Spybot, Malware & other programs won't start


This topic is locked
4 replies to this topic

#1 anabat1

Posted 16 July 2009 - 04:12 AM

Internet works in safe mode w/ networking but doesn't work in "normal" mode. A cmd box keeps appearing and a "Protection System" program is installing itself. Also porn desktop icons showed up, 3 of them.
I changed the names of Malwarebytes and Spybot and got them to work, but after restarting and going back to "normal" mode, Windows was still slow and Malwarebytes and Spybot don't work anymore after changing back to their original names. Tried it again in safe mode but it didn't work anymore even after the name change.

DDS (Ver_09-06-26.01) - NTFSx86 NETWORK
Run by Administrator at 4:02:33.35 on Thu 07/16/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1.#QNAN.141 [GMT -5:00]

AV: Protection System *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscsvc32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\net.exe
C:\WINDOWS\system32\net1.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=localhost:7171
uSearchAssistant =
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearchAssistant =
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Protection System] c:\program files\protection system\psystem.exe
uRunOnce: [SpybotDeletingD1283] cmd.exe /c del "c:\windows\system32\UACdnqqfoafucxngwwej.dll_old"
uRunOnce: [SpybotDeletingB3995] command.com /c del "c:\windows\system32\UACdnqqfoafucxngwwej.dll"
uRunOnce: [SpybotDeletingD124] cmd.exe /c del "c:\windows\system32\UACdnqqfoafucxngwwej.dll"
uRunOnce: [SpybotDeletingB1565] command.com /c del "c:\windows\system32\UACevpokyxufyqbpjwrk.dll"
uRunOnce: [SpybotDeletingD4425] cmd.exe /c del "c:\windows\system32\UACevpokyxufyqbpjwrk.dll"
uRunOnce: [SpybotDeletingB2854] command.com /c del "c:\windows\system32\uacinit.dll_old"
uRunOnce: [SpybotDeletingD4055] cmd.exe /c del "c:\windows\system32\uacinit.dll_old"
uRunOnce: [SpybotDeletingB6418] command.com /c del "c:\windows\system32\uacinit.dll"
uRunOnce: [SpybotDeletingD602] cmd.exe /c del "c:\windows\system32\uacinit.dll"
uRunOnce: [SpybotDeletingB1480] command.com /c del "c:\windows\system32\UACqskdprdvwelnyiqkf.dll_old"
uRunOnce: [SpybotDeletingD7583] cmd.exe /c del "c:\windows\system32\UACqskdprdvwelnyiqkf.dll_old"
uRunOnce: [SpybotDeletingB759] command.com /c del "c:\windows\system32\UACqskdprdvwelnyiqkf.dll"
uRunOnce: [SpybotDeletingD1840] cmd.exe /c del "c:\windows\system32\UACqskdprdvwelnyiqkf.dll"
uRunOnce: [SpybotDeletingB8266] command.com /c del "c:\windows\system32\UACrndpmalmnlgtpmkxa.dll_old"
uRunOnce: [SpybotDeletingD931] cmd.exe /c del "c:\windows\system32\UACrndpmalmnlgtpmkxa.dll_old"
uRunOnce: [SpybotDeletingB3764] command.com /c del "c:\windows\system32\UACrndpmalmnlgtpmkxa.dll"
uRunOnce: [SpybotDeletingD1379] cmd.exe /c del "c:\windows\system32\UACrndpmalmnlgtpmkxa.dll"
uRunOnce: [SpybotDeletingB1794] command.com /c del "c:\windows\system32\UACrrihetyeobqrtjkca.dll_old"
uRunOnce: [SpybotDeletingD9809] cmd.exe /c del "c:\windows\system32\UACrrihetyeobqrtjkca.dll_old"
uRunOnce: [SpybotDeletingB1233] command.com /c del "c:\windows\system32\UACrrihetyeobqrtjkca.dll"
uRunOnce: [SpybotDeletingD8234] cmd.exe /c del "c:\windows\system32\UACrrihetyeobqrtjkca.dll"
uRunOnce: [SpybotDeletingB9250] command.com /c del "c:\windows\system32\UACtowlhxnowpujrdeau.dll_old"
uRunOnce: [SpybotDeletingD2901] cmd.exe /c del "c:\windows\system32\UACtowlhxnowpujrdeau.dll_old"
uRunOnce: [SpybotDeletingB2000] command.com /c del "c:\windows\system32\UACtowlhxnowpujrdeau.dll"
uRunOnce: [SpybotDeletingD5943] cmd.exe /c del "c:\windows\system32\UACtowlhxnowpujrdeau.dll"
uRunOnce: [SpybotDeletingB652] command.com /c del "c:\windows\system32\UACwfctvkbpxtolxhoex.dat_old"
uRunOnce: [SpybotDeletingD9164] cmd.exe /c del "c:\windows\system32\UACwfctvkbpxtolxhoex.dat_old"
uRunOnce: [SpybotDeletingB5776] command.com /c del "c:\windows\system32\UACwfctvkbpxtolxhoex.dat"
uRunOnce: [SpybotDeletingD4783] cmd.exe /c del "c:\windows\system32\UACwfctvkbpxtolxhoex.dat"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRunServices: [winfw] wmisrv32.exe
mExplorerRun: [<NO NAME>] 1 (0x1)
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\xfire.lnk - c:\documents and settings\administrator\my documents\joshua's documents\music\xfire\xfire.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bttray.lnk - c:\program files\belkin\bluetooth software\BTTray.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Bluetooth ??? ???(&:thumbup2:... - c:\program files\belkin\bluetooth software\btsendto_ie_ctx.htm
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\belkin\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - {17A84966-F1E9-4645-AA9E-5E771EE1C859} - c:\progra~1\nuclea~1\videoget\plugins\VIDEOG~1.DLL
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\windows\system32\lsp.dll
DPF: {0A96E961-0499-4E9B-8B50-E2FC9BED2941} - hxxp://www.certpia.com/upfile/ocx/certpia.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {1A970B76-B976-4A93-9CCE-E67D13C77645} - hxxp://box.inhard.com/IHLauncher/cab/1,0,1,4/IHLauncher.cab
DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} - hxxp://www.crezio.com/test/leeyunho/AlwaysOn/AlwaysOn.CAB
DPF: {2086592C-34CB-46BC-A042-715910AFBE81} - hxxp://img.ebs.co.kr/ActiveX/Session/EBSSessionCheck.CAB
DPF: {20BBA18F-5BC8-47B5-8FC9-5DFCA8E56A4B} - hxxps://mpi.dacom.net/XMPI/js/XacsPop.cab
DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {48ECCD73-123C-4C25-A64C-76E8E8A30CAF} - hxxp://mpi.dacom.net/XPayMPI/Xecure_LiveUpdate_XPayMPIOCX.cab
DPF: {49EA1597-4149-42FC-A01D-A03E07980D37} - hxxp://ebook.ebs.co.kr/wiseinstaller/WiseInstaller.dll
DPF: {518419D1-F74F-48E5-9D98-599EC0DAFBEA} - hxxps://kspay.ksnet.to/ksmpi/KSNetMPI.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {7114AB1F-A8FE-4EB8-8AEB-0D0C47E866AD} - hxxp://mpi.dacom.net/XMPI/js/XacsPlugin.cab
DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} - hxxps://vbv.lgcard.com/XecureObject/xw_install.cab
DPF: {8433215B-425D-44F8-9479-322A8E780EA6} - hxxp://www.vaccine7.com/pc/v7act.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} - hxxp://cafeimg.hanmail.net/activex/dmcc2.cab?Version=1,0,0,10
DPF: {999A4982-61C2-4BF8-8094-30CEF9A6BAB9} - hxxp://www.bomul.com/include/InnoFD.cab
DPF: {99C709C7-4F58-46C1-855B-90213C760395} - hxxps://secure.kcp.co.kr/webpay/v3d/file/kcp_ansimclick.cab
DPF: {9AEBAA67-8B4D-4884-9EB7-8C6BEA20CE5C} - hxxp://club.nate.com/NetEditor.cab
DPF: {9B72B706-C578-4B7A-9C05-2324C95970A4} - hxxps://kspay.ksnet.to/newmpi/KSNetMPI.cab
DPF: {A1832535-5218-42F9-8959-19E2BCABFABF} - hxxps://plugin.inicis.com/wallet50/INIwallet50.cab
DPF: {A2134278-B404-4B78-B751-8FB923B31935} - hxxp://contents.booktopia.com/video/wisebook/experience/ibook/WiseLoader.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {B45E969D-924F-4C83-ACF3-38CDD115AA2C} - hxxps://kspay.ksnet.to/newmpi/KSNetMPI.cab
DPF: {B9B38E70-EEF6-4E3A-AE84-DDE59A053B7C} - hxxp://cafeimg.hanmail.net/cto/xman.cab?ver=1,2,3,2
DPF: {C1143E84-B2B1-473B-9F20-E62DD754FCAF} - hxxps://vbv.lgcard.com/infovine/VineTransfer.cab
DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.0/installer.exe
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CB5C683C-416A-4701-B018-0F1B21D64D6B} - hxxp://cyimg7.cyworld.com/cymusic/package/skcinst.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - hxxps://vbv.lgcard.com/popup/npkcx_lg.cab
DPF: {E1AC9563-A1E3-45B8-A5CE-5C19E34EC6AC} - hxxp://www.arirangtv.com/AlwaysTop.cab
DPF: {E1CDC08F-F464-4682-AE6A-7689451387C0} - hxxp://cafeimg.hanmail.net/activex/dmcm.cab?Version=1,0,0,22
DPF: {E3FA6DAA-04BF-4AEF-9612-341B2B7A25FC} - hxxps://pay.kcp.co.kr/plugin/file/payplus.cab
DPF: {E5A02FD2-A8EF-4E5B-80C1-CB386F95E049} - hxxps://pg.banktown.com/wallet/plugin/BtPmntClient.cab
DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} - hxxps://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab
DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.2.1.cab
DPF: {FFD77E35-1C34-4EAC-B5A7-414CC5D007DA} - hxxps://www.isaackorea.net/update/ansim/ilkactx.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SEH: ShellHook Class: {88485281-8b4b-4f8d-9ede-82e29a064277} - c:\progra~1\markany\conten~1\MACSMA~1.DLL

============= SERVICES / DRIVERS ===============

S0 winrx38;winrx38;c:\windows\system32\drivers\winrx38.sys --> c:\windows\system32\drivers\Winrx38.sys [?]
S1 854a763f;854a763f;c:\windows\system32\drivers\854a763f.sys --> c:\windows\system32\drivers\854a763f.sys [?]
S1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
S1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
S2 ANSYS FLEXlm license manager;ANSYS FLEXlm license manager;c:\program files\ansys inc\shared files\licensing\intel\lmgrd.exe [2007-3-29 659456]
S2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]
S2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]
S2 qroejw;qroejw;c:\windows\system32\drivers\fyhyfi.sys --> c:\windows\system32\drivers\fyhyfi.sys [?]
S2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]
S2 zvlctfstfpgqo;zvlctfstfpgqo;c:\windows\system32\drivers\owdruuphpahxnp.sys [2009-7-15 71808]
S3 eraserutildrvi7;EraserUtilDrvI7;\??\c:\program files\common files\symantec shared\eengine\eraserutildrvi7.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrvI7.sys [?]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-27 101936]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090710.003\naveng.sys [2009-7-10 89104]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090710.003\navex15.sys [2009-7-10 876144]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]
S3 XDva143;XDva143;\??\c:\windows\system32\xdva143.sys --> c:\windows\system32\XDva143.sys [?]

=============== Created Last 30 ================

2009-07-16 03:59 31,232 a------- c:\windows\system32\wingenocx.dll
2009-07-16 03:59 <DIR> --d----- c:\program files\Protection System
2009-07-16 03:30 213,024 a------- c:\windows\system32\drivers\str.sys
2009-07-15 23:53 552 a------- c:\windows\system32\d3d8caps.dat
2009-07-15 21:58 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-15 21:58 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-15 18:15 <DIR> --d----- c:\documents and settings\administrator\DoctorWeb
2009-07-15 18:06 <DIR> --d----- C:\Rooter$
2009-07-15 10:48 <DIR> --d----- c:\program files\WordSmart Vocabulary
2009-07-15 10:39 761,344 a------- c:\windows\system32\wscsvc32.exe
2009-07-15 10:39 257,536 a------- c:\windows\system32\resdll.dll
2009-07-15 10:39 71,808 a------- c:\windows\system32\drivers\owdruuphpahxnp.sys
2009-07-02 13:55 41,808 a------- c:\windows\system32\xfcodec.dll

==================== Find3M ====================

2009-06-11 19:00 183,296 a------- c:\windows\system32\lsp.dll
2009-05-13 00:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 10:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-17 07:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 19:07 6 a------- c:\docume~1\admini~1\applic~1\mmrpzlic.dat
2009-03-07 14:47 4,210 a------- c:\documents and settings\administrator\loocalhost.exe
2009-03-07 14:20 4,210 a------- c:\documents and settings\administrator\svvvc32.exe
2009-03-06 21:43 34 a------- c:\documents and settings\administrator\jagex_runescape_preferences.dat

============= FINISH: 4:04:26.01 ===============


Edited by anabat1, 16 July 2009 - 04:16 AM.
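A triage pass over the DDS log above, as an added example that is not part of this thread or of the DDS tool: it parses the proxy, service/driver, RunServices and Spybot RunOnce line formats and flags the entries an analyst would read first. The heuristics (a proxy pointing at the local machine, a service file DDS could not verify, shown as "[?]", a consonant-heavy driver name under system32\drivers, a path-less RunServices value, and a cleaner's pending deletion) are this example's own assumptions, not rules the thread states.

```python
import re
from dataclasses import dataclass

# Sample input: lines copied from the DDS log posted in the thread.
SAMPLE_DDS = r"""
uInternet Settings,ProxyServer = http=localhost:7171
uRun: [Protection System] c:\program files\protection system\psystem.exe
uRunOnce: [SpybotDeletingD1283] cmd.exe /c del "c:\windows\system32\UACdnqqfoafucxngwwej.dll_old"
uRunOnce: [SpybotDeletingB6418] command.com /c del "c:\windows\system32\uacinit.dll"
mRunServices: [winfw] wmisrv32.exe
S0 winrx38;winrx38;c:\windows\system32\drivers\winrx38.sys --> c:\windows\system32\drivers\Winrx38.sys [?]
S1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
S2 qroejw;qroejw;c:\windows\system32\drivers\fyhyfi.sys --> c:\windows\system32\drivers\fyhyfi.sys [?]
S2 zvlctfstfpgqo;zvlctfstfpgqo;c:\windows\system32\drivers\owdruuphpahxnp.sys [2009-7-15 71808]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]
"""


@dataclass
class Finding:
    kind: str   # heuristic that fired (category tag)
    item: str   # the entry it fired on
    line: str   # the original log line, for the report


# Line formats as they appear in a DDS "Pseudo HJT Report" / services section.
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(.+)$")
SERVICE_RE = re.compile(r"^([RS][0-4])\s+([^;]+);([^;]*);(.*)$")
RUNSERVICES_RE = re.compile(r"^m?RunServices:\s*\[([^\]]*)\]\s*(.+)$")
RUNONCE_DEL_RE = re.compile(
    r'^[um]RunOnce:\s*\[Spybot\w+\]\s+\S+\s+/c\s+del\s+"([^"]+)"')
LOCAL_HOSTS = ("localhost", "127.0.0.1")


def looks_random(name: str) -> bool:
    """Heuristic (assumption): all-lowercase name with a run of 4+ non-vowels."""
    return (re.fullmatch(r"[a-z]{6,}", name) is not None
            and re.search(r"[^aeiou]{4,}", name) is not None)


def triage(log_text: str) -> list[Finding]:
    """Apply the heuristics line by line; unrecognised lines are ignored."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROXY_RE.match(line)
        if m:
            target = m.group(1).strip()              # e.g. http=localhost:7171
            host = target.split("=")[-1].split(":")[0].lower()
            if host in LOCAL_HOSTS:
                findings.append(Finding("local-proxy", target, line))
            continue
        m = SERVICE_RE.match(line)
        if m:
            name, detail = m.group(2), m.group(4)
            if detail.rstrip().endswith("[?]"):      # DDS could not verify the file
                findings.append(Finding("unverified-service-file", name, line))
            if looks_random(name) and "\\drivers\\" in detail.lower():
                findings.append(Finding("random-driver-name", name, line))
            continue
        m = RUNSERVICES_RE.match(line)
        if m:
            value = m.group(2).strip()
            if "\\" not in value:                    # bare file name, no directory
                findings.append(Finding("runservices-bare-name", value, line))
            continue
        m = RUNONCE_DEL_RE.match(line)
        if m:
            target_file = m.group(1).rsplit("\\", 1)[-1]
            findings.append(Finding("cleaner-delete-pending", target_file, line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, list[str]]:
    """Group findings by kind -> sorted list of items, for a quick report."""
    report: dict[str, list[str]] = {}
    for f in findings:
        report.setdefault(f.kind, []).append(f.item)
    return {kind: sorted(items) for kind, items in report.items()}


if __name__ == "__main__":
    for kind, items in summarize(triage(SAMPLE_DDS)).items():
        print(f"{kind}: {', '.join(items)}")
```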



#2 JSntgRvr (Master Surgeon General, Malware Response Team)

Posted 16 July 2009 - 07:20 AM

Hi, anabat1

Welcome.

Please read and follow all these instructions very carefully.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

    Posted Image

    Posted Image

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt".
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.

No request for help through private messaging will be attended to.



#3 anabat1 (Topic Starter)

Posted 16 July 2009 - 09:15 AM

ComboFix 09-07-14.08 - Administrator 07/16/2009 8:32.1.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.314 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ALLUSE~1\APPLIC~1\93887806.ini
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\SKBGM.cfg
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\SKBGM0.che
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\SKBGM1.che
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\SKBGM2.che
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\SKBGM3.che
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\SKBGM4.che
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\SKBGM5.che
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\SKBGM6.che
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\SKBGM7.che
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\SKBGM8.che
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\SKBGM9.che
C:\System
c:\system\INSTALL.LOG
c:\windows\Installer\5c6e6.msp
c:\windows\system32\BtWizar.dll
c:\windows\system32\drivers\owdruuphpahxnp.sys
c:\windows\system32\drivers\str.sys
c:\windows\system32\drivers\UACnyreettappjtagvxt.sys
c:\windows\system32\lsp.dll
c:\windows\system32\muzapp.exe
c:\windows\system32\resdll.dll
c:\windows\system32\UACbxsrxhismsjimxbqb.db
c:\windows\system32\UACdnqqfoafucxngwwej.dll
c:\windows\system32\UACevpokyxufyqbpjwrk.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACqskdprdvwelnyiqkf.dll
c:\windows\system32\UACrndpmalmnlgtpmkxa.dll
c:\windows\system32\UACrrihetyeobqrtjkca.dll
c:\windows\system32\UACtowlhxnowpujrdeau.dll
c:\windows\system32\UACwfctvkbpxtolxhoex.dat
c:\windows\system32\wscsvc32.exe
c:\windows\wiaserviv.log
C:\xcrashdump.dat
E:\autorun.inf

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\system volume information\_restore{686A53BB-F75D-46C6-A508-CEC0EC8230F7}\RP695\A0110758.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ZVLCTFSTFPGQO
-------\Service_UACd.sys
-------\Service_zvlctfstfpgqo


((((((((((((((((((((((((( Files Created from 2009-06-16 to 2009-07-16 )))))))))))))))))))))))))))))))
.

2009-07-16 13:47 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-16 08:59 . 2009-07-16 09:21 31232 ----a-w- c:\windows\system32\wingenocx.dll
2009-07-16 04:53 . 2009-07-16 04:53 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-07-16 04:53 . 2009-07-16 04:53 552 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\d3d8caps.dat
2009-07-16 02:58 . 2009-07-13 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-16 02:58 . 2009-07-13 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-15 23:15 . 2009-07-15 23:15 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb
2009-07-15 23:06 . 2009-07-15 23:07 -------- d-----w- C:\Rooter$
2009-07-15 15:48 . 2009-07-15 15:48 -------- d-----w- c:\program files\WordSmart Vocabulary
2009-07-04 03:45 . 2009-07-04 03:45 -------- d-----w- c:\documents and settings\NetworkService\Application Data\GRETECH
2009-07-03 03:49 . 2009-07-03 03:49 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp
2009-07-02 18:55 . 2009-07-02 18:55 41808 ----a-w- c:\windows\system32\xfcodec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-16 13:51 . 2009-03-07 02:13 -------- d-----w- c:\program files\DNA
2009-07-16 13:51 . 2009-03-07 02:13 -------- d-----w- c:\docume~1\ADMINI~1\APPLIC~1\DNA
2009-07-16 08:55 . 2009-01-26 21:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-16 08:52 . 2009-01-27 00:47 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-16 08:38 . 2007-03-25 03:44 -------- d-----w- c:\program files\Symantec AntiVirus
2009-07-15 22:28 . 2007-10-03 04:20 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\FLEXnet
2009-07-15 16:19 . 2009-05-15 02:54 -------- d-----w- c:\docume~1\ADMINI~1\APPLIC~1\uTorrent
2009-07-12 23:17 . 2008-01-08 01:53 -------- d-----w- c:\program files\Starcraft
2009-07-08 15:57 . 2008-03-08 20:14 -------- d---a-w- c:\docume~1\ALLUSE~1\APPLIC~1\TEMP
2009-07-06 22:14 . 2008-06-11 02:23 -------- d-----w- c:\docume~1\ADMINI~1\APPLIC~1\Xfire
2009-07-02 04:10 . 2008-12-03 03:22 -------- d-----w- c:\docume~1\ADMINI~1\APPLIC~1\U3
2009-06-03 03:05 . 2007-10-04 04:07 92848 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-02 04:11 . 2009-06-02 04:11 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-06-01 02:36 . 2009-06-01 02:36 -------- d-----w- c:\program files\Microsoft Silverlight
2009-05-29 04:40 . 2008-01-06 22:32 -------- d-----w- c:\docume~1\ADMINI~1\APPLIC~1\Canon
2009-05-18 22:01 . 2008-04-25 21:19 -------- d-----w- c:\program files\Google
2009-05-18 20:10 . 2008-12-07 23:19 -------- d-----w- c:\program files\Coupons
2009-05-17 22:02 . 2009-05-17 22:02 -------- d-----w- c:\program files\Enigma Software Group
2009-05-13 05:15 . 2004-08-04 05:56 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2004-08-04 05:56 345600 ----a-w- c:\windows\system32\localspl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-15 133104]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-03-07 342848]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-03-18 4363504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Xfire.lnk - c:\documents and settings\Administrator\My Documents\Joshua's Documents\Music\Xfire\xfire.exe [2009-7-2 3190096]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
BTTray.lnk - c:\program files\Belkin\Bluetooth Software\BTTray.exe [2006-6-7 553021]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\winrx38.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Documents and Settings\\Administrator\\My Documents\\Joshua's Documents\\Music\\Xfire\\xfire.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\SPBBC\\SPBBCSvc.exe"=

R2 ANSYS FLEXlm license manager;ANSYS FLEXlm license manager;c:\program files\Ansys Inc\Shared Files\Licensing\intel\lmgrd.exe [3/29/2007 10:56 PM 659456]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/27/2009 9:02 PM 101936]
S0 winrx38;winrx38;c:\windows\system32\Drivers\Winrx38.sys --> c:\windows\system32\Drivers\Winrx38.sys [?]
S1 854a763f;854a763f;c:\windows\system32\drivers\854a763f.sys --> c:\windows\system32\drivers\854a763f.sys [?]
S2 qroejw;qroejw;c:\windows\system32\drivers\fyhyfi.sys --> c:\windows\system32\drivers\fyhyfi.sys [?]
S3 eraserutildrvi7;EraserUtilDrvI7;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI7.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI7.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 11:33 PM 116464]
S3 XDva143;XDva143;\??\c:\windows\system32\XDva143.sys --> c:\windows\system32\XDva143.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Debug - (no file)
Toolbar-SITEguard - (no file)
HKCU-Run-Protection System - c:\program files\Protection System\psystem.exe
SafeBoot-winvc84.sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=localhost:7171
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Bluetooth ??? ???(&:thumbup2:... - c:\program files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {0A96E961-0499-4E9B-8B50-E2FC9BED2941} - hxxp://www.certpia.com/upfile/ocx/certpia.cab
DPF: {1A970B76-B976-4A93-9CCE-E67D13C77645} - hxxp://box.inhard.com/IHLauncher/cab/1,0,1,4/IHLauncher.cab
DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} - hxxp://www.crezio.com/test/leeyunho/AlwaysOn/AlwaysOn.CAB
DPF: {2086592C-34CB-46BC-A042-715910AFBE81} - hxxp://img.ebs.co.kr/ActiveX/Session/EBSSessionCheck.CAB
DPF: {20BBA18F-5BC8-47B5-8FC9-5DFCA8E56A4B} - hxxps://mpi.dacom.net/XMPI/js/XacsPop.cab
DPF: {48ECCD73-123C-4C25-A64C-76E8E8A30CAF} - hxxp://mpi.dacom.net/XPayMPI/Xecure_LiveUpdate_XPayMPIOCX.cab
DPF: {49EA1597-4149-42FC-A01D-A03E07980D37} - hxxp://ebook.ebs.co.kr/wiseinstaller/WiseInstaller.dll
DPF: {518419D1-F74F-48E5-9D98-599EC0DAFBEA} - hxxps://kspay.ksnet.to/ksmpi/KSNetMPI.cab
DPF: {7114AB1F-A8FE-4EB8-8AEB-0D0C47E866AD} - hxxp://mpi.dacom.net/XMPI/js/XacsPlugin.cab
DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} - hxxps://vbv.lgcard.com/XecureObject/xw_install.cab
DPF: {8433215B-425D-44F8-9479-322A8E780EA6} - hxxp://www.vaccine7.com/pc/v7act.cab
DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} - hxxp://cafeimg.hanmail.net/activex/dmcc2.cab?Version=1,0,0,10
DPF: {999A4982-61C2-4BF8-8094-30CEF9A6BAB9} - hxxp://www.bomul.com/include/InnoFD.cab
DPF: {99C709C7-4F58-46C1-855B-90213C760395} - hxxps://secure.kcp.co.kr/webpay/v3d/file/kcp_ansimclick.cab
DPF: {9AEBAA67-8B4D-4884-9EB7-8C6BEA20CE5C} - hxxp://club.nate.com/NetEditor.cab
DPF: {9B72B706-C578-4B7A-9C05-2324C95970A4} - hxxps://kspay.ksnet.to/newmpi/KSNetMPI.cab
DPF: {A1832535-5218-42F9-8959-19E2BCABFABF} - hxxps://plugin.inicis.com/wallet50/INIwallet50.cab
DPF: {A2134278-B404-4B78-B751-8FB923B31935} - hxxp://contents.booktopia.com/video/wisebook/experience/ibook/WiseLoader.cab
DPF: {B45E969D-924F-4C83-ACF3-38CDD115AA2C} - hxxps://kspay.ksnet.to/newmpi/KSNetMPI.cab
DPF: {B9B38E70-EEF6-4E3A-AE84-DDE59A053B7C} - hxxp://cafeimg.hanmail.net/cto/xman.cab?ver=1,2,3,2
DPF: {C1143E84-B2B1-473B-9F20-E62DD754FCAF} - hxxps://vbv.lgcard.com/infovine/VineTransfer.cab
DPF: {CB5C683C-416A-4701-B018-0F1B21D64D6B} - hxxp://cyimg7.cyworld.com/cymusic/package/skcinst.cab
DPF: {E1AC9563-A1E3-45B8-A5CE-5C19E34EC6AC} - hxxp://www.arirangtv.com/AlwaysTop.cab
DPF: {E1CDC08F-F464-4682-AE6A-7689451387C0} - hxxp://cafeimg.hanmail.net/activex/dmcm.cab?Version=1,0,0,22
DPF: {E3FA6DAA-04BF-4AEF-9612-341B2B7A25FC} - hxxps://pay.kcp.co.kr/plugin/file/payplus.cab
DPF: {E5A02FD2-A8EF-4E5B-80C1-CB386F95E049} - hxxps://pg.banktown.com/wallet/plugin/BtPmntClient.cab
DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} - hxxps://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-16 08:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\controlset002\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-343818398-1035525444-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e9,89,c3,19,9c,6a,3b,4f,8f,94,08,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,59,da,8d,a7,4b,7a,78,4c,a4,de,da,\

[HKEY_LOCAL_MACHINE\software\Classes\.xaml\bootstrap]
@DACL=(02 0000)
@="bootstrap.xaml.1"

[HKEY_LOCAL_MACHINE\software\Classes\.xbap\bootstrap]
@DACL=(02 0000)
@="bootstrap.xbap.1"

[HKEY_LOCAL_MACHINE\software\Classes\.xps\bootstrap]
@DACL=(02 0000)
@="bootstrap.xps.1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1576)
c:\windows\system32\WININET.dll
c:\windows\system32\Audiodev.dll
c:\windows\system32\WMVCore.DLL
c:\windows\system32\WMASF.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Ansys Inc\Shared Files\Licensing\intel\ansyslmd.exe
c:\program files\Belkin\Bluetooth Software\bin\btwdins.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\npkcmsvc.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\windows\SoftwareDistribution\Download\a8f719597d97278e8d5205d44676da41\update\update.exe
.
**************************************************************************
.
Completion time: 2009-07-16 9:10 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-16 14:10

Pre-Run: 50,566,606,848 bytes free
Post-Run: 55,610,580,992 bytes free

Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
253 --- E O F --- 2009-06-10 19:07

I can run Malwarebytes and Spybot now but the porn icons are still there.

Edited by anabat1, 16 July 2009 - 09:18 AM.


#4 JSntgRvr, Master Surgeon General (Malware Response Team, Puerto Rico)

Posted 16 July 2009 - 01:31 PM

Hi, anabat1 :thumbup2:
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file CFScript.txt
  • Change the Save as Type to All Files
  • Save it on the desktop

http://www.bleepingcomputer.com/forums/top...ml#entry1343326

Collect::[4]
c:\windows\system32\wingenocx.dll
c:\windows\system32\Drivers\Winrx38.sys
c:\windows\system32\drivers\854a763f.sys
c:\windows\system32\drivers\fyhyfi.sys
c:\windows\system32\XDva143.sys

Driver::
winrx38
854a763f
qroejw
XDva143


Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a Hijackthis log.


===============================================================


Additionally, when CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#5 JSntgRvr, Master Surgeon General (Malware Response Team, Puerto Rico)

Posted 07 August 2009 - 07:25 PM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.


