infected with gsgfdh virus/worm


  • This topic is locked
4 replies to this topic

#1 kelly e

kelly e

  • Members
  • 2 posts
  • OFFLINE
  • Local time:10:01 PM

Posted 04 January 2010 - 08:29 PM

Over the weekend I started experiencing problems with my computer. I would be on one of my sites that I visit regularly and would click to go to the next game or site, and I would start getting redirected to either search sites or random websites. It is getting worse and worse no matter what I do. I have run continuous scans with Norton 2010 Internet Security, but it doesn't seem to be able to catch it and quarantine it. I have run the scans and they are posted below. Please take a look and tell me what you think and how I can remove this malicious virus. Thank you for your help. :(

DDS (Ver_09-12-01.01) - NTFSx86
Run by Kelly at 18:49:24.64 on Mon 01/04/2010
Internet Explorer: 7.0.6002.18005
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2046.985 [GMT -6:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\iWin Games\iWinTrusted.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Kelly\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.earthlink.net/
uSearch Page =
uSearch Bar =
mStart Page = hxxp://www.yahoo.com
mDefault_Page_URL = hxxp://www.yahoo.com
mSearchAssistant =
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
uURLSearchHooks: iWin Toolbar: {ce0c2586-da36-452b-acdb-320d9bcb19bf} - c:\program files\iwin\tbiWi0.dll
uURLSearchHooks: ToolbarURLSearchHook Class: {ca3eb689-8f09-4026-aa10-b9534c691ce0} - c:\program files\fast browser search\ie\tbhelper.dll
mURLSearchHooks: iWin Toolbar: {ce0c2586-da36-452b-acdb-320d9bcb19bf} - c:\program files\iwin\tbiWi0.dll
BHO: MRI_DISABLED - No File
BHO: Symantec NCO BHO - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\norton internet security\engine\17.1.0.19\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\norton internet security\engine\17.1.0.19\IPSBHO.DLL
BHO: IEHlprObj Class: {8ca5ed52-f3fb-4414-a105-2e3491156990} - c:\progra~1\iwinga~1\IWINGA~1.DLL
BHO: iWin Toolbar: {ce0c2586-da36-452b-acdb-320d9bcb19bf} - c:\program files\iwin\tbiWi0.dll
BHO: Fast Browser Search Toolbar Helper: {fcbccb87-9224-4b8d-b117-f56d924beb18} - c:\program files\fast browser search\ie\FBStoolbar.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn2\YTSingleInstance.dll
TB: iWin Toolbar: {ce0c2586-da36-452b-acdb-320d9bcb19bf} - c:\program files\iwin\tbiWi0.dll
TB: Fast Browser Search Toolbar: {1bb22d38-a411-4b13-a746-c2a4f4ec7344} - c:\program files\fast browser search\ie\FBStoolbar.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\norton internet security\engine\17.1.0.19\coIEPlg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
TB: {C7768536-96F8-4001-B1A2-90EE21279187} - No File
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [\YURCA5F.exe] c:\windows\system32\YURCA5F.exe
uRun: [\YUR4681.exe] c:\windows\system32\YUR4681.exe
uRun: [\YUR965.exe] c:\windows\system32\YUR965.exe
uRun: [\YUR9D2F.exe] c:\windows\system32\YUR9D2F.exe
uRun: [\YUR31E2.exe] c:\windows\system32\YUR31E2.exe
uRun: [\YURD087.exe] c:\windows\system32\YURD087.exe
uRun: [\YUR52E0.exe] c:\windows\system32\YUR52E0.exe
uRun: [\YURDF4A.exe] c:\windows\system32\YURDF4A.exe
uRun: [\YUR7989.exe] c:\windows\system32\YUR7989.exe
uRun: [\YUR106E.exe] c:\windows\system32\YUR106E.exe
uRun: [\YURBA18.exe] c:\windows\system32\YURBA18.exe
uRun: [\YUR1F14.exe] c:\windows\system32\YUR1F14.exe
uRun: [\YURB666.exe] c:\windows\system32\YURB666.exe
uRun: [\YUR44D3.exe] c:\windows\system32\YUR44D3.exe
uRun: [\YURCE11.exe] c:\windows\system32\YURCE11.exe
uRun: [\YUR5D1A.exe] c:\windows\system32\YUR5D1A.exe
uRun: [\YUR2857.exe] c:\windows\system32\YUR2857.exe
uRun: [\YURC332.exe] c:\windows\system32\YURC332.exe
