Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Virtumonde


  • This topic is locked This topic is locked
3 replies to this topic

#1 rchestney

rchestney

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:02:53 AM

Posted 03 October 2009 - 09:08 PM

DDS (Ver_09-09-29.01) - NTFSx86
Run by Chestney at 20:58:49.96 on Sat 10/03/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1242 [GMT -5:00]

AV: Quick Heal 10.00 *On-access scanning enabled* (Updated) {05C1329D-F0E0-4B19-9D15-54F9BC3ADE87}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\QUICKH~1\QUICKH~1\opssvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\PROGRA~1\QUICKH~1\QUICKH~1\EMLPROXY.EXE
C:\PROGRA~1\QUICKH~1\QUICKH~1\quhlpsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
C:\Program Files\Saitek\CyborgKeyboard\SaiVolume.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\QUICKH~1\QUICKH~1\EMLPROUI.EXE
C:\PROGRA~1\QUICKH~1\QUICKH~1\UPSCHD.EXE
C:\PROGRA~1\QUICKH~1\QUICKH~1\OnlineNT.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\QUICKH~1\QUICKH~1\scanwscs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Chestney\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/webhp?rls=ig
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [EasyTuneVPro] c:\program files\gigabyte\et5pro\ETcall.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Creative WebCam Tray] c:\program files\creative\shared files\CAMTRAY.EXE
mRun: [ProfilerU] c:\program files\saitek\sd6\software\ProfilerU.exe
mRun: [SaiMfd] c:\program files\saitek\sd6\software\SaiMfd.exe
mRun: [SaiVolume] c:\program files\saitek\cyborgkeyboard\SaiVolume.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Email Protection] c:\progra~1\quickh~1\quickh~1\EMLPROUI.EXE
mRun: [Scanner Reminder] c:\progra~1\quickh~1\quickh~1\remind.exe
mRun: [Update Scheduler] c:\progra~1\quickh~1\quickh~1\UPSCHD.EXE /CHECK
mRun: [On-Line Protection] c:\progra~1\quickh~1\quickh~1\cateye.exe
mRun: [Startup Scan] c:\progra~1\quickh~1\quickh~1\Sensor.EXE /LOADRUN
mRun: [ResumeQuickupDownload] c:\progra~1\quickh~1\quickh~1\acappaa.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRunOnce: [Startup Scan] c:\progra~1\quickh~1\quickh~1\Sensor.EXE /check
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: aol.com\free
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\chestney\applic~1\mozilla\firefox\profiles\lhja14c3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R2 catflt;catflt;c:\windows\system32\drivers\catflt.sys [2009-9-27 65144]
R2 EMLSS;EMLSS;c:\windows\system32\drivers\EMLTDI.SYS [2009-9-27 28656]
R2 Online Protection System;Online Protection System;c:\progra~1\quickh~1\quickh~1\opssvc.exe [2009-9-27 17272]
R2 Quick Heal Antivirus Plus Mail Protection;Quick Heal Antivirus Plus Mail Protection;c:\progra~1\quickh~1\quickh~1\EMLPROXY.EXE [2009-9-27 50552]
R2 Quick Update Service;Quick Update Service;c:\progra~1\quickh~1\quickh~1\quhlpsvc.exe [2009-9-27 58744]
R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\common files\microsoft shared\windows live\WLIDSVC.EXE [2009-3-30 1533808]
R3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2009-1-19 22784]
R3 SaiK0728;SaiK0728;c:\windows\system32\drivers\SaiK0728.sys [2008-2-18 104960]
S3 CyUsb;Cypress Generic USB Driver;c:\windows\system32\drivers\CYUSB.sys [2009-1-19 31104]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\dragon age\bin_ship\daupdatersvc.service.exe [2009-9-15 25832]
S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [2007-11-15 34064]
S3 Razerlow;Razerlow USB Filter Driver;c:\windows\system32\drivers\Razerlow.sys [2005-4-24 13225]
S3 SaiH0728;SaiH0728;c:\windows\system32\drivers\SaiH0728.sys [2009-1-10 136448]
S4 usbctl;Microsoft USB Bus Controller; [x]
SUnknown GVTDrv;GVTDrv; [x]

