612] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [63602AF3] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[612] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow] [63601767] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[612] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [63601616] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[612] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [63602099] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[612] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [63601FCE] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[612] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [6360206F] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[612] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [636015EF] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[612] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [63602AF3] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[612] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [63602B48] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[612] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [63602AAC] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[612] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [63602A65] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[612] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [6360244B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[612] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [63602099] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[612] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [6360206F] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[612] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [63601FCE] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[612] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [636015EF] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[612] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [63601616] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))

Device \Driver\Tcpip \Device\Ip 8494EB70
Device \Driver\Tcpip \Device\Tcp 8494EB70
Device \Driver\Tcpip \Device\Udp 8494EB70
Device \Driver\Tcpip \Device\RawIp 8494EB70
Device \Driver\Tcpip \Device\IPMULTICAST 8494EB70

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Robyn\Local Settings\Temp\Temporary Directory 4 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2003).zip\Microsoft Office XP Publisher 2003\Publisher XP\FILES\OSP\1033\FILES\WINDOWS\HELP\OSP.HLP 14230 bytes
File C:\Documents and Settings\Robyn\Local Settings\Temp\Temporary Directory 4 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2003).zip\Microsoft Office XP Publisher 2003\Publisher XP\FILES\OSP\1033\FILES\WINDOWS\HELP\PSS10.TXT 20501 bytes
File C:\Documents and Settings\Robyn\Local Settings\Temp\Temporary Directory 4 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2003).zip\Microsoft Office XP Publisher 2003\Publisher XP\FILES\PFILES\COMMON\MSSHARED\OFFICE10\1033 0 bytes
File C:\Documents and Settings\Robyn\Local Settings\Temp\Temporary Directory 4 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2003).zip\Microsoft Office XP Publisher 2003\Publisher XP\FILES\PFILES\COMMON\MSSHARED\OFFICE10\1033\DWINTL.DLL 54688 bytes executable
File C:\Documents and Settings\Robyn\Local Settings\Temp\Temporary Directory 4 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2003).zip\Microsoft Office XP Publisher 2003\Publisher XP\FILES\PFILES\COMMON\MSSHARED\OFFICE10\DW.EXE 165280 bytes executable
File C:\Documents and Settings\Robyn\Local Settings\Temp\Temporary Directory 4 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2003).zip\Microsoft Office XP Publisher 2003\Publisher XP\FILES\PFILES\MSOFFICE\OFFICE10\1033\ACREAD10.HTM 37770 bytes
File C:\Documents and Settings\Robyn\Local Settings\Temp\Temporary Directory 4 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2003).zip\Microsoft Office XP Publisher 2003\Publisher XP\FILES\PFILES\MSOFFICE\OFFICE10\1033\FILTERS.TXT 2086 bytes
File C:\Documents and Settings\Robyn\Local Settings\Temp\Temporary Directory 4 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2003).zip\Microsoft Office XP Publisher 2003\Publisher XP\FILES\PFILES\MSOFFICE\OFFICE10\1033\FPREAD10.HTM 12438 bytes
File C:\Documents and Settings\Robyn\Local Settings\Temp\Temporary Directory 4 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2003).zip\Microsoft Office XP Publisher 2003\Publisher XP\FILES\PFILES\MSOFFICE\OFFICE10\1033\ID_019.DPC 414 bytes
File C:\Documents and Settings\Robyn\Local Settings\Temp\Temporary Directory 4 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2003).zip\Microsoft Office XP Publisher 2003\Publisher XP\FILES\PFILES\MSOFFICE\OFFICE10\1033\ID_028.DPC 414 bytes
File C:\Documents and Settings\Robyn\Local Settings\Temp\Temporary Directory 4 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2003).zip\Microsoft Office XP Publisher 2003\Publisher XP\FILES\PFILES\MSOFFICE\OFFICE10\1033\OCLNINTL.OPC 135 bytes
File C:\Documents and Settings\Robyn\Local Settings\Temp\Temporary Directory 4 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2003).zip\Microsoft Office XP Publisher 2003\Publisher XP\FILES\PFILES\MSOFFICE\OFFICE10\1033\OFREAD10.HTM 11866 bytes
File C:\Documents and Settings\Robyn\Local Settings\Temp\Temporary Directory 4 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2003).zip\Microsoft Office XP Publisher 2003\Publisher XP\FILES\PFILES\MSOFFICE\OFFICE10\1033\OLREAD10.HTM 19826 bytes
File C:\Documents and Settings\Robyn\Local Settings\Temp\Temporary Directory 4 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2003).zip\Microsoft Office XP Publisher 2003\Publisher XP\FILES\PFILES\MSOFFICE\OFFICE10\1033\PBREAD10.HTM 12606 bytes
File C:\Documents and Settings\Robyn\Local Settings\Temp\Temporary Directory 4 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2003).zip\Microsoft Office XP Publisher 2003\Publisher XP\FILES\PFILES\MSOFFICE\OFFICE10\1033\PPREAD10.HTM 15765 bytes
File C:\Documents and Settings\Robyn\Local Settings\Temp\Temporary Directory 4 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2003).zip\Microsoft Office XP Publisher 2003\Publisher XP\FILES\PFILES\MSOFFICE\OFFICE10\1033\PSS10O.CHM 12998 bytes
File C:\Documents and Settings\Robyn\Local Settings\Temp\Temporary Directory 4 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2003).zip\Microsoft Office XP Publisher 2003\Publisher XP\FILES\PFILES\MSOFFICE\OFFICE10\1033\PSS10R.CHM 26391 bytes
File C:\Documents and Settings\Robyn\Local Settings\Temp\Temporary Directory 4 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2003).zip\Microsoft Office XP Publisher 2003\Publisher XP\FILES\PFILES\MSOFFICE\OFFICE10\1033\SETUP.HLP 23663 bytes
File C:\Documents and Settings\Robyn\Local Settings\Temp\Temporary Directory 4 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2003).zip\Microsoft Office XP Publisher 2003\Publisher XP\FILES\PFILES\MSOFFICE\OFFICE10\1033\WDREAD10.HTM 23128 bytes
File C:\Documents and Settings\Robyn\Local Settings\Temp\Temporary Directory 4 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2003).zip\Microsoft Office XP Publisher 2003\Publisher XP\FILES\PFILES\MSOFFICE\OFFICE10\1033\XLREAD10.HTM 11660 bytes

---- EOF - GMER 1.0.15 ----


DDS text


DDS (Ver_09-06-26.01) - NTFSx86
Run by Robyn at 2:50:24.42 on Sun 07/05/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.479.171 [GMT -5:00]

AV: Webroot AntiVirus with AntiSpyware *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}

============== Running Processes ===============

C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\BellSouth\Alert Manager\BellSouthAlertManager.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Robyn\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://search.bearshare.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
TB: {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - No File
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\companion\modules\messmod4\v6\yhexbmes.dll
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SiS Windows KeyHook] c:\windows\system32\keyhook.exe
mRun: [SiSUSBRG] c:\windows\SiSUSBrg.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [BellSouthAlertManager.exe] c:\program files\bellsouth\alert manager\BellSouthAlertManager.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [HelpCenter4.1] c:\program files\fastaccessdsl\helpcenter43\bin\sprtcmd.exe /P HelpCenter4.1
mRun: [SpySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\robyn\applic~1\mozilla\firefox\profiles\fw3sdo23.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.geocities.com/note_eater/index
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-4-21 29808]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2009-6-25 1205760]
S3 FXDRV;FXDRV;\??\d:\fxdrv.sys --> d:\Fxdrv.sys [?]

=============== Created Last 30 ================

2009-07-05 02:20 <DIR> --d----- c:\docume~1\robyn\applic~1\Malwarebytes
2009-07-05 02:20 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-05 02:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-05 02:20 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-05 02:20 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-05 01:43 <DIR> --d----- C:\_OTM
2009-07-04 13:02 3,840 a------- c:\windows\system32\drivers\BANTExt.sys
2009-07-04 13:02 <DIR> --d----- c:\program files\Belarc
2009-07-02 00:09 <DIR> --d-h--- c:\windows\PIF
2009-06-28 01:06 56 a------- C:\xcrashdump.dat
2009-06-26 03:36 <DIR> --d----- c:\program files\ESET
2009-06-26 03:24 <DIR> --dsh--- c:\documents and settings\robyn\PrivacIE
2009-06-26 03:21 <DIR> --d----- c:\program files\Panda Security
2009-06-26 03:20 <DIR> --dsh--- c:\documents and settings\robyn\IETldCache
2009-06-26 02:32 <DIR> --d----- c:\windows\ie8updates
2009-06-26 02:31 <DIR> -cd-h--- c:\windows\ie8
2009-06-26 02:29 102,912 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-06-26 02:29 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-06-26 02:29 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-06-26 02:29 1,985,024 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-06-26 02:29 11,064,832 -c------ c:\windows\system32\dllcache\ieframe.dll
2009-06-25 11:04 <DIR> --d----- c:\program files\MSSOAP
2009-06-25 11:03 1,563,008 a------- c:\windows\WRSetup.dll
2009-06-25 11:03 <DIR> --d----- c:\program files\Webroot
2009-06-25 11:03 <DIR> --d----- c:\docume~1\robyn\applic~1\Webroot
2009-06-25 11:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Webroot
2009-06-25 10:59 164 a------- c:\windows\install.dat
2009-06-25 10:13 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-06-25 10:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-06-25 10:03 127 a------- c:\windows\system32\MRT.INI
2009-06-25 10:03 <DIR> --d----- c:\windows\system32\MpEngineStore
2009-06-25 01:47 17,428 a------- c:\windows\GnuHashes.ini
2009-06-25 01:39 1,837 a--sh--- c:\windows\system32\GroupPolicy000.dat
2009-06-25 01:27 750 a------- c:\windows\ST5UNST.000
2009-06-25 01:27 0 a------- c:\windows\SETUP.LST
2009-06-25 00:58 <DIR> --d----- c:\docume~1\robyn\applic~1\FrostWire
2009-06-25 00:57 73,728 a------- c:\windows\system32\javacpl.cpl
2009-06-25 00:55 <DIR> --d----- c:\program files\FrostWire

==================== Find3M ====================

2009-05-24 06:00 530,083 a------- C:\HC4DecommissionScheduler.exe
2009-05-13 00:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 10:44 344,064 a------- c:\windows\system32\localspl.dll
2009-04-17 04:58 1,846,656 a------- c:\windows\system32\win32k.sys
2009-04-15 10:11 584,192 a------- c:\windows\system32\rpcrt4.dll
2009-02-17 13:46 17,144 a------- c:\docume~1\robyn\applic~1\GDIPFONTCACHEV1.DAT
2002-09-11 09:26 63,730 a------- c:\program files\viewsonicinstruct_xp.pdf

============= FINISH: 2:50:36.32 ===============



and I also attached the attached file


The computer seems to be running quicker, and my antivirus and anti-spyware/malware are now working.




#9 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 05 July 2009 - 11:00 AM

Hi note_eater,

Your log looks much better. Now we need to take care of a few things to ensure your computer is protected.

1. We create and run a batch file.
Please open Notepad.

Copy and paste this text (but please do not include the word "CODE" in the title) into Notepad:
@echo off
cd\
rem /f deletes the value without the Yes/No prompt; without it reg.exe waits for an answer
rem that nobody can see, and the window sits there "doing nothing".
rem 2>&1 also records any "unable to find the specified registry key or value" message.
reg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar" /v "{4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E}" /f >> C:\info.txt 2>&1
reg delete "HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser" /v "{4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E}" /f >> C:\info.txt 2>&1
exit
(it's important to copy and paste to make sure the line breaks are correct. Please do not type this in manually.)


Save it to your desktop as custom.bat. Double-click to run it. A black command prompt window will briefly pop up then close.

Please copy and paste the contents of C:\info.txt to your next reply.



2. Enable real time scanning of your antivirus.
It does not appear that the real-time protection of Webroot Antivirus with Antispyware is enabled. Please open the program, then select Options in the Icon panel. Click the Shields tab. Ensure the Protect against viruses option is enabled and the shields above it are active.


3. Install a third-party firewall.
Please now install a third-party firewall. Here are some free ones that work very well. The main reason to use a third-party firewall over the Windows XP Firewall is because Windows Firewall only stops incoming signals from accessing your computer. However, it will not stop programs (possibly ones that could intrude on your privacy) from sending outgoing signals to the Internet or to other networks.

After you have installed one of the above firewalls, please disable your Windows Firewall, if you had it enabled.


4. Update Adobe Acrobat Reader and Java
I see you are using Adobe Acrobat Reader 6. This version is no longer supported and may have security holes. I also see that your Java is outdated. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.

First, let's download the programs.

To update Adobe reader, please download Adobe Reader 9.1 from this link:
http://get.adobe.com/reader/
Save it to your desktop.

Please follow these steps to download the latest version of Java:
  • Download the latest version of Java Runtime Environment (JRE) Version 14 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 14...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
Next, we need to uninstall the previous versions of Java and Adobe.
First, please close any programs you have running, and especially make sure your web browser is not open. Please uninstall any of the following program(s) using Add/Remove Programs if they are present. To do this, go to Start > Settings > Control Panel and double-click on Add/Remove Programs. From within Add/Remove Programs highlight each one and select Remove.
Adobe Reader 6.0
J2SE Runtime Environment 5.0 Update 8
Java™ 6 Update 7


Be sure to reboot when done.

Next, we need to update Java. First, close any programs you may have running - especially your web browser. Then, from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version.

Once that's complete, double-click the Adobe Reader file on your desktop to install Adobe Reader 9.1.


5. Adobe Acrobat
I see you have Adobe Acrobat 4 installed. This program is 10 years old and Adobe no longer actively supports it. As a result, there are known vulnerabilities in it that could be exploited by malicious PDFs. I strongly recommend uninstalling this and either purchasing the new Adobe Acrobat 9, or trying the free Foxit Editor. You can get it here:
http://www.foxitsoftware.com/

6. Run this scan as a double-check
WARNING: This scan may take some time to run, depending on your internet connection and amount of used space on your hard drive.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
7. In your reply, please attach the following:
  • C:\info.txt
  • fresh DDS log
  • Kaspersky online scan log
Please let me know how those steps went and please post another DDS log so we can ensure your computer is staying clean.

Thanks!

Edited by etavares, 05 July 2009 - 11:01 AM.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
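The checks etavares made by eye on the DDS log above (on-access scanning disabled in the AV header line, toolbar CLSIDs that DDS reports as "No File", an outdated browser Java) can be written down as detection logic. The script below is an added example for this thread, not code from the thread, from BleepingComputer or from the DDS tool; its sample log is constructed from the kind of lines DDS prints, and the minimum Java version it compares against is an assumed parameter, since DDS does not report what "current" is.

```python
"""Triage a DDS log the way a malware-removal helper reads it by eye.

Added example (not code from the thread or the DDS tool). It scans the
DDS header for protection that is switched off or out of date, compares
the browser Java version with an assumed minimum, and flags toolbar/BHO
entries in the "Pseudo HJT Report" whose CLSID no longer points at a
file (DDS prints these as "No File").
"""
import re
from dataclasses import dataclass

# Constructed sample: a trimmed DDS header plus a Pseudo HJT Report section.
SAMPLE_LOG = r"""
DDS (Ver_09-06-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07
AV: Webroot AntiVirus with AntiSpyware *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
FW: Sygate Personal Firewall *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Pseudo HJT Report ===============

uStart Page = hxxp://search.bearshare.com/
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - No File
TB: {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

================= FIREFOX ===================
""".strip("\n")


@dataclass
class Finding:
    severity: str      # "high", "medium" or "low"
    kind: str          # short machine-readable tag
    detail: str        # human-readable explanation
    subject: str = ""  # CLSID or product the finding is about


# "============== Pseudo HJT Report ===============" -> "Pseudo HJT Report"
SECTION_RE = re.compile(r"^=+\s*(?P<name>.+?)\s*=+$")
# "AV: <product> *<state>* (Updated|Outdated) {guid}"; FW:/AS: lines share the shape
PROTECTION_RE = re.compile(
    r"^(?P<type>AV|AS|FW): (?P<name>.+?) \*(?P<state>[^*]+)\*"
    r"(?: \((?P<defs>Updated|Outdated)\))?"
)
JAVA_RE = re.compile(r"BrowserJavaVersion: (?P<ver>[0-9][0-9._]*)")
# "TB: [<name>: ]{clsid} - <dll path or 'No File'>"
ENTRY_RE = re.compile(
    r"^(?P<kind>TB|BHO|EB|uURLSearchHooks|DPF): (?:(?P<name>.+?): )?"
    r"(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.+)$"
)


def parse_java_version(text: str) -> tuple:
    """'1.6.0_07' -> (1, 6, 0, 7) so versions compare numerically."""
    return tuple(int(p) for p in re.split(r"[._]", text))


def triage(log_text: str, min_java=(1, 6, 0, 14)) -> list:
    """Return Findings in log order. min_java is an assumed baseline, not
    something DDS reports; pass whatever version you consider current."""
    findings = []
    section = "header"  # everything before the first ==== line
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if section == "header":
            m = PROTECTION_RE.match(line)
            if m:
                product = f"{m.group('type')} {m.group('name')}"
                if "disabled" in m.group("state").lower():
                    findings.append(Finding("high", "protection-disabled",
                                            f"{product}: {m.group('state')}", product))
                if m.group("defs") == "Outdated":
                    findings.append(Finding("medium", "definitions-outdated",
                                            f"{product}: signatures are outdated", product))
                continue
            m = JAVA_RE.search(line)
            if m and parse_java_version(m.group("ver")) < min_java:
                wanted = ".".join(map(str, min_java))
                findings.append(Finding("medium", "java-outdated",
                                        f"browser Java {m.group('ver')} is older than {wanted}",
                                        m.group("ver")))
        elif section == "Pseudo HJT Report":
            m = ENTRY_RE.match(line)
            if m and m.group("target").strip().lower() == "no file":
                findings.append(Finding("low", "orphaned-entry",
                                        f"{m.group('kind')} {m.group('clsid')} is registered "
                                        "but its file is gone", m.group("clsid")))
    return findings


def orphaned_clsids(findings) -> list:
    """CLSIDs left behind with no file, in log order: the values a cleanup
    (reg delete or a .reg file with "=-") would target."""
    return [f.subject for f in findings if f.kind == "orphaned-entry"]


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.severity}] {f.kind}: {f.detail}")
    print("orphaned CLSIDs:", orphaned_clsids(found))
```

Run against a real DDS log, the "orphaned-entry" findings are the entries to remove from both the HKLM Toolbar key and the per-user Toolbar\WebBrowser key, which is exactly what the batch file and .reg file in this thread do; the "protection-disabled" finding is the one that should be resolved first, since a cleanup with on-access scanning off gives the infection a window to return.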
 


#10 note_eater
  • Topic Starter
  • Members
  • 7 posts

Posted 05 July 2009 - 06:28 PM

OK, the bat file just opened the box and nothing happened... I copied and pasted and tried it twice... I let it run for over 45 min... nothing.

I had already run Spybot and it found 15; I moved those files, ran it again, and it was clean.
I ran AntiVir and got rid of Webroot... I ran AntiVir and it found 30, and I moved and cleaned those.

I ran your online scan and cannot post a log because they all came back clean.

I ran a new DDS; here it is:


DDS (Ver_09-06-26.01) - NTFSx86
Run by Robyn at 18:24:42.78 on Sun 07/05/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.479.111 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Sygate Personal Firewall *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Sygate\SPF\smc.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\BellSouth\Alert Manager\BellSouthAlertManager.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Robyn\Local Settings\Temp\jkos-Robyn\binaries\ScanningProcess.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Documents and Settings\Robyn\Desktop\Virus cleaning\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://search.bearshare.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - No File
TB: {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - No File
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\companion\modules\messmod4\v6\yhexbmes.dll
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SiS Windows KeyHook] c:\windows\system32\keyhook.exe
mRun: [SiSUSBRG] c:\windows\SiSUSBrg.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [BellSouthAlertManager.exe] c:\program files\bellsouth\alert manager\BellSouthAlertManager.exe
mRun: [HelpCenter4.1] c:\program files\fastaccessdsl\helpcenter43\bin\sprtcmd.exe /P HelpCenter4.1
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SmcService] c:\progra~1\sygate\spf\smc.exe -startgui
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\robyn\applic~1\mozilla\firefox\profiles\fw3sdo23.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.geocities.com/note_eater/index
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-7-5 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-7-5 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-7-5 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-5 55640]
S3 FXDRV;FXDRV;\??\d:\fxdrv.sys --> d:\Fxdrv.sys [?]
S4 vsdatant;vsdatant; [x]

=============== Created Last 30 ================

2009-07-05 14:02 410,984 a------- c:\windows\system32\deploytk.dll
2009-07-05 14:02 73,728 a------- c:\windows\system32\javacpl.cpl
2009-07-05 13:31 60,496 a------- c:\windows\system32\drivers\Teefer.sys
2009-07-05 13:31 14,568 a------- c:\windows\system32\drivers\wg6n.sys
2009-07-05 13:31 14,568 a------- c:\windows\system32\drivers\wg5n.sys
2009-07-05 13:31 14,568 a------- c:\windows\system32\drivers\wg4n.sys
2009-07-05 13:31 14,568 a------- c:\windows\system32\drivers\wg3n.sys
2009-07-05 13:31 21,075 a------- c:\windows\system32\drivers\wpsdrvnt.sys
2009-07-05 13:31 83,096 a------- c:\windows\system32\SSSensor.dll
2009-07-05 13:31 <DIR> --d----- c:\program files\Sygate
2009-07-05 03:05 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-07-05 03:05 <DIR> --d----- c:\program files\Avira
2009-07-05 03:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-07-05 02:20 <DIR> --d----- c:\docume~1\robyn\applic~1\Malwarebytes
2009-07-05 02:20 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-05 02:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-05 02:20 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-05 02:20 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-05 01:43 <DIR> --d----- C:\_OTM
2009-07-04 13:02 3,840 a------- c:\windows\system32\drivers\BANTExt.sys
2009-07-04 13:02 <DIR> --d----- c:\program files\Belarc
2009-07-02 00:09 <DIR> --d-h--- c:\windows\PIF
2009-06-28 01:06 56 a------- C:\xcrashdump.dat
2009-06-26 03:24 <DIR> --dsh--- c:\documents and settings\robyn\PrivacIE
2009-06-26 03:21 <DIR> --d----- c:\program files\Panda Security
2009-06-26 03:20 <DIR> --dsh--- c:\documents and settings\robyn\IETldCache
2009-06-26 02:32 <DIR> --d----- c:\windows\ie8updates
2009-06-26 02:31 <DIR> -cd-h--- c:\windows\ie8
2009-06-26 02:29 102,912 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-06-26 02:29 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-06-26 02:29 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-06-26 02:29 1,985,024 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-06-26 02:29 11,064,832 -c------ c:\windows\system32\dllcache\ieframe.dll
2009-06-25 11:04 <DIR> --d----- c:\program files\MSSOAP
2009-06-25 10:59 164 a------- c:\windows\install.dat
2009-06-25 10:13 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-06-25 10:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-06-25 10:03 127 a------- c:\windows\system32\MRT.INI
2009-06-25 10:03 <DIR> --d----- c:\windows\system32\MpEngineStore
2009-06-25 01:47 17,428 a------- c:\windows\GnuHashes.ini
2009-06-25 01:27 750 a------- c:\windows\ST5UNST.000
2009-06-25 01:27 0 a------- c:\windows\SETUP.LST
2009-06-25 00:58 <DIR> --d----- c:\docume~1\robyn\applic~1\FrostWire
2009-06-25 00:55 <DIR> --d----- c:\program files\FrostWire

==================== Find3M ====================

2009-05-24 06:00 530,083 a------- C:\HC4DecommissionScheduler.exe
2009-05-13 00:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 10:44 344,064 a------- c:\windows\system32\localspl.dll
2009-04-17 04:58 1,846,656 a------- c:\windows\system32\win32k.sys
2009-04-15 10:11 584,192 a------- c:\windows\system32\rpcrt4.dll
2009-02-17 13:46 17,144 a------- c:\docume~1\robyn\applic~1\GDIPFONTCACHEV1.DAT
2002-09-11 09:26 63,730 a------- c:\program files\viewsonicinstruct_xp.pdf

============= FINISH: 18:25:30.17 ===============




#11 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 06 July 2009 - 07:27 AM

Hi note_eater,

OK, your log looks clean and you're much more secure with the changes to the programs. Now, we need to fix one last remnant since the batch file didn't work.

First, please disable any antivirus and Spybot's teatimer feature.

Next, please open Notepad.
Copy and paste the information below into it, excluding the word "code" as before.

Windows Registry Editor Version 5.00

; a value whose data is "-" is deleted from the key when this file is merged

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E}"=-

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E}"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29}"=-

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29}"=-

Save that as fixme.reg to your desktop.

Double-click fixme.reg to run it.

You will be asked if you want to add the information to the registry. Select Yes.

You will get confirmation that it was successfully added to the registry.

Reboot.

Please post an updated DDS log after the reboot in your next reply. Please also let me know how your computer seems to be running.


 


#12 note_eater
  • Topic Starter
  • Members
  • 7 posts

Posted 06 July 2009 - 12:52 PM

Computer is running much better.

I disabled TeaTimer, Spybot and AntiVir. I ran the batch file, then rebooted, turned Spybot and TeaTimer back on, and ran DDS.

DDS log


DDS (Ver_09-06-26.01) - NTFSx86
Run by Robyn at 12:49:45.90 on Mon 07/06/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.479.124 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Sygate Personal Firewall *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Sygate\SPF\smc.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\BellSouth\Alert Manager\BellSouthAlertManager.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Robyn\Desktop\Virus cleaning\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://search.bearshare.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\companion\modules\messmod4\v6\yhexbmes.dll
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SiS Windows KeyHook] c:\windows\system32\keyhook.exe
mRun: [SiSUSBRG] c:\windows\SiSUSBrg.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [BellSouthAlertManager.exe] c:\program files\bellsouth\alert manager\BellSouthAlertManager.exe
mRun: [HelpCenter4.1] c:\program files\fastaccessdsl\helpcenter43\bin\sprtcmd.exe /P HelpCenter4.1
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SmcService] c:\progra~1\sygate\spf\smc.exe -startgui
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\robyn\applic~1\mozilla\firefox\profiles\fw3sdo23.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.geocities.com/note_eater/index
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-7-5 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-7-5 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-7-5 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-5 55640]
S3 FXDRV;FXDRV;\??\d:\fxdrv.sys --> d:\Fxdrv.sys [?]
S4 vsdatant;vsdatant; [x]

=============== Created Last 30 ================

2009-07-05 14:02 410,984 a------- c:\windows\system32\deploytk.dll
2009-07-05 14:02 73,728 a------- c:\windows\system32\javacpl.cpl
2009-07-05 13:31 60,496 a------- c:\windows\system32\drivers\Teefer.sys
2009-07-05 13:31 14,568 a------- c:\windows\system32\drivers\wg6n.sys
2009-07-05 13:31 14,568 a------- c:\windows\system32\drivers\wg5n.sys
2009-07-05 13:31 14,568 a------- c:\windows\system32\drivers\wg4n.sys
2009-07-05 13:31 14,568 a------- c:\windows\system32\drivers\wg3n.sys
2009-07-05 13:31 21,075 a------- c:\windows\system32\drivers\wpsdrvnt.sys
2009-07-05 13:31 83,096 a------- c:\windows\system32\SSSensor.dll
2009-07-05 13:31 <DIR> --d----- c:\program files\Sygate
2009-07-05 03:05 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-07-05 03:05 <DIR> --d----- c:\program files\Avira
2009-07-05 03:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-07-05 02:20 <DIR> --d----- c:\docume~1\robyn\applic~1\Malwarebytes
2009-07-05 02:20 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-05 02:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-05 02:20 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-05 02:20 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-05 01:43 <DIR> --d----- C:\_OTM
2009-07-04 13:02 3,840 a------- c:\windows\system32\drivers\BANTExt.sys
2009-07-04 13:02 <DIR> --d----- c:\program files\Belarc
2009-07-02 00:09 <DIR> --d-h--- c:\windows\PIF
2009-06-28 01:06 56 a------- C:\xcrashdump.dat
2009-06-26 03:24 <DIR> --dsh--- c:\documents and settings\robyn\PrivacIE
2009-06-26 03:21 <DIR> --d----- c:\program files\Panda Security
2009-06-26 03:20 <DIR> --dsh--- c:\documents and settings\robyn\IETldCache
2009-06-26 02:32 <DIR> --d----- c:\windows\ie8updates
2009-06-26 02:31 <DIR> -cd-h--- c:\windows\ie8
2009-06-26 02:29 102,912 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-06-26 02:29 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-06-26 02:29 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-06-26 02:29 1,985,024 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-06-26 02:29 11,064,832 -c------ c:\windows\system32\dllcache\ieframe.dll
2009-06-25 11:04 <DIR> --d----- c:\program files\MSSOAP
2009-06-25 10:59 164 a------- c:\windows\install.dat
2009-06-25 10:13 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-06-25 10:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-06-25 10:03 127 a------- c:\windows\system32\MRT.INI
2009-06-25 10:03 <DIR> --d----- c:\windows\system32\MpEngineStore
2009-06-25 01:47 17,428 a------- c:\windows\GnuHashes.ini
2009-06-25 01:27 750 a------- c:\windows\ST5UNST.000
2009-06-25 01:27 0 a------- c:\windows\SETUP.LST
2009-06-25 00:58 <DIR> --d----- c:\docume~1\robyn\applic~1\FrostWire
2009-06-25 00:55 <DIR> --d----- c:\program files\FrostWire

==================== Find3M ====================

2009-05-24 06:00 530,083 a------- C:\HC4DecommissionScheduler.exe
2009-05-13 00:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 10:44 344,064 a------- c:\windows\system32\localspl.dll
2009-04-17 04:58 1,846,656 a------- c:\windows\system32\win32k.sys
2009-04-15 10:11 584,192 a------- c:\windows\system32\rpcrt4.dll
2009-02-17 13:46 17,144 a------- c:\docume~1\robyn\applic~1\GDIPFONTCACHEV1.DAT
2002-09-11 09:26 63,730 a------- c:\program files\viewsonicinstruct_xp.pdf

============= FINISH: 12:50:28.18 ===============



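A practical check a helper wants after a fix like the .reg file above is whether the CLSIDs it deleted still show up in the next DDS log. The script below is an added example, not part of this thread and not a DDS or BleepingComputer tool: it parses the "Pseudo HJT Report" line formats DDS prints (BHO/TB/EB/URLSearchHooks entries with a CLSID and path, and uRun/mRun entries with a bracketed name), extracts the `"{CLSID}"=-` deletions from a .reg file, and reports any CLSID the fix targeted that the later log still references. The sample lines are copied from the log in this post; the one "before" line and the .reg header are constructed for illustration.

```python
"""Cross-check a DDS Pseudo HJT report against the CLSIDs a .reg fix removes.

Added example; not code from the thread, from DDS, or from BleepingComputer.
"""
import re

# Sample Pseudo HJT lines, copied from the DDS log posted after the fix.
SAMPLE_HJT = r"""uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
"""

# Constructed "before the fix" line: how DDS would list an orphaned toolbar CLSID.
SAMPLE_BEFORE = r"""TB: {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - No File
"""

# The deletions from the .reg fix posted in the thread; the first line is the
# standard .reg file header.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E}"=-

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E}"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29}"=-
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# A .reg line of the form "name"=- deletes that value from the enclosing key.
REG_DELETE_RE = re.compile(r'^"(' + CLSID_RE.pattern + r')"=-$')


def parse_hjt_line(line):
    """Return {'kind', 'name', 'clsid', 'path'} for one Pseudo HJT line, else None.

    Handles 'KIND: Name: {CLSID} - path', 'KIND: {CLSID} - path' and
    'KIND: [Name] command'. Lines without that shape (uStart Page, IE: menu
    items, ...) are skipped.
    """
    kind, sep, rest = line.partition(": ")
    if not sep or " " in kind:
        return None
    rest = rest.strip()
    if rest.startswith("["):  # uRun / mRun style: [Name] command line
        name, _, path = rest[1:].partition("] ")
        return {"kind": kind, "name": name, "clsid": None, "path": path.strip()}
    m = CLSID_RE.search(rest)
    if not m:
        return None
    name = rest[: m.start()].rstrip(" :-").strip()
    path = rest[m.end():].lstrip(" -").strip()
    return {"kind": kind, "name": name or None, "clsid": m.group(0).upper(), "path": path}


def parse_hjt(text):
    """All parseable entries of a Pseudo HJT report, in log order."""
    return [e for e in map(parse_hjt_line, text.splitlines()) if e]


def clsids_removed_by_reg(reg_text):
    """Upper-cased CLSIDs whose values the .reg file deletes."""
    found = set()
    for line in reg_text.splitlines():
        m = REG_DELETE_RE.match(line.strip())
        if m:
            found.add(m.group(1).upper())
    return found


def still_referenced(hjt_text, reg_text):
    """Sorted CLSIDs the fix should have removed that the log still lists."""
    targets = clsids_removed_by_reg(reg_text)
    return sorted({e["clsid"] for e in parse_hjt(hjt_text) if e["clsid"] in targets})


if __name__ == "__main__":
    for entry in parse_hjt(SAMPLE_HJT):
        print(entry)
    print("after fix, still present:", still_referenced(SAMPLE_HJT, SAMPLE_REG))
    print("before fix, present:", still_referenced(SAMPLE_BEFORE, SAMPLE_REG))
```

CLSIDs are compared case-insensitively because DDS prints them in lower case while .reg files and CLSID keys usually use upper case; an empty result from `still_referenced` on the post-fix log is the confirmation the helper is looking for.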

#13 note_eater

note_eater
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:33 AM

Posted 06 July 2009 - 12:55 PM

What is Keyhook? I noticed it on there and when I google it, it shows it's a keylogger. Should I remove it?

#14 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:33 AM

Posted 07 July 2009 - 08:20 AM

Hi note_eater-

Good news...your log looks clean. Glad to hear your computer is running better.

Keyhook.exe is a legit process. It *is* a keylogger...in the sense that it needs to know when you press a hotkey. It's often found on Acer computers, but may be on others.
http://www.bleepingcomputer.com/startups/k...k.exe-4943.html

Now, we need to clean up our mess, and also wipe the system restore so that the virus can't accidentally be restored.

You can delete the GMER file you downloaded, the batch file (.bat) and the registry file (.reg) that you created and saved. You can also delete the DDS file you saved.

Next, double click the OTM icon on your desktop. Push the CleanUp! button. This will delete the moved malware we quarantined and delete some of OTM.

Next, we need to purge your system restore so you don't restore the viruses. We'll create a new one so you have a backup in case something goes wrong.

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

We'll leave this thread open for a few days in case you have any issues.


Please take the time to read below to keep your system clean.

It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Use an AntiVirus Software

It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources


Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Use a Firewall

I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15 day trial period.

Other recommended, and free, AntiSpyware programs are Spybot - Search and Destroy and Ad-Aware Personal.

Installing these programs will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would with antivirus software.

Tutorials on using these programs can be found below:

Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

Update all these programs regularly

Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Good luck!


 


#15 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:04:33 AM

Posted 11 July 2009 - 09:03 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :thumbup2:

If you're the topic starter and need this topic reopened, please contact me via PM with the address of the thread.

Everyone else please begin a New Topic.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.