uRun: [\YUR5B30.exe] c:\windows\system32\YUR5B30.exe
uRun: [\YURE5E5.exe] c:\windows\system32\YURE5E5.exe
uRun: [\YUR74CF.exe] c:\windows\system32\YUR74CF.exe
uRun: [\YUR4E.exe] c:\windows\system32\YUR4E.exe
uRun: [\YUR85B6.exe] c:\windows\system32\YUR85B6.exe
uRun: [\YUR74.exe] c:\windows\system32\YUR74.exe
uRun: [\YUR1FBF.exe] c:\windows\system32\YUR1FBF.exe
uRun: [\YUR1151.exe] c:\windows\system32\YUR1151.exe
uRun: [\YURA5A7.exe] c:\windows\system32\YURA5A7.exe
uRun: [\YUR30FE.exe] c:\windows\system32\YUR30FE.exe
uRun: [\YURBC40.exe] c:\windows\system32\YURBC40.exe
uRun: [\YUR4502.exe] c:\windows\system32\YUR4502.exe
uRun: [\YUR2BE0.exe] c:\windows\system32\YUR2BE0.exe
uRun: [\YURB148.exe] c:\windows\system32\YURB148.exe
uRun: [\YUR6203.exe] c:\windows\system32\YUR6203.exe
uRun: [\YUR2CA5.exe] c:\windows\system32\YUR2CA5.exe
uRun: [\YUR2470.exe] c:\windows\system32\YUR2470.exe
uRun: [\YURCD6F.exe] c:\windows\system32\YURCD6F.exe
uRun: [\YUR5C78.exe] c:\windows\system32\YUR5C78.exe
uRun: [\YURE365.exe] c:\windows\system32\YURE365.exe
uRun: [\YUR6D7F.exe] c:\windows\system32\YUR6D7F.exe
uRun: [\YURFC1A.exe] c:\windows\system32\YURFC1A.exe
uRun: [\YUR30EF.exe] c:\windows\system32\YUR30EF.exe
uRun: [\YURB9D0.exe] c:\windows\system32\YURB9D0.exe
uRun: [\YUR6CDC.exe] c:\windows\system32\YUR6CDC.exe
uRun: [\YUR25A.exe] c:\windows\system32\YUR25A.exe
uRun: [\YURA179.exe] c:\windows\system32\YURA179.exe
uRun: [\YUR2EED.exe] c:\windows\system32\YUR2EED.exe
uRun: [\YUR279C.exe] c:\windows\system32\YUR279C.exe
uRun: [\YURC831.exe] c:\windows\system32\YURC831.exe
uRun: [\YUR5824.exe] c:\windows\system32\YUR5824.exe
uRun: [\YURF5FB.exe] c:\windows\system32\YURF5FB.exe
uRun: [\YUR901B.exe] c:\windows\system32\YUR901B.exe
uRun: [\YUR30D0.exe] c:\windows\system32\YUR30D0.exe
uRun: [\YUR3E37.exe] c:\windows\system32\YUR3E37.exe
uRun: [\YUR1B3D.exe] c:\windows\system32\YUR1B3D.exe
uRun: [\YURAB7E.exe] c:\windows\system32\YURAB7E.exe
uRun: [\YUR21C2.exe] c:\windows\system32\YUR21C2.exe
uRun: [\YUR230A.exe] c:\windows\system32\YUR230A.exe
uRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [notepad] rundll32.exe c:\users\kelly\ntload.dll,_IWMPEvents@0
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AmazonGSDownloaderTray] c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderTray.exe
mRun: [notepad] rundll32.exe c:\windows\system32\notepad.dll,_IWMPEvents@0
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\progra~1\java\jre16~3.0_0\bin\ssv.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
Trusted Zone: msn.com\www
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1101000.013\SymDS.sys [2009-12-15 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1101000.013\SymEFA.sys [2009-12-15 171056]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\bashdefs\20091205.001\BHDrvx86.sys [2009-12-4 529456]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1101000.013\cchpx86.sys [2009-12-15 501888]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\ipsdefs\20091230.004\IDSvix86.sys [2010-1-4 343088]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1101000.013\Ironx86.sys [2009-12-15 114736]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nis\1101000.013\symtdiv.sys [2009-12-15 339504]
R2 Amazon Download Agent;Amazon Download Agent;c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderService.exe [2009-9-20 297472]
R2 iWinTrusted;iWinTrusted;c:\program files\iwin games\iWinTrusted.exe [2009-11-24 78104]
R2 NIS;Norton Internet Security.;c:\program files\norton internet security\norton internet security\engine\17.1.0.19\ccSvcHst.exe [2009-12-15 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-26 102448]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-7-1 21504]

