
Infected with ???/Was Windows Antivirus Pro


  • This topic is locked
17 replies to this topic

#1 nexus_99

  • Members
  • 119 posts

Posted 12 January 2010 - 07:13 PM

Hi there,

My wife's computer was infected with Windows Antivirus Pro as well as another virus which locked down the desktop by placing a false desktop on top of the existing one with a large box that read 'WARNING - YOUR COMPUTER IS INFECTED'. The computer was not able to do anything; all programs that you tried to open were stopped.

Through the use of a USB key, I was able to run MBAM, and now the computer appears normal but will not connect to the internet. If I try to run a flush dns or ipconfig release/renew, it tells me that another device on the network is using that IP address, and it will not allow me to connect.

Please help, and thanks!

DDS log and HIJACKTHIS log posted.

DDS LOG:


DDS (Ver_09-12-01.01) - NTFSx86
Run by mdg at 18:46:48.73 on Tue 01/12/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1014.582 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Acer\Empowering Technology\admServ.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Acer\Empowering Technology\admtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\imPlayok.exe
C:\Program Files\Microsoft Location Finder\LocationFinder.exe
svchost.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
svchost.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Documents and Settings\mdg\Application Data\Smilebox\SmileboxTray.exe
C:\Documents and Settings\mdg\imPlayok.exe
C:\DOCUME~1\mdg\LOCALS~1\Temp\b3vqjs.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\mdg\LOCALS~1\Temp\RtkBtMnt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
E:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Windows Live Family Safety Browser Helper Class: {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - c:\program files\windows live\family safety\fssbho.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Microsoft Location Finder] "c:\program files\microsoft location finder\LocationFinder.exe"
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SmileboxTray] "c:\documents and settings\mdg\application data\smilebox\SmileboxTray.exe"
uRun: [imPlayok] c:\documents and settings\mdg\imPlayok.exe
uRun: [ygua8e7yhuiesfha876yfauy8fe] c:\docume~1\mdg\locals~1\temp\b3vqjs.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ADMTray.exe] "c:\acer\empowering technology\admtray.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [fssui] "c:\program files\windows live\family safety\fsui.exe" -autorun
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Calc32] c:\windows\system32\regedit.exe
mRun: [imPlayok] c:\windows\system32\imPlayok.exe
mRun: [Regedit32] c:\windows\system32\regedit.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} - hxxp://www.shockwave.com/content/dinerdash2/sis/DinerDash2.1.0.0.67.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235925849765
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1236477621781
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://www.gamehouse.com/games/mjolauncher.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {ABB660B6-6694-407B-950A-EDBA5A159722} - hxxp://www.gamehouse.com/games/dvcode/DVCControl.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5496/mcfscan.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: intu-res - {9CE7D474-16F9-4889-9BB9-53E2008EAE8A} - c:\program files\common files\intuit\intu-res.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-2-16 28544]
R2 AWService;AdminWorks Agent X6;c:\acer\empowering technology\admServ.exe [2005-10-24 1314816]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-5-11 54752]
S2 gupdate1c9a7f8937de840;Google Update Service (gupdate1c9a7f8937de840);c:\program files\google\update\GoogleUpdate.exe [2009-3-18 133104]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]

=============== Created Last 30 ================

2010-01-12 23:22:16 0 d-----w- C:\New Folder
2009-12-29 19:34:59 0 ----a-w- c:\windows\system32\24464.exe
2009-12-29 19:14:59 0 ----a-w- c:\windows\system32\26962.exe
2009-12-29 18:54:59 0 ----a-w- c:\windows\system32\29358.exe
2009-12-29 18:34:59 0 ----a-w- c:\windows\system32\11478.exe
2009-12-29 18:14:59 0 ----a-w- c:\windows\system32\15724.exe
2009-12-29 17:54:59 0 ----a-w- c:\windows\system32\19169.exe
2009-12-29 17:34:59 0 ----a-w- c:\windows\system32\26500.exe
2009-12-29 17:14:59 0 ----a-w- c:\windows\system32\6334.exe
2009-12-29 15:24:08 0 ----a-w- c:\windows\system32\18467.exe
2009-12-29 14:48:00 767488 ----a-w- c:\windows\system32\drivers\gyanakxz.sys
2009-12-29 14:47:29 15000 ----a-w- c:\windows\system32\g80geez9n.dll
2009-12-29 14:47:16 1 ----a-w- C:\s
2009-12-29 14:46:59 27734 ----a-w- c:\documents and settings\mdg\imPlayok.exe
2009-12-29 14:46:59 200704 ----a-w- c:\windows\system32\regedit.exe
2009-12-29 14:46:58 27734 ----a-w- c:\windows\system32\imPlayok.exe
2009-12-29 14:46:49 20480 ----a-w- C:\sofxlipg.exe
2009-12-29 14:46:48 27734 ----a-w- C:\ovqac.exe
2009-12-25 14:23:51 0 d-----w- c:\program files\iPod
2009-12-25 14:23:45 0 d-----w- c:\program files\iTunes
2009-12-25 14:23:45 0 d-----w- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-12-25 14:22:42 0 d-----w- c:\program files\Bonjour
2009-12-25 14:20:07 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-12-25 14:20:07 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll

==================== Find3M ====================

2009-12-03 21:14:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 21:13:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-02-17 01:19:37 109568 --sha-w- c:\windows\system32\gaweyego.dll
2009-02-20 12:57:48 144896 --sha-w- c:\windows\system32\geguboko.dll
2009-02-19 12:57:52 143360 --sha-w- c:\windows\system32\lukirepa.dll
2009-02-17 01:19:36 142336 --sha-w- c:\windows\system32\mhisya.dll
2009-02-17 01:19:36 142336 --sha-w- c:\windows\system32\nadohipi.dll
2009-02-20 12:57:48 144896 --sha-w- c:\windows\system32\rpkevq.dll
2009-02-19 12:57:52 143360 --sha-w- c:\windows\system32\sgkypy.dll
2009-02-17 20:50:26 145408 --sha-w- c:\windows\system32\wedewawa.dll
2009-02-17 20:50:28 109568 --sha-w- c:\windows\system32\yinofagi.dll
2009-02-17 20:50:26 145408 --sha-w- c:\windows\system32\znkwdv.dll

============= FINISH: 18:47:20.70 ===============


HIJACK THIS LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:06:05 PM, on 1/12/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Acer\Empowering Technology\admServ.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Acer\Empowering Technology\admtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\imPlayok.exe
C:\Program Files\Microsoft Location Finder\LocationFinder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Documents and Settings\mdg\Application Data\Smilebox\SmileboxTray.exe
C:\Documents and Settings\mdg\imPlayok.exe
C:\DOCUME~1\mdg\LOCALS~1\Temp\b3vqjs.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\mdg\LOCALS~1\Temp\RtkBtMnt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\mdg\Desktop\HijackThis.exe
C:\WINDOWS\system32\SearchProtocolHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [fssui] "C:\Program Files\Windows Live\Family Safety\fsui.exe" -autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Calc32] C:\WINDOWS\system32\regedit.exe
O4 - HKLM\..\Run: [imPlayok] C:\WINDOWS\system32\imPlayok.exe
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SmileboxTray] "C:\Documents and Settings\mdg\Application Data\Smilebox\SmileboxTray.exe"
O4 - HKCU\..\Run: [imPlayok] C:\Documents and Settings\mdg\imPlayok.exe
O4 - HKCU\..\Run: [ygua8e7yhuiesfha876yfauy8fe] C:\DOCUME~1\mdg\LOCALS~1\Temp\b3vqjs.exe
O4 - HKUS\S-1-5-20\..\Run: [zohizosuti] Rundll32.exe "C:\WINDOWS\system32\vetiwuno.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://www.shockwave.com/content/dinerdash...h2.1.0.0.67.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1235925849765
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1236477621781
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.gamehouse.com/games/mjolauncher.cab
O16 - DPF: {ABB660B6-6694-407B-950A-EDBA5A159722} (DVC Download Control) - http://www.gamehouse.com/games/dvcode/DVCControl.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...496/mcfscan.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Google Update Service (gupdate1c9a7f8937de840) (gupdate1c9a7f8937de840) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 10460 bytes
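The two logs above are the raw material a responder works from, and a few lines in them are the ones that get looked at first: the IE ProxyServer set to 127.0.0.1:5555 (a browser left pointing at a local proxy that no longer runs cannot reach anything, which is one of the first things to check when a cleaned machine "will not connect"), Run entries launched from a Temp directory, Run entries that start regedit.exe under unrelated names, long machine-generated entry names, and a Run entry under the NETWORK SERVICE hive. As an added example, not a BleepingComputer tool and not part of this thread, here is a small Python triage script that reads HijackThis R1/O4 lines and DDS uRun/mRun lines and flags those indicators. The sample lines are constructed in the format of the logs above; the rule names, the 16-character threshold and the lists of loopback hosts, system tools and service-account SIDs are my own choices.

```python
"""Heuristic triage of HijackThis (R1/O4) and DDS (uRun/mRun) log lines.

Added example for this thread, not a BleepingComputer or DDS tool. Rule
names, thresholds and the sample lines below are the author's own choices.
"""
import re
from collections import Counter
from typing import Dict, List

# Constructed sample in the two log formats posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Calc32] C:\WINDOWS\system32\regedit.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ygua8e7yhuiesfha876yfauy8fe] C:\DOCUME~1\mdg\LOCALS~1\Temp\b3vqjs.exe
O4 - HKUS\S-1-5-20\..\Run: [zohizosuti] Rundll32.exe "C:\WINDOWS\system32\vetiwuno.dll",s (User 'NETWORK SERVICE')
mRun: [Regedit32] c:\windows\system32\regedit.exe
"""

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}
# Built-in tools that no installer registers as a logon autostart.
SYSTEM_TOOLS_NOT_AUTORUN = {"regedit.exe", "cmd.exe"}
# Well-known SIDs of LocalSystem, LOCAL SERVICE and NETWORK SERVICE.
SERVICE_ACCOUNT_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}

# O4 lines carry the hive (HKLM, HKCU, HKUS\<SID>); DDS uRun/mRun lines do not.
RUN_RE = re.compile(
    r"^(?:O4 - (?P<hive>\S+?)\\\.\.\\Run:|[um]Run:) \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<value>.+)$")


def parse_proxy_hosts(value: str) -> List[str]:
    """'http=127.0.0.1:5555;https=proxy:8080' or 'proxy:8080' -> list of hosts."""
    hosts = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:                      # scheme=host:port form
            part = part.split("=", 1)[1]
        hosts.append(part.rsplit(":", 1)[0].lower())
    return hosts


def first_executable(cmd: str) -> str:
    """Return the program a Run-entry command line actually starts."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def looks_random(name: str) -> bool:
    """Long run of mixed letters and digits with no separators, as generated
    entry names tend to be; GUID-suffixed and dotted names are left alone."""
    if any(ch in name for ch in "{ ._"):
        return False
    return (len(name) >= 16
            and any(c.isdigit() for c in name)
            and any(c.isalpha() for c in name))


def triage(log_text: str) -> List[Dict[str, str]]:
    """Run every rule over every line; return one finding per rule hit."""
    findings: List[Dict[str, str]] = []

    def hit(rule: str, detail: str, line: str) -> None:
        findings.append({"rule": rule, "detail": detail, "line": line})

    for line in log_text.splitlines():
        line = line.rstrip()
        pm = PROXY_RE.search(line)
        if pm:
            if any(h in LOOPBACK_HOSTS for h in parse_proxy_hosts(pm.group("value"))):
                hit("loopback_proxy", pm.group("value"), line)
            continue
        rm = RUN_RE.match(line)
        if not rm:
            continue
        hive = rm.group("hive") or ""
        name, exe = rm.group("name"), first_executable(rm.group("cmd"))
        if "\\temp\\" in exe.lower():
            hit("autorun_from_temp", exe, line)
        if basename(exe) in SYSTEM_TOOLS_NOT_AUTORUN:
            hit("autorun_system_tool", exe, line)
        if looks_random(name):
            hit("autorun_random_name", name, line)
        parts = hive.split("\\")
        if parts[0].upper() == "HKUS" and len(parts) > 1 and parts[1] in SERVICE_ACCOUNT_SIDS:
            hit("autorun_under_service_account", hive, line)
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per rule, for a quick overview of a long log."""
    return dict(Counter(f["rule"] for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['rule']:32} {f['line']}")
```

Each hit is a lead, not a verdict: a loopback proxy is legitimate on a machine that deliberately runs a local filtering proxy, and a Temp-directory autorun can be a half-finished installer, so the list is meant to tell a helper which lines to look at first in a log of this length, not to decide on its own what to remove.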


#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts

Posted 17 January 2010 - 09:12 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Also, please subscribe to this topic, so you are notified when someone replies. Please continue to check manually on occasion, as every now and then the email may be caught by your spam filter.
To enable topic notifications you should do the following:
  1. Click on the My Controls link at the top of the page to enter your control panel.
  2. Scroll down to the Options category in the left hand side menu bar and click on the Email Settings link.
  3. Put a checkmark in the checkbox labeled Enable 'Email Notification' by default?.
  4. Set the If ticked, choose default type: menu option to Immediate Email Notification to have an email sent immediately when someone replies.

Information on A/V control HERE


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#3 nexus_99

  • Topic Starter

  • Members
  • 119 posts

Posted 18 January 2010 - 11:14 AM

Thank you very much for your response. I am still having this issue; I am not in any other forums (been patiently waiting).


DDS (Ver_09-12-01.01) - NTFSx86
Run by mdg at 11:10:53.20 on Mon 01/18/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1014.583 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Acer\Empowering Technology\admServ.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Acer\Empowering Technology\admtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\imPlayok.exe
svchost.exe
svchost.exe
C:\Program Files\Microsoft Location Finder\LocationFinder.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\mdg\Application Data\Smilebox\SmileboxTray.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Documents and Settings\mdg\imPlayok.exe
C:\DOCUME~1\mdg\LOCALS~1\Temp\b3vqjs.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\DOCUME~1\mdg\LOCALS~1\Temp\RtkBtMnt.exe
C:\WINDOWS\system32\wuauclt.exe
E:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Windows Live Family Safety Browser Helper Class: {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - c:\program files\windows live\family safety\fssbho.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Microsoft Location Finder] "c:\program files\microsoft location finder\LocationFinder.exe"
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SmileboxTray] "c:\documents and settings\mdg\application data\smilebox\SmileboxTray.exe"
uRun: [imPlayok] c:\documents and settings\mdg\imPlayok.exe
uRun: [ygua8e7yhuiesfha876yfauy8fe] c:\docume~1\mdg\locals~1\temp\b3vqjs.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ADMTray.exe] "c:\acer\empowering technology\admtray.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [fssui] "c:\program files\windows live\family safety\fsui.exe" -autorun
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Calc32] c:\windows\system32\regedit.exe
mRun: [imPlayok] c:\windows\system32\imPlayok.exe
mRun: [Regedit32] c:\windows\system32\regedit.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} - hxxp://www.shockwave.com/content/dinerdash2/sis/DinerDash2.1.0.0.67.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235925849765
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1236477621781
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://www.gamehouse.com/games/mjolauncher.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {ABB660B6-6694-407B-950A-EDBA5A159722} - hxxp://www.gamehouse.com/games/dvcode/DVCControl.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5496/mcfscan.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: intu-res - {9CE7D474-16F9-4889-9BB9-53E2008EAE8A} - c:\program files\common files\intuit\intu-res.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-2-16 28544]
R2 AWService;AdminWorks Agent X6;c:\acer\empowering technology\admServ.exe [2005-10-24 1314816]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-5-11 54752]
S2 gupdate1c9a7f8937de840;Google Update Service (gupdate1c9a7f8937de840);c:\program files\google\update\GoogleUpdate.exe [2009-3-18 133104]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]

=============== Created Last 30 ================

2010-01-12 23:48:12 1 ----a-w- c:\documents and settings\mdg\oashdihasidhasuidhiasdhiashdiuasdhasd
2010-01-12 23:22:16 0 d-----w- C:\New Folder
2009-12-29 19:34:59 0 ----a-w- c:\windows\system32\24464.exe
2009-12-29 19:14:59 0 ----a-w- c:\windows\system32\26962.exe
2009-12-29 18:54:59 0 ----a-w- c:\windows\system32\29358.exe
2009-12-29 18:34:59 0 ----a-w- c:\windows\system32\11478.exe
2009-12-29 18:14:59 0 ----a-w- c:\windows\system32\15724.exe
2009-12-29 17:54:59 0 ----a-w- c:\windows\system32\19169.exe
2009-12-29 17:34:59 0 ----a-w- c:\windows\system32\26500.exe
2009-12-29 17:14:59 0 ----a-w- c:\windows\system32\6334.exe
2009-12-29 15:24:08 0 ----a-w- c:\windows\system32\18467.exe
2009-12-29 14:48:00 767488 ----a-w- c:\windows\system32\drivers\gyanakxz.sys
2009-12-29 14:47:29 15000 ----a-w- c:\windows\system32\g80geez9n.dll
2009-12-29 14:47:16 1 ----a-w- C:\s
2009-12-29 14:46:59 27734 ----a-w- c:\documents and settings\mdg\imPlayok.exe
2009-12-29 14:46:59 200704 ----a-w- c:\windows\system32\regedit.exe
2009-12-29 14:46:58 27734 ----a-w- c:\windows\system32\imPlayok.exe
2009-12-29 14:46:49 20480 ----a-w- C:\sofxlipg.exe
2009-12-29 14:46:48 27734 ----a-w- C:\ovqac.exe
2009-12-25 14:23:51 0 d-----w- c:\program files\iPod
2009-12-25 14:23:45 0 d-----w- c:\program files\iTunes
2009-12-25 14:23:45 0 d-----w- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-12-25 14:22:42 0 d-----w- c:\program files\Bonjour
2009-12-25 14:20:07 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-12-25 14:20:07 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll

==================== Find3M ====================

2009-12-03 21:14:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 21:13:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-02-17 01:19:37 109568 --sha-w- c:\windows\system32\gaweyego.dll
2009-02-20 12:57:48 144896 --sha-w- c:\windows\system32\geguboko.dll
2009-02-19 12:57:52 143360 --sha-w- c:\windows\system32\lukirepa.dll
2009-02-17 01:19:36 142336 --sha-w- c:\windows\system32\mhisya.dll
2009-02-17 01:19:36 142336 --sha-w- c:\windows\system32\nadohipi.dll
2009-02-20 12:57:48 144896 --sha-w- c:\windows\system32\rpkevq.dll
2009-02-19 12:57:52 143360 --sha-w- c:\windows\system32\sgkypy.dll
2009-02-17 20:50:26 145408 --sha-w- c:\windows\system32\wedewawa.dll
2009-02-17 20:50:28 109568 --sha-w- c:\windows\system32\yinofagi.dll
2009-02-17 20:50:26 145408 --sha-w- c:\windows\system32\znkwdv.dll

============= FINISH: 11:11:18.95 ===============

ATTACH LOG:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 8/24/2007 8:34:06 AM
System Uptime: 1/18/2010 11:09:27 AM (0 hours ago)

Motherboard: Acer | | Grapevine
Processor: Genuine Intel® CPU T2080 @ 1.73GHz | U1 | 1729/133mhz
Processor: Genuine Intel® CPU T2080 @ 1.73GHz | U1 | 1729/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 112 GiB total, 42.632 GiB free.
D: is CDROM ()
E: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Acer eLock Management
Acer Empowering Technology framework
Acer ePerformance Management
Acer ePresentation Management
Adobe Flash Player 10 ActiveX
Adobe Reader 8.1.6
Age of Wonders
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bonjour
Broadcom 802.11 Network Adapter
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
Google Updater
HDAUDIO Soft Data Fax Modem with SmartCP
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB935448)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Intel® Graphics Media Accelerator Driver
iTunes
Java™ 6 Update 2
Java™ 6 Update 3
Launch Manager
LimeWire 4.16.6
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Location Finder
Microsoft National Language Support Downlevel APIs
Microsoft Office Live Add-in 1.3
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Word 2002
Microsoft Works
Microsoft Works Suite 2006 Setup Launcher
Microsoft Works Suite Add-in for Microsoft Word
MSN
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser
Nero 7 Ultra Edition
Panda ActiveScan 2.0
PowerDVD
QuickTime
Realtek High Definition Audio Driver
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Segoe UI
Sesame Street First Steps (remove only)
Smilebox
SupportSoft Assisted Service
Synaptics Pointing Device Driver
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925876)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VideoLAN VLC media player 0.8.6d
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Search 4.0
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
Works Upgrade

==== End Of File ===========================



#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,707 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:07 AM

Posted 18 January 2010 - 02:27 PM

Hi nexus_99,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

One or more of the identified infections is a backdoor trojan.

A backdoor Trojan can allow an attacker to gain control of the system, log keystrokes, steal passwords, access personal data, send malevolent outgoing traffic, and close the security warning messages displayed by some anti-virus and security programs.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised. Some experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the Operating System. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still try to clean this machine. If you decide to remove the infection please go on with the following steps.


Removal Instructions
  1. Go to start > Run, type the following line in the run box and click OK:

    cmd/c proxycfg -d

    (there are spaces between cmd/c, proxycfg and -d)

    A window flashes; that is normal.

  2. Please open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [Calc32] C:\WINDOWS\system32\regedit.exe
    O4 - HKLM\..\Run: [imPlayok] C:\WINDOWS\system32\imPlayok.exe
    O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
    O4 - HKCU\..\Run: [imPlayok] C:\Documents and Settings\mdg\imPlayok.exe
    O4 - HKCU\..\Run: [ygua8e7yhuiesfha876yfauy8fe] C:\DOCUME~1\mdg\LOCALS~1\Temp\b3vqjs.exe


    Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

  3. Reboot the computer. If you still have no connection, you need to use the flash drive to download this from another computer and run it on the infected computer.

    Download the GMER Rootkit Scanner exe file from here and save it to your desktop.
    • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
    • Click on this link to see a list of programs that should be disabled.
    • Disconnect from the Internet and close all running programs.
    • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
    • In the right panel, you will see several boxes that have been checked. Make sure the following are unchecked:
      • Sections
      • IAT/EAT
      • Drives/Partition other than C:\ drive (C:\ drive should remain checked)
      • Show All (this one also should be unchecked)
    • Then click the Scan button & wait for it to begin. (Please be patient as it can take some time to complete).
    • When the scan is finished, you will see the Scan button appear again. Click Save to save the scan results to your Desktop.
    • Save the file as gmer.log and copy/paste the contents in your next reply.
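
The entries Farbar picks out above share a few traits that can be checked mechanically: a browser proxy pointing back at a local port, Run entries launching from Temp or from the root of the user profile, a gibberish entry name, the same file registered under several names, and regedit.exe registered for autostart under unrelated names (the DDS log above shows a fresh regedit.exe appearing in System32 on 2009-12-29 at the same minute as imPlayok.exe, while the genuine regedit.exe on XP lives in C:\WINDOWS). The Python script below is an added example, not part of this thread and not code from HijackThis or any tool used here; the scan lines it reads are constructed from the entries quoted above plus two benign ones, and the heuristics are the editor's own.

```python
"""Triage of HijackThis-style scan lines for the indicators acted on in this thread.
Added example: the sample is constructed from the thread's quoted entries plus two benign
ones, and every rule below is the editor's heuristic, not HijackThis logic."""
import re
from collections import defaultdict

SAMPLE_SCAN = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Calc32] C:\WINDOWS\system32\regedit.exe
O4 - HKLM\..\Run: [imPlayok] C:\WINDOWS\system32\imPlayok.exe
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [imPlayok] C:\Documents and Settings\mdg\imPlayok.exe
O4 - HKCU\..\Run: [ygua8e7yhuiesfha876yfauy8fe] C:\DOCUME~1\mdg\LOCALS~1\Temp\b3vqjs.exe
"""

R1_RE = re.compile(r"^R1 - (?P<key>[^,]+),ProxyServer = (?P<value>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# HijackThis prints unquoted paths that contain spaces, so take the first drive-rooted
# token ending in an executable extension instead of splitting on whitespace.
PATH_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\.+?\.(?:exe|com|scr|bat|cmd|dll))', re.I)
TEMP_RE = re.compile(r"\\(?:locals~1\\temp|local settings\\temp|temp)\\", re.I)
PROFILE_ROOT_RE = re.compile(r"^[a-z]:\\(?:documents and settings|docume~1)\\[^\\]+\\[^\\]+$", re.I)
SYSTEM_TOOLS = {"regedit.exe", "cmd.exe", "taskmgr.exe"}  # no installer autostarts these


def target_path(cmd):
    """Executable path from a Run value (quotes and arguments stripped), else the bare first token."""
    m = PATH_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip().split()[0]


def localhost_proxy(value):
    """True if an IE ProxyServer value ('host:port' or 'http=host:port;https=...') loops back."""
    for part in value.split(";"):
        host = part.split("=")[-1].strip().split(":")[0].lower()
        if host == "localhost" or host.startswith("127."):
            return True
    return False


def looks_random(name):
    """Crude test for machine-generated names: long, no spaces, no GUID braces,
    and at least three digit runs mixed into the letters."""
    if " " in name or "{" in name or len(name) < 16:
        return False
    return len(re.findall(r"\d+", name)) >= 3


def parse_scan(text):
    """Split a scan into proxy (R1) and autorun (O4) records; other line types are ignored."""
    proxies, runs = [], []
    for line in (l.strip() for l in text.splitlines()):
        if m := R1_RE.match(line):
            proxies.append({"line": line, "value": m.group("value")})
        elif m := O4_RE.match(line):
            path = target_path(m.group("cmd"))
            runs.append({"line": line, "hive": m.group("hive"), "name": m.group("name"),
                         "path": path, "base": path.rsplit("\\", 1)[-1].lower()})
    return proxies, runs


def triage(text):
    """Map each suspicious scan line to the reasons it deserves a Fix Checked."""
    proxies, runs = parse_scan(text)
    findings = {}
    for p in proxies:
        if localhost_proxy(p["value"]):
            findings[p["line"]] = ["browser proxy loops back to a local port; something on "
                                   "this machine is interposing on all IE traffic"]
    names_per_path, paths_per_name = defaultdict(set), defaultdict(set)
    for r in runs:
        names_per_path[r["path"].lower()].add(r["name"])
        paths_per_name[r["name"].lower()].add(r["path"].lower())
    for r in runs:
        reasons = []
        if TEMP_RE.search(r["path"]):
            reasons.append("autostarts from a Temp directory")
        if PROFILE_ROOT_RE.match(r["path"]):
            reasons.append("executable dropped directly in the user profile root")
        if looks_random(r["name"]):
            reasons.append("machine-generated entry name")
        if r["base"] in SYSTEM_TOOLS:
            reasons.append("a system tool never belongs in a Run key")
            if r["base"] == "regedit.exe" and "\\system32\\" in r["path"].lower():
                reasons.append("genuine regedit.exe lives in %windir%, not System32")
        if len(names_per_path[r["path"].lower()]) > 1:
            reasons.append("same file registered under several Run names")
        if len(paths_per_name[r["name"].lower()]) > 1:
            reasons.append("same Run name in both hives pointing at different files")
        if reasons:
            findings[r["line"]] = reasons
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_SCAN).items():
        print(line, *("    - " + r for r in reasons), sep="\n")
```

Run as-is and it prints each flagged line with its reasons; the two benign entries (WLTRAY.exe, ctfmon.exe) stay silent. The name test is deliberately crude and will misfire on unusual but legitimate software, so treat the output as a worklist for the helper, not a verdict.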


#5 nexus_99

nexus_99
  • Topic Starter

  • Members
  • 119 posts
  • Local time:03:07 AM

Posted 18 January 2010 - 07:52 PM

Hi There,

Thanks so much for this. I won't do anything unless you specifically tell me to.

Here's the GMER.LOG:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-18 19:49:00
Windows 5.1.2600 Service Pack 2
Running: n49zkycz.exe; Driver: C:\DOCUME~1\mdg\LOCALS~1\Temp\pxtdypob.sys


---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8658F0B8

AttachedDevice \FileSystem\Ntfs \Ntfs OsaFsLoc.sys (Filesystem Lock driver/OSA Technologies)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

Device \Driver\Cdrom \Device\CdRom0 OsaFsLoc.sys (Filesystem Lock driver/OSA Technologies)

AttachedDevice \FileSystem\Fastfat \Fat OsaFsLoc.sys (Filesystem Lock driver/OSA Technologies)

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] gyanakxz <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\gyanakxz@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gyanakxz@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\gyanakxz@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\gyanakxz@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet003\Services\gyanakxz@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\gyanakxz@Start 0
Reg HKLM\SYSTEM\ControlSet003\Services\gyanakxz@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\gyanakxz@Group Boot Bus Extender

---- Files - GMER 1.0.15 ----

File C:\Program Files\VideoLAN\VLC\locale\co 0 bytes
File C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES 0 bytes
File C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\vlc.mo 667 bytes
File C:\Program Files\VideoLAN\VLC\locale\ms 0 bytes
File C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES 0 bytes
File C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\vlc.mo 354541 bytes
File C:\WINDOWS\system32\mshlps.dll 40448 bytes executable
File C:\WINDOWS\system32\kbdsock.dll 33280 bytes executable
File C:\WINDOWS\McAfee.com\FreeScan\config.dat 5444 bytes

---- EOF - GMER 1.0.15 ----


#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,707 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:07 AM

Posted 19 January 2010 - 03:56 AM

Thanks.

Please give me feedback on anything you faced and on any changes you observed, such as being able to connect to the internet.

Make sure you are connected to the internet by wire/cord. I want to see whether you can connect to the internet at all or whether it is just IE that cannot connect. We need to know that to plan our strategy for the tools we use to remove the malware. Some tools need an internet connection. If there is no connection, our options are limited to the tools that don't need an internet connection.
  1. Did you do step #1? You should have got an error. Please redo the step as follows:

    Go to start => Run, type cmd and click OK.
    Type in the command box proxycfg -d and press enter.

  2. Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:


    CODE
    @echo off
    cd\
    rem adapter settings, DNS answers, reachability and the routing table, all into one file
    (ipconfig /all
    nslookup google.com
    ping -n 2 google.com
    nslookup yahoo.com
    ping -n 2 yahoo.com
    route print) >Log1.txt
    start Log1.txt

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select save in: desktop
    • Fill in File name: test.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate and double-click test.bat on the desktop.
    • A Notepad window opens; copy and paste its content (Log1.txt) into your reply.

Edited by farbar, 19 January 2010 - 06:01 AM.
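
What a helper reads out of the Log1.txt that this batch file produces: which adapter holds a lease, whether DNS is set and where it points, whether names resolve, and whether pings come back. The Python script below is an added example, not part of this thread and not one of the tools used in it; it parses that output offline. Its first sample is trimmed from the log nexus_99 posts in the next reply, its second is a made-up failure case (static addressing, DNS redirected to another LAN host, no ping replies), and the warning rules are the editor's own heuristics.

```python
"""Summarise the Log1.txt produced by the batch file above (added example, not thread code).
SAMPLE_OK is trimmed from the log posted in this thread; SAMPLE_BAD is made up."""
import ipaddress
import re

SAMPLE_OK = """\
Ethernet adapter Local Area Connection:

Dhcp Enabled. . . . . . . . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.106
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 64.71.255.198

Ethernet adapter Wireless Network Connection:

Media State . . . . . . . . . . . : Media disconnected

Server: dns.rnc.net.cable.rogers.com
Address: 64.71.255.198

Name: google.com
Address: 66.249.91.104

Ping statistics for 66.249.91.104:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
"""

SAMPLE_BAD = """\
Ethernet adapter Local Area Connection:

Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.106
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.50

Ping statistics for 66.249.91.104:
Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),
"""

IPCONFIG_KEYS = {"Media State", "Dhcp Enabled", "Autoconfiguration IP Address", "IP Address",
                 "Subnet Mask", "Default Gateway", "DHCP Server", "DNS Servers"}
ADAPTER_RE = re.compile(r"^\S.* adapter (?P<name>.+):$")
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z\- ]*?)\s*[. ]*:\s*(?P<val>.*)$")
NAME_RE = re.compile(r"^Name:\s+(?P<name>\S+)$")
ADDR_RE = re.compile(r"^Address(?:es)?:\s+(?P<addrs>.+)$")
STATS_RE = re.compile(r"^Ping statistics for (?P<ip>\S+):$")
PACKETS_RE = re.compile(r"^Packets: Sent = (?P<sent>\d+), Received = (?P<recv>\d+)")


def parse_log(text):
    """Return (adapters, resolved, pings) from concatenated ipconfig/nslookup/ping output."""
    adapters, resolved, pings = {}, {}, []
    current, pending_name, ping_ip = None, None, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if m := ADAPTER_RE.match(line):
            current = adapters.setdefault(m.group("name"), {})
        elif m := NAME_RE.match(line):                 # nslookup answer: ipconfig part is over
            pending_name, current = m.group("name"), None
        elif (m := ADDR_RE.match(line)) and pending_name:
            resolved[pending_name] = [a.strip() for a in m.group("addrs").split(",")]
            pending_name = None
        elif m := STATS_RE.match(line):
            ping_ip = m.group("ip")
        elif m := PACKETS_RE.match(line):
            pings.append((ping_ip, int(m.group("sent")), int(m.group("recv"))))
        elif (m := FIELD_RE.match(line)) and current is not None:
            key = m.group("key").strip()
            if key in IPCONFIG_KEYS:
                current[key] = m.group("val").strip()
    return adapters, resolved, pings


def analyse(text):
    """Turn the parsed log into the facts a helper wants plus warnings worth chasing."""
    adapters, resolved, pings = parse_log(text)
    warnings = []
    for name, a in adapters.items():
        if "Autoconfiguration IP Address" in a:
            warnings.append(f"{name}: APIPA address, no DHCP lease was obtained")
        if "IP Address" not in a:
            continue                                   # disconnected or unleased adapter
        lan = ipaddress.ip_interface(a["IP Address"] + "/" + a.get("Subnet Mask", "32")).network
        if a.get("Dhcp Enabled") == "No":
            warnings.append(f"{name}: static addressing; confirm the DNS setting was not planted")
        dns = a.get("DNS Servers", "").split()
        if not dns:
            warnings.append(f"{name}: no DNS server configured")
        elif (ipaddress.ip_address(dns[0]) in lan
              and dns[0] not in (a.get("Default Gateway"), a.get("DHCP Server"))):
            warnings.append(f"{name}: DNS server {dns[0]} is another host on the LAN, not the router")
    for ip, sent, recv in pings:
        if recv == 0:
            warnings.append(f"no replies from {ip}: blocked, filtered or no route")
    return {"adapters": adapters, "resolved": resolved, "pings": pings, "warnings": warnings}


if __name__ == "__main__":
    for label, log in (("posted log", SAMPLE_OK), ("failure case", SAMPLE_BAD)):
        print(label, analyse(log)["warnings"] or "no warnings")
```

A DNS server on the ISP's network, as in the posted log, is normal and raises nothing; a DNS server that is a neighbour on the LAN other than the router is the pattern a rogue DHCP server or DNS-changer leaves behind, which is why that case is singled out.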


#7 nexus_99

nexus_99
  • Topic Starter

  • Members
  • 119 posts
  • Local time:03:07 AM

Posted 19 January 2010 - 09:33 AM

Hi There,

Thanks once again for this. When I followed these instructions

[Go to start > Run, type the following line in the run box and click OK:cmd/c proxycfg -d (there are spaces between cmd/c, proxycfg and -d) A window flashes it is normal.]

I indeed got an error message which told me I couldn't run that. I assumed that's what you meant by the window flashing normally.

When I used your instructions in the last post (Run -> cmd -> Enter, and from the command prompt entering proxycfg -d), it tells me:

Microsoft (R) WinHTTP Default Proxy Configuration Tool
Copyright © Microsoft Corporation. All rights reserved.

Updated proxy settings
Current WinHTTP proxy settings under:
HKEY_LOCAL_MACHINE\
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\
WinHttpSettings :

Direct Access <no proxy server>.

****************************
Interestingly enough, when I hard-wired this time (instead of wireless that we usually do), I was able to connect to Google.com (homepage, I did no surfing). The log you asked me to run has returned packets, which was something else that wasn't happening previously. I tried the wireless connection as well, and that too allowed me access to the internet.

So, it appears internet access has returned, thank you. The computer still will not be used until you give me the all clear, though.

Here's the log you wanted:



Windows IP Configuration

Host Name . . . . . . . . . . . . : MUR
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : phub.net.cable.rogers.com

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : phub.net.cable.rogers.com
Description . . . . . . . . . . . : Broadcom 440x 10/100 Integrated Controller
Physical Address. . . . . . . . . : 00-16-D4-E0-D7-A6
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.106
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 64.71.255.198
Lease Obtained. . . . . . . . . . : Tuesday, January 19, 2010 9:18:07 AM
Lease Expires . . . . . . . . . . : Wednesday, January 20, 2010 9:18:07 AM

Ethernet adapter Wireless Network Connection:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Broadcom 802.11g Network Adapter
Physical Address. . . . . . . . . : 00-19-7E-A9-B1-88

Server: dns.rnc.net.cable.rogers.com
Address: 64.71.255.198

Name: google.com
Address: 66.249.91.104

Pinging google.com [66.249.91.104] with 32 bytes of data:

Reply from 66.249.91.104: bytes=32 time=28ms TTL=56
Reply from 66.249.91.104: bytes=32 time=26ms TTL=56

Ping statistics for 66.249.91.104:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 26ms, Maximum = 28ms, Average = 27ms

Server: dns.rnc.net.cable.rogers.com
Address: 64.71.255.198

Name: yahoo.com
Addresses: 209.131.36.159, 209.191.93.53, 69.147.114.224

Pinging yahoo.com [209.191.93.53] with 32 bytes of data:

Reply from 209.191.93.53: bytes=32 time=63ms TTL=51
Reply from 209.191.93.53: bytes=32 time=64ms TTL=51

Ping statistics for 209.191.93.53:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 63ms, Maximum = 64ms, Average = 63ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 16 d4 e0 d7 a6 ...... Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport
0x3 ...00 19 7e a9 b1 88 ...... Broadcom 802.11g Network Adapter - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.106 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
169.254.0.0 255.255.0.0 192.168.1.106 192.168.1.106 20
192.168.1.0 255.255.255.0 192.168.1.106 192.168.1.106 20
192.168.1.106 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.106 192.168.1.106 20
224.0.0.0 240.0.0.0 192.168.1.106 192.168.1.106 20
255.255.255.255 255.255.255.255 192.168.1.106 192.168.1.106 1
255.255.255.255 255.255.255.255 192.168.1.106 3 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None


#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,707 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:07 AM

Posted 19 January 2010 - 10:37 AM

Great.

We can use the internet now to remove the infection. In case ComboFix does not run, you may rename it to far.exe and run it.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

#9 nexus_99

nexus_99
  • Topic Starter

  • Members
  • 119 posts
  • Local time:03:07 AM

Posted 19 January 2010 - 03:09 PM

Hi Farbar,

Sorry for the delay in this reply, and again, thank you so very much for all your help.

The ComboFix that I downloaded was slightly different than what you have in your screenshots; I chalked it up to updated versions as opposed to anything else (as I took it from your first link and figured you wouldn't link me anywhere malicious).

Here's the log it created at the end - you should know, whether it's normal or not, that the entire time there was a blue command prompt screen up, and it rebooted my machine automatically after the scan and before the log. It also closed out the instructions (IE page open to this forum) several times.

COMBOFIX LOG FILE:

ComboFix 10-01-19.01 - mdg 01/19/2010 14:53:49.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1014.558 [GMT -5:00]
Running from: c:\documents and settings\mdg\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\mdg\imPlayok.exe
c:\documents and settings\mdg\oashdihasidhasuidhiasdhiashdiuasdhasd
C:\ovqac.exe
c:\recycler\S-1-5-21-117609710-879983540-725345543-1004
c:\recycler\S-1-5-21-682606793-2152906327-598499186-1004
C:\s
C:\sofxlipg.exe
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\system32\11478.exe
c:\windows\system32\15724.exe
c:\windows\system32\18467.exe
c:\windows\system32\19169.exe
c:\windows\system32\24464.exe
c:\windows\system32\26500.exe
c:\windows\system32\26962.exe
c:\windows\system32\29358.exe
c:\windows\system32\6334.exe
c:\windows\system32\dimijeno.dll
c:\windows\system32\g80geez9n.dll
c:\windows\system32\gaweyego.dll
c:\windows\system32\geguboko.dll
c:\windows\system32\imPlayok.exe
c:\windows\system32\kbdsock.dll
c:\windows\system32\lukirepa.dll
c:\windows\system32\mhisya.dll
c:\windows\system32\mshlps.dll
c:\windows\system32\nadohipi.dll
c:\windows\system32\regedit.exe
c:\windows\system32\rpkevq.dll
c:\windows\system32\sgkypy.dll
c:\windows\system32\wedewawa.dll
c:\windows\system32\yinofagi.dll
c:\windows\system32\znkwdv.dll
c:\windows\winhelp.ini

.
((((((((((((((((((((((((( Files Created from 2009-12-19 to 2010-01-19 )))))))))))))))))))))))))))))))
.

2010-01-12 23:22 . 2010-01-12 23:22 -------- d-----w- C:\New Folder
2009-12-29 14:48 . 2010-01-19 20:01 767488 ----a-w- c:\windows\system32\drivers\gyanakxz.sys
2009-12-29 14:47 . 2009-12-29 19:46 -------- d-----w- c:\documents and settings\mdg\Local Settings\Application Data\jlsbyg
2009-12-25 14:23 . 2009-12-25 14:23 -------- d-----w- c:\program files\iPod
2009-12-25 14:23 . 2009-12-25 14:24 -------- d-----w- c:\program files\iTunes
2009-12-25 14:23 . 2009-12-25 14:24 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-12-25 14:22 . 2009-12-25 14:22 -------- d-----w- c:\program files\Bonjour
2009-12-25 14:20 . 2009-12-25 14:20 -------- d-----w- c:\program files\Apple Software Update
2009-12-25 14:20 . 2009-08-29 00:42 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-12-25 14:20 . 2009-08-29 00:42 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-19 19:46 . 2007-09-04 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-01-08 02:14 . 2007-10-08 17:11 -------- d-----w- c:\documents and settings\mdg\Application Data\LimeWire
2009-12-30 23:21 . 2009-03-08 17:21 -------- d-----w- c:\program files\Microsoft
2009-12-29 15:37 . 2009-01-16 00:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-25 15:07 . 2007-08-31 01:29 -------- d-----w- c:\documents and settings\mdg\Application Data\Apple Computer
2009-12-25 14:23 . 2007-08-31 01:28 -------- d-----w- c:\program files\Common Files\Apple
2009-12-25 14:22 . 2007-08-31 01:29 -------- d-----w- c:\program files\QuickTime
2009-12-25 14:20 . 2007-08-31 01:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-12-20 23:16 . 2007-09-04 00:05 -------- d-----w- c:\program files\Google
2009-12-12 02:03 . 2009-05-09 19:03 -------- d-----w- c:\documents and settings\mdg\Application Data\Smilebox
2009-12-07 09:14 . 2009-12-07 09:14 1593992 ----a-w- c:\documents and settings\mdg\Application Data\Smilebox\SmileboxClient.exe
2009-12-07 08:39 . 2009-12-07 08:39 344712 ----a-w- c:\documents and settings\mdg\Application Data\Smilebox\SmileboxDvdEngine.dll
2009-12-07 08:39 . 2009-12-07 08:39 123528 ----a-w- c:\documents and settings\mdg\Application Data\Smilebox\SmileboxUpdater.exe
2009-12-03 21:14 . 2009-01-16 00:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 21:13 . 2009-01-16 00:25 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-12 22:07 . 2009-11-12 22:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Location Finder"="c:\program files\Microsoft Location Finder\LocationFinder.exe" [2005-08-24 101080]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-01-15 147456]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-04 68856]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"SmileboxTray"="c:\documents and settings\mdg\Application Data\Smilebox\SmileboxTray.exe" [2009-04-24 254600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-11-12 1236992]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 16248320]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-12-21 53248]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2006-07-21 593920]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761946]
"ADMTray.exe"="c:\acer\Empowering Technology\admtray.exe" [2005-10-24 2462208]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-12-06 69216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-06 54832]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"fssui"="c:\program files\Windows Live\Family Safety\fsui.exe" [2009-08-06 647520]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\mdg\\My Documents\\My Music\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2/16/2009 8:16 PM 28544]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [5/11/2009 8:30 PM 54752]
S2 gupdate1c9a7f8937de840;Google Update Service (gupdate1c9a7f8937de840);c:\program files\Google\Update\GoogleUpdate.exe [3/18/2009 1:37 PM 133104]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [8/5/2009 10:48 PM 704864]

--- Other Services/Drivers In Memory ---

*Deregistered* - gyanakxz
.
Contents of the 'Scheduled Tasks' folder

2009-12-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-01-19 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-09-04 22:24]

2010-01-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-18 18:37]

2010-01-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-18 18:37]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Calc32 - c:\windows\system32\regedit.exe
AddRemove-Malwarebytes' Anti-Malware_is1 - e:\malwarebytes' anti-malware\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-19 15:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gyanakxz]

.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(896)
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\system32\brsvc01a.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\brss01a.exe
c:\acer\Empowering Technology\admServ.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\docume~1\mdg\LOCALS~1\Temp\RtkBtMnt.exe
.
**************************************************************************
.
Completion time: 2010-01-19 15:04:43 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-19 20:04

Pre-Run: 45,701,341,184 bytes free
Post-Run: 46,147,870,720 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 9E1BCFEA273753E2A248CCEA30DC36BB


#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,707 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:07 AM

Posted 19 January 2010 - 03:56 PM

Well done.

Your log(s) show that you are using so-called peer-to-peer or file-sharing programs. These programs allow users to share files with each other, as the name suggests. In today's world, cyber crime has grown to an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."


Removal Instructions
  1. Open notepad and copy/paste the text in the code box below into it:

    CODE
    http://www.bleepingcomputer.com/forums/t/286488/infected-with-was-windows-anivirus-pro/

    Collect::
    c:\windows\system32\drivers\gyanakxz.sys
    Driver::
    gyanakxz
    Folder::
    c:\documents and settings\mdg\Local Settings\Application Data\jlsbyg


    Save this as CFScript.txt





    Referring to the picture above, drag CFScript.txt into ComboFix.exe

    When finished, it shall produce a log for you. Please copy and paste that log in your next reply.

    **Important Note**

    When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  2. Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



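The two ComboFix logs in this thread share one layout (the "(((( Other Deletions ))))" and "Files Created" sections, the "Reg Loading Points" firewall policy, the "*Deregistered*" driver in memory), and the CFScript above acts on what that layout shows with the Collect:: and Driver:: directives. The following is an added example, not code from this thread, from ComboFix's author or from Malwarebytes: a small Python triage script that parses a constructed excerpt in that layout, flags the kinds of entries seen here (all-digit executables, executables in the drive or profile root, an 8-letter alternating consonant/vowel name, a driver created in the window that is still listed as *Deregistered*, the firewall turned off) and emits a CFScript skeleton in the shape used in the post. The sample excerpt, the heuristics, the section names it keys on and the placeholder thread URL are assumptions; the Folder:: directive is left to the analyst because which folders to remove needs human judgement.

```python
import re
from collections import defaultdict

# Constructed excerpt in the layout of the ComboFix log posted above; not a real log file.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\mdg\imPlayok.exe
C:\ovqac.exe
c:\windows\system32\11478.exe
c:\windows\system32\dimijeno.dll
c:\windows\winhelp.ini
.
((((((((((((((((((((((((( Files Created from 2009-12-19 to 2010-01-19 )))))))))))))))))))))))))))))))
.
2009-12-29 14:48 . 2010-01-19 20:01 767488 ----a-w- c:\windows\system32\drivers\gyanakxz.sys
2009-12-25 14:20 . 2009-08-29 00:42 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

--- Other Services/Drivers In Memory ---

*Deregistered* - gyanakxz
.
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$|^-{3,}\s*(.+?)\s*-{3,}$")
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} (\S+) (\S+) (.+)$")
DEREG_RE = re.compile(r"^\*Deregistered\* - (\S+)$")
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"\s*=\s*0\b', re.I)
DRIVE_ROOT_RE = re.compile(r"^[a-z]:\\[^\\]+$", re.I)
PROFILE_ROOT_RE = re.compile(r"^[a-z]:\\documents and settings\\[^\\]+\\[^\\]+$", re.I)
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")
VOWELS = set("aeiou")


def split_sections(text):
    # Group lines under the "(((( name ))))" / "--- name ---" headers ComboFix prints.
    sections = defaultdict(list)
    current = "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            name = m.group(1) or m.group(2)
            # the date range in this header changes per run, so key it by its prefix
            current = "Files Created" if name.startswith("Files Created") else name
        elif line and line != ".":
            sections[current].append(line)
    return sections


def alternating_cv(stem):
    # 8 letters strictly alternating consonant/vowel: a generated-name pattern that also
    # hits a few legitimate names, so it is reported as "review", not "malicious".
    if len(stem) != 8 or not stem.isalpha():
        return False
    kinds = [c in VOWELS for c in stem]
    return all(kinds[i] != kinds[i + 1] for i in range(7))


def path_findings(path):
    # Heuristic reasons a deleted or newly created path deserves a second look.
    p = path.lower()
    base = p.rsplit("\\", 1)[-1]
    stem = base.rpartition(".")[0]
    if not base.endswith(EXEC_EXT):
        return []
    reasons = []
    if stem.isdigit():
        reasons.append("all-digit executable name")
    if DRIVE_ROOT_RE.match(p):
        reasons.append("executable in drive root")
    if PROFILE_ROOT_RE.match(p):
        reasons.append("executable in user profile root")
    if alternating_cv(stem):
        reasons.append("alternating consonant/vowel name (review)")
    return reasons


def triage(text):
    s = split_sections(text)
    created = [m.group(3) for l in s.get("Files Created", []) if (m := CREATED_RE.match(l))]
    dereg = {m.group(1).lower() for l in s.get("Other Services/Drivers In Memory", [])
             if (m := DEREG_RE.match(l))}
    hidden = {}  # driver name -> .sys path: created in the window and ComboFix could not stop it
    for p in created:
        base = p.lower().rsplit("\\", 1)[-1]
        if base.endswith(".sys") and base[:-4] in dereg:
            hidden[base[:-4]] = p
    flagged = {p: r for p in s.get("Other Deletions", []) + created if (r := path_findings(p))}
    fw_off = any(FIREWALL_OFF_RE.match(l) for l in s.get("Reg Loading Points", []))
    return {"flagged": flagged, "hidden_drivers": hidden, "firewall_disabled": fw_off}


def build_cfscript(findings, thread_url):
    # Same shape as the script in the thread: URL first, then Collect:: (files to submit)
    # and Driver:: (service names to remove). Folder:: is left to the analyst.
    lines = [thread_url, ""]
    if findings["hidden_drivers"]:
        lines += ["Collect::", *findings["hidden_drivers"].values()]
        lines += ["Driver::", *findings["hidden_drivers"]]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for path, reasons in result["flagged"].items():
        print(f"{path}: {', '.join(reasons)}")
    print("hidden drivers:", result["hidden_drivers"], "firewall disabled:", result["firewall_disabled"])
    print(build_cfscript(result, "http://example.invalid/thread"))  # placeholder URL, an assumption
```

The name heuristics are deliberately weak: `dimijeno.dll` is flagged for review only, and the randomly named DLLs such as `rpkevq.dll` in the real log are not caught at all, which is why an analyst still hashes or submits the files (the Collect:: step) rather than trusting the filename.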

#11 nexus_99

nexus_99
  • Topic Starter

  • Members
  • 119 posts
  • OFFLINE
  • Local time:03:07 AM

Posted 19 January 2010 - 10:00 PM

Hello once again,

Hopefully you don't tire of being thanked repeatedly

When I opened up the Combofix, it had me update. It then did its thing, rebooted, and here's the result.

COMBOFIX LOG2:

ComboFix 10-01-19.03 - mdg 01/19/2010 21:47:25.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1014.592 [GMT -5:00]
Running from: c:\documents and settings\mdg\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\mdg\Desktop\CFScript.txt

file zipped: c:\windows\system32\drivers\gyanakxz.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\mdg\Local Settings\Application Data\jlsbyg
c:\windows\system32\drivers\gyanakxz.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GYANAKXZ
-------\Service_gyanakxz


((((((((((((((((((((((((( Files Created from 2009-12-20 to 2010-01-20 )))))))))))))))))))))))))))))))
.

2010-01-12 23:22 . 2010-01-12 23:22 -------- d-----w- C:\New Folder
2009-12-25 14:23 . 2009-12-25 14:23 -------- d-----w- c:\program files\iPod
2009-12-25 14:23 . 2009-12-25 14:24 -------- d-----w- c:\program files\iTunes
2009-12-25 14:23 . 2009-12-25 14:24 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-12-25 14:22 . 2009-12-25 14:22 -------- d-----w- c:\program files\Bonjour
2009-12-25 14:20 . 2009-12-25 14:20 -------- d-----w- c:\program files\Apple Software Update
2009-12-25 14:20 . 2009-08-29 00:42 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-12-25 14:20 . 2009-08-29 00:42 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-19 19:46 . 2007-09-04 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-01-08 02:14 . 2007-10-08 17:11 -------- d-----w- c:\documents and settings\mdg\Application Data\LimeWire
2009-12-30 23:21 . 2009-03-08 17:21 -------- d-----w- c:\program files\Microsoft
2009-12-29 15:37 . 2009-01-16 00:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-25 15:07 . 2007-08-31 01:29 -------- d-----w- c:\documents and settings\mdg\Application Data\Apple Computer
2009-12-25 14:23 . 2007-08-31 01:28 -------- d-----w- c:\program files\Common Files\Apple
2009-12-25 14:22 . 2007-08-31 01:29 -------- d-----w- c:\program files\QuickTime
2009-12-25 14:20 . 2007-08-31 01:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-12-20 23:16 . 2007-09-04 00:05 -------- d-----w- c:\program files\Google
2009-12-12 02:03 . 2009-05-09 19:03 -------- d-----w- c:\documents and settings\mdg\Application Data\Smilebox
2009-12-07 09:14 . 2009-12-07 09:14 1593992 ----a-w- c:\documents and settings\mdg\Application Data\Smilebox\SmileboxClient.exe
2009-12-07 08:39 . 2009-12-07 08:39 344712 ----a-w- c:\documents and settings\mdg\Application Data\Smilebox\SmileboxDvdEngine.dll
2009-12-07 08:39 . 2009-12-07 08:39 123528 ----a-w- c:\documents and settings\mdg\Application Data\Smilebox\SmileboxUpdater.exe
2009-12-03 21:14 . 2009-01-16 00:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 21:13 . 2009-01-16 00:25 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-12 22:07 . 2009-11-12 22:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-01-19_20.00.38 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-04 12:00 . 2010-01-19 19:50 78864 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2010-01-19 20:03 78864 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2010-01-19 20:03 463068 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2010-01-19 19:50 463068 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Location Finder"="c:\program files\Microsoft Location Finder\LocationFinder.exe" [2005-08-24 101080]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-01-15 147456]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-04 68856]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"SmileboxTray"="c:\documents and settings\mdg\Application Data\Smilebox\SmileboxTray.exe" [2009-04-24 254600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-11-12 1236992]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 16248320]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-12-21 53248]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2006-07-21 593920]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761946]
"ADMTray.exe"="c:\acer\Empowering Technology\admtray.exe" [2005-10-24 2462208]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-12-06 69216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-06 54832]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"fssui"="c:\program files\Windows Live\Family Safety\fsui.exe" [2009-08-06 647520]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\mdg\\My Documents\\My Music\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2/16/2009 8:16 PM 28544]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [5/11/2009 8:30 PM 54752]
S2 gupdate1c9a7f8937de840;Google Update Service (gupdate1c9a7f8937de840);c:\program files\Google\Update\GoogleUpdate.exe [3/18/2009 1:37 PM 133104]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [8/5/2009 10:48 PM 704864]
.
Contents of the 'Scheduled Tasks' folder

2009-12-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-01-20 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-09-04 22:24]

2010-01-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-18 18:37]

2010-01-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-18 18:37]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-19 21:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)
c:\windows\system32\WLDAP32.dll

- - - - - - - > 'explorer.exe'(3032)
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\system32\brsvc01a.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\acer\Empowering Technology\admServ.exe
c:\windows\system32\brss01a.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\igfxext.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\docume~1\mdg\LOCALS~1\Temp\RtkBtMnt.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-01-19 21:57:25 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-20 02:57
ComboFix2.txt 2010-01-19 20:04

Pre-Run: 46,146,228,224 bytes free
Post-Run: 46,026,506,240 bytes free

- - End Of File - - B8F716400BCC092BB5266F5742E23A29


#12 nexus_99

nexus_99
  • Topic Starter

  • Members
  • 119 posts
  • OFFLINE
  • Local time:03:07 AM

Posted 19 January 2010 - 10:09 PM

Sorry about the double post, here's the MBAM log (I tried to use the MBAM that was already on my wife's machine, it wouldn't run, gave me a runtime error '440' so I reinstalled it)

MBAM LOG:

Malwarebytes' Anti-Malware 1.44
Database version: 3601
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

1/19/2010 10:08:39 PM
mbam-log-2010-01-19 (22-08-39).txt

Scan type: Quick Scan
Objects scanned: 107622
Time elapsed: 4 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#13 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,707 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:07 AM

Posted 20 January 2010 - 02:15 AM

You are very welcome nexus_99 and thank you too for the appreciation.
  1. You are missing one important program on that computer: An antivirus.
    This is somewhat suicidal in today's digital world.
    You need to install an antivirus program as soon as you can. I recommend this good free antivirus if you don't have a paid antivirus:

    Avira
    • Download the installer from softpedia.com link as it has a secure download mirror. Install and update it.
    • In the left pane click Status. In the right pane click Scan system now.
    • After the scan finished let it remove what it finds and then Click Report.
    • You can get the last report also by clicking on Reports on the left pane.
    • In the right window under Action double-click on the last Scan listed (you also see the corresponding Date/Time).
    • A window opens, click on Report file.
    • Copy and paste the content of the report to your reply.

  2. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "Java Runtime Environment (JRE)" JRE 6 Update 17.
    • Click the Download button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u17-windows-i586.exe to install the newest version.

  3. Tell me also how is the computer running.


#14 nexus_99

nexus_99
  • Topic Starter

  • Members
  • 119 posts
  • OFFLINE
  • Local time:03:07 AM

Posted 20 January 2010 - 11:12 AM

Hi Farbar,

There were 2 versions of Java which have been removed.

AVIRA SCAN LOG (20 items were found):



Avira AntiVir Personal
Report file date: Wednesday, January 20, 2010 09:22

Scanning for 1572646 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 2) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : MUR

Version information:
BUILD.DAT : 9.0.0.418 21723 Bytes 12/2/2009 16:28:00
AVSCAN.EXE : 9.0.3.10 466689 Bytes 10/13/2009 16:26:33
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 15:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 16:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 15:58:52
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 12:35:52
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 14:11:41
VBASE002.VDF : 7.10.1.1 2048 Bytes 11/19/2009 14:11:41
VBASE003.VDF : 7.10.1.2 2048 Bytes 11/19/2009 14:11:41
VBASE004.VDF : 7.10.1.3 2048 Bytes 11/19/2009 14:11:42
VBASE005.VDF : 7.10.1.4 2048 Bytes 11/19/2009 14:11:42
VBASE006.VDF : 7.10.1.5 2048 Bytes 11/19/2009 14:11:42
VBASE007.VDF : 7.10.1.6 2048 Bytes 11/19/2009 14:11:42
VBASE008.VDF : 7.10.1.7 2048 Bytes 11/19/2009 14:11:42
VBASE009.VDF : 7.10.1.8 2048 Bytes 11/19/2009 14:11:42
VBASE010.VDF : 7.10.1.9 2048 Bytes 11/19/2009 14:11:42
VBASE011.VDF : 7.10.1.10 2048 Bytes 11/19/2009 14:11:42
VBASE012.VDF : 7.10.1.11 2048 Bytes 11/19/2009 14:11:43
VBASE013.VDF : 7.10.1.79 209920 Bytes 11/25/2009 14:11:46
VBASE014.VDF : 7.10.1.128 197632 Bytes 11/30/2009 14:11:47
VBASE015.VDF : 7.10.1.178 195584 Bytes 12/7/2009 14:11:50
VBASE016.VDF : 7.10.1.224 183296 Bytes 12/14/2009 14:11:52
VBASE017.VDF : 7.10.1.247 182272 Bytes 12/15/2009 14:11:54
VBASE018.VDF : 7.10.2.30 198144 Bytes 12/21/2009 14:11:56
VBASE019.VDF : 7.10.2.63 187392 Bytes 12/24/2009 14:11:57
VBASE020.VDF : 7.10.2.93 195072 Bytes 12/29/2009 14:11:59
VBASE021.VDF : 7.10.2.131 201216 Bytes 1/7/2010 14:12:01
VBASE022.VDF : 7.10.2.158 192000 Bytes 1/11/2010 14:12:02
VBASE023.VDF : 7.10.2.186 200704 Bytes 1/14/2010 14:12:06
VBASE024.VDF : 7.10.2.205 201728 Bytes 1/15/2010 14:12:10
VBASE025.VDF : 7.10.2.219 158720 Bytes 1/18/2010 14:12:11
VBASE026.VDF : 7.10.2.230 173056 Bytes 1/19/2010 14:12:13
VBASE027.VDF : 7.10.2.231 2048 Bytes 1/19/2010 14:12:13
VBASE028.VDF : 7.10.2.232 2048 Bytes 1/19/2010 14:12:13
VBASE029.VDF : 7.10.2.233 2048 Bytes 1/19/2010 14:12:13
VBASE030.VDF : 7.10.2.234 2048 Bytes 1/19/2010 14:12:14
VBASE031.VDF : 7.10.2.242 102400 Bytes 1/20/2010 14:12:15
Engineversion : 8.2.1.142
AEVDF.DLL : 8.1.1.2 106867 Bytes 11/8/2009 12:38:52
AESCRIPT.DLL : 8.1.3.7 594296 Bytes 1/20/2010 14:12:35
AESCN.DLL : 8.1.3.1 127348 Bytes 1/20/2010 14:12:33
AESBX.DLL : 8.1.1.1 246132 Bytes 11/8/2009 12:38:44
AERDL.DLL : 8.1.3.4 479605 Bytes 1/20/2010 14:12:32
AEPACK.DLL : 8.2.0.5 422262 Bytes 1/20/2010 14:12:29
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 11/8/2009 12:38:38
AEHEUR.DLL : 8.1.0.195 2232695 Bytes 1/20/2010 14:12:27
AEHELP.DLL : 8.1.10.0 237942 Bytes 1/20/2010 14:12:19
AEGEN.DLL : 8.1.1.83 369014 Bytes 1/20/2010 14:12:18
AEEMU.DLL : 8.1.1.0 393587 Bytes 11/8/2009 12:38:26
AECORE.DLL : 8.1.9.5 184693 Bytes 1/20/2010 14:12:16
AEBB.DLL : 8.1.0.3 53618 Bytes 11/8/2009 12:38:20
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 13:47:59
AVPREF.DLL : 9.0.3.0 44289 Bytes 8/26/2009 20:14:02
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 19:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 15:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 20:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 15:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 20:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 13:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 15:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 20:39:58
RCTEXT.DLL : 9.0.73.0 86785 Bytes 10/13/2009 17:25:47

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Wednesday, January 20, 2010 09:22

Starting search for hidden objects.
'54919' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'NMIndexingService.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'RtkBtMnt.exe' - '1' Module(s) have been scanned
Scan process 'WindowsSearch.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'SmileboxTray.exe' - '1' Module(s) have been scanned
Scan process 'msnmsgr.exe' - '1' Module(s) have been scanned
Scan process 'NMIndexStoreSvr.exe' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'NMBgMonitor.exe' - '1' Module(s) have been scanned
Scan process 'LocationFinder.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'igfxext.exe' - '1' Module(s) have been scanned
Scan process 'PDVDServ.exe' - '1' Module(s) have been scanned
Scan process 'igfxpers.exe' - '1' Module(s) have been scanned
Scan process 'igfxsrvc.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'admtray.exe' - '1' Module(s) have been scanned
Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned
Scan process 'LManager.exe' - '1' Module(s) have been scanned
Scan process 'RTHDCPL.exe' - '1' Module(s) have been scanned
Scan process 'WLTRAY.EXE' - '1' Module(s) have been scanned
Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'searchindexer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'RichVideo.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'admServ.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'BRSS01A.EXE' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'BRSVC01A.EXE' - '1' Module(s) have been scanned
Scan process 'BCMWLTRY.EXE' - '1' Module(s) have been scanned
Scan process 'WLTRYSVC.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
53 processes with 53 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '60' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Qoobox\Quarantine\C\ovqac.exe.vir
[DETECTION] Is the TR/Cutwail.AA Trojan
C:\Qoobox\Quarantine\C\sofxlipg.exe.vir
[DETECTION] Is the TR/Dldr.FraudLoad.ggk.1 Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\mdg\imPlayok.exe.vir
[DETECTION] Is the TR/Cutwail.AA Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\dimijeno.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\g80geez9n.dll.vir
[DETECTION] Is the TR/Vundo.169 Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\gaweyego.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\geguboko.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\imPlayok.exe.vir
[DETECTION] Is the TR/Cutwail.AA Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbdsock.dll.vir
[DETECTION] Is the TR/Agent.deot.3 Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\lukirepa.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\mhisya.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\mshlps.dll.vir
[DETECTION] Is the TR/Agent.deou.2 Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\nadohipi.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\regedit.exe.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\rpkevq.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\sgkypy.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\wedewawa.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\yinofagi.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\znkwdv.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\_regedit_.exe.zip
[0] Archive type: ZIP
--> regedit.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan

Beginning disinfection:
C:\Qoobox\Quarantine\C\ovqac.exe.vir
[DETECTION] Is the TR/Cutwail.AA Trojan
[NOTE] The file was moved to '4bc82b55.qua'!
C:\Qoobox\Quarantine\C\sofxlipg.exe.vir
[DETECTION] Is the TR/Dldr.FraudLoad.ggk.1 Trojan
[NOTE] The file was moved to '4bbd2b4e.qua'!
C:\Qoobox\Quarantine\C\Documents and Settings\mdg\imPlayok.exe.vir
[DETECTION] Is the TR/Cutwail.AA Trojan
[NOTE] The file was moved to '4ba72b4c.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\dimijeno.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4bc42b48.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\g80geez9n.dll.vir
[DETECTION] Is the TR/Vundo.169 Trojan
[NOTE] The file was moved to '4b872b17.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\gaweyego.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4bce2b40.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\geguboko.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4bbe2b44.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\imPlayok.exe.vir
[DETECTION] Is the TR/Cutwail.AA Trojan
[NOTE] The file was moved to '486c2a1d.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbdsock.dll.vir
[DETECTION] Is the TR/Agent.deot.3 Trojan
[NOTE] The file was moved to '4bbb2b41.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\lukirepa.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4bc22b54.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\mhisya.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4bc02b47.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\mshlps.dll.vir
[DETECTION] Is the TR/Agent.deou.2 Trojan
[NOTE] The file was moved to '4bbf2b52.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\nadohipi.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4bbb2b40.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\regedit.exe.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4bbe2b45.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\rpkevq.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4bc22b50.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\sgkypy.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4bc22b47.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\wedewawa.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4bbb2b45.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\yinofagi.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4bc52b49.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\znkwdv.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4bc22b4e.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\_regedit_.exe.zip
[NOTE] The file was moved to '4bbc2b52.qua'!


End of the scan: Wednesday, January 20, 2010 11:10
Used time: 30:24 Minute(s)

The scan has been done completely.

8473 Scanned directories
177150 Files were scanned
20 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
20 Files were moved to quarantine
0 Files were renamed
1 Files cannot be scanned
177129 Files not concerned
1680 Archives were scanned
1 Warnings
21 Notes
54919 Objects were scanned with rootkit scan
0 Hidden objects were found

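A point worth reading out of the report above: every detection is under C:\Qoobox\Quarantine, which is ComboFix's quarantine folder, so Avira was re-flagging files that had already been neutralised rather than finding live infections, and the 20 moves it performed only shuffled quarantined copies into its own .qua store. The following Python script is an added example (not from the thread, from Avira, or from BleepingComputer) that parses this plain-text report format and separates hits on already-quarantined paths from hits on live paths, so a helper can see at a glance whether anything outside the quarantine was found. It assumes the line shapes seen in this report (a path line followed by `[DETECTION] Is the ...` lines, `--> member` lines for archive members, and `[NOTE] The file was moved to '...'` lines in the disinfection section); the quarantine prefix comes from the log, while the SAMPLE_REPORT is constructed from a few lines of the report plus one invented live path (EXAMPLE_live.dll) to exercise the live-hit branch.

```python
"""Triage an Avira AntiVir text report: which detections are on live paths and
which are re-detections of files already sitting in a quarantine folder.
Added example; line patterns are assumptions based on the report quoted above."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Quarantine folders whose contents a scanner re-detects even though the files
# are already neutralised. C:\Qoobox\Quarantine is ComboFix's (as in the log);
# extend the tuple for other tools' quarantine locations.
QUARANTINE_PREFIXES = ("c:\\qoobox\\quarantine\\",)

PATH_RE = re.compile(r"^[A-Za-z]:\\")                    # a scanned object's path
DETECT_RE = re.compile(r"^\[DETECTION\] Is the (\S+)")   # captures e.g. TR/Vundo.Gen
MOVED_RE = re.compile(r"^\[NOTE\] The file was moved to '([^']+)'")


@dataclass(frozen=True)
class Detection:
    path: str
    signature: str
    member: Optional[str]  # archive member that was hit ("--> regedit.exe"), if any


def in_quarantine(path: str) -> bool:
    """True if the path lies under a known quarantine folder (case-insensitive)."""
    return path.lower().startswith(QUARANTINE_PREFIXES)


def parse_report(text: str):
    """Return (detections from the file-scan section, {path: .qua name} from the
    disinfection section). Detections are taken only from the scan section so the
    repeated [DETECTION] lines under 'Beginning disinfection:' are not double-counted."""
    detections, moved = [], {}
    current, member, in_disinfection = None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Beginning disinfection:"):
            in_disinfection, current = True, None
        elif PATH_RE.match(line):
            current, member = line, None        # new object; reset archive member
        elif line.startswith("--> "):
            member = line[4:]                   # member inside the current archive
        elif current is not None:
            hit = DETECT_RE.match(line)
            if hit and not in_disinfection:
                detections.append(Detection(current, hit.group(1), member))
            mv = MOVED_RE.match(line)
            if mv and in_disinfection:
                moved[current] = mv.group(1)
    return detections, moved


def triage(text: str) -> dict:
    """Summarise a report: live hits vs. hits on already-quarantined files,
    per-signature counts, and anything detected that was not moved to quarantine."""
    detections, moved = parse_report(text)
    live = [d for d in detections if not in_quarantine(d.path)]
    stale = [d for d in detections if in_quarantine(d.path)]
    return {
        "total": len(detections),
        "live_paths": sorted(d.path for d in live),
        "already_quarantined": len(stale),
        "signatures": Counter(d.signature for d in detections),
        "not_moved": sorted(d.path for d in detections if d.path not in moved),
    }


# Constructed sample in the shape of the report above: three lines taken from it
# plus one invented live path (EXAMPLE_live.dll) so the live-hit branch is exercised.
SAMPLE_REPORT = r"""
Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
C:\Qoobox\Quarantine\C\ovqac.exe.vir
[DETECTION] Is the TR/Cutwail.AA Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\dimijeno.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\_regedit_.exe.zip
[0] Archive type: ZIP
--> regedit.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
C:\WINDOWS\system32\EXAMPLE_live.dll
[DETECTION] Is the TR/Vundo.Gen Trojan

Beginning disinfection:
C:\Qoobox\Quarantine\C\ovqac.exe.vir
[DETECTION] Is the TR/Cutwail.AA Trojan
[NOTE] The file was moved to '4bc82b55.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\dimijeno.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4bc42b48.qua'!
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Run against the full report from the post, `live_paths` comes back empty and `already_quarantined` equals the 20 detections Avira counted, which is the quick way to confirm that the scan found nothing outside ComboFix's quarantine. The `not_moved` list is the other thing to look at: a detection that never gets a matching "moved to" note is one the scanner reported but did not contain.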


#15 nexus_99

nexus_99
  • Topic Starter

  • Members
  • 119 posts

Posted 20 January 2010 - 11:15 AM

And, the computer is running great. No problems at all, although there was something interesting that seems to be new.

When the computer boots up now, it goes to a black screen and asks which version of Windows we want to run on. As far as I know, there has only ever been 1 version on the computer, and we've never seen that screen before.

If you would like further information on that start up screen (perhaps it's a by-product of ComboFix or something), please let me know. Otherwise, everything is running very smoothly, thanks to your expertise.



