
Infected with a virus


  • This topic is locked
33 replies to this topic

#1 koolnerderica

  • Members
  • 31 posts

Posted 19 September 2009 - 11:58 PM

I don't know what type of virus it is but my system restore is removed, the registry editor is gone, among other things that I haven't checked out yet. I also think I get more random pop-ups than normal.


DDS (Ver_09-07-30.01) - NTFSx86
Run by Erica at 20:10:43.26 on Sat 09/19/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15

============== Pseudo HJT Report ===============

uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\documents and settings\erica\qeo.exe \s
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: c:\windows\system32\nzfiu3h78di.dll: {ba603215-23f2-42ad-f4e4-00aac39caa53} - c:\windows\system32\nzfiu3h78di.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [DriverUpdaterPro] c:\program files\ixi tools\driver updater pro\DriverUpdaterPro.exe -t
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Login Software 2009] c:\docume~1\erica\locals~1\temp\avv5s.exe
uRun: [WIndows Rescue Disk] c:\docume~1\erica\locals~1\temp\lsass.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\bcmntray
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [Corel File Shell Monitor] c:\program files\corel\corel paint shop pro photo x2\CorelIOMonitor.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Corel Photo Downloader] "c:\program files\common files\corel\corel photodownloader\Corel Photo Downloader.exe" -startup
mRun: [xdssev] c:\windows\system32\xdssev.exe \u
mRun: [s5f7v7wutwkt] c:\windows\system32\s5f7v7tutw4u.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Save YouTube Video - c:\program files\common files\dvdvideosoft\dll\IEContextMenuY.dll/scriptY2MP4.htm
IE: Save YouTube Video as MP3 - c:\program files\common files\dvdvideosoft\dll\IEContextMenuY.dll/scriptY2MP3.htm
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\windows\system32\s5f7v7uutwku.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_sit

Merged post: I'm sorry, I didn't mean to double post, but the ark.txt file won't upload and I'm not sure why, so can I paste it here or is that too risky?

Edited by The weatherman, 20 September 2009 - 08:43 AM.
Merged post to keep the member in the "0".~Tw



#2 Blade (Strong in the Bleepforce)


  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US

Posted 06 October 2009 - 08:40 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#3 koolnerderica (Topic Starter)

  • Members
  • 31 posts

Posted 07 October 2009 - 07:18 PM

Here's my second DDS and Attach file you told me to do again.


DDS (Ver_09-09-29.01) - NTFSx86
Run by Erica at 17:04:13.09 on Wed 10/07/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15

============== Pseudo HJT Report ===============

uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\documents and settings\erica\qeo.exe \s
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: c:\windows\system32\nzfiu3h78di.dll: {ba603215-23f2-42ad-f4e4-00aac39caa53} - c:\windows\system32\nzfiu3h78di.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [DriverUpdaterPro] c:\program files\ixi tools\driver updater pro\DriverUpdaterPro.exe -t
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Login Software 2009] c:\docume~1\erica\locals~1\temp\tj3mnc .exe
uRun: [WIndows Rescue Disk] c:\docume~1\erica\locals~1\temp\login.exe
uRun: [Yjafosi8kdf98winmdkmnkmfnwe] c:\docume~1\erica\locals~1\temp\install.exe
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [YSearchProtection] c:\program files\yahoo!\search protection\SearchProtection.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\bcmntray
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [Corel File Shell Monitor] c:\program files\corel\corel paint shop pro photo x2\CorelIOMonitor.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Corel Photo Downloader] "c:\program files\common files\corel\corel photodownloader\Corel Photo Downloader.exe" -startup
mRun: [xdssev] c:\windows\system32\xdssev.exe \u
mRun: [s5f7v7wutwkt] c:\windows\system32\s5f7v7tutw4u.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Save YouTube Video - c:\program files\common files\dvdvideosoft\dll\IEContextMenuY.dll/scriptY2MP4.htm
IE: Save YouTube Video as MP3 - c:\program files\common files\dvdvideosoft\dll\IEContextMenuY.dll/scriptY2MP3.htm
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1243456089781
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: ZLIkizocOg - {B4D10FA4-1E7B-A50E-E3B6-1C88A3FE8AA4} - c:\windows\system32\joepm.dll
STS: c:\windows\system32\nzfiu3h78di.dll: {ba603215-23f2-42ad-f4e4-00aac39caa53} - c:\windows\system32\nzfiu3h78di.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\erica\applic~1\mozilla\firefox\profiles\7roc279a.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc8&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc8&p=
FF - component: c:\program files\common files\dvdvideosoft\dll\ffcontextmenuy\components\FFContextMenu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: protocol-handler.warn-external.dnUpdate - false
FF - user.js: browser.sessionstore.resume_from_crash - false

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-10-04 23:26 <DIR> --d----- C:\DVDVideoSoft
2009-10-03 23:20 <DIR> --d----- c:\program files\common files\Adobe Systems Shared
2009-10-03 14:52 <DIR> --d----- c:\program files\common files\Macrovision Shared
2009-10-03 14:34 286,720 a--shr-- c:\docume~1\erica\applic~1\s5f7v7uutwku.dll
2009-09-30 13:43 61,604 a---h--- c:\windows\system32\mlfcache.dat
2009-09-25 22:53 262,144 a------- C:\ntuser.dat
2009-09-25 17:18 <DIR> --d----- c:\program files\iPod
2009-09-25 17:18 <DIR> --d----- c:\program files\iTunes
2009-09-21 22:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-19 19:38 <DIR> --d----- c:\windows\system32\NtmsData
2009-09-19 14:21 286,720 -------- c:\windows\system32\s5f7v7uutwku.dll
2009-09-19 14:20 46 a------- c:\windows\system32\p2hhr.bat
2009-09-19 14:20 18,432 a------- c:\windows\system32\tdisp.sys
2009-09-19 14:20 15,000 a------- c:\windows\system32\nzfiu3h78di.dll
2009-09-19 14:19 28,160 a------- c:\windows\system32\xdssev.exe
2009-09-19 14:19 28,160 ----h--- c:\documents and settings\erica\qeo.exe
2009-09-19 14:19 333,824 a--shr-- c:\windows\system32\s5f7v7tutw4u .exe
2009-09-19 14:19 26,112 a------- c:\windows\system32\s5f7v7tutw4u.exe6478
2009-09-19 14:19 26,112 a------- c:\windows\system32\s5f7v7tutw4u.exe23538
2009-09-19 14:19 26,112 a------- c:\windows\system32\s5f7v7tutw4u.exe
2009-09-19 14:19 10 a------- c:\windows\system32\kr_done1
2009-09-18 22:59 <DIR> --d----- c:\docume~1\erica\applic~1\OpenCandy
2009-09-17 21:57 56 a---h--- c:\windows\system32\ezsidmv.dat
2009-09-17 21:53 <DIR> --d--r-- c:\program files\Skype
2009-09-15 19:16 <DIR> --d----- c:\program files\common files\Software Update Utility
2009-09-14 07:06 <DIR> --d----- c:\program files\MSXML 4.0
2009-09-13 18:12 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-09-13 18:08 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-09-13 18:08 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-09-13 18:08 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-09-13 18:08 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-09-13 18:08 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-09-13 18:08 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-09-13 18:08 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-09-13 18:08 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-09-13 18:08 2,145,280 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-09-13 18:08 2,189,056 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-09-13 18:08 2,023,936 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-09-13 18:07 153,088 -c------ c:\windows\system32\dllcache\triedit.dll
2009-09-13 18:07 203,136 -c------ c:\windows\system32\dllcache\rmcast.sys
2009-09-13 18:07 691,712 -c------ c:\windows\system32\dllcache\inetcomm.dll
2009-09-13 18:07 333,952 -c------ c:\windows\system32\dllcache\srv.sys
2009-09-13 18:06 331,776 -c------ c:\windows\system32\dllcache\msadce.dll
2009-09-13 18:06 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-09-13 18:04 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-09-13 18:03 594,432 -c------ c:\windows\system32\dllcache\msfeeds.dll
2009-09-13 18:03 55,296 -c------ c:\windows\system32\dllcache\msfeedsbs.dll
2009-09-13 18:03 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-09-13 18:03 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-09-13 18:03 1,985,536 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-09-13 18:01 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-09-13 17:58 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
2009-09-13 17:57 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
2009-09-13 17:54 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-09-13 17:54 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-09-13 17:53 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-09-13 17:44 268,648 a------- c:\windows\system32\mucltui.dll
2009-09-13 17:44 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-09-13 12:47 7 a------- c:\windows\system32\Class11
2009-09-13 12:47 5 a------- c:\windows\system32\Band4
2009-09-11 21:27 0 a------- c:\windows\iPlayer.INI
2009-09-11 21:24 <DIR> --d----- c:\program files\InterActual

==================== Find3M ====================

2009-10-04 16:44 2,828 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2009-09-03 20:36 2,828 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-08-05 02:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-01 13:09 2,855 a------- c:\windows\pif\Downloaded from PSPSlimHacks.com.PIF
2009-07-28 21:37 119,808 a------- c:\windows\system32\t2embed.dll
2009-07-28 21:37 81,920 a------- c:\windows\system32\fontsub.dll
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-17 12:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-05-28 12:15 8 ---shr-- c:\docume~1\alluse~1\applic~1\BE8C8422E8.sys
2009-05-27 15:39 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009051820090525\index.dat
2009-05-27 15:39 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009052720090528\index.dat

============= FINISH: 17:06:34.89 ===============
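Added here as an illustration of how a helper reads the "Pseudo HJT Report" section of a DDS log like the two above; it is not DDS, ComboFix or BleepingComputer code. It parses the `<key>: [<name>] <command>` entry lines and flags the kinds of entries these logs contain: the extra program on the Userinit line, Run entries launched from a temp folder or with a space before .exe, a system-process name outside system32, a BHO whose only name is its own DLL path, and the NoFolderOptions/DisableRegistryTools policies. The rule set is an assumption of this example, and the sample report is constructed from entries copied out of the logs in this thread.

```python
"""Triage helper for the "Pseudo HJT Report" section of a DDS log.

Added example, not DDS, ComboFix or BleepingComputer code.  The rules and the
sample report are constructed for this example.
"""
import re
from typing import List, Tuple

ENTRY_RE = re.compile(r'^(?P<key>[A-Za-z][A-Za-z_-]*):\s+(?P<rest>.*)$')
NAMED_RE = re.compile(r'^\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
EXE_RE = re.compile(r'^"?(?P<path>.*?\.exe)"?(\s|$)', re.IGNORECASE)
TEMP_DIR_RE = re.compile(r'\\(temp|tmp)\\', re.IGNORECASE)
SPACED_EXE_RE = re.compile(r'\S \.exe\b', re.IGNORECASE)
# Policies that lock the user out of the tools needed to inspect the machine
# (the registry editor and the folder options dialog).
LOCKOUT_POLICIES = {"disableregistrytools", "nofolderoptions"}
# Windows system process names; a Run entry launching one from outside
# \windows\system32 is borrowing the name as camouflage.
SYSTEM_NAMES = {"csrss.exe", "lsass.exe", "services.exe", "svchost.exe",
                "winlogon.exe", "taskmgr.exe", "ctfmon.exe"}

Entry = Tuple[str, str, str]    # (key, bracketed name or '', value)
Finding = Tuple[str, str]       # (rule id, offending text)


def parse_entries(report: str) -> List[Entry]:
    """Parse '<key>: [<name>] <command>' and '<key>: <text>' lines."""
    entries: List[Entry] = []
    for raw in report.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue        # section banners, blank lines and file listings
        key, rest = m.group("key"), m.group("rest")
        named = NAMED_RE.match(rest)
        if named:
            entries.append((key, named.group("name"), named.group("cmd").strip()))
        else:
            entries.append((key, "", rest.strip()))
    return entries


def launched_exe(command: str) -> str:
    """Executable at the front of a Run command, without quotes or arguments."""
    m = EXE_RE.match(command.strip())
    return m.group("path") if m else command.strip()


def triage(entries: List[Entry]) -> List[Finding]:
    findings: List[Finding] = []
    for key, name, value in entries:
        if key.endswith("Winlogon") and value.lower().startswith("userinit="):
            # Userinit should launch nothing but userinit.exe itself.
            for prog in value[len("userinit="):].split(","):
                prog = prog.strip()
                if prog and not prog.lower().endswith("\\userinit.exe"):
                    findings.append(("userinit-extra-program", prog))
        elif key.endswith("Run"):
            if TEMP_DIR_RE.search(value):
                findings.append(("run-from-temp", f"[{name}] {value}"))
            if SPACED_EXE_RE.search(value):
                findings.append(("space-before-exe", f"[{name}] {value}"))
            exe = launched_exe(value).lower()
            folder, _, base = exe.rpartition("\\")
            if base in SYSTEM_NAMES and not folder.endswith("\\system32"):
                findings.append(("system-name-outside-system32", f"[{name}] {exe}"))
        elif "Policies-" in key:
            setting, _, state = value.partition("=")
            if setting.strip().lower() in LOCKOUT_POLICIES and state.strip().startswith("1"):
                findings.append(("lockout-policy", value))
        elif key in ("BHO", "STS"):
            # A legitimate BHO carries a display name; when there is none, DDS
            # prints the DLL path where the name would be.
            display = value.partition(": {")[0]
            if "\\" in display and display.lower().endswith(".dll"):
                findings.append(("unnamed-bho-dll", display))
    return findings


# Constructed sample report (entries copied from the DDS logs in this thread).
SAMPLE_REPORT = r"""
============== Pseudo HJT Report ===============

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\documents and settings\erica\qeo.exe \s
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: c:\windows\system32\nzfiu3h78di.dll: {ba603215-23f2-42ad-f4e4-00aac39caa53} - c:\windows\system32\nzfiu3h78di.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US
uRun: [Login Software 2009] c:\docume~1\erica\locals~1\temp\tj3mnc .exe
uRun: [WIndows Rescue Disk] c:\docume~1\erica\locals~1\temp\lsass.exe
mRun: [xdssev] c:\windows\system32\xdssev.exe \u
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
"""


def triage_sample() -> List[Finding]:
    """Run the rules over the constructed sample; returns eight findings."""
    return triage(parse_entries(SAMPLE_REPORT))
```

Benign entries in the sample (the Yahoo hook, the named Yahoo BHO, ctfmon.exe in system32, AIM, ForceClassicControlPanel) produce no findings, so the output is the handful of lines a helper would actually act on.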

#4 Blade (Strong in the Bleepforce)


  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US

Posted 08 October 2009 - 08:01 PM

Hello, and :( to the Malware Removal forum! My online alias is Blade Zephon, or Blade for short, and I will be assisting you with your malware issues!

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Before we begin cleaning your machine, I'd like to lay out some guidelines for us to follow while we are working together.
  • I will be assisting you with your malware issues. This may or may not resolve other problems you are having with your computer. If you are still having problems after your machine has been determined clean, I will be glad to direct you to the proper forum for assistance.
  • Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean. Absence of symptoms does not mean that all the malware has been removed. If a piece of the infection is left, it can regenerate and reinfect your machine.
  • Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • I ask that you please refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. If you act independently it will cause changes to your system that I will not be aware of, which will make the process of cleaning the machine a much slower and more difficult process. Additionally, some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you are unsure or confused about any instructions I give you, you should ask me to clarify before doing anything. Additionally, if you run into any problems while carrying out instructions, you should STOP and reply back here explaining what happened.
  • After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If you need additional time, that is perfectly alright; you just need to let us know beforehand. :(
  • As I am in the final stages of training an Expert Coach will also oversee your fix. Your benefit will be two people helping you instead of just one, but responses may be somewhat delayed so please be patient!!!!
Please give me a little time to go through your logs. My instructions will be forthcoming.

~Blade



#5 koolnerderica (Topic Starter)

  • Members
  • 31 posts

Posted 08 October 2009 - 10:10 PM

No problem. Thanks for the help.

#6 Blade (Strong in the Bleepforce)


  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US

Posted 10 October 2009 - 07:58 AM

Hello again. :(

First, please answer the following question:
What Antivirus program do you use?

Next, we need to run a rootkit scan.

Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Exit GMER and re-enable all active protection when done.
~Blade


In your next reply, please include the following:
What Antivirus do you use?
GMER log



#7 koolnerderica (Topic Starter)

  • Members
  • 31 posts

Posted 10 October 2009 - 06:25 PM

I use a program my cousin installed for me, it's called Ad-Aware SE Professional.
And when I try to run the GMER scanner, my computer shuts down and restarts. It shows a blue screen for like a micro second, not long enough for me to see what it says.
The first time, the scanner popped up and detected RootKit activity so I pressed yes, then that's when it shut down and restarted....and it left a RootRepeal report (I don't think that's what you want....but I'll attach it anyway in case it's important).


#8 Farbar (Just Curious)


  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 11 October 2009 - 05:14 AM

Just mistakenly posted a reply here.

Edited by farbar, 11 October 2009 - 08:30 AM.
Removing the post


#9 Blade (Strong in the Bleepforce)


  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US

Posted 11 October 2009 - 10:25 AM

Hello again.

I use a program my cousin installed for me, it's called Ad-Aware SE Professional.

Ad-Aware is an Anti-Spyware program. It is NOT an Antivirus. Anti-Spyware programs are meant to be used in addition to an Antivirus. Once we get you clean I will direct you to some Antivirus programs which are free for non-commercial use. An Antivirus is an absolute essential when it comes to internet safety.

***************************************************

Download Combofix from any of the links below but rename it to renamed.exe before saving it to your desktop.

Link 1
Link 2

--------------------------------------------------------------------

VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.

Double click on renamed.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt in your next reply so we can continue cleaning the system.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


~Blade


In your next reply, please include the following:
ComboFix log



#10 koolnerderica (Topic Starter)

  • Members
  • 31 posts

Posted 11 October 2009 - 04:48 PM

Oh alright. I didn't know it wasn't an anti-virus software. Does that mean I can no longer use it....or can I still use it but I need an anti-virus program as well?

Oh I was wondering if you could remove my attachments when you are finished with them. They're being downloaded. Thanks.


ComboFix 09-10-11.01 - Erica 10/11/2009 14:05.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.382.156 [GMT -7:00]
Running from: c:\documents and settings\Erica\Desktop\Renamed.exe.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Erica\LOCALS~1\Temp\csrss.exe
c:\docume~1\Erica\LOCALS~1\Temp\lsass.exe
c:\docume~1\Erica\LOCALS~1\Temp\services.exe
c:\docume~1\Erica\LOCALS~1\Temp\svchost.exe
c:\docume~1\Erica\LOCALS~1\Temp\taskmgr.exe
c:\docume~1\Erica\LOCALS~1\Temp\winlogon.exe
c:\documents and settings\Erica\Application Data\wiaserva.log
c:\recycler\k-1-3542-4232123213-7676767-8888886
c:\windows\system32\ctfmon .exe
c:\windows\system32\drivers\gasfkyapahelil.sys
c:\windows\system32\gasfkyjpiqqhes.dat
c:\windows\system32\gasfkymlqfswng.dat
c:\windows\system32\gasfkymxnretcq.dll
c:\windows\system32\gasfkyppepxxyi.dll
c:\windows\system32\gasfkyqltabrpu.dll
c:\windows\system32\gasfkyrmaxrmta.dll
c:\windows\system32\gasfkyxbqqfqii.dll
c:\windows\system32\kr_done1
c:\windows\system32\nzFIu3h78di.dll
c:\windows\system32\p2hhr.bat
c:\windows\system32\s5f7v7tutw4u .exe
c:\windows\system32\wbem\grpconv.exe

c:\windows\system32\grpconv.exe was missing
Restored copy from - c:\system volume information\_restore{0F84F4D8-A515-40FA-B868-4B7B397273D2}\RP102\A0028922.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gasfkyvypeycpb
-------\Legacy_gasfkyvypeycpb


((((((((((((((((((((((((( Files Created from 2009-09-11 to 2009-10-11 )))))))))))))))))))))))))))))))
.

2009-10-11 21:14 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe
2009-10-10 22:27 . 2009-10-10 22:27 -------- d-----w- C:\gmer
2009-10-10 22:23 . 2009-10-10 22:23 282312 ----a-w- C:\gmer.zip
2009-10-08 03:25 . 2009-10-08 03:25 -------- d-----w- C:\spoolerlogs
2009-10-05 06:26 . 2009-10-05 06:26 -------- d-----w- C:\DVDVideoSoft
2009-10-04 06:20 . 2009-10-04 06:20 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2009-10-03 22:18 . 2009-10-03 22:33 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-10-03 22:03 . 2009-10-03 22:03 -------- d-----w- c:\program files\Adobe Media Player
2009-10-03 08:22 . 2009-10-03 09:27 -------- d-----w- c:\documents and settings\Erica\Application Data\Download Manager
2009-10-03 02:57 . 2009-10-03 02:57 -------- d-----w- c:\documents and settings\Aaron\Local Settings\Application Data\Yahoo
2009-09-30 20:43 . 2009-09-30 20:43 61604 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-26 05:53 . 2009-09-26 05:53 262144 ----a-w- C:\ntuser.dat
2009-09-26 00:18 . 2009-09-26 00:18 -------- d-----w- c:\program files\iPod
2009-09-26 00:18 . 2009-09-26 00:19 -------- d-----w- c:\program files\iTunes
2009-09-22 05:29 . 2009-09-22 05:30 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-22 05:25 . 2009-09-22 05:26 -------- d-----w- c:\program files\QuickTime
2009-09-21 22:35 . 2009-09-21 22:35 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-09-20 20:23 . 2009-09-20 20:23 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-20 02:38 . 2009-09-20 02:39 -------- d-----w- c:\windows\system32\NtmsData
2009-09-19 21:21 . 2009-09-19 21:21 286720 ------w- c:\windows\system32\s5f7v7uutwku.dll
2009-09-19 21:20 . 2009-10-11 20:22 18432 ----a-w- c:\windows\system32\tdisp.sys
2009-09-19 21:19 . 2009-09-19 21:19 28160 ----a-w- c:\windows\system32\xdssev.exe
2009-09-19 21:19 . 2009-09-19 21:19 28160 ---ha-w- c:\documents and settings\Erica\qeo.exe
2009-09-19 21:19 . 2009-10-11 20:22 26112 ----a-w- c:\windows\system32\s5f7v7tutw4u.exe
2009-09-19 05:59 . 2009-09-19 06:00 -------- d-----w- c:\documents and settings\Erica\Local Settings\Application Data\OpenCandy
2009-09-19 05:59 . 2009-09-19 05:59 -------- d-----w- c:\documents and settings\Erica\Application Data\OpenCandy
2009-09-18 04:57 . 2009-09-18 04:57 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-09-18 04:57 . 2009-10-05 09:19 -------- d-----w- c:\documents and settings\Erica\Application Data\skypePM
2009-09-18 04:56 . 2009-10-05 10:23 -------- d-----w- c:\documents and settings\Erica\Application Data\Skype
2009-09-18 04:53 . 2009-09-18 04:53 -------- d-----w- c:\program files\Common Files\Skype
2009-09-18 04:53 . 2009-09-18 04:55 -------- d-----r- c:\program files\Skype
2009-09-18 04:52 . 2009-09-18 04:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-09-16 02:16 . 2009-09-16 02:16 -------- d-----w- c:\program files\Common Files\Software Update Utility
2009-09-14 23:39 . 2009-09-14 23:39 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-09-14 14:06 . 2009-09-14 14:06 -------- d-----w- c:\program files\MSXML 4.0
2009-09-14 01:12 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-09-14 01:08 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-09-14 01:08 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-09-14 01:08 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-09-14 01:08 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-09-14 01:08 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-09-14 01:08 . 2009-02-09 12:10 729088 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-09-14 01:08 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-09-14 01:08 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-09-14 01:08 . 2009-02-06 11:06 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-09-14 01:08 . 2009-02-06 11:08 2189056 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-09-14 01:08 . 2009-02-06 10:32 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-09-14 01:07 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-14 01:07 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2009-09-14 01:07 . 2008-04-11 19:04 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2009-09-14 01:07 . 2008-12-11 10:57 333952 -c----w- c:\windows\system32\dllcache\srv.sys
2009-09-14 01:06 . 2008-05-01 14:33 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2009-09-14 01:04 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-09-14 01:03 . 2009-07-03 17:09 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-09-14 01:03 . 2009-07-03 17:09 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-09-14 01:03 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-09-14 01:03 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-09-14 01:03 . 2009-07-03 17:09 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-09-14 01:01 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-09-14 00:58 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2009-09-14 00:57 . 2008-09-04 17:15 1106944 -c----w- c:\windows\system32\dllcache\msxml3.dll
2009-09-14 00:54 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-09-14 00:53 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-09-14 00:44 . 2008-10-16 21:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-09-12 04:24 . 2009-09-12 04:58 -------- d-----w- c:\program files\InterActual

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-11 01:51 . 2009-05-22 07:53 -------- d-----w- c:\documents and settings\Erica\Application Data\FileZilla
2009-10-11 00:04 . 2009-05-28 19:15 2828 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-10-10 08:50 . 2009-07-06 06:21 -------- d-----w- c:\program files\FileZilla FTP Client
2009-10-10 06:30 . 2009-05-21 16:47 84000 ----a-w- c:\documents and settings\Erica\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-10 06:11 . 2009-05-21 22:26 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-08 06:59 . 2009-06-25 09:12 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2009-10-03 21:34 . 2009-10-03 21:34 286720 --sha-r- c:\documents and settings\Erica\Application Data\s5f7v7uutwku.dll
2009-10-03 02:52 . 2009-08-01 18:28 -------- d-----w- c:\documents and settings\Aaron\Application Data\LimeWire
2009-10-03 02:50 . 2009-07-31 16:21 -------- d-----w- c:\documents and settings\Aaron\Application Data\Yahoo!
2009-09-30 21:46 . 2009-05-21 21:43 -------- d-----w- c:\documents and settings\Erica\Application Data\LimeWire
2009-09-27 10:16 . 2009-05-21 07:01 -------- d-----w- c:\documents and settings\Erica\Application Data\foobar2000
2009-09-26 05:54 . 2009-05-21 16:53 -------- d-----w- c:\documents and settings\Erica\Application Data\Yahoo!
2009-09-26 05:53 . 2009-05-21 16:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-09-26 05:52 . 2009-05-21 16:52 -------- d-----w- c:\program files\Yahoo!
2009-09-26 05:45 . 2009-05-21 16:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-09-26 00:18 . 2009-05-21 17:35 -------- d-----w- c:\program files\Common Files\Apple
2009-09-22 05:37 . 2009-05-21 17:40 -------- d-----w- c:\documents and settings\Erica\Application Data\Apple Computer
2009-09-16 03:33 . 2009-08-19 03:59 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-16 02:16 . 2009-07-20 18:24 -------- d-----w- c:\program files\AIM Toolbar
2009-09-14 14:14 . 2009-05-21 07:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-12 05:02 . 2009-05-22 03:13 -------- d-----w- c:\program files\Corel
2009-09-10 18:49 . 2009-09-10 18:45 -------- d-----w- c:\documents and settings\Erica\Application Data\MSN6
2009-09-10 18:45 . 2009-09-10 18:45 -------- d-----w- c:\documents and settings\All Users\Application Data\MSN6
2009-09-04 03:36 . 2009-05-22 03:16 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-09-04 03:36 . 2009-05-22 03:16 88 --sh--r- c:\windows\system32\BE8C8422E8.sys
2009-08-18 05:26 . 2009-08-18 05:26 -------- d-----w- c:\program files\Common Files\INCA Shared
2009-08-17 01:51 . 2009-08-17 01:32 -------- d-----w- c:\program files\Common Files\Real
2009-08-17 01:33 . 2009-08-17 01:33 -------- d-----w- c:\program files\Common Files\Logitech
2009-08-14 02:28 . 2009-06-25 09:12 -------- d-----w- c:\program files\DVDVideoSoft
2009-08-13 05:43 . 2009-07-07 22:48 -------- d-----w- c:\program files\AIM
2009-08-05 09:01 . 2004-08-04 07:56 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-31 04:56 . 2009-07-31 04:56 80408 ----a-w- c:\documents and settings\Aaron\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-29 04:37 . 2004-08-04 07:56 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-29 04:37 . 2001-08-23 11:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-25 12:23 . 2009-05-21 17:30 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2004-08-04 07:56 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 06:43 . 2004-08-04 07:56 286208 ----a-w- c:\windows\system32\wmpdxm.dll
.

------- Sigcheck -------

[7] 2008-04-14 . BF2466B3E18E970D8A976FB95FC1CA85 . 13312 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\lsass.exe
[-] 2008-04-14 . D41D8CD98F00B204E9800998ECF8427E . 14848 . . [5.1.2600.5512] . . c:\windows\system32\lsass.exe
[7] 2004-08-04 . 84885F9B82F4D55C6146EBF6065D75D2 . 13312 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\lsass.exe

[-] 2009-02-06 . D41D8CD98F00B204E9800998ECF8427E . 113152 . . [5.1.2600.5755] . . c:\windows\system32\services.exe
[7] 2009-02-06 . 020CEAAEDC8EB655B6506B8C70D53BB6 . 110592 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
[7] 2008-04-14 . 0E776ED5F7CC9F94299E70461B7B8185 . 108544 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB956572$\services.exe
[7] 2008-04-14 . 0E776ED5F7CC9F94299E70461B7B8185 . 108544 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\services.exe
[7] 2004-08-04 . C6CE6EEC82F187615D1002BB3BB50ED4 . 108032 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\services.exe

[7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\spoolsv.exe
[-] 2008-04-14 . D41D8CD98F00B204E9800998ECF8427E . 58880 . . [5.1.2600.5512] . . c:\windows\system32\spoolsv.exe
[-] 2005-10-14 . AD3D9D191AEA7B5445FE1D82FFBB4788 . 57856 . . [5.1.2600.2696] . . c:\windows\$NtServicePackUninstall$\spoolsv.exe

[7] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\svchost.exe
[-] 2008-04-14 . D41D8CD98F00B204E9800998ECF8427E . 17408 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe
[7] 2004-08-04 . 8F078AE4ED187AAABC0A305146DE6716 . 14336 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\svchost.exe

[7] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-14 . D41D8CD98F00B204E9800998ECF8427E . 512000 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[7] 2004-08-04 . 01C3346C241652F43AED8E2149881BFE . 502272 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\winlogon.exe

[-] 2008-04-14 . B1C3909B79891B64812E07B9A7889B79 . 1036288 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2005-10-15 . 45757077A47C68A603A79B03A1A836AB . 1032192 . . [6.00.2900.2649] . . c:\windows\$NtServicePackUninstall$\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-26 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-26 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim"="c:\program files\AIM\aim.exe" [2009-09-14 3634024]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-13 4351216]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-10-11 26112]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-10-11 26112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\bcmntray" [X]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-14 344064]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-10-08 26112]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-10-19 202032]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"Corel File Shell Monitor"="c:\program files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe" [2009-10-11 26112]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2008-08-18 532808]
"xdssev"="c:\windows\system32\xdssev.exe" [2009-09-19 28160]
"s5f7v7wutwkt"="c:\windows\system32\s5f7v7tutw4u.exe" [2009-10-11 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-10-11 26112]

c:\documents and settings\Aaron\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-7-31 139776]

c:\documents and settings\Erica\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"ZLIkizocOg"= {B4D10FA4-1E7B-A50E-E3B6-1C88A3FE8AA4} - c:\windows\system32\joepm.dll [2009-03-21 32768]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Ntreev USA\\Grand Chase\\main.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\xdssev.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Erica\\qeo.exe"=

R1 tdisp.sys;tdisp.sys;c:\windows\system32\tdisp.sys [9/19/2009 2:20 PM 18432]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-10-11 c:\windows\Tasks\User_Feed_Synchronization-{6E40E742-E049-453F-98BB-D75DA182AE00}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]

2009-10-11 c:\windows\Tasks\User_Feed_Synchronization-{DD9FC4B6-0448-4597-A2C1-0CCD4A681DC0}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Save YouTube Video - c:\program files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP4.htm
IE: Save YouTube Video as MP3 - c:\program files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
FF - ProfilePath - c:\documents and settings\Erica\Application Data\Mozilla\Firefox\Profiles\7roc279a.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc8&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc8&p=
FF - component: c:\program files\Common Files\DVDVideoSoft\Dll\FFContextMenuY\components\FFContextMenu.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll

---- FIREFOX POLICIES ----
FF - user.js: protocol-handler.warn-external.dnUpdate - false
FF - user.js: browser.sessionstore.resume_from_crash - false
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-DriverUpdaterPro - c:\program files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-11 14:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(764)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(836)
c:\windows\system32\WININET.dll
.
Completion time: 2009-10-11 14:21
ComboFix-quarantined-files.txt 2009-10-11 21:20

Pre-Run: 18,202,853,376 bytes free
Post-Run: 20,304,289,792 bytes free

291 --- E O F --- 2009-10-11 20:30

Edited by koolnerderica, 11 October 2009 - 06:34 PM.


#11 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US

Posted 12 October 2009 - 04:30 PM

Hello again.

Does that mean I can no longer use it....or can I still use it but I need an anti-virus program as well?

You can still use it. You just need to install an Antivirus once we're done cleaning you up. Please don't install one yet though.

***************************************************

We need to get the Recovery Console installed. Normally ComboFix will download and install the Recovery Console on its own unless there is a problem. For some reason ComboFix did not do this automatically, so we are redoing it manually. Please report back any errors if they occur.

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Scroll down to Step 1, and select the download that's appropriate for your Operating System. Download the file & save it as it's originally named to your Desktop.

Note: If you have SP3, use the SP2 package.

***************************************************

VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.

  • Drag the setup package onto renamed.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.




  • At the next prompt, click 'Yes' to run the full ComboFix scan.

  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt in your next reply.

~Blade


In your next reply, please include the following:
ComboFix Log


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#12 koolnerderica

koolnerderica
  • Topic Starter

  • Members
  • 31 posts

Posted 12 October 2009 - 06:51 PM

After cleaning, is it okay for me to delete everything used?



ComboFix 09-10-11.01 - Erica 10/12/2009 16:14.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.382.89 [GMT -7:00]
Running from: c:\documents and settings\Erica\Desktop\Renamed.exe.exe
Command switches used :: c:\documents and settings\Erica\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ctfmon .exe
c:\windows\system32\s5f7v7tutw4u .exe

.
((((((((((((((((((((((((( Files Created from 2009-09-12 to 2009-10-12 )))))))))))))))))))))))))))))))
.

2009-10-11 21:14 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe
2009-10-10 22:27 . 2009-10-10 22:27 -------- d-----w- C:\gmer
2009-10-10 22:23 . 2009-10-10 22:23 282312 ----a-w- C:\gmer.zip
2009-10-08 03:25 . 2009-10-08 03:25 -------- d-----w- C:\spoolerlogs
2009-10-05 06:26 . 2009-10-05 06:26 -------- d-----w- C:\DVDVideoSoft
2009-10-04 06:20 . 2009-10-04 06:20 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2009-10-03 22:18 . 2009-10-03 22:33 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-10-03 22:03 . 2009-10-03 22:03 -------- d-----w- c:\program files\Adobe Media Player
2009-10-03 08:22 . 2009-10-03 09:27 -------- d-----w- c:\documents and settings\Erica\Application Data\Download Manager
2009-10-03 02:57 . 2009-10-03 02:57 -------- d-----w- c:\documents and settings\Aaron\Local Settings\Application Data\Yahoo
2009-09-30 20:43 . 2009-09-30 20:43 61604 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-26 05:53 . 2009-09-26 05:53 262144 ----a-w- C:\ntuser.dat
2009-09-26 00:18 . 2009-09-26 00:18 -------- d-----w- c:\program files\iPod
2009-09-26 00:18 . 2009-09-26 00:19 -------- d-----w- c:\program files\iTunes
2009-09-22 05:29 . 2009-09-22 05:30 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-22 05:25 . 2009-09-22 05:26 -------- d-----w- c:\program files\QuickTime
2009-09-21 22:35 . 2009-09-21 22:35 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-09-20 20:23 . 2009-09-20 20:23 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-20 02:38 . 2009-09-20 02:39 -------- d-----w- c:\windows\system32\NtmsData
2009-09-19 21:21 . 2009-09-19 21:21 286720 ------w- c:\windows\system32\s5f7v7uutwku.dll
2009-09-19 21:20 . 2009-10-11 20:22 18432 ----a-w- c:\windows\system32\tdisp.sys
2009-09-19 21:19 . 2009-09-19 21:19 28160 ----a-w- c:\windows\system32\xdssev.exe
2009-09-19 21:19 . 2009-09-19 21:19 28160 ---ha-w- c:\documents and settings\Erica\qeo.exe
2009-09-19 21:19 . 2009-10-11 21:35 26112 ----a-w- c:\windows\system32\s5f7v7tutw4u.exe
2009-09-19 05:59 . 2009-09-19 06:00 -------- d-----w- c:\documents and settings\Erica\Local Settings\Application Data\OpenCandy
2009-09-19 05:59 . 2009-09-19 05:59 -------- d-----w- c:\documents and settings\Erica\Application Data\OpenCandy
2009-09-18 04:57 . 2009-09-18 04:57 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-09-18 04:57 . 2009-10-05 09:19 -------- d-----w- c:\documents and settings\Erica\Application Data\skypePM
2009-09-18 04:56 . 2009-10-05 10:23 -------- d-----w- c:\documents and settings\Erica\Application Data\Skype
2009-09-18 04:53 . 2009-09-18 04:53 -------- d-----w- c:\program files\Common Files\Skype
2009-09-18 04:53 . 2009-09-18 04:55 -------- d-----r- c:\program files\Skype
2009-09-18 04:52 . 2009-09-18 04:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-09-16 02:16 . 2009-09-16 02:16 -------- d-----w- c:\program files\Common Files\Software Update Utility
2009-09-14 23:39 . 2009-09-14 23:39 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-09-14 14:06 . 2009-09-14 14:06 -------- d-----w- c:\program files\MSXML 4.0
2009-09-14 01:12 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-09-14 01:08 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-09-14 01:08 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-09-14 01:08 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-09-14 01:08 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-09-14 01:08 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-09-14 01:08 . 2009-02-09 12:10 729088 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-09-14 01:08 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-09-14 01:08 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-09-14 01:08 . 2009-02-06 11:06 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-09-14 01:08 . 2009-02-06 11:08 2189056 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-09-14 01:08 . 2009-02-06 10:32 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-09-14 01:07 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-14 01:07 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2009-09-14 01:07 . 2008-04-11 19:04 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2009-09-14 01:07 . 2008-12-11 10:57 333952 -c----w- c:\windows\system32\dllcache\srv.sys
2009-09-14 01:06 . 2008-05-01 14:33 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2009-09-14 01:04 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-09-14 01:03 . 2009-07-03 17:09 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-09-14 01:03 . 2009-07-03 17:09 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-09-14 01:03 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-09-14 01:03 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-09-14 01:03 . 2009-07-03 17:09 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-09-14 01:01 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-09-14 00:58 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2009-09-14 00:57 . 2008-09-04 17:15 1106944 -c----w- c:\windows\system32\dllcache\msxml3.dll
2009-09-14 00:54 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-09-14 00:53 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-09-14 00:44 . 2008-10-16 21:06 268648 ----a-w- c:\windows\system32\mucltui.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-12 04:07 . 2009-05-28 19:15 2828 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-10-11 21:33 . 2009-06-16 04:33 -------- d-----w- c:\documents and settings\Mom\Application Data\Yahoo!
2009-10-11 01:51 . 2009-05-22 07:53 -------- d-----w- c:\documents and settings\Erica\Application Data\FileZilla
2009-10-10 08:50 . 2009-07-06 06:21 -------- d-----w- c:\program files\FileZilla FTP Client
2009-10-10 06:30 . 2009-05-21 16:47 84000 ----a-w- c:\documents and settings\Erica\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-10 06:11 . 2009-05-21 22:26 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-08 06:59 . 2009-06-25 09:12 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2009-10-03 21:34 . 2009-10-03 21:34 286720 --sha-r- c:\documents and settings\Erica\Application Data\s5f7v7uutwku.dll
2009-10-03 02:52 . 2009-08-01 18:28 -------- d-----w- c:\documents and settings\Aaron\Application Data\LimeWire
2009-10-03 02:50 . 2009-07-31 16:21 -------- d-----w- c:\documents and settings\Aaron\Application Data\Yahoo!
2009-09-30 21:46 . 2009-05-21 21:43 -------- d-----w- c:\documents and settings\Erica\Application Data\LimeWire
2009-09-27 10:16 . 2009-05-21 07:01 -------- d-----w- c:\documents and settings\Erica\Application Data\foobar2000
2009-09-26 05:54 . 2009-05-21 16:53 -------- d-----w- c:\documents and settings\Erica\Application Data\Yahoo!
2009-09-26 05:53 . 2009-05-21 16:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-09-26 05:52 . 2009-05-21 16:52 -------- d-----w- c:\program files\Yahoo!
2009-09-26 05:45 . 2009-05-21 16:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-09-26 00:18 . 2009-05-21 17:35 -------- d-----w- c:\program files\Common Files\Apple
2009-09-22 05:37 . 2009-05-21 17:40 -------- d-----w- c:\documents and settings\Erica\Application Data\Apple Computer
2009-09-16 03:33 . 2009-08-19 03:59 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-16 02:16 . 2009-07-20 18:24 -------- d-----w- c:\program files\AIM Toolbar
2009-09-14 14:14 . 2009-05-21 07:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-12 05:02 . 2009-05-22 03:13 -------- d-----w- c:\program files\Corel
2009-09-12 04:58 . 2009-09-12 04:24 -------- d-----w- c:\program files\InterActual
2009-09-10 18:49 . 2009-09-10 18:45 -------- d-----w- c:\documents and settings\Erica\Application Data\MSN6
2009-09-10 18:45 . 2009-09-10 18:45 -------- d-----w- c:\documents and settings\All Users\Application Data\MSN6
2009-09-04 03:36 . 2009-05-22 03:16 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-09-04 03:36 . 2009-05-22 03:16 88 --sh--r- c:\windows\system32\BE8C8422E8.sys
2009-08-18 05:26 . 2009-08-18 05:26 -------- d-----w- c:\program files\Common Files\INCA Shared
2009-08-17 01:51 . 2009-08-17 01:32 -------- d-----w- c:\program files\Common Files\Real
2009-08-17 01:33 . 2009-08-17 01:33 -------- d-----w- c:\program files\Common Files\Logitech
2009-08-14 02:28 . 2009-06-25 09:12 -------- d-----w- c:\program files\DVDVideoSoft
2009-08-05 09:01 . 2004-08-04 07:56 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-31 04:56 . 2009-07-31 04:56 80408 ----a-w- c:\documents and settings\Aaron\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-29 04:37 . 2004-08-04 07:56 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-29 04:37 . 2001-08-23 11:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-25 12:23 . 2009-05-21 17:30 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2004-08-04 07:56 58880 ----a-w- c:\windows\system32\atl.dll
.

------- Sigcheck -------

[7] 2008-04-14 . BF2466B3E18E970D8A976FB95FC1CA85 . 13312 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\lsass.exe
[-] 2008-04-14 . D41D8CD98F00B204E9800998ECF8427E . 14848 . . [5.1.2600.5512] . . c:\windows\system32\lsass.exe
[7] 2004-08-04 . 84885F9B82F4D55C6146EBF6065D75D2 . 13312 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\lsass.exe

[-] 2009-02-06 . D41D8CD98F00B204E9800998ECF8427E . 113152 . . [5.1.2600.5755] . . c:\windows\system32\services.exe
[7] 2009-02-06 . 020CEAAEDC8EB655B6506B8C70D53BB6 . 110592 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
[7] 2008-04-14 . 0E776ED5F7CC9F94299E70461B7B8185 . 108544 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB956572$\services.exe
[7] 2008-04-14 . 0E776ED5F7CC9F94299E70461B7B8185 . 108544 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\services.exe
[7] 2004-08-04 . C6CE6EEC82F187615D1002BB3BB50ED4 . 108032 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\services.exe

[7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\spoolsv.exe
[-] 2008-04-14 . D41D8CD98F00B204E9800998ECF8427E . 58880 . . [5.1.2600.5512] . . c:\windows\system32\spoolsv.exe
[-] 2005-10-14 . AD3D9D191AEA7B5445FE1D82FFBB4788 . 57856 . . [5.1.2600.2696] . . c:\windows\$NtServicePackUninstall$\spoolsv.exe

[7] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\svchost.exe
[-] 2008-04-14 . D41D8CD98F00B204E9800998ECF8427E . 17408 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe
[7] 2004-08-04 . 8F078AE4ED187AAABC0A305146DE6716 . 14336 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\svchost.exe

[7] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-14 . D41D8CD98F00B204E9800998ECF8427E . 512000 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[7] 2004-08-04 . 01C3346C241652F43AED8E2149881BFE . 502272 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\winlogon.exe

[-] 2008-04-14 . B1C3909B79891B64812E07B9A7889B79 . 1036288 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2005-10-15 . 45757077A47C68A603A79B03A1A836AB . 1032192 . . [6.00.2900.2649] . . c:\windows\$NtServicePackUninstall$\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-26 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-26 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim"="c:\program files\AIM\aim.exe" [2009-09-14 3634024]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-13 4351216]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-10-12 26112]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-10-12 26112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\bcmntray" [X]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-14 344064]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-10-12 26112]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-10-19 202032]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"Corel File Shell Monitor"="c:\program files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe" [2009-10-12 26112]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2008-08-18 532808]
"xdssev"="c:\windows\system32\xdssev.exe" [2009-09-19 28160]
"s5f7v7wutwkt"="c:\windows\system32\s5f7v7tutw4u.exe" [2009-10-11 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-10-12 26112]

c:\documents and settings\Aaron\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-7-31 139776]

c:\documents and settings\Erica\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"ZLIkizocOg"= {B4D10FA4-1E7B-A50E-E3B6-1C88A3FE8AA4} - c:\windows\system32\joepm.dll [2009-03-21 32768]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Ntreev USA\\Grand Chase\\main.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Erica\\qeo.exe"=
"c:\\WINDOWS\\system32\\xdssev.exe"=

R1 tdisp.sys;tdisp.sys;c:\windows\system32\tdisp.sys [9/19/2009 2:20 PM 18432]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-10-12 c:\windows\Tasks\User_Feed_Synchronization-{6E40E742-E049-453F-98BB-D75DA182AE00}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]

2009-10-12 c:\windows\Tasks\User_Feed_Synchronization-{DD9FC4B6-0448-4597-A2C1-0CCD4A681DC0}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Save YouTube Video - c:\program files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP4.htm
IE: Save YouTube Video as MP3 - c:\program files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
FF - ProfilePath - c:\documents and settings\Erica\Application Data\Mozilla\Firefox\Profiles\7roc279a.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc8&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc8&p=
FF - component: c:\program files\Common Files\DVDVideoSoft\Dll\FFContextMenuY\components\FFContextMenu.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll

---- FIREFOX POLICIES ----
FF - user.js: protocol-handler.warn-external.dnUpdate - false
FF - user.js: browser.sessionstore.resume_from_crash - false
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-12 16:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(748)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(816)
c:\windows\system32\WININET.dll
.
Completion time: 2009-10-12 16:26
ComboFix-quarantined-files.txt 2009-10-12 23:25
ComboFix2.txt 2009-10-11 21:21

Pre-Run: 20,107,001,856 bytes free
Post-Run: 20,180,852,736 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

268 --- E O F --- 2009-10-11 20:30

#13 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US
  • Local time:03:38 PM

Posted 13 October 2009 - 04:49 AM

Hello.

After cleaning, is it okay for me to delete everything used?

Once I've declared you clean, we'll clean up everything we used during the fix. But you aren't clean yet. There is still malware on your system, and things still aren't running normally.

***************************************************

We would like to take a look at the following files:
  • c:\windows\system32\winlogon.exe
    c:\windows\explorer.exe
  • Zip them first, to do that:
    • Go to the directory where they are located and copy them to the desktop.
    • Hold down the Ctrl key and select the files one by one until you have selected all of them.
    • Right-click one of the selected files and select Send To from the Context menu => select Compressed (zip) Folder
    • Click Yes to any prompt. A zip file will be created on the desktop.
  • Click on this link: http://www.bleepingcomputer.com/submit-mal....php?channel=66
  • Click Browse... and navigate to the zip file and highlight it to select.
  • Click Open.
  • Copy the link to this topic in the appropriate box.
  • Click Send File.
***************************************************

Please open a Notepad file: (From the Start Menu, click Run and type notepad in the window that appears.)
  • Copy the contents of the below code box into the notepad window.
  • Save the file as fixit.bat on your desktop: (Important! make sure you change the "Save As Type" to "All Files")
    @Echo off
    listsvc >Log.txt
    START Log.txt
    DEL %0
  • Close the notepad window and click on the fixit.bat file on your Desktop
    • A black Command Prompt window will appear shortly: the program is running.
  • Once it is finished, copy and paste the entire contents of the Log.txt file that appears as a reply to this post.
***************************************************

1. Open notepad and copy/paste the text in the quotebox below into it:

http://www.bleepingcomputer.com/forums/t/258880/infected-with-a-virus/

Collect::
c:\windows\system32\joepm.dll
c:\windows\system32\tdisp.sys

File::
c:\windows\system32\s5f7v7uutwku.dll
c:\windows\system32\xdssev.exe
c:\documents and settings\Erica\qeo.exe
c:\windows\system32\s5f7v7tutw4u.exe
c:\windows\system32\ezsidmv.dat
c:\documents and settings\Erica\Application Data\s5f7v7uutwku.dll

FCopy::
c:\windows\ServicePackFiles\i386\lsass.exe | c:\windows\system32\lsass.exe
c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe | c:\windows\system32\services.exe
c:\windows\ServicePackFiles\i386\spoolsv.exe | c:\windows\system32\spoolsv.exe
c:\windows\ServicePackFiles\i386\svchost.exe | c:\windows\system32\svchost.exe
c:\windows\ServicePackFiles\i386\winlogon.exe | c:\windows\system32\winlogon.exe
c:\windows\ServicePackFiles\i386\explorer.exe | c:\windows\explorer.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"xdssev"=-
"s5f7v7wutwkt"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"ZLIkizocOg"=-

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Documents and Settings\\Erica\\qeo.exe"=-
"c:\\WINDOWS\\system32\\xdssev.exe"=-

Driver::
tdisp.sys


Save this as CFScript.txt, in the same location as ComboFix.exe

2. Close any open browsers.

3. VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
~Blade


In your next reply, please include the following:
Log.txt
ComboFix log

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+
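The Sigcheck section of the log above and the FCopy:: block in the CFScript are two halves of one check: for each core binary, compare the live copy in system32 against the backup copies Windows keeps from the service pack and hotfix installs, and restore from the matching backup when they disagree. The script below is an added example, not ComboFix, BleepingComputer or the helper's own code; it parses the Sigcheck lines (sample constructed from the log in this thread), flags live files whose hash or size differs from the reference copy of the same version, and prints the FCopy:: lines that result. The reference-directory list and the column layout are assumptions drawn from that log. One detail worth knowing: D41D8CD98F00B204E9800998ECF8427E is the MD5 of zero bytes, so reporting it for a 14848-byte lsass.exe means the scanner could not read the file contents at all.

```python
"""Sigcheck triage for a ComboFix log (added example, not ComboFix code).
Sample lines are constructed from the Sigcheck section of the log in this
thread; REFERENCE_DIRS and the column layout are assumptions from that log."""
import re
from collections import defaultdict

# MD5 of zero bytes: a non-empty file reported with this hash was unreadable.
EMPTY_MD5 = "D41D8CD98F00B204E9800998ECF8427E"
# Directories holding clean backup copies (assumed from the paths in the log).
REFERENCE_DIRS = ("\\servicepackfiles\\", "\\$hf_mig$\\",
                  "\\$ntservicepackuninstall$\\", "\\$ntuninstall")
PREFERRED_REFERENCE = "\\servicepackfiles\\"
# Column layout: "[flag] date . MD5 . size . . [version] . . path"
LINE_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+(?P<date>\S+)\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})"
    r"\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+\[(?P<version>[^\]]+)\]\s+\.\s+\.\s+"
    r"(?P<path>\S.*?)\s*$")


def parse_sigcheck(text):
    """Return one dict per Sigcheck line; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].upper()
            entries.append(entry)
    return entries


def is_reference(path):
    return any(d in path.lower() for d in REFERENCE_DIRS)


def pick_reference(live, refs):
    """Backup copy with the same file version, preferring ServicePackFiles."""
    same = [r for r in refs if r["version"] == live["version"] and r["md5"] != EMPTY_MD5]
    same.sort(key=lambda r: PREFERRED_REFERENCE not in r["path"].lower())
    return same[0] if same else None


def find_tampered(entries):
    """Flag live binaries whose hash or size disagrees with their reference copy."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["path"].lower().rsplit("\\", 1)[-1]].append(e)
    findings = []
    for name, group in groups.items():
        refs = [e for e in group if is_reference(e["path"])]
        for live in (e for e in group if not is_reference(e["path"])):
            ref = pick_reference(live, refs)
            reasons = []
            if live["md5"] == EMPTY_MD5:
                reasons.append("hash is the MD5 of empty input (file unreadable)")
            if ref and live["md5"] != ref["md5"]:
                reasons.append(f"hash differs from {ref['path']}")
            if ref and live["size"] != ref["size"]:
                reasons.append(f"size {live['size']} vs reference {ref['size']}")
            if reasons:
                findings.append({"name": name, "live": live["path"],
                                 "reference": ref["path"] if ref else None,
                                 "reasons": reasons})
    return findings


def fcopy_script(findings):
    """Emit a CFScript FCopy:: block restoring each flagged file from its reference."""
    lines = ["FCopy::"]
    lines += [f"{f['reference']} | {f['live']}" for f in findings if f["reference"]]
    return "\n".join(lines)


# Constructed sample: the Sigcheck lines from the log posted in this thread.
SAMPLE_SIGCHECK = r"""
[7] 2008-04-14 . BF2466B3E18E970D8A976FB95FC1CA85 . 13312 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\lsass.exe
[-] 2008-04-14 . D41D8CD98F00B204E9800998ECF8427E . 14848 . . [5.1.2600.5512] . . c:\windows\system32\lsass.exe
[7] 2004-08-04 . 84885F9B82F4D55C6146EBF6065D75D2 . 13312 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\lsass.exe
[-] 2009-02-06 . D41D8CD98F00B204E9800998ECF8427E . 113152 . . [5.1.2600.5755] . . c:\windows\system32\services.exe
[7] 2009-02-06 . 020CEAAEDC8EB655B6506B8C70D53BB6 . 110592 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
[7] 2008-04-14 . 0E776ED5F7CC9F94299E70461B7B8185 . 108544 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB956572$\services.exe
[7] 2008-04-14 . 0E776ED5F7CC9F94299E70461B7B8185 . 108544 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\services.exe
[7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\spoolsv.exe
[-] 2008-04-14 . D41D8CD98F00B204E9800998ECF8427E . 58880 . . [5.1.2600.5512] . . c:\windows\system32\spoolsv.exe
[-] 2005-10-14 . AD3D9D191AEA7B5445FE1D82FFBB4788 . 57856 . . [5.1.2600.2696] . . c:\windows\$NtServicePackUninstall$\spoolsv.exe
[7] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\svchost.exe
[-] 2008-04-14 . D41D8CD98F00B204E9800998ECF8427E . 17408 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe
[7] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-14 . D41D8CD98F00B204E9800998ECF8427E . 512000 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[-] 2008-04-14 . B1C3909B79891B64812E07B9A7889B79 . 1036288 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2005-10-15 . 45757077A47C68A603A79B03A1A836AB . 1032192 . . [6.00.2900.2649] . . c:\windows\$NtServicePackUninstall$\explorer.exe
"""

FINDINGS = find_tampered(parse_sigcheck(SAMPLE_SIGCHECK))

if __name__ == "__main__":
    for f in FINDINGS:
        print(f"{f['live']}: " + "; ".join(f["reasons"]))
    print(fcopy_script(FINDINGS))
```

Run against the sample, the script flags all six live binaries and its FCopy:: output is line for line the block in the CFScript above, including the choice of the $hf_mig$ KB956572 copy for services.exe, since that is the only backup carrying the live file's 5.1.2600.5755 version. Every flagged system32 file is also a few kilobytes larger than its reference, which is why restoring from a known-good copy rather than trusting the on-disk binary is the right call.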


#14 koolnerderica

koolnerderica
  • Topic Starter

  • Members
  • 31 posts
  • Local time:12:38 PM

Posted 13 October 2009 - 05:31 PM

Hello.

After cleaning, is it okay for me to delete everything used?

Once I've declared you clean, we'll clean up everything we used during the fix. But you aren't clean yet. There is still malware on your system, and things still aren't running normally.

***************************************************

We would like to take a look at the following files:
  • c:\windows\system32\winlogon.exe
    c:\windows\explorer.exe
  • Zip them first, to do that:
    • Go to the directory where they are located and copy them to the desktop.
    • Hold down the Ctrl key and select the files one by one until you have selected all of them.
    • Right-click one of the selected files and select Send To from the Context menu => select Compressed (zip) Folder
    • Click Yes to any prompt. A zip file will be created on the desktop.
  • Click on this link: http://www.bleepingcomputer.com/submit-mal....php?channel=66
  • Click Browse... and navigate to the zip file and highlight it to select.
  • Click Open.
  • Copy the link to this topic in the appropriate box.
  • Click Send File.
***************************************************

Please open a Notepad file: (From the Start Menu, click Run and type notepad in the window that appears.)
  • Copy the contents of the below code box into the notepad window.
  • Save the file as fixit.bat on your desktop: (Important! make sure you change the "Save As Type" to "All Files")
    @Echo off
    listsvc >Log.txt
    START Log.txt
    DEL %0
  • Close the notepad window and click on the fixit.bat file on your Desktop
    • A black Command Prompt window will appear shortly: the program is running.
  • Once it is finished, copy and paste the entire contents of the Log.txt file that appears as a reply to this post.
***************************************************


I got this when doing the fixit.bat part.


And when the log popped up, it came up blank.
I didn't proceed with the rest of it because I didn't want to skip steps if one depended on the other.

Edited by koolnerderica, 14 October 2009 - 02:31 PM.


#15 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US
  • Local time:03:38 PM

Posted 13 October 2009 - 09:21 PM

Hello.

Thank you for checking with me before proceeding. :( Please go ahead with the remainder of the fix.

~Blade


In your next reply, please include the following:
ComboFix log