=============== Created Last 30 ================

2010-01-04 22:38:42 0 d-----w- c:\users\kelly\appdata\roaming\Tific
2010-01-04 21:26:26 0 d-----w- c:\program files\Windows Portable Devices
2010-01-04 21:26:08 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-01-04 21:21:47 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2010-01-04 21:20:11 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2010-01-04 21:20:11 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2010-01-04 21:20:11 234496 ----a-w- c:\windows\system32\oleacc.dll
2010-01-03 23:00:11 0 d-----w- c:\windows\system32\vi-VN
2010-01-03 23:00:11 0 d-----w- c:\windows\system32\eu-ES
2010-01-03 23:00:11 0 d-----w- c:\windows\system32\ca-ES
2010-01-03 22:41:36 0 d-----w- c:\windows\system32\EventProviders
2010-01-01 23:44:16 0 d-----w- c:\users\kelly\appdata\roaming\blg
2010-01-01 23:44:16 0 d-----w- c:\programdata\blg
2009-12-29 00:16:13 0 d-----w- c:\users\kelly\appdata\roaming\FlyWheelGames
2009-12-28 00:38:02 0 d-----w- c:\users\kelly\appdata\roaming\BrokenHearts
2009-12-25 20:23:31 0 d-----w- c:\users\kelly\appdata\roaming\Runes of Avalon 2
2009-12-20 22:06:45 0 d-----w- c:\users\kelly\appdata\roaming\Gamers Digital
2009-12-20 22:06:45 0 d-----w- c:\programdata\Gamers Digital
2009-12-20 19:50:14 0 d-----w- c:\program files\MSECache
2009-12-17 17:30:50 0 d-----w- c:\programdata\MumboJumbo
2009-12-17 15:13:09 0 d-----w- C:\Games
2009-12-17 15:12:22 0 d-----w- c:\program files\RealArcade
2009-12-14 20:09:26 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-09 00:34:12 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-09 00:34:10 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-09 00:34:09 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-12-08 23:55:42 243712 ----a-w- c:\windows\system32\rastls.dll
2009-12-07 20:48:15 0 d-----w- c:\users\kelly\appdata\roaming\Gogii Games
2009-12-07 20:48:15 0 d-----w- c:\programdata\Gogii Games
2009-12-06 22:49:19 0 d-----w- c:\programdata\Meridian93
2009-12-06 22:48:50 0 d-----w- c:\users\kelly\appdata\roaming\Meridian93

==================== Find3M ====================

2010-01-04 21:26:18 86016 ----a-w- c:\windows\inf\infstor.dat
2010-01-04 21:26:18 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-01-04 21:26:18 51200 ----a-w- c:\windows\inf\infpub.dat
2010-01-04 21:26:18 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-01-03 22:50:10 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2009-12-15 15:12:40 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-12-15 15:12:40 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-12-15 15:12:40 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-10-29 09:17:42 2048 ----a-w- c:\windows\system32\tzres.dll
2008-07-03 14:45:20 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2007-04-29 22:10:38 22 --sha-w- c:\windows\sminst\HPCD.sys
2009-06-06 16:46:55 2152 --sha-w- c:\windows\system32\GroupPolicy000.dat
2009-04-11 06:28:20 27136 --sha-w- c:\windows\system32\notepad.dll
2009-09-21 00:36:36 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat

============= FINISH: 18:50:39.69 ===============


#2 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Seattle Washington
  • Local time:09:01 PM

Posted 07 January 2010 - 11:08 PM

Hi kelly e
Welcome to Bleeping Computer.
I'm maranatha and I will be handling your log to help you get cleaned up. I am a student here at BC so all my posts will be checked by one of our experts, so there may be a slight delay between posts.

I see you have P2P software (Limewire, BitTorrent, uTorrent, etc.) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares and their infections.

References for the risk of these programs are here, and here.

I would strongly recommend that you uninstall them.

Please do this.
  • Please go to Jotti's malware scan
  • Copy and paste the following file paths, one at a time, into the "File to upload & scan" box at the top of the page:
    • c:\windows\system32\YURCA5F.exe
    • c:\windows\system32\YURB666.exe
  • Click on the submit button
  • Please post the results in your next reply.

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.


Please let me know what you decided about Limewire also.

Thanks
maranatha

Edited by maranatha, 08 January 2010 - 07:57 AM.

Windows7 Professional 64 Bit

 

I'm going in the wrong direction to be in a hurry!


My help is always free, But I do accept donations.
Donate Here


#3 kelly e

kelly e
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:10:01 PM

Posted 10 January 2010 - 03:00 PM

Dear maranatha and group,
Thank you for your help. I'm sorry it took so long to get back to you, as I work retail and have no set hours, and sometimes it is hard to answer immediately. Apparently, while I was waiting for your answer and in the time it took to get back to you, it seems that my Norton antivirus finally located the problem and has since quarantined it. So far I have not experienced any more hijacks. I really appreciate you answering and realize you must be extremely busy, as it seems this particular worm/virus attacked a lot of people over the New Year's weekend. Thank you once again for your help. I will retain my account in case I come across any more problems. Have a good day! :(

#4 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Seattle Washington
  • Local time:09:01 PM

Posted 10 January 2010 - 06:53 PM

Hi kelly e

That's good that you are not being redirected, but the truth is that you may still be infected.

I would recommend that you still post the logs I asked for, to be on the safe side.

Thanks
maranatha


#5 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:12:01 AM

Posted 17 January 2010 - 11:30 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with the address of this thread. This applies only to the original topic starter. Everyone else, please begin a New Topic.
Please do not PM for help; post it in the forums instead.

If I am helping you and have not responded for 48 hours, please send me a PM, as I don't always get notifications.

My help is always free; however, if you would like to make a donation to me for the help I have provided, please click here.