=============== Created Last 30 ================

2009-09-29 20:11 <DIR> --d----- c:\program files\iTunes
2009-09-27 19:22 <DIR> --d----- c:\windows\pss
2009-09-27 19:08 <DIR> --d----- C:\temp
2009-09-27 17:57 <DIR> --d----- c:\program files\Research In Motion
2009-09-27 17:57 <DIR> --d----- c:\program files\common files\Research In Motion
2009-09-27 17:20 6,223 a------- c:\windows\RegAct.dat
2009-09-27 13:04 0 a------- c:\windows\sensor.INI
2009-09-27 13:03 0 a------- c:\windows\hqstat.mtl
2009-09-27 13:03 0 a------- c:\windows\hqstat.mnt
2009-09-27 13:03 28,656 a------- c:\windows\system32\drivers\EMLTDI.SYS
2009-09-27 13:03 65,144 a------- c:\windows\system32\drivers\catflt.sys
2009-09-27 13:03 <DIR> --d----- c:\program files\Quick Heal
2009-09-27 13:02 56 a------- c:\windows\QH32.INI
2009-09-24 12:46 18,908 a------- c:\windows\jydodady.vbs
2009-09-24 12:46 16,992 a------- c:\program files\common files\ahukoluli.dll
2009-09-24 12:46 15,825 a------- c:\windows\efutofoqo.sys
2009-09-24 12:46 14,559 a------- c:\program files\common files\uwox.com
2009-09-24 12:46 14,289 a------- c:\program files\common files\zevahysal.dat
2009-09-24 12:46 14,144 a------- c:\windows\cobypar.bin
2009-09-24 12:46 13,486 a------- c:\windows\fesotun.dat
2009-09-24 12:46 12,949 a------- c:\docume~1\alluse~1\applic~1\apuleresec.com
2009-09-24 12:46 11,546 a------- c:\windows\ydoziz.bat
2009-09-24 12:46 10,288 a------- c:\windows\system32\hiqevys.pif
2009-09-22 16:13 208,744 a------- c:\windows\system32\muweb.dll
2009-09-22 12:15 <DIR> --d----- c:\docume~1\chestney\applic~1\Office Genuine Advantage
2009-09-21 22:24 <DIR> --d----- c:\program files\Trend Micro
2009-09-21 21:44 411,368 a------- c:\windows\system32\deploytk.dll
2009-09-21 21:44 73,728 a------- c:\windows\system32\javacpl.cpl
2009-09-21 08:32 <DIR> --d----- c:\program files\WinPcap
2009-09-21 08:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\11809684
2009-09-20 09:01 <DIR> --d----- c:\program files\iPhone Configuration Utility
2009-09-20 08:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-15 20:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\BioWare
2009-09-15 19:50 <DIR> --d----- c:\windows\system32\AGEIA
2009-09-15 19:35 <DIR> --d----- c:\program files\Dragon Age
2009-09-15 19:35 <DIR> --d----- c:\program files\common files\BioWare
2009-09-12 10:40 <DIR> --d----- c:\docume~1\chestney\applic~1\Turbine
2009-09-11 23:53 <DIR> --d----- c:\program files\Turbine
2009-09-11 19:10 <DIR> --d----- c:\program files\DDO
2009-09-11 19:10 <DIR> --d----- c:\program files\Pando Networks
2009-09-05 01:54 94,208 a------- c:\windows\system32\QuickTimeVR.qtx
2009-09-05 01:54 69,632 a------- c:\windows\system32\QuickTime.qts

==================== Find3M ====================

2009-10-03 09:59 24,944 a------- c:\windows\system32\drivers\GVTDrv.sys
2009-09-24 12:46 18,275 a------- c:\program files\common files\afeluw.db
2009-09-24 12:46 10,656 a------- c:\program files\common files\uhorut._sy
2009-09-10 22:54 138,696 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-09-10 22:54 201,816 a------- c:\windows\system32\PnkBstrB.exe
2009-08-30 15:18 444,952 a------- c:\windows\system32\wrap_oal.dll
2009-08-30 15:18 109,080 a------- c:\windows\system32\OpenAL32.dll
2009-08-09 15:41 22,328 a------- c:\docume~1\chestney\applic~1\PnkBstrK.sys
2009-08-09 15:40 2,250,024 a------- c:\windows\system32\pbsvc.exe
2009-08-09 15:40 66,872 a------- c:\windows\system32\PnkBstrA.exe
2009-08-07 23:44 2,818 a------- c:\windows\system32\ealregsnapshot1.reg
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-03 15:07 403,816 a------- c:\windows\system32\OGACheckControl.dll
2009-08-03 15:07 322,928 a------- c:\windows\system32\OGAAddin.dll
2009-08-03 15:07 230,768 a------- c:\windows\system32\OGAEXEC.exe
2009-07-17 14:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-14 17:17 15,308,440 a------- c:\windows\system32\xlive.dll
2009-07-14 17:17 13,642,888 a------- c:\windows\system32\xlivefnt.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2008-09-19 08:12 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090820080915\index.dat
2008-09-19 08:12 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091920080920\index.dat

============= FINISH: 21:00:20.17 ===============

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/03 21:02
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB5847000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA638000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB38DA000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: Volume C:\, Sector 1
Status: Sector mismatch

