
Computer infected with something...Netsky?


  • This topic is locked
3 replies to this topic

#1 tepidarium

tepidarium

  • Members
  • 2 posts
  • OFFLINE
  • Local time:06:39 PM

Posted 24 December 2009 - 01:59 PM

I believe my computer is infected with multiple viruses. Early this week, I believe we had the worm.win32.netsky virus. The screen wallpaper was replaced with a blue screen that said something to the effect of "you have spyware installed." I got an error message stating that I had the worm.win32.netsky virus. There was a red "x" in my system tray that said "click here to protect your computer from spyware." I could not right-click to the Task Manager. Also, Firefox would automatically load a page about making money by posting ads in Google. Also, safe mode was disabled; when I tried to log in to safe mode, I got the blue screen of death.

I followed these instructions: http://www.myantispyware.com/2009/12/02/re...-spyware-alert/

and it seemed to get rid of the problem.

Now, today, the problem has returned. The red "x" in the system tray is back. Firefox is loading pop-ups for making money selling Google ads. I'm getting pop-ups that say I should download "Registry Defender for Windows". I looked in HijackThis and winlogon86.exe is back.

I decided to join this forum for more help. I've run the logs from dds.scr. I used RootRepeal, but RootRepeal keeps crashing on my machine before it finishes. I do have the file it creates up until the crash.

Here is the copy from dds.txt (attach.txt is attached to the message as well). If you can help, I would really appreciate it.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Family at 12:53:56.89 on Thu 12/24/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.992.486 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ngvpnmgr.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\winupdate86.exe
C:\WINDOWS\System32\ezSP_Px.exe
D:\programs\adobesuite\Adobe Acrobat 7.0\Distillr\Acrotray.exe
D:\programs\ClamWin\bin\ClamTray.exe
C:\WINDOWS\system32\sistray.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
D:\programs\acivesync42\wcescomm.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
D:\programs\acivesync42\rapimgr.exe
D:\programs\firefox\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Family\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
mWinlogon: Userinit=c:\windows\system32\winlogon86.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - d:\programs\adobesuite\adobe acrobat 7.0\activex\AcroIEHelper.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - d:\programs\adobesuite\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: {b7e50cfe-42d0-4537-9808-b3c7bf6532ed} - petonuho.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - d:\programs\adobesuite\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - d:\programs\adobesuite\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
uRun: [ErrorRepairPro] c:\program files\error repair professional\autostart.exe
uRun: [H/PC Connection Agent] "d:\programs\acivesync42\wcescomm.exe"
uRun: [notepad] rundll32.exe c:\docume~1\family\ntload.dll,_IWMPEvents@0
mRun: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
mRun: [SiSUSBRG] c:\windows\SiSUSBrg.exe
mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [Adobe Version Cue CS2] "d:\programs\adobesuite\adobe version cue cs2\controlpanel\VersionCueCS2Tray.exe"
mRun: [Acrobat Assistant 7.0] "d:\programs\adobesuite\adobe acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [ClamWin] "d:\programs\clamwin\bin\ClamTray.exe" --logon
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SiS Tray] c:\windows\system32\sistray.EXE
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [winupdate86.exe] c:\windows\system32\winupdate86.exe
mRun: [notepad] rundll32.exe c:\windows\system32\notepad.dll,_IWMPEvents@0
mRun: [yojoyidigi] Rundll32.exe "tanetezo.dll",s
mRun: [tqammy] RUNDLL32.EXE c:\windows\system32\msaouahn.dll,w
mRun: [fapumarom] Rundll32.exe "c:\windows\system32\yolufeta.dll",a
dRun: [notepad] rundll32.exe c:\windows\system32\config\system~1\ntload.dll,_IWMPEvents@0
dRun: [ygua8e7yhuiesfha876yfauy8fe] c:\windows\temp\jxtez.exe
dRun: [asg984jgkfmgasi8ug98jgkfgfb] c:\windows\temp\mdm.exe
StartupFolder: c:\documents and settings\family\start menu\programs\startup\scandisk.dll
StartupFolder: c:\docume~1\family\startm~1\programs\startup\scandisk.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobe acrobat speed launcher.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
uPolicies-explorer: NoActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: &eBay Search - c:\program files\ebay\ebay toolbar2\eBayTb.dll/RCSearch.html
IE: Convert link target to Adobe PDF - d:\programs\adobesuite\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - d:\programs\adobesuite\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - d:\programs\adobesuite\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - d:\programs\adobesuite\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - d:\programs\adobesuite\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - d:\programs\adobesuite\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - d:\programs\adobesuite\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - d:\programs\adobesuite\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - d:\programs\microsoft office\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - d:\programs\acivesync42\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - d:\programs\acivesync42\INetRepl.dll
LSP: c:\windows\system32\betsp.dll
Trusted Zone: aol.com\free
Trusted Zone: lsac.org
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {05317530-B882-449D-9421-18D94FA3ED34} - hxxp://www.sis.com/ocis/OSInfo.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
DPF: {16095503-786F-4097-AED6-5D567A26D760} - hxxp://www.sis.com/ocis/SiSAutodetectNT.cab
DPF: {22D4879A-92DB-470D-8A83-E158797D8176} - file:///F:/components/Liquid.ocx
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {320B04E4-B55B-11D2-A9BA-444553540001} - hxxp://www2.seamlessweb.com/components/SeamlessPrinting.CAB
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1408.g.akamai.net/7/1408/9955/20031218/akamai.info.apple.com/iTunes4/WW/win/019-0123.20031218.zes4d/iTunesSetup.exe
DPF: {5EDB10D9-7E95-4833-A218-62F375DAFCF1} - hxxps://viper.gartner.com/postauthI/epi.cab
DPF: {5F2AD7EC-B98B-4D4D-BE1E-659B357342BA} - hxxp://146.245.210.20/cms/Controls/RDDragDrop.ocx
DPF: {74FFE28D-2378-11D5-990C-006094235084} - hxxp://www-307.ibm.com/pc/support/IbmEgath.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {B2FCED61-570E-11D3-B160-00A0C9E70E84} - hxxps://www4.lsac.org/LSACD_XMLWebServices/Http/OIFActiveX/ofmctl.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E5E12E21-262C-49EC-BC9F-097936AA1672} - hxxp://146.245.210.20/cms/Controls/RDControlActivator.ocx
DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - hxxp://www.driveragent.com/files/driveragent.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: tiwujupot - {65014745-afad-4b75-866c-a545582df5b4} - c:\windows\system32\yolufeta.dll
STS: gahurihor: {65014745-afad-4b75-866c-a545582df5b4} - c:\windows\system32\yolufeta.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - d:\programs\eudora7\EuShlExt.dll
LSA: Notification Packages = scecli nalayafi.dll
mASetup: {26KLN5J0-4OPX-11WE-AAX3-24EF1F387272} - c:\recycler\k-1-3542-4232123213-7676767-8888886\hn.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\family\applic~1\mozilla\firefox\profiles\9sifi892.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFFab&query=
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: d:\programs\adobesuite\adobe acrobat 7.0\acrobat\browser\nppdf32.dll
FF - plugin: d:\programs\firefox\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: d:\programs\firefox\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: d:\programs\real\netscape6\nppl3260.dll
FF - plugin: d:\programs\real\netscape6\nprjplug.dll
FF - plugin: d:\programs\real\netscape6\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - d:\programs\firefox\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - d:\programs\firefox\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - d:\programs\firefox\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - d:\programs\firefox\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - d:\programs\firefox\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - d:\programs\firefox\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - d:\programs\firefox\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
d:\programs\firefox\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R2 NgVpnMgr;Aventail VPN Client;c:\windows\system32\ngvpnmgr.exe [2006-4-10 309829]
R3 LucentSoftModem;Lucent Technologies Soft Modem;c:\windows\system32\drivers\LTSM.sys [2002-8-3 815819]
R3 NgLog;Aventail VPN Logging;c:\windows\system32\drivers\nglog.sys [2006-4-10 18432]
R3 NgVpn;Aventail VPN Adapter;c:\windows\system32\drivers\NgVpn.sys [2006-4-10 68096]
S3 NgFilter;Aventail VPN Filter;c:\windows\system32\drivers\ngfilter.sys [2006-4-10 15360]
S4 BCSWAP;BCSWAP;c:\windows\system32\drivers\BCSwap.sys [2002-8-16 98452]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-3-12 24652]

============== File Associations ===============

regfile=*** no open command defined ***

=============== Created Last 30 ================

2009-12-24 16:36:25 707072 ----a-w- c:\windows\system32\drivers\cwvzlzgx.sys
2009-12-24 16:36:13 915968 ----a-w- c:\windows\system32\AVR10.exe
2009-12-24 16:36:12 16896 ----a-w- c:\windows\system32\winhelper86.dll
2009-12-24 16:34:58 2854 ----a-w- c:\windows\system32\critical_warning.html
2009-12-24 16:34:37 32768 ----a-w- c:\windows\system32\msaouahn.dll
2009-12-24 16:34:17 15000 ----a-w- c:\windows\system32\mnybxafs.dll
2009-12-24 16:34:08 31232 ----a-w- c:\windows\system32\winupdate86.exe
2009-12-24 16:34:08 31232 ----a-w- c:\windows\system32\winlogon86.exe
2009-12-24 16:33:57 52736 ----a-w- C:\uwlwfa.exe
2009-12-24 16:33:55 50688 ----a-w- C:\haypsixd.exe
2009-12-24 16:33:55 31232 ----a-w- C:\waxfhosk.exe
2009-12-24 16:33:55 16384 ----a-w- C:\nmjhv.exe
2009-12-23 01:04:47 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2009-12-22 07:13:46 0 d-s---w- C:\ComboFix
2009-12-22 04:31:17 3152 ----a-w- c:\windows\system32\tmp.reg
2009-12-22 04:16:56 0 d-----w- c:\program files\Enigma Software Group
2009-12-22 03:15:37 0 d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-12-22 03:15:37 0 d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-12-22 03:15:37 0 d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-12-22 03:15:15 0 d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-12-22 01:02:40 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-12-22 01:02:10 0 d-----w- c:\program files\SUPERAntiSpyware
2009-12-22 01:02:10 0 d-----w- c:\docume~1\family\applic~1\SUPERAntiSpyware.com
2009-12-21 18:07:25 14336 ----a-w- c:\windows\system32\drivers\OLDC20.tmp
2009-12-21 18:07:17 14336 ----a-w- c:\windows\system32\drivers\OLDC1E.tmp
2009-12-21 18:07:15 14336 ----a-w- c:\windows\system32\drivers\asyncmac.sys
2009-12-21 18:06:34 156160 ----a-w- C:\oqnqso.exe
2009-12-11 16:19:05 0 d-----w- c:\program files\Times Reader

==================== Find3M ====================

2009-12-03 21:14:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 21:13:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2007-01-18 18:00:33 508 ----a-w- c:\program files\Mozilla Firefox.lnk
2000-12-12 16:17:40 100432 ------w- c:\program files\Win2000PPAHotfix.exe
2001-08-18 12:00:00 94784 --sh--w- c:\windows\twain.dll
2008-04-14 00:12:07 50688 --sh--w- c:\windows\twain_32.dll
2009-09-24 16:40:57 39424 --sha-w- c:\windows\system32\diyobela.dll
2002-08-29 10:41:08 401462 --sha-w- c:\windows\system32\msvcp60(2)(2).dll
2008-04-14 00:12:01 413696 --sha-w- c:\windows\system32\msvcp60.dll
2009-09-24 16:34:32 52736 --sha-w- c:\windows\system32\nalayafi.dll
2009-03-21 14:06:58 27136 --sha-w- c:\windows\system32\notepad.dll
2009-09-24 16:34:32 52736 --sha-w- c:\windows\system32\petonuho.dll
2008-04-14 00:12:32 11776 --sh--w- c:\windows\system32\regsvr32.exe
2009-09-24 16:40:57 45568 --sha-w- c:\windows\system32\tajokigu.dll
2009-09-24 16:34:32 52736 --sha-w- c:\windows\system32\tanetezo.dll
2009-09-24 16:40:57 92672 --sha-w- c:\windows\system32\yolufeta.dll
2009-03-21 14:06:58 27136 --sha-w- c:\windows\system32\config\systemprofile\ntload.dll
2009-03-21 14:06:58 27136 --sha-w- c:\windows\system32\config\systemprofile\start menu\programs\startup\scandisk.dll

============= FINISH: 12:57:09.64 ===============



#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:39 AM

Posted 24 December 2009 - 06:58 PM

Hi tepidarium,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

Go to start > Run copy/paste the following line in the run box and click OK.

cmd /c dir /a c:\windows\system32\userinit.exe > log.txt&start log.txt

A text file (log.txt) will be open. Please post its content to your reply.
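The DDS log in the first post and the userinit.exe check requested above are the kind of triage that can be done mechanically. What follows is an added example, not code from this thread, from DDS, or from Farbar's tools: a small Python script that parses the DDS "Pseudo HJT Report" and "Created Last 30" sections, cross-references each autostart entry against files created in the last 30 days, and flags the Userinit hijack, rundll32 entries that load a DLL by bare name or from outside system32, binaries started from temp, profile or recycler directories, the Task Manager lockdown policy, and the non-default LSA notification package. The embedded sample is a subset of lines copied from the log above; the baselines it compares against (the expected Userinit path, scecli as the only stock LSA package, the list of throwaway directories) are assumptions for a stock Windows XP install, not values taken from the thread.

```python
import re
# Constructed input: section headers and a subset of lines copied from the DDS
# log posted above, embedded so the example runs offline.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
mWinlogon: Userinit=c:\windows\system32\winlogon86.exe
uRun: [H/PC Connection Agent] "d:\programs\acivesync42\wcescomm.exe"
uRun: [notepad] rundll32.exe c:\docume~1\family\ntload.dll,_IWMPEvents@0
mRun: [winupdate86.exe] c:\windows\system32\winupdate86.exe
mRun: [yojoyidigi] Rundll32.exe "tanetezo.dll",s
mRun: [tqammy] RUNDLL32.EXE c:\windows\system32\msaouahn.dll,w
mRun: [fapumarom] Rundll32.exe "c:\windows\system32\yolufeta.dll",a
dRun: [ygua8e7yhuiesfha876yfauy8fe] c:\windows\temp\jxtez.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
LSA: Notification Packages = scecli nalayafi.dll
=============== Created Last 30 ================
2009-12-24 16:34:37 32768 ----a-w- c:\windows\system32\msaouahn.dll
2009-12-24 16:34:08 31232 ----a-w- c:\windows\system32\winupdate86.exe
2009-12-24 16:34:08 31232 ----a-w- c:\windows\system32\winlogon86.exe
==================== Find3M ====================
2009-09-24 16:34:32 52736 --sha-w- c:\windows\system32\tanetezo.dll
"""

# Baselines for a stock Windows XP box: assumptions of this example, not values from the thread.
EXPECTED_USERINIT = "c:\\windows\\system32\\userinit.exe"
LSA_BASELINE = {"scecli"}                  # the only Notification Package XP ships with
SYSTEM_DIR = "c:\\windows\\system32\\"
BAD_DIRS = ("c:\\windows\\temp\\", "c:\\docume~1\\", "c:\\recycler\\")
LOCKDOWN = {"disabletaskmgr", "disableregistrytools", "nofolderoptions"}

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
CREATED_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+\d+\s+\S+\s+(.+)$")
RUN_RE = re.compile(r"^[umd]Run: \[[^\]]*\] (.*)$")
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+"?([^",]+)"?', re.I)
POLICY_RE = re.compile(r"^[umd]Policies-(?:system|explorer): (\w+) = (\d+)")

def recent_files(log):
    """Paths under 'Created Last 30' only; Find3M uses the same layout, so gate on section."""
    section, paths = "", set()
    for line in (ln.strip() for ln in log.splitlines()):
        if (m := SECTION_RE.match(line)):
            section = m.group(1).lower()
        elif section.startswith("created last 30") and (m := CREATED_RE.match(line)):
            paths.add(m.group(1).strip().lower())
    return paths

def check_userinit(line, recent):
    m = re.match(r"^mWinlogon: Userinit=(.*)$", line)
    if not m or m.group(1).strip().lower().rstrip(",") == EXPECTED_USERINIT:
        return None
    return ("high", line, "Userinit hijacked: runs at every logon in place of userinit.exe; "
            "confirm userinit.exe still exists (dir /a) before restoring the value")

def check_run(line, recent):
    m = RUN_RE.match(line)
    if not m:
        return None
    r = RUNDLL_RE.match(m.group(1).strip())
    dll = r.group(1).strip().lower() if r else None
    target = dll if dll is not None else m.group(1).lower()
    hit = next((p for p in recent if p in target), None)
    if hit:
        return ("high", line, f"autostart points at a file created in the last 30 days: {hit}")
    if dll is not None:               # rundll32 entries: judge the DLL, not rundll32 itself
        if "\\" not in dll:
            return ("medium", line, f"rundll32 loads bare name {dll} via the DLL search order")
        if not dll.startswith(SYSTEM_DIR):
            return ("high", line, f"rundll32 loads a DLL from outside system32: {dll}")
        return None                   # e.g. yolufeta.dll: path placement alone cannot judge it
    if any(d in target for d in BAD_DIRS):
        return ("high", line, "autostart binary lives in a temp, profile or recycler directory")
    return None

def check_policy(line, recent):
    m = POLICY_RE.match(line)
    if not m or m.group(1).lower() not in LOCKDOWN or m.group(2) == "0":
        return None
    return ("medium", line, f"{m.group(1)} blocks a tool the user needs (cf. the Task Manager lockout in the post)")

def check_lsa(line, recent):
    m = re.match(r"^LSA: Notification Packages = (.*)$", line)
    extra = [p for p in (m.group(1).split() if m else []) if re.sub(r"\.dll$", "", p.lower()) not in LSA_BASELINE]
    return ("high", line, f"non-default LSA package(s) {extra}: loaded into lsass.exe on every password change") if extra else None

CHECKS = (check_userinit, check_run, check_policy, check_lsa)
def analyze(log):
    recent = recent_files(log)
    findings = []
    for line in (ln.strip() for ln in log.splitlines()):
        for check in CHECKS:          # first check that fires wins, one finding per line
            if (f := check(line, recent)) is not None:
                findings.append(f)
                break
    return findings

if __name__ == "__main__":
    for sev, line, why in analyze(SAMPLE_LOG):
        print(f"[{sev.upper():6}] {line}\n          -> {why}")
```

Run it as-is to print the findings for the embedded sample. Two things the output makes concrete: the rundll32 entry for yolufeta.dll is not reported, because it sits in system32 and was not created in the last 30 days, so path placement alone is no verdict on a randomly named DLL (the same DLL also appears as an SSODL and STS entry in the log); and the Userinit finding states the precondition behind checking for userinit.exe before touching the value: the hijacked entry points at winlogon86.exe, and restoring it to userinit.exe only helps if that file is still present.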

#3 tepidarium

tepidarium
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:06:39 PM

Posted 26 December 2009 - 01:09 AM

Hi,

Thank you for responding to my query. Today, I decided to reinstall windows, so I will not need to proceed with the help. I want to thank you and the volunteer staff here for making this service available. It really is a great service.


Once again, thanks for your offer of help. This thread can be closed.

#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:39 AM

Posted 26 December 2009 - 06:27 AM

Thanks for letting us know tepidarium and you are very welcome. :(

This thread will now be closed since the issue seems to be resolved.



