HELP with Google redirecting to ad sites!! Hidden Trojan???


19 replies to this topic

#1 LadyNakedneSS

LadyNakedneSS

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:CT
  • Local time:09:55 PM

Posted 20 August 2009 - 02:35 PM

Hi There,

I am really hoping you can help. I have been fighting this machine all week and neither myself nor my employees can do any work until this is fixed. :)

I started having an issue with popups and adware on Tuesday night. I tried to do a system restore, but there were no restore points, even though it is on. It will not allow me to manually create a restore point either. I ended up using the Google Pack, which included both Spyware Doctor and Norton Security Scan. I used both programs and removed several threats. Upon completion of one of the scans, I suddenly also had AV Care running. I was able to run the scans again and remove the threat, but was still having the redirect issue. After a ridiculous amount of searching for fixes, I ended up also getting and running MalwareBytes, Windows Malicious Software Removal Tool and Panda Internet Security. Needless to say, after several scans and fixes, the redirect issue is still there.

FYI - I found a file in my system32 folder that was created around the same time my issues started. The file name is uacmal.db. I know that one of the scans cleaned a UAC virus. I moved the db to my desktop, but nothing has changed. The only other file in that folder that was modified on the 18th is d3dpcaps.dat.

I keep running Spyware Doctor, MalwareBytes and Panda scans almost constantly. Most of the time they are coming up clean, but every couple of scans one or the other might find something again...usually Spyware Doctor. Always the redirect is still there. PLEASE HELP ME!!

I have downloaded and run both DDS and RootRepeal per the instructions. (Please note I got an image error message when starting RootRepeal, but scanned anyway.) I have attached the DDS.txt, ark.txt and Attach.txt files to this email.

Here is the DDS.txt:


DDS (Ver_09-07-30.01) - NTFSx86
Run by Mary at 14:05:08.14 on Thu 08/20/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_06
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.3070.2280 [GMT -4:00]

AV: Panda Internet Security 2010 *On-access scanning disabled* (Updated) {4570FB70-5C9E-47E9-B16C-A3A6A06C4BF0}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Panda Security\Panda Internet Security 2010\TPSrv.exe
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost -k Panda
C:\Program Files\Panda Security\Panda Internet Security 2010\PsCtrls.exe
C:\Program Files\Panda Security\Panda Internet Security 2010\PavFnSvr.exe
C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Panda Security\Panda Internet Security 2010\PsImSvc.exe
C:\Program Files\Panda Security\Panda Internet Security 2010\PskSvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Panda Security\Panda Internet Security 2010\pavsrv51.exe
C:\Program Files\Panda Security\Panda Internet Security 2010\AVENGINE.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Xfire\xfire.exe
C:\Program Files\Panda Security\Panda Internet Security 2010\PavBckPT.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Panda Security\Panda Internet Security 2010\WebProxy.exe
C:\Documents and Settings\Mary\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [APVXDWIN] "c:\program files\panda security\panda internet security 2010\APVXDWIN.EXE" /s
mRun: [SCANINICIO] "c:\program files\panda security\panda internet security 2010\Inicio.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
StartupFolder: c:\docume~1\mary\startm~1\programs\startup\xfire.lnk - c:\program files\xfire\xfire.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
Trusted Zone: caldirectsecuredocs.com\www
Trusted Zone: com\pennwest-edocs
Trusted Zone: ditechsecuredocs.com\www
Trusted Zone: ditechsecuredocs.net\www
Trusted Zone: elynx.net\ctest
Trusted Zone: elynx.net\forms
Trusted Zone: elynx.net\gmacforms
Trusted Zone: elynx.net\pro
Trusted Zone: elynx.net\secure
Trusted Zone: elynx.net\usign
Trusted Zone: elynx.net\webpost
Trusted Zone: gmacmsecuredocs.com\www
Trusted Zone: gmacmsecuredocs.net\www
Trusted Zone: gmamcsecuredocs.com\www
Trusted Zone: irs.gov\sa1.www4
Trusted Zone: ss3.swiftsend.com\loandocs
Trusted Zone: swiftsend.com\docs
Trusted Zone: swiftsend.com\loandocs
Trusted Zone: swiftsend2.com\docs
Trusted Zone: swiftsend2.com\loandocs
Trusted Zone: swiftview.com\www
Trusted Zone: wamuloandocs.com\www
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file://c:\program files\book of legends\images\stg_drm.ocx
DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} - hxxp://games.bigfishgames.com/en_cooking-dash/online/CookingDashWeb.1.0.0.9.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1210131614703
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1210287179578
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {7DD62E58-5FA8-11D2-AFB7-00104B64F126} - hxxps://chf.isentry.com/svinstall/svinstall_green.exe
DPF: {7DD62E58-5FA8-11D2-AFB7-00104B64F127} - hxxps://secure.elynx.net/viewer/installers/svinstall_t_zhp_ss.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl.sun.com/webapps/download/AutoDL?BundleId=21871
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://aolsvc.aol.com/onlinegames/free-trial-delicious-winter-edition/zylomplayer.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file://c:\program files\book of legends\images\armhelper.ocx
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://customerseminars.webex.com/client/T26L/webex/ieatgpc.cab
DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - hxxp://plugin.driveragent.com/files/driveragent.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: avldr - avldr.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mary\applic~1\mozilla\firefox\profiles\qcz2ue7n.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\mozilla firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 pavboot;Panda boot driver;c:\windows\system32\drivers\pavboot.sys [2009-8-19 28544]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-8-18 130936]
R1 ShldDrv;Panda File Shield Driver;c:\windows\system32\drivers\ShlDrv51.sys [2009-8-19 41144]
R2 Gwmsrv;Panda Goodware Cache Manager;c:\windows\system32\svchost -k panda --> c:\windows\system32\svchost -k Panda [?]
R2 Panda Software Controller;Panda Software Controller;c:\program files\panda security\panda internet security 2010\PsCtrlS.exe [2009-8-19 173312]
R2 PAVDRV;pavdrv;c:\windows\system32\drivers\pavdrv51.sys [2009-8-19 84024]
R2 PAVFNSVR;Panda Function Service;c:\program files\panda security\panda internet security 2010\PavFnSvr.exe [2009-8-19 169216]
R2 PavProc;Panda Process Protection Driver;c:\windows\system32\drivers\PavProc.sys [2009-8-19 177416]
R2 PavPrSrv;Panda Process Protection Service;c:\program files\common files\panda security\pavshld\PavPrSrv.exe [2009-8-19 62768]
R2 PAVSRV;Panda On-Access Anti-Malware Service;c:\program files\panda security\panda internet security 2010\PAVSRV51.EXE [2009-8-19 290048]
R2 PskSvcRetail;Panda PSK service;c:\program files\panda security\panda internet security 2010\psksvc.exe [2009-8-19 28928]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-11-13 24652]
R3 AvFlt;Antivirus Filter Driver;c:\windows\system32\drivers\av5flt.sys --> c:\windows\system32\drivers\av5flt.sys [?]
R3 PavSRK.sys;PavSRK.sys;\??\c:\windows\system32\pavsrk.sys --> c:\windows\system32\PavSRK.sys [?]
R3 PavTPK.sys;PavTPK.sys;\??\c:\windows\system32\pavtpk.sys --> c:\windows\system32\PavTPK.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-8-18 348752]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-8-18 1095560]
S4 GEST Service;GEST Service for program management.;c:\program files\gigabyte\gest\GSvr.exe [2008-5-6 47624]
S4 iWinGamesInstaller;iWinGamesInstaller;c:\program files\iwin games\iwingamesinstaller.exe --> c:\program files\iwin games\iWinGamesInstaller.exe [?]
S4 iWinTrusted;iWinTrusted;c:\progra~1\iwinga~1\iWinTrusted.exe [2009-1-4 78104]
S4 QuickBooksDB18;QuickBooksDB18;c:\progra~1\intuit\quickb~1\qbdbmgrn.exe -hvquickbooksdb18 --> c:\progra~1\intuit\quickb~1\QBDBMgrN.exe -hvQuickBooksDB18 [?]

=============== Created Last 30 ================

2009-08-20 12:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SecTaskMan
2009-08-20 12:44 <DIR> --d----- c:\program files\Security Task Manager
2009-08-19 22:08 8,627 a------- c:\windows\system32\PAV_FOG.OPC
2009-08-19 22:00 262 a------- c:\windows\system32\PavCPL.dat
2009-08-19 22:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Backup
2009-08-19 21:59 54,832 a------- c:\windows\system32\pavcpl.cpl
2009-08-19 21:59 446,464 a------- c:\windows\system32\HHActiveX.dll
2009-08-19 21:59 193,792 a------- c:\windows\system32\TpUtil.dll
2009-08-19 21:59 518,400 a------- c:\windows\system32\PavSHook.dll
2009-08-19 21:59 107,568 a------- c:\windows\system32\SYSTOOLS.DLL
2009-08-19 21:59 87,296 a------- c:\windows\system32\PavLspHook.dll
2009-08-19 21:59 55,552 a------- c:\windows\system32\pavipc.dll
2009-08-19 21:59 84,024 a------- c:\windows\system32\drivers\pavdrv51.sys
2009-08-19 21:59 58,672 a------- c:\windows\system32\avldr.dll
2009-08-19 21:59 <DIR> --d----- c:\windows\system32\PAV
2009-08-19 21:59 <DIR> --d----- c:\program files\Panda Security
2009-08-19 21:59 <DIR> --d----- c:\docume~1\mary\applic~1\Panda Security
2009-08-19 21:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Panda Security
2009-08-19 21:54 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-08-19 21:53 177,416 a------- c:\windows\system32\drivers\PavProc.sys
2009-08-19 21:53 41,144 a------- c:\windows\system32\drivers\ShlDrv51.sys
2009-08-19 21:53 <DIR> --d----- c:\program files\common files\Panda Security
2009-08-19 15:38 <DIR> --d----- C:\f0121503a5ca104d1f
2009-08-19 15:37 <DIR> --d----- c:\windows\SxsCaPendDel
2009-08-19 15:02 <DIR> --d----- c:\program files\common files\Symantec Shared
2009-08-19 13:24 <DIR> --d----- c:\docume~1\mary\applic~1\Malwarebytes
2009-08-19 13:24 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-19 13:24 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-19 13:24 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-19 13:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-18 22:51 <DIR> --d----- c:\temp\google
2009-08-18 21:50 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-08-18 21:50 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-08-18 21:50 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-08-18 21:50 <DIR> --d----- c:\program files\common files\PC Tools
2009-08-18 21:50 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-08-18 21:50 <DIR> --d----- c:\program files\Spyware Doctor
2009-08-18 21:50 <DIR> --d----- c:\docume~1\mary\applic~1\PC Tools
2009-08-18 21:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-08-18 21:49 <DIR> --d----- c:\windows\system32\drivers\NSS
2009-08-18 21:49 <DIR> --d----- c:\program files\Norton Security Scan
2009-08-18 21:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2009-08-18 21:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-08-18 21:49 <DIR> --d----- c:\program files\NortonInstaller
2009-08-18 21:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-08-18 19:25 <DIR> --d----- c:\docume~1\mary\applic~1\Logs
2009-08-13 15:53 41,872 a------- c:\windows\system32\xfcodec.dll
2009-08-05 05:11 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll
2009-07-22 13:28 <DIR> --d----- c:\program files\common files\xing shared

==================== Find3M ====================

2009-08-05 05:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-29 14:39 34,744 ac------ c:\docume~1\mary\applic~1\GDIPFONTCACHEV1.DAT
2009-07-29 00:53 119,808 a------- c:\windows\system32\t2embed.dll
2009-07-29 00:53 82,432 a------- c:\windows\system32\fontsub.dll
2009-07-17 14:55 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\wmpdxm.dll
2009-07-08 02:29 203,776 a------- c:\windows\system32\clrviddc.dll
2009-06-26 12:18 659,456 a------- c:\windows\system32\wininet.dll
2009-06-26 12:18 81,920 -------- c:\windows\system32\ieencode.dll
2009-06-25 04:44 724,480 a------- c:\windows\system32\lsasrv.dll
2009-06-25 04:44 298,496 a------- c:\windows\system32\kerberos.dll
2009-06-25 04:44 168,448 a------- c:\windows\system32\schannel.dll
2009-06-25 04:44 133,632 a------- c:\windows\system32\msv1_0.dll
2009-06-25 04:44 59,392 a------- c:\windows\system32\wdigest.dll
2009-06-25 04:44 56,320 a------- c:\windows\system32\secur32.dll
2009-06-22 07:34 92,544 a------- c:\windows\system32\drivers\ksecdd.sys
2009-06-12 07:50 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 10:21 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 02:32 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-05 03:42 655,872 a------- c:\windows\system32\mstscax.dll
2009-06-03 15:27 1,290,752 a------- c:\windows\system32\quartz.dll
2009-06-03 11:07 61,224 a------- c:\documents and settings\mary\GoToAssistDownloadHelper.exe
2009-06-01 18:58 142,067 a------- c:\windows\hpwins05.dat
2009-04-29 23:13 22,328 a------- c:\docume~1\mary\applic~1\PnkBstrK.sys
2008-05-29 14:27 0 ac------ c:\program files\temp01
2002-08-29 08:00 94,784 -c-sh--- c:\windows\twain.dll
2004-08-04 03:56 50,688 -c-sh--- c:\windows\twain_32.dll
2004-08-04 03:56 1,028,096 ---sh--- c:\windows\system32\mfc42.dll
2004-08-04 03:56 54,784 ---sh--- c:\windows\system32\msvcirt.dll
2004-08-04 03:56 413,696 ---sh--- c:\windows\system32\msvcp60.dll
2004-08-04 03:56 343,040 ---sh--- c:\windows\system32\msvcrt.dll
2007-12-04 14:38 550,912 ---sh--- c:\windows\system32\oleaut32.dll
2004-08-04 03:56 83,456 ---sh--- c:\windows\system32\olepro32.dll
2004-08-04 03:56 11,776 ---sh--- c:\windows\system32\regsvr32.exe

============= FINISH: 14:06:02.92 ===============


Here is the RootRepeal ark.txt:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/20 14:14
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: av5flt.sys
Image Path: C:\WINDOWS\system32\drivers\av5flt.sys
Address: 0xB30B0000 Size: 98432 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB4B1E000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xB85DC000 Size: 8192 File Visible: No Signed: -
Status: -

Name: mchInjDrv.sys
Image Path: C:\WINDOWS\system32\Drivers\mchInjDrv.sys
Address: 0xB8760000 Size: 2560 File Visible: No Signed: -
Status: -

Name: PavSRK.sys
Image Path: C:\WINDOWS\system32\PavSRK.sys
Address: 0xB39FD000 Size: 12160 File Visible: No Signed: -
Status: -

Name: PavTPK.sys
Image Path: C:\WINDOWS\system32\PavTPK.sys
Address: 0xB474B000 Size: 57344 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB288F000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\Temp\kbiwkmpvtexmkxpb.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmajgydelq.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmgoadtqmb.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmjbmnjnwl.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmkrsvdxie.dll
Status: Invisible to the Windows API!

Path: C:\Program Files\AOL Games\Lucy's Expedition\LucysExpedition.exe:{E38214C2-5252-5D7A-E55C-A6BCA87811EB}
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\system32\drivers\kbiwkmocyxslvc.sys
Status: Invisible to the Windows API!

Path: c:\documents and settings\mary\cookies\index.dat
Status: Allocation size mismatch (API: 647168, Raw: 651264)

Path: C:\Documents and Settings\Mary\My Documents\Ancient Secrets\AncientSecrets.exe:{CD63D90F-835F-0935-F84A-F27755647586}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Mary\My Documents\Nancy Drew® - Dossier™ - Lights, Camera, Curses!\Curses.exe:{CE9870AB-08B6-53E2-1333-E8B95F378CD6}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Mary\My Documents\The Great Chocolate Chase™ - A Chocolatier® Twist\GreatChocolateChase.exe:{B60CBD95-1EE3-EA57-5B10-7795B751765D}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Mary\My Documents\Leeloo's Talent Agency\LeeloosTalentAgency.exe:{E409AE2F-BDBC-7C89-0778-3B9F7307060D}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Mary\My Documents\Detective Stories - Hollywood\ds-hollywood.exe:{D437A5F0-8277-4907-AD5D-D0D20A410EC7}
Status: Visible to the Windows API, but not on disk.

Path: c:\documents and settings\mary\local settings\history\history.ie5\index.dat
Status: Allocation size mismatch (API: 389120, Raw: 380928)

Path: C:\Documents and Settings\Mary\Local Settings\Temporary Internet Files\Content.IE5\I2VVTWM9\search[38]
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Mary\Local Settings\Temporary Internet Files\Content.IE5\ODWKYY0T\search[36]
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Mary\Local Settings\Temporary Internet Files\Content.IE5\UPW3YZO7\search[6].htm
Status: Visible to the Windows API, but not on disk.

Stealth Objects
-------------------
Object: Hidden Module [Name: kbiwkmkrsvdxie.dll]
Process: svchost.exe (PID: 1000) Address: 0x10000000 Size: 53248

Object: Hidden Module [Name: kbiwkmgoadtqmb.dll]
Process: Explorer.EXE (PID: 3228) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: kbiwkmgoadtqmb.dll]
Process: iexplore.exe (PID: 460) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: kbiwkmgoadtqmb.dll]
Process: iexplore.exe (PID: 3108) Address: 0x10000000 Size: 28672

Hidden Services
-------------------
Service Name: kbiwkmjsorxnjy
Image Path: C:\WINDOWS\system32\drivers\kbiwkmocyxslvc.sys

Shadow SSDT
-------------------
#: 343 Function Name: NtUserCreateWindowEx
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\PavProc.sys" at address 0xb39469f4

#: 355 Function Name: NtUserDestroyWindow
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\PavProc.sys" at address 0xb3946bba

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\PavProc.sys" at address 0xb3946bfa

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\PavProc.sys" at address 0xb3946d86

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\PavProc.sys" at address 0xb3946edc

==EOF==

Thank you so much in advance for your help. :thumbup2:

Edited by LadyNakedneSS, 20 August 2009 - 09:58 PM.
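The RootRepeal ark.txt above is the most telling of the three logs: several entries under Hidden/Locked Files, Stealth Objects and Hidden Services share the same random-looking filename prefix. The script below is an added example, not code from the original post or from RootRepeal's author: it parses an ark.txt in RootRepeal's "Key: value" layout, keeps only objects the Windows API cannot see, and clusters files, injected modules and hidden services by shared filename prefix so a helper can see at a glance which pieces belong together. The log excerpt is constructed from entries quoted in the post; the 4-character minimum for a shared prefix is an assumed heuristic, not a RootRepeal rule.

```python
"""Triage a RootRepeal ark.txt: cluster hidden files, injected modules and hidden
services that share a filename prefix (added example, not RootRepeal's own code)."""
import os
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed excerpt in RootRepeal's ark.txt layout; entries copied from the quoted log.
SAMPLE_ARK = r"""
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/08/20 14:14
==================================================

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\Temp\kbiwkmpvtexmkxpb.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmgoadtqmb.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmkrsvdxie.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\kbiwkmocyxslvc.sys
Status: Invisible to the Windows API!

Path: C:\Program Files\AOL Games\Lucy's Expedition\LucysExpedition.exe:{E38214C2-5252-5D7A-E55C-A6BCA87811EB}
Status: Visible to the Windows API, but not on disk.

Path: c:\documents and settings\mary\cookies\index.dat
Status: Allocation size mismatch (API: 647168, Raw: 651264)

Stealth Objects
-------------------
Object: Hidden Module [Name: kbiwkmkrsvdxie.dll]
Process: svchost.exe (PID: 1000) Address: 0x10000000 Size: 53248

Object: Hidden Module [Name: kbiwkmgoadtqmb.dll]
Process: Explorer.EXE (PID: 3228) Address: 0x10000000 Size: 28672

Hidden Services
-------------------
Service Name: kbiwkmjsorxnjy
Image Path: C:\WINDOWS\system32\drivers\kbiwkmocyxslvc.sys

==EOF==
"""

# A section is a title line followed by a line of dashes.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z/ ]+)\n-{5,}$", re.M)


def split_sections(text):
    """Map each section title to the text that follows its dashed underline."""
    found = list(SECTION_RE.finditer(text))
    return {
        m.group("name").strip(): text[m.end():(found[i + 1].start() if i + 1 < len(found) else len(text))]
        for i, m in enumerate(found)
    }


def records(body):
    """Yield one dict of 'Key: value' pairs per blank-line-separated entry."""
    for block in re.split(r"\n\s*\n", body.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, val = line.partition(": ")
            if sep:
                rec[key.strip()] = val.strip()
        if rec:
            yield rec


def basename(path):
    return PureWindowsPath(path).name.lower()


def cluster_key(name, names, min_len=4):
    """Longest prefix `name` shares with another name in `names`; the name itself
    when no other name shares at least `min_len` characters (assumed threshold)."""
    best = max((os.path.commonprefix([name, o]) for o in names if o != name), key=len, default="")
    return best if len(best) >= min_len else name


def triage(text):
    """Return {prefix: {"files": [...], "modules": [...], "services": [...]}} for
    objects hidden from the Windows API, grouped by shared filename prefix."""
    secs = split_sections(text)
    hidden = [r["Path"] for r in records(secs.get("Hidden/Locked Files", ""))
              if r.get("Status", "").startswith("Invisible to the Windows API")]
    modules = [(re.search(r"\[Name: (.+?)\]", r["Object"]).group(1), r["Process"].split(" (PID")[0])
               for r in records(secs.get("Stealth Objects", "")) if "Hidden Module" in r.get("Object", "")]
    services = [(r["Service Name"], r["Image Path"]) for r in records(secs.get("Hidden Services", ""))]

    names = {basename(p) for p in hidden} | {basename(m) for m, _ in modules} | {basename(i) for _, i in services}
    clusters = defaultdict(lambda: {"files": [], "modules": [], "services": []})
    for p in hidden:
        clusters[cluster_key(basename(p), names)]["files"].append(p)
    for m, proc in modules:
        clusters[cluster_key(basename(m), names)]["modules"].append(f"{m} in {proc}")
    for svc, image in services:
        clusters[cluster_key(basename(image), names)]["services"].append(f"{svc} -> {image}")
    return dict(clusters)


if __name__ == "__main__":
    for key, c in triage(SAMPLE_ARK).items():
        print(f"[{key}] {len(c['files'])} hidden file(s), {len(c['modules'])} hidden module(s), "
              f"{len(c['services'])} hidden service(s)")
        for kind in ("files", "modules", "services"):
            for item in c[kind]:
                print(f"  {kind[:-1]}: {item}")
```

Run against the excerpt, it reports a single cluster, "kbiwkm", holding four invisible files, the same DLLs loaded as hidden modules inside svchost.exe and Explorer.EXE, and a hidden service whose image is the invisible driver. The entries with other statuses (the alternate-stream paths "not on disk" and the index.dat size mismatches) are deliberately left out, so the cluster is the part of the log worth re-checking after a cleanup tool has run: a second ark.txt with an empty cluster is the confirmation a helper would want.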




#2 SifuMike


Posted 22 August 2009 - 03:01 PM

Hello LadyNakedneSS,

Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.



We will run ComboFix.

You should NOT use ComboFix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your Panda Internet Security 2010 before running ComboFix, as it will prevent it from running.

Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.
Post the log from ComboFix in your next reply.

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

#3 LadyNakedneSS


Posted 22 August 2009 - 04:32 PM

Hi SifuMike,

Thank you so much for getting back to me so quickly. :thumbup2:

Following are both the checkup.txt and ComboFix log as you requested. I have also attached them for your reference.

FYI: I disabled Panda per the instructions. ComboFix restarted a second time when it was preparing the log. When the machine restarted, Panda was activated again and I got a message saying "Dangerous Operation Blocked". I disabled it again, but do not know if that affected the log at all.

Results of screen317's Security Check version 0.98.9
Windows XP Service Pack 2
Out of date service pack!!
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
Windows Live OneCare safety scanner
Windows Live OneCare safety scanner
Panda Internet Security 2010
Panda Internet Security 2010


``````````````````````````````
Anti-malware/Other Utilities Check:

Spyware Doctor 6.0
Malwarebytes' Anti-Malware
Java™ 6 Update 6
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 8.1.6
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent



``````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

____________________________________________________________________________________________

ComboFix 09-08-22.06 - Mary 08/22/2009 16:53.1.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.3070.2597 [GMT -4:00]
Running from: c:\documents and settings\Mary\Desktop\ComboFix.exe
AV: Panda Internet Security 2010 *On-access scanning disabled* (Updated) {4570FB70-5C9E-47E9-B16C-A3A6A06C4BF0}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Mary\Application Data\.#
c:\windows\Installer\71b87.msi
c:\windows\Installer\8a9f2c3.msi
c:\windows\Installer\ce24a2d4.msp
c:\windows\run.log
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000007_.tmp.dll
c:\windows\system32\drivers\kbiwkmocyxslvc.sys
c:\windows\system32\kbiwkmajgydelq.dat
c:\windows\system32\kbiwkmgoadtqmb.dll
c:\windows\system32\kbiwkmjbmnjnwl.dat
c:\windows\system32\kbiwkmkrsvdxie.dll
c:\windows\system32\ntos.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_kbiwkmjsorxnjy
-------\Legacy_kbiwkmjsorxnjy
-------\Legacy_IWINGAMESINSTALLER
-------\Service_iWinGamesInstaller


((((((((((((((((((((((((( Files Created from 2009-07-22 to 2009-08-22 )))))))))))))))))))))))))))))))
.

2009-08-20 20:46 . 2009-08-20 20:46 -------- d-----w- c:\documents and settings\Mary\Application Data\Image Zone Express
2009-08-20 16:44 . 2009-08-20 16:53 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\SecTaskMan
2009-08-20 16:44 . 2009-08-20 16:53 -------- d-----w- c:\program files\Security Task Manager
2009-08-20 02:00 . 2009-08-20 02:00 262 ----a-w- c:\windows\system32\PavCPL.dat
2009-08-20 02:00 . 2009-08-20 02:00 -------- d-----w- c:\documents and settings\Mary\Local Settings\Application Data\Panda Security
2009-08-20 02:00 . 2009-08-20 02:00 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Backup
2009-08-20 01:59 . 2003-10-22 22:23 446464 ----a-w- c:\windows\system32\HHActiveX.dll
2009-08-20 01:59 . 2009-03-30 22:23 193792 ----a-w- c:\windows\system32\TpUtil.dll
2009-08-20 01:59 . 2009-03-30 22:22 87296 ----a-w- c:\windows\system32\PavLspHook.dll
2009-08-20 01:59 . 2009-03-30 22:22 518400 ----a-w- c:\windows\system32\PavSHook.dll
2009-08-20 01:59 . 2009-03-30 22:22 55552 ----a-w- c:\windows\system32\pavipc.dll
2009-08-20 01:59 . 2007-02-08 14:53 107568 ----a-w- c:\windows\system32\SYSTOOLS.DLL
2009-08-20 01:59 . 2009-08-20 01:59 -------- d-----w- c:\program files\Panda Security
2009-08-20 01:59 . 2009-08-20 01:59 -------- d-----w- c:\windows\system32\PAV
2009-08-20 01:59 . 2009-08-20 01:59 -------- d-----w- c:\documents and settings\Mary\Application Data\Panda Security
2009-08-20 01:59 . 2009-08-20 01:59 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Panda Security
2009-08-20 01:59 . 2008-04-28 21:35 84024 ----a-w- c:\windows\system32\drivers\pavdrv51.sys
2009-08-20 01:59 . 2008-03-18 20:58 58672 ----a-w- c:\windows\system32\avldr.dll
2009-08-20 01:54 . 2008-06-19 21:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-08-20 01:53 . 2009-08-20 01:53 -------- d-----w- c:\program files\Common Files\Panda Security
2009-08-20 01:53 . 2009-06-02 17:12 177416 ----a-w- c:\windows\system32\drivers\PavProc.sys
2009-08-20 01:53 . 2008-03-04 19:59 41144 ----a-w- c:\windows\system32\drivers\ShlDrv51.sys
2009-08-19 19:38 . 2009-08-19 19:38 -------- d-----w- C:\f0121503a5ca104d1f
2009-08-19 19:37 . 2009-08-19 20:07 -------- d-----w- c:\windows\SxsCaPendDel
2009-08-19 19:02 . 2009-08-19 19:03 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-19 17:24 . 2009-08-19 17:24 -------- d-----w- c:\documents and settings\Mary\Application Data\Malwarebytes
2009-08-19 17:24 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-19 17:24 . 2009-08-19 17:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-19 17:24 . 2009-08-19 17:24 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-08-19 17:24 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-19 02:51 . 2009-08-19 08:04 -------- d-----w- c:\temp\google
2009-08-19 01:50 . 2008-12-11 12:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-08-19 01:50 . 2009-04-03 15:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-08-19 01:50 . 2008-12-18 16:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-08-19 01:50 . 2009-08-19 01:50 -------- d-----w- c:\program files\Common Files\PC Tools
2009-08-19 01:50 . 2008-12-10 15:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-08-19 01:50 . 2009-08-21 15:22 -------- d-----w- c:\program files\Spyware Doctor
2009-08-19 01:50 . 2009-08-19 01:50 -------- d-----w- c:\documents and settings\Mary\Application Data\PC Tools
2009-08-19 01:50 . 2009-08-19 01:50 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\PC Tools
2009-08-19 01:49 . 2009-08-19 01:49 -------- d-----w- c:\windows\system32\drivers\NSS
2009-08-19 01:49 . 2009-08-19 01:49 -------- d-----w- c:\program files\Norton Security Scan
2009-08-19 01:49 . 2009-08-19 01:49 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Symantec
2009-08-19 01:49 . 2009-08-19 01:49 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Norton
2009-08-19 01:49 . 2009-08-19 01:49 -------- d-----w- c:\program files\NortonInstaller
2009-08-19 01:49 . 2009-08-19 01:49 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\NortonInstaller
2009-08-19 01:48 . 2009-08-19 01:49 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Google Updater
2009-08-19 01:48 . 2009-08-19 01:48 -------- d-----w- c:\program files\Google
2009-08-18 23:25 . 2009-08-18 23:25 -------- d-----w- c:\documents and settings\Mary\Application Data\Logs
2009-08-13 19:53 . 2009-08-13 19:53 41872 ----a-w- c:\windows\system32\xfcodec.dll
2009-08-05 09:11 . 2009-08-05 09:11 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-22 21:13 . 2008-09-13 06:16 -------- d-----w- c:\program files\4 Elements
2009-08-22 21:13 . 2008-05-07 12:26 -------- d-----w- c:\documents and settings\Mary\Application Data\Xfire
2009-08-22 20:37 . 2008-05-29 18:30 -------- d---a-w- c:\docume~1\ALLUSE~1\APPLIC~1\TEMP
2009-08-21 21:56 . 2008-05-08 23:30 -------- d-----w- c:\program files\COD4AdminPanel
2009-08-20 02:08 . 2008-10-04 04:12 -------- d-----w- c:\program files\iWin Games
2009-08-20 01:59 . 2008-05-07 03:24 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-19 20:08 . 2008-05-07 10:54 34744 -c--a-w- c:\documents and settings\Mary\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-19 20:07 . 2008-06-29 20:19 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-19 04:38 . 2008-05-07 12:26 -------- d-----w- c:\program files\Xfire
2009-08-19 02:41 . 2008-06-26 02:27 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-12 03:40 . 2008-05-29 18:27 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\BigFishGamesCache
2009-08-05 09:11 . 2002-08-29 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 04:53 . 2002-08-29 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-07-29 04:53 . 2002-08-29 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-22 17:28 . 2009-07-22 17:28 -------- d-----w- c:\program files\Common Files\xing shared
2009-07-22 17:28 . 2008-05-21 02:36 -------- d-----w- c:\program files\Common Files\Real
2009-07-17 18:55 . 2002-08-29 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-04 07:56 286208 ------w- c:\windows\system32\wmpdxm.dll
2009-07-09 08:33 . 2009-07-09 08:33 -------- d-----w- c:\documents and settings\Mary\Application Data\Enlightenus
2009-07-09 07:38 . 2009-07-09 07:26 -------- d-----w- c:\program files\The Magician's Handbook II - BlackLore
2009-07-09 07:35 . 2009-07-09 07:35 -------- d-----w- c:\program files\G.H.O.S.T Chronicles - Phantom of the Renaissance Faire
2009-07-09 07:32 . 2009-07-09 07:32 -------- d-----w- c:\program files\Enlightenus
2009-07-09 06:22 . 2008-05-29 22:01 -------- d-----w- c:\documents and settings\Mary\Application Data\PlayFirst
2009-07-08 06:29 . 2009-07-08 06:29 203776 ----a-w- c:\windows\system32\clrviddc.dll
2009-07-07 03:28 . 2009-07-07 03:28 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\IntDreams
2009-07-07 03:23 . 2008-11-11 06:07 -------- d-----w- c:\program files\RealArcade
2009-07-03 22:14 . 2009-07-03 22:14 -------- d-----w- c:\documents and settings\Mary\Application Data\Quirky Games
2009-07-03 22:06 . 2009-07-03 22:06 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\RealArcade
2009-06-29 02:58 . 2009-06-29 02:47 -------- d-----w- c:\documents and settings\Mary\Application Data\HuruBeachParty
2009-06-29 02:13 . 2009-06-29 02:13 -------- d-----w- c:\program files\Huru Beach Party
2009-06-29 02:12 . 2009-06-29 02:12 -------- d-----w- c:\documents and settings\Mary\Application Data\BlamGames
2009-06-28 21:56 . 2009-06-28 21:56 -------- d-----w- c:\program files\Lovely Kitchen
2009-06-28 21:55 . 2009-06-28 21:55 -------- d-----w- c:\program files\Rangy Lil's Wild West Adventure
2009-06-28 21:48 . 2009-06-28 21:48 -------- d-----w- c:\program files\Dream Sleuth
2009-06-28 21:46 . 2009-06-28 21:46 -------- d-----w- c:\program files\Mystic Diary - Lost Brother
2009-06-28 21:44 . 2009-06-28 21:44 -------- d-----w- c:\program files\Youda Legend - The Curse of the Amsterdam Diamond
2009-06-28 21:28 . 2008-06-29 04:15 -------- d-----w- c:\program files\DivX
2009-06-26 16:18 . 2006-06-23 15:33 659456 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:18 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll
2009-06-25 21:37 . 2009-03-29 06:49 -------- d-----w- c:\program files\Windows Live Safety Center
2009-06-25 08:44 . 2005-06-15 17:50 298496 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:44 . 2002-08-29 12:00 724480 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:44 . 2002-08-29 12:00 59392 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:44 . 2002-08-29 12:00 56320 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:44 . 2002-08-29 12:00 168448 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:44 . 2002-08-29 12:00 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 05:36 . 2009-06-25 05:36 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-06-24 15:16 . 2009-06-24 15:16 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\HP Product Assistant
2009-06-22 11:34 . 2002-08-29 12:00 92544 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 11:19 . 2009-06-16 11:19 127 ----a-w- c:\documents and settings\Mary\Local Settings\Application Data\fusioncache.dat
2009-06-12 11:50 . 2002-08-29 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:21 . 2002-08-29 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2002-08-29 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 07:42 . 2008-05-07 02:49 655872 ----a-w- c:\windows\system32\mstscax.dll
2009-06-03 19:27 . 2005-08-30 04:02 1290752 ----a-w- c:\windows\system32\quartz.dll
2009-06-03 15:07 . 2009-06-03 15:07 61224 ----a-w- c:\documents and settings\Mary\GoToAssistDownloadHelper.exe
2009-06-01 22:58 . 2009-06-01 22:36 142067 ----a-w- c:\windows\hpwins05.dat
2008-05-29 18:27 . 2008-05-29 18:27 0 -c--a-w- c:\program files\temp01
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2002-08-29 12:00 . 2002-08-29 12:00 94784 -csh--w- c:\windows\twain.dll
2004-08-04 07:56 . 2002-08-29 12:00 50688 -csh--w- c:\windows\twain_32.dll
2004-08-04 07:56 . 2002-08-29 12:00 1028096 --sh--w- c:\windows\system32\mfc42.dll
2004-08-04 07:56 . 2002-08-29 12:00 54784 --sh--w- c:\windows\system32\msvcirt.dll
2004-08-04 07:56 . 2002-08-29 12:00 413696 --sh--w- c:\windows\system32\msvcp60.dll
2004-08-04 07:56 . 2002-08-29 12:00 343040 --sh--w- c:\windows\system32\msvcrt.dll
2007-12-04 18:38 . 2002-08-29 12:00 550912 --sh--w- c:\windows\system32\oleaut32.dll
2004-08-04 07:56 . 2002-08-29 12:00 83456 --sh--w- c:\windows\system32\olepro32.dll
2004-08-04 07:56 . 2002-08-29 12:00 11776 --sh--w- c:\windows\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-05-01 13750272]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-05-01 86016]
"APVXDWIN"="c:\program files\Panda Security\Panda Internet Security 2010\APVXDWIN.EXE" [2009-06-05 574720]
"SCANINICIO"="c:\program files\Panda Security\Panda Internet Security 2010\Inicio.exe" [2009-04-21 56064]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-07-22 198160]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-02-13 16857600]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-05-01 1657376]

c:\documents and settings\Mary\Start Menu\Programs\Startup\
Xfire.lnk - c:\program files\Xfire\xfire.exe [2009-8-13 3109264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
2008-03-18 20:58 58672 ----a-w- c:\windows\system32\avldr.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PskSvcRetail]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CallWave.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\CallWave.lnk
backup=c:\windows\pss\CallWave.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Mary^Start Menu^Programs^Startup^iWin Desktop Alerts.lnk]
path=c:\documents and settings\Mary\Start Menu\Programs\Startup\iWin Desktop Alerts.lnk
backup=c:\windows\pss\iWin Desktop Alerts.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"QuickBooksDB18"=2 (0x2)
"QBFCService"=3 (0x3)
"QBCFMonitorService"=2 (0x2)
"NBService"=3 (0x3)
"LightScribeService"=2 (0x2)
"iWinTrusted"=2 (0x2)
"iWinGamesInstaller"=2 (0x2)
"GEST Service"=3 (0x3)
"NMIndexingService"=3 (0x3)
"TapiSrv"=3 (0x3)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"mnmsrvc"=3 (0x3)
"wuauserv"=2 (0x2)
"Pml Driver HPZ12"=2 (0x2)
"Net Driver HPZ12"=2 (0x2)
"idsvc"=3 (0x3)
"gusvc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\GIGABYTE\\GEST\\run.exe"=
"c:\\Program Files\\COD4AdminPanel\\AdminPanel.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Sierra Entertainment\\FEAR Perseus Mandate\\FEARXP2.exe"=
"c:\\Program Files\\iWin Games\\iWinGames.exe"=
"c:\\Program Files\\iWin Games\\WebUpdater.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\WBGames\\Monolith Productions\\F.E.A.R. 2 SP Demo\\FEAR2SPDemo.exe"=
"c:\\Program Files\\WBGames\\Monolith Productions\\F.E.A.R. 2\\FEAR2.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\CallWave\\IAM.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\COD4AdminPanel\\pbucon.exe"=

R0 pavboot;Panda boot driver;c:\windows\system32\drivers\pavboot.sys [8/19/2009 9:54 PM 28544]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [8/18/2009 9:50 PM 130936]
R1 ShldDrv;Panda File Shield Driver;c:\windows\system32\drivers\ShlDrv51.sys [8/19/2009 9:53 PM 41144]
R2 Gwmsrv;Panda Goodware Cache Manager;c:\windows\system32\svchost -k Panda --> c:\windows\system32\svchost -k Panda [?]
R2 PavProc;Panda Process Protection Driver;c:\windows\system32\drivers\PavProc.sys [8/19/2009 9:53 PM 177416]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [11/13/2008 7:34 PM 24652]
R3 AvFlt;Antivirus Filter Driver;c:\windows\system32\drivers\av5flt.sys --> c:\windows\system32\drivers\av5flt.sys [?]
R3 PavSRK.sys;PavSRK.sys;\??\c:\windows\system32\PavSRK.sys --> c:\windows\system32\PavSRK.sys [?]
R3 PavTPK.sys;PavTPK.sys;\??\c:\windows\system32\PavTPK.sys --> c:\windows\system32\PavTPK.sys [?]
S2 PskSvcRetail;Panda PSK service;c:\program files\Panda Security\Panda Internet Security 2010\psksvc.exe [8/19/2009 9:59 PM 28928]
S2 QuickBooksDB18;QuickBooksDB18;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB18 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB18 [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [8/18/2009 9:50 PM 348752]
S4 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\GEST\GSvr.exe [5/6/2008 11:24 PM 47624]
S4 iWinTrusted;iWinTrusted;c:\progra~1\IWINGA~1\iWinTrusted.exe [1/4/2009 10:24 PM 78104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
panda REG_MULTI_SZ Gwmsrv

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: caldirectsecuredocs.com\www
Trusted Zone: com\pennwest-edocs
Trusted Zone: ditechsecuredocs.com\www
Trusted Zone: ditechsecuredocs.net\www
Trusted Zone: elynx.net\ctest
Trusted Zone: elynx.net\forms
Trusted Zone: elynx.net\gmacforms
Trusted Zone: elynx.net\pro
Trusted Zone: elynx.net\secure
Trusted Zone: elynx.net\usign
Trusted Zone: elynx.net\webpost
Trusted Zone: gmacmsecuredocs.com\www
Trusted Zone: gmacmsecuredocs.net\www
Trusted Zone: gmamcsecuredocs.com\www
Trusted Zone: irs.gov\sa1.www4
Trusted Zone: ss3.swiftsend.com\loandocs
Trusted Zone: swiftsend.com\docs
Trusted Zone: swiftsend.com\loandocs
Trusted Zone: swiftsend2.com\docs
Trusted Zone: swiftsend2.com\loandocs
Trusted Zone: swiftview.com\www
Trusted Zone: wamuloandocs.com\www
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} - hxxp://games.bigfishgames.com/en_cooking-dash/online/CookingDashWeb.1.0.0.9.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {7DD62E58-5FA8-11D2-AFB7-00104B64F127} - hxxps://secure.elynx.net/viewer/installers/svinstall_t_zhp_ss.exe
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://aolsvc.aol.com/onlinegames/free-trial-delicious-winter-edition/zylomplayer.cab
FF - ProfilePath - c:\docume~1\Mary\APPLIC~1\Mozilla\Firefox\Profiles\qcz2ue7n.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-22 17:12
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwEnumerateKey, ZwClose, ZwEnumerateValueKey, ZwQueryValueKey, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2000478354-1897051121-839522115-1004\Software\SecuROM\License information*]
"datasecu"=hex:67,0a,f5,f3,d5,d7,d9,5e,27,81,45,d8,75,49,c7,f9,d6,5f,41,d7,2a,
17,1a,47,3f,6d,90,54,5b,3d,9e,6e,87,9f,47,64,53,be,2e,85,16,cb,a3,bb,89,57,\
"rkeysecu"=hex:5d,77,e4,de,e2,ef,a8,50,93,03,34,90,5f,38,0b,ec
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(740)
c:\windows\system32\avldr.dll

- - - - - - - > 'explorer.exe'(1536)
c:\program files\Windows Media Player\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Panda Security\Panda Internet Security 2010\TPSrv.exe
c:\program files\Panda Security\Panda Internet Security 2010\PsCtrlS.exe
c:\program files\Panda Security\Panda Internet Security 2010\PavFnSvr.exe
c:\program files\Common Files\Panda Security\PavShld\PavPrSrv.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Panda Security\Panda Internet Security 2010\PsImSvc.exe
c:\program files\Panda Security\Panda Internet Security 2010\PAVSRV51.EXE
c:\program files\Panda Security\Panda Internet Security 2010\AVENGINE.EXE
c:\windows\system32\wscntfy.exe
c:\program files\Panda Security\Panda Internet Security 2010\PavBckPT.exe
c:\program files\Panda Security\Panda Internet Security 2010\WebProxy.exe
.
**************************************************************************
.
Completion time: 2009-08-22 17:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-22 21:19

Pre-Run: 379,427,012,608 bytes free
Post-Run: 383,520,710,656 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

363 --- E O F --- 2009-06-14 02:58


Thank you again. I look forward to hearing from you soon. :)


#4 SifuMike
    malware expert
  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:55 PM

Posted 22 August 2009 - 06:16 PM

Hi LadyNakedneSS,

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older Java components and update.
  • Please download Java Version 6 Update 15
  • Click the "Free Java Download" button.
  • Click "Free Java Download" again
  • Save the file jxpiinstall.exe to your desktop
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 6 Update 6
    Java 6 Update 3
    Java 6 Update 5

  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jxpiinstall.exe to install the newest version.
*******************

Let's look for stragglers. :thumbup2:

Be sure to disable your Panda Internet Security 2010 before running Kaspersky Online Scanner.

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Open the Kaspersky WebScanner page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now under the Scan section on the left: Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post even if it finds nothing.
You can refer to this animation by sundavis if needed.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 LadyNakedneSS
  • Topic Starter
  • Members
  • 23 posts
  • OFFLINE
  • Gender:Male
  • Location:CT
  • Local time:09:55 PM

Posted 23 August 2009 - 06:41 AM

Again, thanks so much for getting back to me so soon. Sorry it took me a little bit to respond...I fell asleep during the 8 hour Kaspersky scan...lol :thumbup2:

JAVA has been updated.

Following are the results of the Kaspersky scan:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, August 23, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, August 23, 2009 02:29:21
Records in database: 2678833
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Objects scanned: 526532
Threats found: 15
Infected objects found: 16
Suspicious objects found: 0
Scan duration: 07:48:17


File name / Threat / Threats count
C:\Program Files\Fenomen Games Downloader\4Elements.exe Infected: Trojan-Downloader.Win32.Agent.awja 1
C:\Program Files\Fenomen Games Downloader\Downloader.exe Infected: not-a-virus:WebToolbar.Win32.FenomenGame.ojw 1
C:\Program Files\Fenomen Games Downloader\HawaiianExplorerLostIsland.exe Infected: Trojan-Downloader.Win32.Agent.ataj 1
C:\Program Files\Fenomen Games Downloader\SlingoSupreme.exe Infected: Trojan-Downloader.Win32.Agent.avei 1
C:\Program Files\Forgotten Riddles The Moonlight Sonatas\Forgotten Riddles - The Moonlight Sonatas.exe Infected: Trojan-Downloader.Win32.Agent.cipk 1
C:\Program Files\Hawaiian Explorer The Lost Island\LostIsland.exe Infected: Trojan-Downloader.Win32.Agent.ataj 1
C:\Program Files\Hidden Expedition Amazon\Hidden Expedition Amazon.exe Infected: Trojan-Downloader.Win32.Agent.buyr 1
C:\Program Files\iWin.com\Nancy Drew The White Wolf of Icicle Creek\GameLauncher.exe Infected: Trojan-Dropper.Win32.Irsd.aj 1
C:\Program Files\iWin.com\Nancy Drew The White Wolf of Icicle Creek\GLWorker.exe Infected: Trojan-Spy.Win32.SCKeyLog.fa 1
C:\Program Files\Kindergarten\vxqdnvx.exe Infected: Backdoor.Win32.Mex.s 1
C:\Program Files\Liong - The Lost Amulets\liong2.exe Infected: Backdoor.Win32.Mex.aa 1
C:\Program Files\Mystery PI The Vegas Heist\MysteryPIVegas.exe Infected: Trojan-Downloader.Win32.Agent.ckwp 1
C:\Program Files\The Princess Bride\dlrqbhq.exe Infected: Backdoor.Win32.Mex.y 1
E:\Documents and Settings\User\.housecall6.6\Quarantine\gnida[1].swf.bac_a06332 Infected: Trojan-Downloader.SWF.Gida.a 1
E:\Documents and Settings\User\Desktop\JunkDrawer\EVERYTHING IS HERE\Reverendsetup1601.EXE Infected: Packed.Win32.PolyCrypt.d 1
E:\Documents and Settings\User\Local Settings\Temp\mirc631.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 1

Selected area has been scanned.


#6 SifuMike
    malware expert
  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:55 PM

Posted 23 August 2009 - 12:18 PM

Hi LadyNakedneSS,

You're very welcome. :)

Many of your downloaded games are infected. :thumbup2:

Please close FireFox and Internet Explorer browser before running OTM.

Please download OTM by OldTimer and save it to your desktop.
Double click the icon on your desktop to run it.
(Note: If you are running on Vista, right-click on the file and choose Run As Administrator).


Copy the lines in the code box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
Do not include the word "Code".


:files
C:\Program Files\Fenomen Games Downloader\4Elements.exe 
C:\Program Files\Fenomen Games Downloader\Downloader.exe
C:\Program Files\Fenomen Games Downloader\HawaiianExplorerLostIsland.exe 
C:\Program Files\Fenomen Games Downloader\SlingoSupreme.exe 
C:\Program Files\Forgotten Riddles The Moonlight Sonatas\Forgotten Riddles - The Moonlight Sonatas.exe
C:\Program Files\Hawaiian Explorer The Lost Island\LostIsland.exe 
C:\Program Files\Hidden Expedition Amazon\Hidden Expedition Amazon.exe 
C:\Program Files\iWin.com\Nancy Drew The White Wolf of Icicle Creek\GameLauncher.exe 
C:\Program Files\iWin.com\Nancy Drew The White Wolf of Icicle Creek\GLWorker.exe 
C:\Program Files\Kindergarten\vxqdnvx.exe 
C:\Program Files\Liong - The Lost Amulets\liong2.exe 
C:\Program Files\Mystery PI The Vegas Heist\MysteryPIVegas.exe 
C:\Program Files\The Princess Bride\dlrqbhq.exe 
E:\Documents and Settings\User\.housecall6.6\Quarantine\gnida[1].swf.bac_a06332 
E:\Documents and Settings\User\Desktop\JunkDrawer\EVERYTHING IS HERE\Reverendsetup1601.EXE 
:commands
[emptytemp]
[Reboot]


Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.

Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTM

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Edited by SifuMike, 23 August 2009 - 12:19 PM.

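As an added example (not code from the thread, from OTM or from Kaspersky), the script below does mechanically what the helper did by hand in the post above: it reads a Kaspersky Online Scanner 7.0 text report like the one posted, takes the file path from every "Infected:" line and writes those paths into an OTM ":files" script, but sets Kaspersky's "not-a-virus:" detections aside for a manual decision instead of moving them blindly, since one such entry (mIRC) was deliberately left out of the helper's list. The embedded sample report is constructed from a few lines of the report in this thread, and the function names are this example's own.

```python
"""Build an OTM ':files' script from a Kaspersky Online Scanner 7.0 text report.

Added example for this thread; it is not code from OTM, Kaspersky or the
helper. Function names (parse_report, build_otm_script, review_list) are
this example's own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One detection line in the 7.0 report: "<path> Infected: <threat name> <count>".
# Paths may contain spaces, so the path group is matched lazily up to the
# literal " Infected: " marker; Kaspersky threat names contain no spaces.
DETECTION_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)\s*$")

# Kaspersky's prefix for potentially unwanted but not outright malicious
# software (adware toolbars, IRC clients, remote-admin tools and the like).
REVIEW_PREFIX = "not-a-virus:"


@dataclass(frozen=True)
class Detection:
    path: str
    threat: str
    count: int

    @property
    def needs_review(self) -> bool:
        """True for detections a human should judge before anything is moved."""
        return self.threat.startswith(REVIEW_PREFIX)


def parse_report(report_text: str) -> list[Detection]:
    """Return every detection line in the report; headers and statistics are ignored."""
    detections = []
    for raw in report_text.splitlines():
        match = DETECTION_RE.match(raw.strip())
        if match:
            detections.append(
                Detection(match["path"], match["threat"], int(match["count"]))
            )
    return detections


def build_otm_script(
    detections: list[Detection],
    include_review: bool = False,
    empty_temp: bool = True,
    reboot: bool = True,
) -> str:
    """Emit the OTM layout used in this thread: ':files', one path per line,
    then ':commands' with the optional [emptytemp] and [Reboot] directives.
    Review-class detections are left out unless include_review is set."""
    paths = [d.path for d in detections if include_review or not d.needs_review]
    lines = [":files", *paths, ":commands"]
    if empty_temp:
        lines.append("[emptytemp]")
    if reboot:
        lines.append("[Reboot]")
    return "\n".join(lines) + "\n"


def review_list(detections: list[Detection]) -> list[tuple[str, str]]:
    """(path, threat) pairs that were held back for a manual decision."""
    return [(d.path, d.threat) for d in detections if d.needs_review]


# Constructed sample: a few lines taken from the report posted in this thread,
# plus header and statistics lines that the parser must skip.
SAMPLE_REPORT = """\
KASPERSKY ONLINE SCANNER 7.0: scan report
Scan statistics:
Objects scanned: 526532
Threats found: 15

File name / Threat / Threats count
C:\\Program Files\\Fenomen Games Downloader\\4Elements.exe Infected: Trojan-Downloader.Win32.Agent.awja 1
C:\\Program Files\\Fenomen Games Downloader\\Downloader.exe Infected: not-a-virus:WebToolbar.Win32.FenomenGame.ojw 1
C:\\Program Files\\Kindergarten\\vxqdnvx.exe Infected: Backdoor.Win32.Mex.s 1
E:\\Documents and Settings\\User\\.housecall6.6\\Quarantine\\gnida[1].swf.bac_a06332 Infected: Trojan-Downloader.SWF.Gida.a 1
E:\\Documents and Settings\\User\\Local Settings\\Temp\\mirc631.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 1

Selected area has been scanned.
"""


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print(build_otm_script(found))
    for path, threat in review_list(found):
        print(f"REVIEW BEFORE MOVING: {path}  ({threat})")
```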

#7 LadyNakedneSS
  • Topic Starter
  • Members
  • 23 posts
  • OFFLINE
  • Gender:Male
  • Location:CT
  • Local time:09:55 PM

Posted 23 August 2009 - 01:18 PM

Hi SifuMike,

Yeah, I noticed a lot of those entries were for some of the little game trials. Guess I won't be downloading any of those anymore. :thumbup2:

Here is the OTM log you requested:

All processes killed
========== FILES ==========
C:\Program Files\Fenomen Games Downloader\4Elements.exe moved successfully.
C:\Program Files\Fenomen Games Downloader\Downloader.exe moved successfully.
C:\Program Files\Fenomen Games Downloader\HawaiianExplorerLostIsland.exe moved successfully.
C:\Program Files\Fenomen Games Downloader\SlingoSupreme.exe moved successfully.
C:\Program Files\Forgotten Riddles The Moonlight Sonatas\Forgotten Riddles - The Moonlight Sonatas.exe moved successfully.
C:\Program Files\Hawaiian Explorer The Lost Island\LostIsland.exe moved successfully.
C:\Program Files\Hidden Expedition Amazon\Hidden Expedition Amazon.exe moved successfully.
C:\Program Files\iWin.com\Nancy Drew The White Wolf of Icicle Creek\GameLauncher.exe moved successfully.
C:\Program Files\iWin.com\Nancy Drew The White Wolf of Icicle Creek\GLWorker.exe moved successfully.
C:\Program Files\Kindergarten\vxqdnvx.exe moved successfully.
C:\Program Files\Liong - The Lost Amulets\liong2.exe moved successfully.
C:\Program Files\Mystery PI The Vegas Heist\MysteryPIVegas.exe moved successfully.
C:\Program Files\The Princess Bride\dlrqbhq.exe moved successfully.
E:\Documents and Settings\User\.housecall6.6\Quarantine\gnida[1].swf.bac_a06332 moved successfully.
E:\Documents and Settings\User\Desktop\JunkDrawer\EVERYTHING IS HERE\Reverendsetup1601.EXE moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 32902 bytes

User: Mary
->Temp folder emptied: 79803277 bytes
->Temporary Internet Files folder emptied: 102448741 bytes
->Java cache emptied: 128200992 bytes
->FireFox cache emptied: 40871453 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: QBDataServiceUser18
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes
C:\WINDOWS\1C4551A64743409391E41477CD655043.TMP folder deleted successfully.
C:\WINDOWS\NV35441340.TMP folder deleted successfully.
%systemroot% .tmp files removed: 12021988 bytes
%systemroot%\System32 .tmp files removed: 64656213 bytes
File delete failed. C:\WINDOWS\temp\f4d4851e8935eebef0f2eb52b3212bc9PSK_PLUGINS_0 scheduled to be deleted on reboot.
Windows Temp folder emptied: 10027420 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 417.77 mb


OTM by OldTimer - Version 3.0.0.6 log created on 08232009_140458

Files moved on Reboot...
C:\WINDOWS\temp\f4d4851e8935eebef0f2eb52b3212bc9PSK_PLUGINS_0 moved successfully.

Registry entries deleted on Reboot...


As always, thank you so much for your time. ;)

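A small checker for the kind of log just posted, as an added example that is not part of the original thread and not code from OTM itself: it pulls out what OTM moved before the reboot, which deletes failed and were deferred to the reboot, and which of those actually show up under "Files moved on Reboot..." afterwards, which is what SifuMike's note about opening the newest log in C:\_OTM\MovedFiles is there to confirm. The parsing, the function names parse_otm_log and unresolved_deferred and the summary format are this example's own; the sample log is excerpted from the post above and trimmed.

```python
"""Check an OTM (OTMoveIt) results log for deferred deletes that never completed.

Added example, not code from the forum post above and not part of OTM itself.
The parser, the names parse_otm_log / unresolved_deferred and the summary format
are this example's own; SAMPLE_LOG is excerpted from the log posted in the
thread and trimmed to the lines that matter.
"""
import re

# Sample input: lines excerpted from the OTM log posted above (trimmed).
SAMPLE_LOG = r"""All processes killed
========== FILES ==========
C:\Program Files\Fenomen Games Downloader\Downloader.exe moved successfully.
C:\Program Files\Kindergarten\vxqdnvx.exe moved successfully.
E:\Documents and Settings\User\.housecall6.6\Quarantine\gnida[1].swf.bac_a06332 moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 32902 bytes

User: Mary
->Temp folder emptied: 79803277 bytes
->Temporary Internet Files folder emptied: 102448741 bytes
->Java cache emptied: 128200992 bytes
->FireFox cache emptied: 40871453 bytes

File delete failed. C:\WINDOWS\temp\f4d4851e8935eebef0f2eb52b3212bc9PSK_PLUGINS_0 scheduled to be deleted on reboot.
Windows Temp folder emptied: 10027420 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 417.77 mb

OTM by OldTimer - Version 3.0.0.6 log created on 08232009_140458

Files moved on Reboot...
C:\WINDOWS\temp\f4d4851e8935eebef0f2eb52b3212bc9PSK_PLUGINS_0 moved successfully.

Registry entries deleted on Reboot...
"""

MOVED_RE = re.compile(r"^(?P<path>.+?) moved successfully\.$")
FAILED_RE = re.compile(r"^File delete failed\. (?P<path>.+?) scheduled to be deleted on reboot\.$")
EMPTIED_RE = re.compile(r"^(?:->)?(?P<what>.+?) emptied: (?P<bytes>\d+) bytes$")
USER_RE = re.compile(r"^User: (?P<user>.+)$")


def parse_otm_log(text):
    """Split an OTM log into the pieces worth checking after the reboot.

    Returns a dict with:
      moved           - paths moved before the reboot (FILES section)
      deferred        - paths whose delete failed and was scheduled for reboot
      moved_on_reboot - paths reported under "Files moved on Reboot..."
      bytes_by_user   - bytes emptied per user profile; "(system)" for the
                        Windows-wide lines, which OTM does not prefix with "->"
    """
    out = {"moved": [], "deferred": [], "moved_on_reboot": [], "bytes_by_user": {}}
    section, user = None, "(system)"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("========== FILES"):
            section = "files"
        elif line.startswith("========== COMMANDS"):
            section = "commands"
        elif line.startswith("Files moved on Reboot"):
            section = "reboot"
        elif line.startswith("Registry entries deleted on Reboot"):
            section = "reboot_registry"
        elif USER_RE.match(line):
            user = USER_RE.match(line).group("user")
        elif FAILED_RE.match(line):
            out["deferred"].append(FAILED_RE.match(line).group("path"))
        elif MOVED_RE.match(line):
            key = "moved_on_reboot" if section == "reboot" else "moved"
            out[key].append(MOVED_RE.match(line).group("path"))
        elif section == "commands" and EMPTIED_RE.match(line):
            owner = user if line.startswith("->") else "(system)"
            n = int(EMPTIED_RE.match(line).group("bytes"))
            out["bytes_by_user"][owner] = out["bytes_by_user"].get(owner, 0) + n
    return out


def unresolved_deferred(parsed):
    """Deferred deletes that do not reappear as moved in the post-reboot section."""
    done = set(parsed["moved_on_reboot"])
    return [p for p in parsed["deferred"] if p not in done]


if __name__ == "__main__":
    parsed = parse_otm_log(SAMPLE_LOG)
    print("moved before reboot:", len(parsed["moved"]))
    print("deferred to reboot: ", len(parsed["deferred"]))
    for owner, n in sorted(parsed["bytes_by_user"].items()):
        print("  %-14s %12d bytes" % (owner, n))
    for path in unresolved_deferred(parsed):
        print("not confirmed moved after reboot:", path)
```

Run it against the saved log from C:\_OTM\MovedFiles rather than the pasted copy. On the sample, the only deferred delete that never reappears is LocalService's Content.IE5\index.dat, the Internet Explorer cache index, which Windows normally keeps in use, so that failure is expected and not a sign that something survived the cleanup. A deferred delete of an unfamiliar executable that never shows up as moved would be the result worth following up on.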
#8 SifuMike (malware expert, Staff Emeritus, 15,385 posts, Location: Vancouver (not BC) WA (Not DC) USA)

Posted 23 August 2009 - 01:26 PM

Hi LadyNakedneSS,

I think we have you clean. :thumbup2:

Please tell me how the computer is running.

We still have to do the program clean up.

#9 LadyNakedneSS (Topic Starter, Members, 23 posts, Location: CT)

Posted 23 August 2009 - 01:35 PM

Hello again :)

I am so glad to hear that!!!

The computer is running much much better. I don't seem to have the redirect problem anymore, and it is running a lot faster than it has pretty much since I built it last year. A HUGE Thank You for everything you've done so far. :thumbup2:

I am ready and waiting for your next instructions, Sir...lol

#10 SifuMike (malware expert, Staff Emeritus, 15,385 posts, Location: Vancouver (not BC) WA (Not DC) USA)

Posted 23 August 2009 - 01:45 PM

Hi LadyNakedneSS,

Well, that is music to my ears! :)

Now we just need to do the program clean up.

Delete Security Check from your desktop.


Uninstall ComboFix: go to Start > Run and type in ComboFix /u
Make sure there's a space between ComboFix and /
Then hit Enter.

This will uninstall ComboFix, delete any of its related folders and files (Qoobox,
VundoFix Backups, Avenger, _OTM3), reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

If OTM is still on your desktop, then
open OTM and click the CleanUp! button on top.
In the left pane, it will display a list of tools and other related files which you may have downloaded/used during our cleanup + backup folders that were created with the bad files present.
They are not needed anymore, so OTM will delete them.
Do not edit anything in that Window!
Don't worry if it displays some tools you didn't download/use.
Click Yes when it asks to Begin cleanup process.
Then reboot your computer.


Please read and follow

Simple and easy ways to keep your computer safe and secure on the Internet
as well
How did I get infected?, With steps so it does not happen again!
as well as
How to prevent Malware by miekiemoes

If you want to improve speed/system performance after malware removal, take a look here.

Now you are good to go! :thumbup2:

#11 LadyNakedneSS (Topic Starter, Members, 23 posts, Location: CT)

Posted 23 August 2009 - 03:29 PM

You are the BEST SifuMike! :)

I followed your instructions, as well as the tutorials you provided.

Just a couple of follow up questions:

1. I uninstalled ComboFix per the instructions. However, after I did so, there was still the ComboFix folder with a c:/ file in it. I went ahead and deleted the folder. Just want to make sure that was right, and find out if it uninstalled correctly, or if there's something else I should do.

2. I now have the following programs still on my computer and files still on my desktop ( not including the .txt. files created):

- Malwarebytes'
- Spyware Doctor
- RootRepeal
- Norton Security Scanner
- Panda Internet Security

- settings.dat
- JavaSetup6u15


Which ones should I get rid of and which ones should I keep? Some are from the fix process, and some are from the tutorials. I'm always confused about which programs work together and which ones conflict. :)

3. I have 2 computers and a laptop networked with this one, as well as files on this computer that are accessed by everyone on the network. Should I be concerned and check all of the other computers as a result of these infections?


I can't thank you enough for all of your time and assistance. There are a lot of forums like this out there, and I think I looked at all of them at some point...LOL I am very confident that I chose the right one. I have to say that I found bleepingcomputer to be the most organized and the most helpful of all of the sites that I came across. Not to say the other sites are not helpful, but the posts from you and the many volunteers are always consistent and detailed, with clearly stated responses and instructions, as well as custom tailored solutions. It was very clear to me that you are a group of dedicated volunteers who have a genuine interest in helping people. I am so glad that I found you guys, and will be donating to your cause to help ensure that your valued service continues. :thumbup2:

Edited by LadyNakedneSS, 23 August 2009 - 04:05 PM.


#12 SifuMike (malware expert, Staff Emeritus, 15,385 posts, Location: Vancouver (not BC) WA (Not DC) USA)

Posted 23 August 2009 - 04:25 PM

1. I uninstalled ComboFix per the instructions. However, after I did so, there was still the ComboFix folder with a c:/ file in it. I went ahead and deleted the folder. Just want to make sure that was right, and find out if it uninstalled correctly, or if there's something else I should do.


You did the right thing. Nothing else to do.


2. I now have the following programs still on my computer and files still on my desktop ( not including the .txt. files created):

- Malwarebytes'
- Spyware Doctor
- RootRepeal
- Norton Security Scanner
- Panda Internet Security
- settings.dat
- JavaSetup6u15

Which ones should I get rid of and which ones should I keep?


I would keep Malwarebytes and Spyware Doctor (assuming you paid for it).
You can get rid of (delete) RootRepeal, Norton Security Scanner and JavaSetup6u15.

I am not sure what program made settings.dat. Probably uTorrent. I would leave it.


3. I have 2 computers and a laptop networked with this one, as well as files on this computer that are accessed by everyone on the network. Should I be concerned and check all of the other computers as a result of these infections?



It is a good idea to check them for malware. :thumbup2:
I would run your antivirus program and both Malwarebytes and Spyware Doctor to make sure they are clean.
If there are no problems with them, then there is no need to post a thread at this forum.
Don't post them to this thread, as I only do one computer per thread; otherwise it gets too confusing.

#13 LadyNakedneSS (Topic Starter, Members, 23 posts, Location: CT)

Posted 23 August 2009 - 05:09 PM

Will do. I'll post a new thread if I find any issues.

Thank you again for everything! :thumbup2:

#14 SifuMike (malware expert, Staff Emeritus, 15,385 posts, Location: Vancouver (not BC) WA (Not DC) USA)

Posted 23 August 2009 - 07:07 PM

You're very welcome. I hope your computer continues to run smoothly. :thumbup2:
And thank you for your donation.

#15 LadyNakedneSS (Topic Starter, Members, 23 posts, Location: CT)

Posted 24 August 2009 - 04:14 PM

OK...another quick question. It seems my computer is still infected with something after we finished cleaning it yesterday. :thumbup2:

I started getting infection hits with Malwarebytes' and Spyware Doctor and Panda this morning...and now I have AntiVirus System Pro and Microsoft AntiSpyware popping up. At least one of them is now on the additional hard drive and not the main drive. I told each program to go ahead and clean whatever it found...but it almost seems as if every time I remove stuff, I have more stuff when it's done.

Do I need to start a whole new thread, or post new logs here?

Edited by LadyNakedneSS, 24 August 2009 - 04:22 PM.