Path: Volume C:\, Sector 2
Status: Sector mismatch

Path: Volume C:\, Sector 3
Status: Sector mismatch

Path: Volume C:\, Sector 4
Status: Sector mismatch

Path: Volume C:\, Sector 5
Status: Sector mismatch

Path: Volume C:\, Sector 6
Status: Sector mismatch

Path: Volume C:\, Sector 7
Status: Sector mismatch

Path: Volume C:\, Sector 8
Status: Sector mismatch

Path: Volume C:\, Sector 9
Status: Sector mismatch

Path: Volume C:\, Sector 10
Status: Sector mismatch

Path: Volume C:\, Sector 11
Status: Sector mismatch

Path: Volume C:\, Sector 12
Status: Sector mismatch

Path: Volume C:\, Sector 13
Status: Sector mismatch

Path: Volume C:\, Sector 14
Status: Sector mismatch

Path: Volume C:\, Sector 15
Status: Sector mismatch

Path: Volume C:\, Sector 16
Status: Sector mismatch

Path: Volume C:\, Sector 17
Status: Sector mismatch

Path: Volume C:\, Sector 18
Status: Sector mismatch

Path: Volume C:\, Sector 19
Status: Sector mismatch

Path: Volume C:\, Sector 20
Status: Sector mismatch

Path: Volume C:\, Sector 21
Status: Sector mismatch

Path: Volume C:\, Sector 22
Status: Sector mismatch

Path: Volume C:\, Sector 23
Status: Sector mismatch

Path: Volume C:\, Sector 24
Status: Sector mismatch

Path: Volume C:\, Sector 25
Status: Sector mismatch

Path: Volume C:\, Sector 26
Status: Sector mismatch

Path: Volume C:\, Sector 27
Status: Sector mismatch

Path: Volume C:\, Sector 28
Status: Sector mismatch

Path: Volume C:\, Sector 29
Status: Sector mismatch

Path: Volume C:\, Sector 30
Status: Sector mismatch

Path: Volume C:\, Sector 31
Status: Sector mismatch

Path: Volume C:\, Sector 32
Status: Sector mismatch

Path: Volume C:\, Sector 33
Status: Sector mismatch

Path: Volume C:\, Sector 34
Status: Sector mismatch

Path: Volume C:\, Sector 35
Status: Sector mismatch

Path: Volume C:\, Sector 36
Status: Sector mismatch

Path: Volume C:\, Sector 37
Status: Sector mismatch

Path: Volume C:\, Sector 38
Status: Sector mismatch

Path: Volume C:\, Sector 39
Status: Sector mismatch

Path: Volume C:\, Sector 40
Status: Sector mismatch

Path: Volume C:\, Sector 41
Status: Sector mismatch

Path: Volume C:\, Sector 42
Status: Sector mismatch

Path: Volume C:\, Sector 43
Status: Sector mismatch

Path: Volume C:\, Sector 44
Status: Sector mismatch

Path: Volume C:\, Sector 45
Status: Sector mismatch

Path: Volume C:\, Sector 46
Status: Sector mismatch

Path: Volume C:\, Sector 47
Status: Sector mismatch

Path: Volume C:\, Sector 48
Status: Sector mismatch

Path: Volume C:\, Sector 49
Status: Sector mismatch

Path: Volume C:\, Sector 50
Status: Sector mismatch

Path: Volume C:\, Sector 51
Status: Sector mismatch

Path: Volume C:\, Sector 52
Status: Sector mismatch

Path: Volume C:\, Sector 53
Status: Sector mismatch

Path: Volume C:\, Sector 54
Status: Sector mismatch

Path: Volume C:\, Sector 55
Status: Sector mismatch

Path: Volume C:\, Sector 56
Status: Sector mismatch

Path: Volume C:\, Sector 57
Status: Sector mismatch

Path: Volume C:\, Sector 58
Status: Sector mismatch

Path: Volume C:\, Sector 59
Status: Sector mismatch

Path: Volume C:\, Sector 60
Status: Sector mismatch

Path: Volume C:\, Sector 61
Status: Sector mismatch

Path: Volume C:\, Sector 62
Status: Sector mismatch

Stealth Objects
-------------------
Object: Hidden Module [Name: gasfkykybnrsdk.dll]
Process: svchost.exe (PID: 972) Address: 0x10000000 Size: 53248

==EOF==

Attached Files



BC AdBot (Login to Remove)

 


#2 rchestney

rchestney
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:02:53 AM

Posted 03 October 2009 - 09:29 PM

Okay, reading other posts here, I saw the suggestion to run Malwarebytes' Anti-Malware. I ran that, and the report indicates that the problems were removed. here is the log, please tell me if anyone still thinks I have a problem.

Malwarebytes' Anti-Malware 1.41
Database version: 2902
Windows 5.1.2600 Service Pack 3

10/3/2009 9:21:05 PM
mbam-log-2009-10-03 (21-21-05).txt

Scan type: Quick Scan
Objects scanned: 114946
Time elapsed: 7 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 15
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\gasfkycxovmcal.dll (Rootkit.TDSS) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf6-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RList (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\MyID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\11809684 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
\\?\globalroot\systemroot\system32\gasfkycxovmcal.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\lizkavd.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chestney\Local Settings\Temporary Internet Files\Content.IE5\RVF5BIMS\lol[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\11809684\11809684 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\11809684\pc11809684ins (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chestney\Local Settings\Temp\_check32.bat (Malware.Trace) -> Quarantined and deleted successfully.

#3 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:10:53 AM

Posted 21 October 2009 - 03:52 PM

Hi,

Sorry for delayed response. Forums have been really busy. If you still have symptoms left post a fresh dds log, please.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#4 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:10:53 AM

Posted 29 October 2009 - 11:42 AM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a Staff member. Include the address of this thread in your request. This applies only to the original topic starter. Should you have a new issue, please start a New Topic.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users