
Internet Explorer/Firefox.exe/Google Installer: has encountered a problem and needs to close.


This topic is locked
21 replies to this topic

#1 nevermindmi

  • Members
  • 10 posts

Posted 10 January 2010 - 11:31 PM

Hi there! I think there's something wrong with my computer.

Every 2-5 minutes or so, I get a pop-up saying that "Internet Explorer has encountered a problem and needs to close. We are sorry for the inconvenience." The funny thing is -- I was not using Internet Explorer at all. I'm using Firefox. When I first started Firefox, a pop-up similar to the one with Internet Explorer popped up, but when I ignored it, Firefox worked fine. When I start my computer, there is a Google Installer pop-up. After an hour or so, my computer would freeze up and I would have to restart it. I ran a Symantec AntiVirus scan earlier today and no viruses/threats were found. I also ran MalwareBytes and two detections were found (rebooted computer to clear it). This happened today after I ran the scans. Yesterday, I had a problem with the fake antivirus adware, which is now taken care of.

When i clicked the error report for the Internet Explorer pop-up:
AppName: iexplore.exe
Appver: 8.0.6001.18702
ModName: unknown
Modver:0.0.0.0
Offset: 00ee1626

Google Installer:
AppName: googleupdate.exe
AppVer: 1.2131.7
ModName: googleupdate.exe
ModVer: 1.2131.7
Offset: 00006eef

Firefox
AppName: firefox.exe
AppVer: 1.9.0.3642
ModName: unknown
ModVer: 0.0.0.0
Offset: 00da1626

My DDS log:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Windows at 22:44:59.10 on 01/10/2010 Sun
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.936.86.1033.18.703.69 [GMT -5:00]

AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\WINDOWS\system32\sistray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Documents and Settings\Windows\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\Windows\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Windows Live\Messenger\wlcsdk.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\dwwin.exe
C:\Documents and Settings\Windows\Desktop\dds.scr
C:\WINDOWS\system32\conime.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.earthle.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://sympatico.msn.ca/default.aspx?lang=en-ca
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Spam mapi] c:\docume~1\windows\applic~1\cityre~1\MESS PLUS.exe
uRun: [Google Update] "c:\documents and settings\windows\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [AdobeBridge]
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SiS Windows KeyHook] c:\windows\system32\keyhook.exe
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [vancjtv] c:\windows\system32\vancjtv.exe
mRun: [Online chin internet bolt] c:\documents and settings\all users\application data\bags plus online chin\extra wipe.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\utilit~1.lnk - c:\windows\system32\sistray.exe
uPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} - hxxp://zone.msn.com/bingame/zpagames/zpa_hrtz.cab99160.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} - hxxp://zone.msn.com/bingame/zpagames/zpa_pool.cab56649.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
DPF: {FF3C5A9F-5A91-4930-80E8-4709194C2AD3} - hxxp://zone.msn.com/bingame/zpagames/CheckersZPA.cab55579.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli c:\windows\system32\hikebaga.dll c:\windows\system32\vakuhimu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\windows\applic~1\mozilla\firefox\profiles\mstqgxa0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca
FF - plugin: c:\documents and settings\windows\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-3 14336]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-11-21 192104]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-11-21 169576]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-3-14 116416]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-29 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100107.006\naveng.sys [2010-1-8 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100107.006\navex15.sys [2010-1-8 1323568]
S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]
S2 pl9hegyicqaiuio;CommServer;c:\windows\system32\jmoyrmijhlqoq.exe /service --> c:\windows\system32\jmoyrmijhlqoq.exe [?]
S2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-3-14 1816768]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]

=============== Created Last 30 ================

2010-01-09 06:55:31 0 d-----w- c:\docume~1\windows\applic~1\Malwarebytes
2010-01-09 06:50:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-09 06:50:09 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-09 06:50:08 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-09 06:50:08 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-25 03:48:44 0 d-----w- c:\program files\common files\DivX Shared
2009-12-25 03:48:43 0 d-----w- c:\program files\DivX
2009-12-20 05:50:49 0 d-----w- c:\docume~1\alluse~1\applic~1\pixelStorm
2009-12-18 06:15:48 0 d-----w- c:\windows\ServicePackFiles
2009-12-18 06:14:10 0 d-----w- c:\windows\ie8updates
2009-12-18 05:22:06 0 d-----w- c:\windows\system32\drivers\etc
2009-12-18 04:17:53 0 d-----w- c:\documents and settings\windows\Library
2009-12-18 04:17:53 0 d-----w- c:\docume~1\windows\applic~1\com.adobe.ExMan
2009-12-18 03:03:51 0 d-----w- c:\docume~1\alluse~1\applic~1\ALM
2009-12-18 02:47:24 0 d-----w- c:\program files\common files\Macrovision Shared
2009-12-17 21:00:27 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-12-17 21:00:27 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-12-17 20:17:54 0 d-----w- c:\program files\common files\Akamai
2009-12-15 22:46:11 0 d-----w- c:\program files\Microsoft SQL Server
2009-12-15 22:45:46 0 d-----w- c:\program files\Microsoft Synchronization Services
2009-12-15 22:42:48 0 d-----w- C:\Visual Studio 2008
2009-12-15 22:35:26 0 d-----w- c:\windows\system32\XPSViewer
2009-12-15 22:33:51 117760 ------w- c:\windows\system32\prntvpt.dll
2009-12-15 22:33:50 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-12-15 22:33:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-12-15 22:33:50 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-12-15 22:33:50 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-12-15 22:33:50 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-12-15 22:33:50 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-12-15 22:33:49 0 d-----w- C:\891ec1b347b298f12252
2009-12-15 22:22:08 0 d-----w- c:\program files\MSXML 6.0

==================== Find3M ====================

2009-12-27 22:51:23 39 ----a-w- c:\documents and settings\windows\jagex_runescape_preferences.dat
2009-12-27 22:51:19 69 ----a-w- c:\documents and settings\windows\jagex_runescape_preferences2.dat
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 06:00:55 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00:55 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:53:29 266752 ----a-w- c:\windows\system32\oakley.dll
2001-11-23 04:08:20 712704 ----a-w- c:\windows\inf\other\AUDIO3D.DLL
2009-01-29 02:19:27 32868 --sha-w- c:\windows\system32\aJiknXyb.ini2
2009-01-29 20:18:13 30906 --sha-w- c:\windows\system32\DKUwxGgh.ini2
2009-01-30 22:17:10 31289 --sha-w- c:\windows\system32\vDdgiSBc.ini2

============= FINISH: 22:48:46.12 ===============


RootRepeal report:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/10 23:00
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF1568000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF83CE000 Size: 8192 File Visible: No Signed: -
Status: -

Name: H8SRTwkinmpfmuw.sys
Image Path: C:\WINDOWS\system32\drivers\H8SRTwkinmpfmuw.sys
Address: 0xF1830000 Size: 118784 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEFCB1000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\H8SRTcoyfjyrblq.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\H8SRTemgxlevxbn.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\H8SRTewxdcweexe.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\h8srtkrl32mainweq.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\H8SRTqsoxhhqbct.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\h8srtshsyst.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\H8SRTylvnsiqltl.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRTab98.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\H8SRTwkinmpfmuw.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Windows\Local Settings\Temp\~DF3B37.tmp
Status: Locked to the Windows API!

Path: c:\documents and settings\windows\local settings\temp\dc544.dmp
Status: Allocation size mismatch (API: 114688, Raw: 0)

Path: C:\Documents and Settings\Windows\Local Settings\Temp\H8SRTcca4.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Windows\Local Settings\Temp\h8srtmainqt.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Windows\Local Settings\Temp\RecoveryStore.{CE8C778B-FE66-11DE-8D66-000B6A6690DF}.dat
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Windows\Application Data\Mozilla\Firefox\Profiles\mstqgxa0.default\sessionstore.js
Status: Could not get file information (Error 0xc0000008)

Stealth Objects
-------------------
Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: services.exe (PID: 568) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: lsass.exe (PID: 580) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: svchost.exe (PID: 736) Address: 0x00a20000 Size: 36864

Object: Hidden Module [Name: H8SRTylvnsiqltl.dll]
Process: svchost.exe (PID: 736) Address: 0x00ac0000 Size: 65536

Object: Hidden Module [Name: H8SRTcoyfjyrblq.dll]
Process: svchost.exe (PID: 736) Address: 0x00e40000 Size: 69632

Object: Hidden Module [Name: H8SRTcoyfjyrblq.dll]
Process: svchost.exe (PID: 736) Address: 0x10000000 Size: 69632

Object: Hidden Module [Name: H8SRTcoyfjyrblq.dll]
Process: svchost.exe (PID: 832) Address: 0x10000000 Size: 69632

Object: Hidden Module [Name: H8SRTcoyfjyrblq.dll]
Process: svchost.exe (PID: 900) Address: 0x10000000 Size: 69632

Object: Hidden Module [Name: H8SRTcoyfjyrblq.dll]
Process: svchost.exe (PID: 952) Address: 0x10000000 Size: 69632

Object: Hidden Module [Name: H8SRTcoyfjyrblq.dll]
Process: svchost.exe (PID: 1064) Address: 0x10000000 Size: 69632

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: ccSetMgr.exe (PID: 1192) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: ccEvtMgr.exe (PID: 1468) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: SPBBCSvc.exe (PID: 1560) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: spoolsv.exe (PID: 1628) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTcoyfjyrblq.dll]
Process: svchost.exe (PID: 1944) Address: 0x10000000 Size: 69632

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: Explorer.EXE (PID: 1988) Address: 0x00d70000 Size: 36864

Object: Hidden Module [Name: H8SRTcoyfjyrblq.dll]
Process: Explorer.EXE (PID: 1988) Address: 0x10000000 Size: 69632

Object: Hidden Module [Name: H8SRTcoyfjyrblq.dll]
Process: svchost.exe (PID: 2036) Address: 0x10000000 Size: 69632

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: DefWatch.exe (PID: 172) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: jqs.exe (PID: 260) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: SavRoam.exe (PID: 380) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: SeaPort.exe (PID: 892) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTcoyfjyrblq.dll]
Process: svchost.exe (PID: 1248) Address: 0x10000000 Size: 69632

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: keyhook.exe (PID: 1868) Address: 0x00a90000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: pptd40nt.exe (PID: 1816) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: BrMfcWnd.exe (PID: 2080) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: ccApp.exe (PID: 2100) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: VPTray.exe (PID: 2116) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: jusched.exe (PID: 2136) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: brccMCtl.exe (PID: 2176) Address: 0x00f60000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: ctfmon.exe (PID: 2208) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: GoogleToolbarNotifier.exe (PID: 2236) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: BrMfcmon.exe (PID: 2300) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: sistray.exe (PID: 2352) Address: 0x00cf0000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: alg.exe (PID: 3344) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: wuauclt.exe (PID: 3704) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTqsoxhhqbct.dll]
Process: firefox.exe (PID: 4076) Address: 0x00da0000 Size: 151552

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: dwwin.exe (PID: 152) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: dwwin.exe (PID: 1852) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: dwwin.exe (PID: 3068) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: jucheck.exe (PID: 3272) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: dwwin.exe (PID: 3776) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: dwwin.exe (PID: 4048) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: dwwin.exe (PID: 1156) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: dwwin.exe (PID: 2148) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: dwwin.exe (PID: 3328) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: dwwin.exe (PID: 1176) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: dwwin.exe (PID: 1856) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: dwwin.exe (PID: 2312) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: dwwin.exe (PID: 1776) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: dwwin.exe (PID: 1900) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: dwwin.exe (PID: 3140) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: dwwin.exe (PID: 1972) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: dwwin.exe (PID: 3600) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: dwwin.exe (PID: 3548) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: dwwin.exe (PID: 1360) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: dwwin.exe (PID: 896) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: dwwin.exe (PID: 2360) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: dwwin.exe (PID: 2084) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: dwwin.exe (PID: 4024) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: dwwin.exe (PID: 1072) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: dwwin.exe (PID: 1288) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: dwwin.exe (PID: 2548) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: dwwin.exe (PID: 3244) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: dwwin.exe (PID: 3408) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: dwwin.exe (PID: 1840) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: dwwin.exe (PID: 3692) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: dwwin.exe (PID: 324) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: dwwin.exe (PID: 2636) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: dwwin.exe (PID: 2436) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: dwwin.exe (PID: 3120) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: msnmsgr.exe (PID: 2728) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: GoogleUpdate.exe (PID: 3368) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: GoogleUpdate.exe (PID: 3604) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: dwwin.exe (PID: 1648) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: dwwin.exe (PID: 3008) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: wlcomm.exe (PID: 1172) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: dwwin.exe (PID: 2376) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: wlcsdk.exe (PID: 3168) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: dwwin.exe (PID: 3552) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: dwwin.exe (PID: 3916) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: dwwin.exe (PID: 1476) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: conime.exe (PID: 3684) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: dwwin.exe (PID: 2632) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: dwwin.exe (PID: 3524) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: dwwin.exe (PID: 1052) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: dwwin.exe (PID: 1612) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: dwwin.exe (PID: 1652) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: dwwin.exe (PID: 3360) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: dwwin.exe (PID: 2340) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: dwwin.exe (PID: 3388) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: dwwin.exe (PID: 656) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: dwwin.exe (PID: 3536) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: dwwin.exe (PID: 1448) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: dwwin.exe (PID: 2496) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: RootRepeal.exe (PID: 3836) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: dwwin.exe (PID: 5820) Address: 0x10000000 Size: 36864

Hidden Services
-------------------
Service Name: H8SRTd.sys
Image Path: C:\WINDOWS\system32\drivers\H8SRTwkinmpfmuw.sys

==EOF==
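Added example, not from the thread and not part of RootRepeal: a small Python triage script that parses a report in the RootRepeal layout shown above (section title, dashed underline, blank-line-separated `Key: Value` records) and pulls out the items a malware-removal helper reads first: drivers hidden from the Windows API, files invisible to it, hidden services, and which processes carry a hidden module. The sample report embedded in it is a constructed excerpt that reuses the file names from the posted log; the regular expressions and the shared-prefix heuristic are my assumptions about the report format, not anything RootRepeal documents.

```python
"""Triage a RootRepeal-style anti-rootkit report (added example, not part of
the thread or of RootRepeal): list drivers hidden from the Windows API, files
invisible to it, hidden services, and the processes carrying hidden modules."""
import re
from collections import defaultdict

# Constructed excerpt using the file names from the posted report.
SAMPLE_REPORT = """\
Drivers
-------------------
Name: dump_atapi.sys
Status: -

Name: H8SRTwkinmpfmuw.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\H8SRTwkinmpfmuw.sys
Status: Hidden from the Windows API!

Hidden/Locked Files
-------------------
Path: C:\\WINDOWS\\system32\\H8SRTcoyfjyrblq.dll
Status: Invisible to the Windows API!

Path: C:\\Documents and Settings\\Windows\\Local Settings\\Temp\\~DF3B37.tmp
Status: Locked to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: services.exe (PID: 568) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTemgxlevxbn.dll]
Process: svchost.exe (PID: 736) Address: 0x00a20000 Size: 36864

Object: Hidden Module [Name: H8SRTcoyfjyrblq.dll]
Process: svchost.exe (PID: 736) Address: 0x00e40000 Size: 69632

Hidden Services
-------------------
Service Name: H8SRTd.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\H8SRTwkinmpfmuw.sys

==EOF==
"""

RE_MODULE = re.compile(r"Hidden Module \[Name: (.+?)\]")   # assumed line shape
RE_PROCESS = re.compile(r"^(\S+) \(PID: (\d+)\)")


def split_sections(report):
    """{title: [record, ...]}; a title is a line followed by a dashed underline,
    a record is a blank-line-delimited block of 'Key: Value' lines."""
    sections, current, record = {}, None, {}
    lines = report.splitlines()
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if line.strip() and nxt.startswith("---"):        # section title
            if record:
                sections[current].append(record)
            current, record = line.strip(), {}
            sections[current] = []
        elif current is None or line.startswith("---"):
            continue
        elif not line.strip():                             # end of a record
            if record:
                sections[current].append(record)
                record = {}
        else:
            key, sep, value = line.partition(":")
            if sep:                        # lines without a colon (==EOF==) are skipped
                record[key.strip()] = value.strip()
    if record:
        sections[current].append(record)
    return sections


def common_prefix(names):
    """Case-insensitive longest common prefix; '' when nothing is shared."""
    low = [n.lower() for n in names]
    if not low:
        return ""
    shortest = min(low, key=len)
    for i, ch in enumerate(shortest):
        if any(n[i] != ch for n in low):
            return shortest[:i]
    return shortest


def triage(report):
    """Summarise the rootkit indicators in the report (lists sorted for stable output)."""
    s = split_sections(report)
    hidden_drivers = sorted(r.get("Name", "") for r in s.get("Drivers", [])
                            if "hidden" in r.get("Status", "").lower())
    # A 'Locked' file is usually just an open handle; only 'Invisible' ones are concealed.
    invisible_files = sorted(r.get("Path", "") for r in s.get("Hidden/Locked Files", [])
                             if r.get("Status", "").startswith("Invisible"))
    injected = defaultdict(set)                            # module -> {(process, pid)}
    for r in s.get("Stealth Objects", []):
        mod, proc = RE_MODULE.search(r.get("Object", "")), RE_PROCESS.match(r.get("Process", ""))
        if mod and proc:
            injected[mod.group(1)].add((proc.group(1), int(proc.group(2))))
    hidden_services = sorted((r.get("Service Name", ""), r.get("Image Path", ""))
                             for r in s.get("Hidden Services", []))
    names = (hidden_drivers + [p.rsplit("\\", 1)[-1] for p in invisible_files]
             + list(injected) + [svc for svc, _ in hidden_services])
    return {
        "hidden_drivers": hidden_drivers,
        "invisible_files": invisible_files,
        "injected_modules": {m: sorted(v) for m, v in injected.items()},
        "processes_hit": len({pid for v in injected.values() for _, pid in v}),
        "hidden_services": hidden_services,
        "family_prefix": common_prefix(names),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Run as a script it prints the summary for the embedded sample. The shared-prefix result reflects what the posted log itself shows: every hidden driver, invisible file, injected module and hidden service there carries the same five-character prefix, which is why a helper treats them as one family rather than as unrelated findings. Locked files are deliberately kept out of the invisible list, since an open handle on a temp file is normal and by itself says nothing.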




#2 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,825 posts
  • Gender:Female
  • Location:Romania

Posted 16 January 2010 - 01:38 PM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results. Post both logs (no need to zip attach.txt).
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
Please be patient and I'd be grateful if you would note the following
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log (don't forget attach.txt)
  • GMER log

Please do NOT post logs as attachments, unless you are unable to copy/paste a log directly in the reply box.


Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 nevermindmi

nevermindmi
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:06:28 PM

Posted 18 January 2010 - 02:40 AM

I'm doing this for my girl.
She can't get on the site, please fix it,
and she told me to paste all this stuff:


Umm... so I've tried to go on the site to check the updates but it showed an error saying that "Firefox can't find the server." I'm wondering if you can help me fix this problem first. Other sites work fine on my computer except for this one and some other forum help sites like answers.yahoo.com. I've tried to view the site using the "cached" version from Google and printscreens from my friend but it didn't really work and I was not able to log in, but I was able to download the scans. And so, I asked my friend to help go on my account and post this up for me.

My computer is still infected as described in my first post, but I think it has gotten worse. At the moment I have a little less than 1GB of space on my computer, so I'm wondering if I'm still able to download the scans required to fix my computer (later on). Adding to the first post, whenever I start my computer, there is this popup saying that my antivirus has been unable.

Sometimes when I am inactive for a while on the computer, it would freeze up or some desktop icons would go missing. There is also a random file named "settings" on my desktop which I'm not sure what it is. But once I restart my computer, everything goes back to normal.

Below is my DDS log, but the other scan (GMER) didn't work. I tried to scan my computer with it but after 30 minutes or so there was a blue screen on my computer, but my computer restarted and nothing seems to be wrong.

Please help!! (:
Thanks! (:


DDS log:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Windows at 0:35:41.67 on 01/18/2010 Mon
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.936.86.1033.18.703.166 [GMT -5:00]

AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Windows Live\Messenger\wlcsdk.exe
C:\PROGRA~1\MICROS~2\OFFICE11\ois.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\dwwin.exe
C:\PROGRA~1\MICROS~2\OFFICE11\ois.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Windows\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\dwwin.exe
C:\Documents and Settings\Windows\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\conime.exe
C:\Documents and Settings\Windows\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Windows\My Documents\Downloads\dds.pif
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\dwwin.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.earthle.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://sympatico.msn.ca/default.aspx?lang=en-ca
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Spam mapi] c:\docume~1\windows\applic~1\cityre~1\MESS PLUS.exe
uRun: [Google Update] "c:\documents and settings\windows\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [AdobeBridge]
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SiS Windows KeyHook] c:\windows\system32\keyhook.exe
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [vancjtv] c:\windows\system32\vancjtv.exe
mRun: [Online chin internet bolt] c:\documents and settings\all users\application data\bags plus online chin\extra wipe.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\utilit~1.lnk - c:\windows\system32\sistray.exe
uPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} - hxxp://zone.msn.com/bingame/zpagames/zpa_hrtz.cab99160.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} - hxxp://zone.msn.com/bingame/zpagames/zpa_pool.cab56649.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
DPF: {FF3C5A9F-5A91-4930-80E8-4709194C2AD3} - hxxp://zone.msn.com/bingame/zpagames/CheckersZPA.cab55579.cab
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli c:\windows\system32\hikebaga.dll c:\windows\system32\vakuhimu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\windows\applic~1\mozilla\firefox\profiles\mstqgxa0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca
FF - plugin: c:\documents and settings\windows\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-3 14336]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-11-21 192104]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-11-21 169576]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-3-14 116416]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-29 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100107.006\naveng.sys [2010-1-8 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100107.006\navex15.sys [2010-1-8 1323568]
R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-1-9 38224]
S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]
S2 pl9hegyicqaiuio;CommServer;c:\windows\system32\jmoyrmijhlqoq.exe /service --> c:\windows\system32\jmoyrmijhlqoq.exe [?]
S2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-3-14 1816768]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]

=============== Created Last 30 ================

2010-01-18 05:25:08 0 d--h--w- c:\windows\PIF
2010-01-15 01:41:29 0 d-----w- c:\windows\SxsCaPendDel
2010-01-09 06:55:31 0 d-----w- c:\docume~1\windows\applic~1\Malwarebytes
2010-01-09 06:50:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-09 06:50:09 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-09 06:50:08 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-09 06:50:08 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-20 05:50:49 0 d-----w- c:\docume~1\alluse~1\applic~1\pixelStorm

==================== Find3M ====================

2009-12-27 22:51:23 39 ----a-w- c:\documents and settings\windows\jagex_runescape_preferences.dat
2009-12-27 22:51:19 69 ----a-w- c:\documents and settings\windows\jagex_runescape_preferences2.dat
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 06:00:55 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00:55 25088 ----a-w- c:\windows\system32\httpapi.dll
2001-11-23 04:08:20 712704 ----a-w- c:\windows\inf\other\AUDIO3D.DLL
2009-01-29 02:19:27 32868 --sha-w- c:\windows\system32\aJiknXyb.ini2
2009-01-29 20:18:13 30906 --sha-w- c:\windows\system32\DKUwxGgh.ini2
2009-01-30 22:17:10 31289 --sha-w- c:\windows\system32\vDdgiSBc.ini2

============= FINISH: 0:39:56.15 ===============




#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,825 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:02:28 AM

Posted 18 January 2010 - 02:49 AM

Hello nevermindmi,

I see indeed evidence of several infections in your logs. One of them comes with the Messenger Plus Sponsor, so please uninstall that application as indicated below.

UNINSTALL PROGRAMS
--------------------------------
Go to Start > Control Panel > Add or Remove Programs.

Remove the following programs, if they are present.

    Messenger Plus! Live & Sponsor (CiD)
If you are unsure of how to use Add or Remove Programs, then please see this tutorial:
How To Remove An Installed Program From Your Computer


Before we continue, we are going to try to free up some hard disk space by deleting your temporary files. You can also uninstall any programs you don't use (using Add/Remove programs).

TFC
--------
Download TFC by OldTimer to your desktop.
(TFC only cleans temp folders. It will not clean URL history, prefetch, or cookies).
Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
Once it's finished it should automatically reboot your machine; if it doesn't, manually reboot to ensure a complete clean.

NOTE:
It's normal after running TFC cleaner that the PC will be slower to boot the first time.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.



Now let's run Combofix to take out some malware.

COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


In your next reply, please include the following:
  • Combofix.txt

regards, Elise


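Elise reads the DDS log above and sees evidence of several infections, one of them installed by the Messenger Plus Sponsor (Lop). The triage script below is an added example for this thread, not part of DDS, ComboFix or anything BleepingComputer uses; it shows how a defender can pull the structurally suspicious persistence entries out of such a log. The heuristics are the author's own, and the sample log is constructed from lines of the DDS log posted above.

```python
"""Triage the 'Pseudo HJT Report' and 'SERVICES / DRIVERS' sections of a DDS log.

Added example for this thread, not part of DDS, ComboFix or any tool named in
it; the heuristics are the author's own.  SAMPLE_DDS below is constructed from
lines of the DDS log posted above.
"""
import re
from collections import Counter

# Windows XP's only default LSA notification package is scecli.  Extra DLLs in
# that list are loaded into lsass.exe at boot, a common persistence spot.
DEFAULT_LSA_PACKAGES = {"scecli"}

RUN_RE = re.compile(r"^[um]Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
PATH_RE = re.compile(r"[a-z]:\\.*?\.(?:exe|dll|sys|scr|cpl)", re.IGNORECASE)
LSA_RE = re.compile(r"^LSA: Notification Packages = (?P<pkgs>.*)$")
SVC_RE = re.compile(r"^[RS]\d (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
USER_PROFILE_RE = re.compile(r"\\(?:docume~1|documents and settings)\\", re.IGNORECASE)


def triage(dds_text):
    """Return (category, detail) findings for an analyst to review."""
    findings = []
    processes = Counter()
    section = None
    for raw in dds_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("=") and line.endswith("="):
            section = line.strip("= ").lower()   # e.g. "running processes"
            continue
        if section == "running processes":
            image = line.rsplit("\\", 1)[-1].split(" ")[0].lower()
            processes[image] += 1
            continue
        m = RUN_RE.match(line)
        if m:
            cmd = m.group("cmd").strip()
            path = PATH_RE.search(cmd)
            if not cmd:
                findings.append(("orphaned-run", m.group("name")))
            elif path and USER_PROFILE_RE.search(path.group(0)):
                # Autostart binaries in a user-writable profile folder are where
                # Lop-style adware hides.  Legitimate per-user updaters land here
                # too, so this is a review lead, not a verdict.
                findings.append(("run-in-user-profile", m.group("name")))
            continue
        m = LSA_RE.match(line)
        if m:
            for pkg in m.group("pkgs").split():
                if pkg.lower() not in DEFAULT_LSA_PACKAGES:
                    findings.append(("extra-lsa-package", pkg))
            continue
        m = SVC_RE.match(line)
        if m and m.group("rest").endswith("[?]"):
            # DDS prints '[?]' when it cannot stat the image file: a stale
            # registration, or a file hidden from the scanner.
            findings.append(("unverified-service", m.group("name")))
            continue
        if line.endswith(" - No File"):
            # BHO/toolbar CLSID with no DLL behind it: a leftover worth cleaning.
            clsid = line.split(":", 1)[1].strip().split(" - ")[0]
            findings.append(("orphaned-bho", clsid))
    # dwwin.exe is Dr. Watson, XP's crash reporter.  Several live copies mean
    # programs are crashing repeatedly, matching the popups in this thread.
    if processes["dwwin.exe"] > 1:
        findings.append(("repeated-crash-reporter", str(processes["dwwin.exe"])))
    return findings


# Constructed sample: lines copied from the DDS log posted above.
SAMPLE_DDS = r"""
============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\dwwin.exe

============== Pseudo HJT Report ===============

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Spam mapi] c:\docume~1\windows\applic~1\cityre~1\MESS PLUS.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [AdobeBridge]
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [vancjtv] c:\windows\system32\vancjtv.exe
mRun: [Online chin internet bolt] c:\documents and settings\all users\application data\bags plus online chin\extra wipe.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
LSA: Notification Packages = scecli c:\windows\system32\hikebaga.dll c:\windows\system32\vakuhimu.dll

============= SERVICES / DRIVERS ===============

R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-3 14336]
S2 pl9hegyicqaiuio;CommServer;c:\windows\system32\jmoyrmijhlqoq.exe /service --> c:\windows\system32\jmoyrmijhlqoq.exe [?]
S2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-3-14 1816768]
"""

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_DDS):
        print(f"{category:24} {detail}")
```

It deliberately says nothing about c:\windows\system32\vancjtv.exe: a random-looking name alone is not a reliable signal, so that Run entry still needs an analyst's eye.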


#5 nevermindmi

nevermindmi
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:06:28 PM

Posted 18 January 2010 - 10:37 PM

I uninstalled Messenger Plus! Live and Sponsor (CID) and I ran the TFC scan to clear my computer. But when I tried to run the ComboFix scan, it didn't work. I tried to disable my antivirus (Symantec AntiVirus) by right clicking on the icon, but after 5 seconds or so it enables itself again. I tried to run Combofix.exe but it does not open. What can I do now?

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,825 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:02:28 AM

Posted 19 January 2010 - 04:54 AM

Please rename combofix.exe to random.exe and try to run it that way.

Yesterday there was a problem with the download link, so you may have to download it again.

Let me know if it works now.

regards, Elise




#7 nevermindmi

nevermindmi
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:06:28 PM

Posted 19 January 2010 - 04:54 PM

It didn't work. I re-downloaded the file and renamed it as random.exe and it was able to open, but everything was in Chinese. I continued anyway but my computer restarted itself in the middle of the process. When the computer started again, Combofix started running again but the desktop disappeared. After a while, it stopped running and so I closed the window. I tried this again and the same thing happened. What should I do now? On another note, I'm using hidemyass.com to access this site since the virus is blocking me from this site.

EDIT: Okay, after I closed the window, I realized that there were no more popups saying that Firefox/Internet Explorer/Google Installer/Google Chrome has encountered an error and needs to close. I can also access this site. Everything else seems to be working okay. I'm not sure if ALL of the malware on my computer is cleared, but it doesn't freeze anymore (:

I just want to ask one more question - do you think it'll be alright if I download Messenger Plus again? You told me earlier to uninstall it but I still want to use the program.

Edited by nevermindmi, 19 January 2010 - 07:38 PM.


#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,825 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:02:28 AM

Posted 20 January 2010 - 08:14 AM

Hi, please see if the following file(s) exist:

c:\combofix.txt
c:\qoobox\combofix<number>.txt (where <number> is 1, 2, and so on).

Post me the oldest log (I think this would be c:\qoobox\combofix2.txt).

You can install Messenger Plus, ONLY if it gives you the option not to install the "sponsor". This sponsor actually infects you with Lop (which showed up in your logs).

regards, Elise




#9 nevermindmi

nevermindmi
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:06:28 PM

Posted 20 January 2010 - 06:55 PM

I rescanned my computer with Combofix again since I couldn't find any of those other logs. Sorry that some parts of the logs are in Chinese :S For some reason the scan and popups from the scan were in Chinese as well.

This one here is from c:\combofix.txt:

ComboFix 10-01-20.03 - Windows 0/2010 Wed 18:22:53.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.936.86.1033.18.703.174 [GMT -5:00]
执行位置: c:\documents and settings\Windows\Desktop\random.exe.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( 被删除的档案 )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\dllcache\ieframe.dll.mui
.
---- 早前运行的结果 -------
.
c:\windows\system32\9976366.dll
c:\windows\system32\aJiknXyb.ini
c:\windows\system32\aJiknXyb.ini2
c:\windows\system32\DKUwxGgh.ini
c:\windows\system32\DKUwxGgh.ini2
c:\windows\system32\h8srtkrl32mainweq.dll
c:\windows\system32\h8srtshsyst.dll
c:\windows\system32\vDdgiSBc.ini
c:\windows\system32\vDdgiSBc.ini2

.
((((((((((((((((((((((((( 2009-12-20 至 2010-01-20 的新的档案 )))))))))))))))))))))))))))))))
.

2010-01-19 00:11 . 2010-01-19 00:11 -------- d-----w- c:\documents and settings\Windows\Application Data\Apple Computer
2010-01-19 00:09 . 2010-01-19 00:09 -------- d-----w- c:\program files\Bonjour
2010-01-19 00:08 . 2010-01-19 00:08 -------- d-----w- c:\documents and settings\Windows\Local Settings\Application Data\Apple
2010-01-19 00:08 . 2010-01-19 00:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-01-18 05:25 . 2010-01-18 05:25 -------- d--h--w- c:\windows\PIF
2010-01-15 01:41 . 2010-01-15 02:13 -------- d-----w- c:\windows\SxsCaPendDel
2010-01-14 05:01 . 2010-01-15 01:22 -------- d-----w- c:\documents and settings\Log in
2010-01-09 06:55 . 2010-01-09 06:55 -------- d-----w- c:\documents and settings\Windows\Application Data\Malwarebytes
2010-01-09 06:50 . 2009-12-30 19:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-09 06:50 . 2010-01-09 06:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-09 06:50 . 2010-01-09 06:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-09 06:50 . 2009-12-30 19:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-20 23:38 . 2009-12-17 20:17 -------- d-----w- c:\program files\Common Files\Akamai
2010-01-20 23:15 . 2008-12-26 02:55 -------- d-----w- c:\program files\Symantec AntiVirus
2010-01-20 23:01 . 2008-07-27 20:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-01-19 00:19 . 2008-01-10 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-01-17 23:00 . 2009-03-24 22:40 -------- d-----w- c:\program files\Norton Security Scan
2010-01-14 05:48 . 2009-11-23 20:33 79488 ----a-w- c:\documents and settings\Windows\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-14 05:03 . 2010-01-14 05:03 1230960 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Component\GoogleCld_3F6C343113693CD9.dll
2009-12-27 22:51 . 2008-07-01 19:20 39 ----a-w- c:\documents and settings\Windows\jagex_runescape_preferences.dat
2009-12-27 22:51 . 2009-09-03 20:03 69 ----a-w- c:\documents and settings\Windows\jagex_runescape_preferences2.dat
2009-12-20 05:50 . 2009-12-20 05:50 -------- d-----w- c:\documents and settings\All Users\Application Data\pixelStorm
2009-12-18 04:20 . 2009-12-18 03:09 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-12-18 04:17 . 2009-12-18 04:17 -------- d-----w- c:\documents and settings\Windows\Application Data\com.adobe.ExMan
2009-12-18 03:09 . 2008-01-12 00:02 68544 ----a-w- c:\documents and settings\Windows\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-18 03:03 . 2009-12-18 03:03 -------- d-----w- c:\documents and settings\All Users\Application Data\ALM
2009-12-18 03:03 . 2008-01-10 20:56 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-18 02:47 . 2009-12-18 02:47 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-12-16 23:18 . 2009-12-15 22:21 -------- d-----w- c:\program files\Windows Live Safety Center
2009-12-15 22:46 . 2009-12-15 22:46 -------- d-----w- c:\program files\Microsoft SQL Server
2009-12-15 22:46 . 2009-12-15 22:39 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2009-12-15 22:45 . 2009-12-15 22:45 -------- d-----w- c:\program files\Microsoft Synchronization Services
2009-12-15 22:45 . 2009-10-08 20:56 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-12-15 22:45 . 2009-12-15 22:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-15 22:44 . 2009-12-15 22:44 193824 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VBExpress\9.0\1033\ResourceCache.dll
2009-12-15 22:42 . 2009-12-15 22:42 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2009-12-15 22:38 . 2009-12-15 22:38 -------- d-----w- c:\program files\Microsoft SDKs
2009-12-15 22:35 . 2009-12-15 22:35 -------- d-----w- c:\program files\MSBuild
2009-12-15 22:35 . 2009-12-15 22:35 -------- d-----w- c:\program files\Reference Assemblies
2009-12-15 22:22 . 2009-12-15 22:22 -------- d-----w- c:\program files\MSXML 6.0
2009-11-21 16:36 . 2004-08-04 01:07 470528 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-10-29 07:45 . 2004-08-04 01:07 916480 ----a-w- c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Windows\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-26 133104]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-27 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SiS Windows KeyHook"="c:\windows\system32\keyhook.exe" [2004-02-27 241664]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 622592]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 61440]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-03-15 125632]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Utility Tray.lnk - c:\windows\system32\sistray.exe [2008-1-10 352256]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Google\\Common\\Google Updater\\GoogleUpdaterService.exe"=
"c:\\WINDOWS\\system32\\sistray.exe"=
"c:\\WINDOWS\\system32\\imapi.exe"=
"c:\\Program Files\\ScanSoft\\PaperPort\\pptd40nt.exe"=
"c:\\Program Files\\Brother\\ControlCenter3\\BrccMCtl.exe"=
"c:\\Program Files\\Brother\\ControlCenter3\\BrCtrCen.exe"=
"c:\\WINDOWS\\ime\\IMJP8_1\\imjpmig.exe"=
"c:\\Program Files\\Brother\\Brmfcmon\\BrMfcMon.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jqs.exe"=
"c:\\Program Files\\Symantec AntiVirus\\DefWatch.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccEvtMgr.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\SPBBC\\SPBBCSvc.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccSetMgr.exe"=
"c:\\WINDOWS\\system32\\WgaTray.exe"=
"c:\\Program Files\\Brother\\Brmfcmon\\BrMfcWnd.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\Symantec AntiVirus\\VPTray.exe"=
"c:\\WINDOWS\\system32\\Keyhook.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Symantec AntiVirus\\Rtvscan.exe"=
"c:\\Documents and Settings\\Windows\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Symantec AntiVirus\\SavRoam.exe"=
"c:\\Documents and Settings\\Windows\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\POWERPNT.EXE"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\Windows Live\\WLLoginProxy.exe"=
"c:\\WINDOWS\\system32\\logon.scr"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Windows Media Player\\setup_wm.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/3/2004 8:07 PM 14336]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/14/2007 7:48 PM 116416]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/29/2009 12:04 AM 102448]
S2 pl9hegyicqaiuio;CommServer;c:\windows\system32\jmoyrmijhlqoq.exe /service --> c:\windows\system32\jmoyrmijhlqoq.exe [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
‘计划任务’ 文件夹 里的内容

2010-01-20 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-07-27 19:37]

2010-01-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2000478354-73586283-682003330-1003Core.job
- c:\documents and settings\Windows\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-26 04:39]

2010-01-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2000478354-73586283-682003330-1003UA.job
- c:\documents and settings\Windows\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-26 04:39]

2010-01-17 c:\windows\Tasks\Norton Security Scan for Windows.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 08:18]

2010-01-20 c:\windows\Tasks\User_Feed_Synchronization-{7EC6E6B1-DF3E-477D-B373-97DB57D628A0}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]

2010-01-20 c:\windows\Tasks\User_Feed_Synchronization-{F696F9F0-7D4C-4C4D-B8CE-E67AB9E3F9D2}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- 而外的扫描 -------
.
uStart Page = hxxp://www.earthle.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Windows\Application Data\Mozilla\Firefox\Profiles\mstqgxa0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca
FF - plugin: c:\documents and settings\Windows\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-Spam mapi - c:\docume~1\Windows\APPLIC~1\CITYRE~1\MESS PLUS.exe
HKCU-Run-AdobeBridge - (no file)
HKLM-Run-Cmaudio - cmicnfg.cpl
HKLM-Run-vancjtv - c:\windows\system32\vancjtv.exe
HKLM-Run-Online chin internet bolt - c:\documents and settings\All Users\Application Data\Bags Plus Online Chin\extra wipe.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-20 18:37
Windows 5.1.2600 Service Pack 2 NTFS

扫描被隐藏的进程 。。。

扫描被隐藏的启动组 。。。

扫描被隐藏的文件 。。。

扫描完成
被隐藏的档案: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]
"ServiceDll"="C:/Program Files/Common Files/Akamai/rswin_3629.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]
"ServiceDll"="C:/Program Files/Common Files/Akamai/rswin_3629.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2000478354-73586283-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\+}IQNS嘯黚髼搹eQ誰V*5*]
"Order"=hex:08,00,00,00,02,00,00,00,40,03,00,00,01,00,00,00,07,00,00,00,7c,00,
00,00,00,00,00,00,6e,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,5c,00,36,\
.
完成时间: 2010-01-20 18:46:23
ComboFix-quarantined-files.txt 2010-01-20 23:46

Pre-Run: 6,864,572,416 bytes free
Post-Run: 6,846,177,280 bytes free

- - End Of File - - 74482816A477F69E1EC5630C39C31C54

The only other notepads in my Local Disk are C:\Qoobox\Add-Remove Programs and C:\Qoobox\ComboFix-quarantined-files.

#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,825 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:02:28 AM

Posted 21 January 2010 - 04:03 AM

Hello nevermindmi,

No problem, I know what has to be on the Chinese character lines

You had a nasty rootkit there. Please consider the following first...

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
CODE
File::
c:\windows\system32\jmoyrmijhlqoq.exe

Driver::
pl9hegyicqaiuio

Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


In your next reply, please include the following:
  • Combofix.txt
  • A description of any remaining problems.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft
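One way to do the triage behind the CF-script above mechanically, as an added example written for this thread (it is not ComboFix's code and not the helper's): it parses the service lines from the first log, scores each one with a few heuristics, and emits the same File::/Driver:: script. The heuristics, the score threshold and the reading of the "[?]" marker are assumptions.

```python
"""Mechanical triage of the service entries in a ComboFix log.

Added example for this thread; it is not ComboFix's code and not the
helper's.  ComboFix prints one service per line as

    <start> <name>;<display name>;<image command> [<date> <size>]

and, when it cannot read the image file, it appends the path it tried
followed by "[?]" instead of a date and size (assumed meaning):

    <start> <name>;<display name>;<command> --> <path> [?]

The scoring heuristics and the threshold below are assumptions chosen to
reproduce the reasoning behind the CF-script posted above.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the service lines from the first log in this thread.
SAMPLE_SERVICES = r"""
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/3/2004 8:07 PM 14336]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/14/2007 7:48 PM 116416]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/29/2009 12:04 AM 102448]
S2 pl9hegyicqaiuio;CommServer;c:\windows\system32\jmoyrmijhlqoq.exe /service --> c:\windows\system32\jmoyrmijhlqoq.exe [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]
"""

LINE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
# First token of an image command that ends in a binary extension (paths may contain spaces).
IMAGE_RE = re.compile(r"^(?P<image>.+?\.(?:exe|sys|dll))(?:\s|$)", re.IGNORECASE)
# "Random-looking": ten or more characters, nothing but lowercase letters and digits.
RANDOM_RE = re.compile(r"[a-z0-9]{10,}")
SUSPICIOUS_THRESHOLD = 3  # assumption: three independent signals before we act


@dataclass
class ServiceEntry:
    start: str        # R = running, S = stopped; the digit is the start type (2 = auto)
    name: str         # registry service name
    display: str      # display name
    image: str        # path of the service binary or driver
    unresolved: bool  # True when ComboFix printed "[?]" for the image file
    flags: list = field(default_factory=list)


def parse_service_line(line):
    """Return a ServiceEntry for one ComboFix service line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    unresolved = rest.endswith("[?]")
    if " --> " in rest:
        # ComboFix already isolated the path it looked for; use that.
        tail = rest.rsplit(" --> ", 1)[1]
        image = tail[: -len(" [?]")] if unresolved else tail
    else:
        command = rest.rsplit(" [", 1)[0]          # drop the trailing "[date size]"
        im = IMAGE_RE.match(command)
        image = im.group("image") if im else command
    return ServiceEntry(m.group("start"), m.group("name"), m.group("display"), image, unresolved)


def score(entry):
    """Attach human-readable flags to an entry; the number of flags is its score."""
    flags = []
    if entry.unresolved:
        flags.append("image file could not be read ([?])")
    stem = entry.image.replace("/", "\\").rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if "\\system32\\" in entry.image.lower() and RANDOM_RE.fullmatch(stem):
        flags.append("random-looking binary name in system32")
    if RANDOM_RE.fullmatch(entry.name):
        flags.append("random-looking service name")
    name, display = entry.name.lower(), entry.display.lower()
    if name not in display and display not in name:
        flags.append("display name unrelated to service name")
    entry.flags = flags
    return len(flags)


def analyse(log_text):
    """Parse every service line in log_text and score it."""
    entries = [e for e in map(parse_service_line, log_text.splitlines()) if e]
    for entry in entries:
        score(entry)
    return entries


def suspicious(entries):
    return [e for e in entries if len(e.flags) >= SUSPICIOUS_THRESHOLD]


def build_cfscript(suspects):
    """Render the File::/Driver:: sections ComboFix expects in CFScript.txt."""
    lines = ["File::"] + [e.image for e in suspects] + ["", "Driver::"] + [e.name for e in suspects]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = analyse(SAMPLE_SERVICES)
    for e in found:
        print(f"{e.start} {e.name:<22} score={len(e.flags)} {'; '.join(e.flags)}")
    print()
    print(build_cfscript(suspicious(found)))
```

Only the pl9hegyicqaiuio entry reaches the threshold; SetupNTGLM7X is also unresolved but that alone is not enough, which is why a single signal should never drive a removal script.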


#11 nevermindmi

nevermindmi
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:28 PM

Posted 21 January 2010 - 07:25 PM

oh ouch :S
Do I have a keylogger on this computer?
This is my main computer but I don't use it to buy stuff or pay bills (thankfully). Does this mean that the hacker knows all my passwords for my accounts? Could you please tell me what the hacker can access or do to my computer? Like...would they know EVERYTHING I do?? Can they change my passwords if they want to?

So far, everything is working fine (:

Okay...so for the two options: reinstall the OS or try to clean it.
Well...I would like to choose the better way - to install the OS but I don't know how to do that. Could you help me do so?
If not, then I guess I have to try to clean my computer...

Here's the log:

ComboFix 10-01-21.01 - Windows 1/2010 Thu 18:43:02.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.936.86.1033.18.703.251 [GMT -5:00]
执行位置: c:\documents and settings\Windows\Desktop\random.exe.exe
Command switches used :: c:\documents and settings\Windows\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FILE ::
"c:\windows\system32\jmoyrmijhlqoq.exe"
.

((((((((((((((((((((((((((((((((((((((( 被删除的档案 )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( 驱动/服务 )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PL9HEGYICQAIUIO
-------\Service_pl9hegyicqaiuio


((((((((((((((((((((((((( 2009-12-22 至 2010-01-22 的新的档案 )))))))))))))))))))))))))))))))
.

2010-01-21 00:02 . 2010-01-21 00:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Messenger Plus!
2010-01-21 00:02 . 2010-01-21 00:02 -------- d-----w- c:\program files\Messenger Plus! Live
2010-01-20 23:21 . 2010-01-20 23:46 -------- d-----w- C:\random.exe
2010-01-19 00:11 . 2010-01-19 00:11 -------- d-----w- c:\documents and settings\Windows\Application Data\Apple Computer
2010-01-19 00:09 . 2010-01-19 00:09 -------- d-----w- c:\program files\Bonjour
2010-01-19 00:08 . 2010-01-19 00:08 -------- d-----w- c:\documents and settings\Windows\Local Settings\Application Data\Apple
2010-01-19 00:08 . 2010-01-19 00:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-01-18 05:25 . 2010-01-18 05:25 -------- d--h--w- c:\windows\PIF
2010-01-15 01:41 . 2010-01-15 02:13 -------- d-----w- c:\windows\SxsCaPendDel
2010-01-14 05:01 . 2010-01-15 01:22 -------- d-----w- c:\documents and settings\Log in
2010-01-09 06:55 . 2010-01-09 06:55 -------- d-----w- c:\documents and settings\Windows\Application Data\Malwarebytes
2010-01-09 06:50 . 2009-12-30 19:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-09 06:50 . 2010-01-09 06:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-09 06:50 . 2010-01-09 06:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-09 06:50 . 2009-12-30 19:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-22 00:03 . 2009-12-17 20:17 -------- d-----w- c:\program files\Common Files\Akamai
2010-01-22 00:01 . 2008-07-27 20:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-01-21 23:59 . 2008-12-26 02:55 -------- d-----w- c:\program files\Symantec AntiVirus
2010-01-19 00:19 . 2008-01-10 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-01-17 23:00 . 2009-03-24 22:40 -------- d-----w- c:\program files\Norton Security Scan
2010-01-14 05:48 . 2009-11-23 20:33 79488 ----a-w- c:\documents and settings\Windows\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-14 05:03 . 2010-01-14 05:03 1230960 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Component\GoogleCld_3F6C343113693CD9.dll
2009-12-27 22:51 . 2008-07-01 19:20 39 ----a-w- c:\documents and settings\Windows\jagex_runescape_preferences.dat
2009-12-27 22:51 . 2009-09-03 20:03 69 ----a-w- c:\documents and settings\Windows\jagex_runescape_preferences2.dat
2009-12-20 05:50 . 2009-12-20 05:50 -------- d-----w- c:\documents and settings\All Users\Application Data\pixelStorm
2009-12-18 04:20 . 2009-12-18 03:09 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-12-18 04:17 . 2009-12-18 04:17 -------- d-----w- c:\documents and settings\Windows\Application Data\com.adobe.ExMan
2009-12-18 03:09 . 2008-01-12 00:02 68544 ----a-w- c:\documents and settings\Windows\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-18 03:03 . 2009-12-18 03:03 -------- d-----w- c:\documents and settings\All Users\Application Data\ALM
2009-12-18 03:03 . 2008-01-10 20:56 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-18 02:47 . 2009-12-18 02:47 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-12-16 23:18 . 2009-12-15 22:21 -------- d-----w- c:\program files\Windows Live Safety Center
2009-12-15 22:46 . 2009-12-15 22:46 -------- d-----w- c:\program files\Microsoft SQL Server
2009-12-15 22:46 . 2009-12-15 22:39 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2009-12-15 22:45 . 2009-12-15 22:45 -------- d-----w- c:\program files\Microsoft Synchronization Services
2009-12-15 22:45 . 2009-10-08 20:56 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-12-15 22:45 . 2009-12-15 22:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-15 22:44 . 2009-12-15 22:44 193824 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VBExpress\9.0\1033\ResourceCache.dll
2009-12-15 22:42 . 2009-12-15 22:42 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2009-12-15 22:38 . 2009-12-15 22:38 -------- d-----w- c:\program files\Microsoft SDKs
2009-12-15 22:35 . 2009-12-15 22:35 -------- d-----w- c:\program files\MSBuild
2009-12-15 22:35 . 2009-12-15 22:35 -------- d-----w- c:\program files\Reference Assemblies
2009-12-15 22:22 . 2009-12-15 22:22 -------- d-----w- c:\program files\MSXML 6.0
2009-10-29 07:45 . 2004-08-04 01:07 916480 ------w- c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Windows\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-26 133104]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-27 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SiS Windows KeyHook"="c:\windows\system32\keyhook.exe" [2004-02-27 241664]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 622592]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 61440]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-03-15 125632]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Utility Tray.lnk - c:\windows\system32\sistray.exe [2008-1-10 352256]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Google\\Common\\Google Updater\\GoogleUpdaterService.exe"=
"c:\\WINDOWS\\system32\\sistray.exe"=
"c:\\WINDOWS\\system32\\imapi.exe"=
"c:\\Program Files\\ScanSoft\\PaperPort\\pptd40nt.exe"=
"c:\\Program Files\\Brother\\ControlCenter3\\BrccMCtl.exe"=
"c:\\Program Files\\Brother\\ControlCenter3\\BrCtrCen.exe"=
"c:\\WINDOWS\\ime\\IMJP8_1\\imjpmig.exe"=
"c:\\Program Files\\Brother\\Brmfcmon\\BrMfcMon.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jqs.exe"=
"c:\\Program Files\\Symantec AntiVirus\\DefWatch.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccEvtMgr.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\SPBBC\\SPBBCSvc.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccSetMgr.exe"=
"c:\\WINDOWS\\system32\\WgaTray.exe"=
"c:\\Program Files\\Brother\\Brmfcmon\\BrMfcWnd.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\Symantec AntiVirus\\VPTray.exe"=
"c:\\WINDOWS\\system32\\Keyhook.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Symantec AntiVirus\\Rtvscan.exe"=
"c:\\Documents and Settings\\Windows\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Symantec AntiVirus\\SavRoam.exe"=
"c:\\Documents and Settings\\Windows\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\POWERPNT.EXE"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\Windows Live\\WLLoginProxy.exe"=
"c:\\WINDOWS\\system32\\logon.scr"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Windows Media Player\\setup_wm.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/3/2004 8:07 PM 14336]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/14/2007 7:48 PM 116416]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/29/2009 12:04 AM 102448]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
‘计划任务’ 文件夹 里的内容

2010-01-22 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-07-27 19:37]

2010-01-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2000478354-73586283-682003330-1003Core.job
- c:\documents and settings\Windows\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-26 04:39]

2010-01-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2000478354-73586283-682003330-1003UA.job
- c:\documents and settings\Windows\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-26 04:39]

2010-01-17 c:\windows\Tasks\Norton Security Scan for Windows.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 08:18]

2010-01-22 c:\windows\Tasks\User_Feed_Synchronization-{7EC6E6B1-DF3E-477D-B373-97DB57D628A0}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]

2010-01-22 c:\windows\Tasks\User_Feed_Synchronization-{F696F9F0-7D4C-4C4D-B8CE-E67AB9E3F9D2}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- 而外的扫描 -------
.
uStart Page = hxxp://www.earthle.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Windows\Application Data\Mozilla\Firefox\Profiles\mstqgxa0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca
FF - plugin: c:\documents and settings\Windows\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-21 19:03
Windows 5.1.2600 Service Pack 2 NTFS

扫描被隐藏的进程 。。。

扫描被隐藏的启动组 。。。

扫描被隐藏的文件 。。。

扫描完成
被隐藏的档案: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]
"ServiceDll"="C:/Program Files/Common Files/Akamai/rswin_3629.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]
"ServiceDll"="C:/Program Files/Common Files/Akamai/rswin_3629.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2000478354-73586283-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\+}IQNS嘯黚髼搹eQ誰V*5*]
"Order"=hex:08,00,00,00,02,00,00,00,40,03,00,00,01,00,00,00,07,00,00,00,7c,00,
00,00,00,00,00,00,6e,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,5c,00,36,\
.
--------------------- 运行进程下的动态链接库 ---------------------

- - - - - - - > 'explorer.exe'(852)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
.
------------------------ 其他运行进程 ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\conime.exe
c:\program files\Brother\ControlCenter3\brccMCtl.exe
c:\program files\Brother\Brmfcmon\BrMfcmon.exe
c:\documents and settings\Windows\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
.
**************************************************************************
.
完成时间: 2010-01-21 19:17:23 - 电脑已重新启动
ComboFix-quarantined-files.txt 2010-01-22 00:17
ComboFix2.txt 2010-01-20 23:46

Pre-Run: 6,720,843,776 bytes free
Post-Run: 6,722,584,576 bytes free

- - End Of File - - 3268B10559C6BB74F1B093EB33FC071A

#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,825 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:02:28 AM

Posted 22 January 2010 - 04:37 AM

QUOTE
Does this mean that the hacker knows all my passwords for my accounts? Could you please tell me what the hacker can access or do to my computer? Like...would they know EVERYTHING i do?? Can they change my passwords if they want to?
No, it does not mean all data is stolen, it means there is a possibility. Now that the rootkit is gone, nobody is able to access your computer.
A backdoor is not necessarily the same as being hacked. It means the rootkit opened a "backdoor" to be able to communicate with its "owner". It can have used this backdoor to send sensitive data from your computer. That's why it's a good idea to change passwords.

The rootkit is gone, but this "backdoor" remains. It is a vulnerability that might or might not be exploited by something in the future.

A good tutorial about reinstall of windows is here

Let me know what you decide to do. If you have any more questions, just let me know

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft


#13 nevermindmi

nevermindmi
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:28 PM

Posted 22 January 2010 - 03:55 PM

oh okaay I see (:

well...I'm just wondering if there's something else you can do to get rid of the backdoor. I don't think that I would reinstall and reformat my computer since I don't have all the disks that are required. Is there another way to attempt to get rid of the backdoor or is that all we can do? If so, I would like to continue doing the clean up.

one more thing...if I refrain from using this computer to do bills or buy things online, would you still recommend me to continue using this computer? On this computer I just access my accounts (eg. facebook, hotmail), homework, and watch videos. Would the backdoor be a concern to any of this? Would you recommend me to buy a new computer?

#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,825 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:02:28 AM

Posted 23 January 2010 - 04:53 AM

Hello nevermindmi,

We can clean this computer from all malware, that's not the problem

There's no way to check if the backdoor is still there, that's why a reformat is recommended.

However, if you don't use the computer for banking/buying, and you change facebook/hotmail passwords, you should be fine. Certainly not a reason to buy a new computer

UPDATE JAVA
------------------
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 18.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u18-windows-i586.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.


MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please launch MBAM and update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


In your next reply, please include the following:
  • MBAM log

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#15 nevermindmi

nevermindmi
  • Topic Starter

  • Members
  • 10 posts
  • Local time:06:28 PM

Posted 24 January 2010 - 02:04 AM

Malwarebytes' Anti-Malware 1.44
Database version: 3623
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

1/24/2010 1:49:41 AM
mbam-log-2010-01-24 (01-49-41).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|G:\|)
Objects scanned: 183678
Time elapsed: 1 hour(s), 7 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\H8SRTemgxlevxbn.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\H8SRTylvnsiqltl.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\H8SRTwkinmpfmuw.sys.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B38950E-0F0F-4BCB-8DE8-48A36F0E024A}\RP602\A0330012.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B38950E-0F0F-4BCB-8DE8-48A36F0E024A}\RP602\A0330129.sys (Malware.Trace) -> Quarantined and deleted successfully.


Okay, so I have a few questions: if I change all my passwords, the hacker wouldn't be able to access my accounts? So does that mean it's not like a keylogger, and after all the malware is removed the hacker would not be able to do much to my computer?

And also, while I was scanning my computer with Malwarebytes, several pop-ups from my antivirus said that there are trojans or some sort which were detected.
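A helper for reading a log like the one posted above, added here as an example (it is not from this thread and is not part of Malwarebytes). It parses the MBAM 1.x log format (header, "... Infected: N" summary counts, then one detail section per category with "path (Threat) -> action." lines), checks that the summary counts agree with the detail lines, and sorts each detection by where it was found: inside C:\Qoobox\Quarantine (the quarantine folder ComboFix uses, so already neutralised), inside a System Restore point (inert unless that restore point is applied), or in a live location that actually needs follow-up. The sample log is constructed: it is an abbreviated copy of the posted log, with the five posted entries plus one made-up placeholder path (Temp\placeholder_constructed.exe, Trojan.Placeholder) added only so the "live" branch is exercised.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: abbreviated from the log posted above, plus one placeholder
# entry (the Temp\... line) so that every classification branch is exercised.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.44
Database version: 3623
Windows 5.1.2600 Service Pack 2

Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|G:\|)
Objects scanned: 183678

Registry Keys Infected: 0
Files Infected: 6

Registry Keys Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\H8SRTemgxlevxbn.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\H8SRTylvnsiqltl.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\H8SRTwkinmpfmuw.sys.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B38950E-0F0F-4BCB-8DE8-48A36F0E024A}\RP602\A0330012.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B38950E-0F0F-4BCB-8DE8-48A36F0E024A}\RP602\A0330129.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Local Settings\Temp\placeholder_constructed.exe (Trojan.Placeholder) -> Quarantined and deleted successfully.
"""


@dataclass
class Detection:
    path: str
    threat: str
    action: str


@dataclass
class MbamReport:
    program: str = ""      # MBAM program version, e.g. "1.44"
    database: str = ""     # definition database version
    os_name: str = ""
    counts: dict = field(default_factory=dict)      # "Files Infected" -> 6
    detections: dict = field(default_factory=dict)  # "Files Infected" -> [Detection, ...]


COUNT_RE = re.compile(r"^(?P<section>.+ Infected): (?P<n>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>.+ Infected):$")
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text: str) -> MbamReport:
    """Parse the header, the summary counts and each per-section detail list."""
    report = MbamReport()
    current = None  # the detail section whose lines we are currently inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None  # a blank line ends a detail section
            continue
        if line.startswith("Malwarebytes' Anti-Malware "):
            report.program = line.rsplit(" ", 1)[1]
            continue
        if line.startswith("Database version:"):
            report.database = line.split(":", 1)[1].strip()
            continue
        if line.startswith("Windows "):
            report.os_name = line
            continue
        m = COUNT_RE.match(line)
        if m:
            report.counts[m["section"]] = int(m["n"])
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m["section"]
            report.detections.setdefault(current, [])
            continue
        if current and line != "(No malicious items detected)":
            m = ENTRY_RE.match(line)
            if m:
                report.detections[current].append(Detection(m["path"], m["threat"], m["action"]))
    return report


def classify(path: str) -> str:
    """Where the detection lived: a tool quarantine, a restore point, or a live location."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:                  # C:\Qoobox is ComboFix's quarantine folder
        return "already-quarantined"
    if "\\system volume information\\_restore" in p:   # System Restore point copy
        return "restore-point"
    return "live"


def triage(report: MbamReport) -> dict:
    """Group every detection by classify(); the 'live' group is what needs follow-up."""
    groups = {"live": [], "already-quarantined": [], "restore-point": []}
    for items in report.detections.values():
        for d in items:
            groups[classify(d.path)].append(d)
    return groups


def count_mismatches(report: MbamReport) -> list:
    """Sections whose summary count disagrees with the detail lines (e.g. a truncated paste)."""
    return [s for s, n in report.counts.items() if n != len(report.detections.get(s, []))]


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print(f"MBAM {rep.program}, database {rep.database}, {rep.os_name}")
    for group, items in triage(rep).items():
        print(f"{group}: {len(items)}")
        for d in items:
            print(f"  {d.threat:<18} {d.path}")
    if count_mismatches(rep):
        print("warning: summary counts do not match detail lines:", count_mismatches(rep))
```

Run against the posted log (minus the constructed placeholder line), every entry lands in the already-quarantined or restore-point groups, which is why the scan reports no active infection even though "Files Infected: 5" looks alarming at first glance. The count check is there because helpers on forums like this one routinely receive logs that were pasted incompletely.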
