
Please help infected with rkit/kriptic


  • This topic is locked
26 replies to this topic

#1 kashmier


Posted 27 January 2010 - 01:20 PM

Hi

Over the last two days I have been experiencing a lot of problems due to an attack that somehow got onto my computer. I can think of a few ways that I may have helped it to get there, but that is no longer the issue. I need to get this off my computer. At first my browser stopped responding and a message came up that said I was infected; next it seemed like everything I clicked on, including the task bar, brought up an error message saying it was infected, leaving me unable to use it. At first it was lasa.blaster, then it would change to something else. I thought I got it all off with a trojan remover I used in safe mode, but when I got to a certain system32 file, bcztd.sys, it was unable to remove it. My Avira was also unable to remove it. Then when I tried to use another malware program I got a blue screen. This was a first on my laptop, and had it not been for spelling errors I would have been really worried.

I saw this problem on a post and it was almost exactly what is going on with me, and your staff was able to help. My only problem is that I will not be able to download and follow your instructions correctly. I just got this machine back from a problem after trying to install SP2. My disc drive is broken and I was unable to reinstall Vista on my own.

I hope you can help me.

Marisa

Hi again

I downloaded and ran the program DDS. Here are the results:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Marisa at 13:27:19.08 on Wed 01/27/2010
Internet Explorer: 8.0.6001.18882
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2038.1235 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: AntiVir Desktop *disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\WINDOWS\sttray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Camera Assistant Software for Gateway\traybar.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Spare Backup\SpareBackup.exe
C:\Windows\system32\igfxsrvc.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Canon\Memory Card Utility\iP6310D\PDUiP6310DMon.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Camera Assistant Software for Gateway\CEC_MAIN.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\explorer.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Marisa\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6307
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6307
mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6307
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6307
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [Ecolitefesufiyas] rundll32.exe "c:\users\marisa\appdata\local\KBDFWin.dll",Startup
uRun: [Xfovixuyoyulid] rundll32.exe "c:\users\marisa\appdata\local\uwawalif.dll",Startup
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for gateway\traybar.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Spare Backup] "c:\program files\spare backup\SpareBackup.exe" /silent
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [PDUiP6310DMon] c:\program files\canon\memory card utility\ip6310d\PDUiP6310DMon.exe
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CTCheck] c:\program files\creative\creative zen\zen media explorer\CTCheck.exe
mRun: [TrojanScanner] c:\program files\trojan remover\Trjscan.exe /boot
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} - hxxp://support.microsoft.com/mats/DiagWebControl.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\marisa\appdata\roaming\mozilla\firefox\profiles\v7b6ju7b.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ManageAccount|http://support.mozilla.com/en-US/kb/How+to+set+the+home+page
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-12-29 28552]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-11-8 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-11-8 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-11-8 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-11-8 56816]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2009-6-10 347648]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]

=============== Created Last 30 ================

2010-01-26 01:06:28 224008299 ----a-w- c:\windows\MEMORY.DMP
2010-01-25 23:07:07 763904 ----a-w- c:\windows\system32\drivers\bcztd.sys
2010-01-25 23:04:59 0 d-----w- c:\programdata\94526228
2010-01-25 23:04:38 24 ----a-w- c:\users\marisa\appdata\roaming\anvkgp.dat
2010-01-25 23:04:23 4 ----a-w- c:\users\marisa\appdata\roaming\avdrn.dat
2010-01-16 02:27:21 0 d-----w- c:\programdata\eBay
2010-01-13 06:33:49 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-13 06:33:48 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-13 06:33:47 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-01-13 06:33:47 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-01-13 06:33:47 24064 ----a-w- c:\windows\system32\lpk.dll
2010-01-13 06:33:47 10240 ----a-w- c:\windows\system32\dciman32.dll
2010-01-10 02:16:33 57667 ----a-w- c:\windows\system32\ieuinit.inf
2009-12-31 12:16:52 0 d-----w- c:\program files\TweetDeck
2009-12-30 04:48:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-12-30 04:47:47 0 d-----w- c:\program files\Panda Security
2009-12-29 21:31:48 0 d-----w- c:\users\marisa\appdata\roaming\an
2009-12-29 07:50:50 0 d-----w- c:\program files\Visions Of Chaos
2009-12-29 07:08:40 0 d-----w- c:\program files\Chaoscope
2009-12-29 06:59:06 0 d-----w- c:\program files\Apophysis 2.0
2009-12-29 06:56:31 896000 ----a-w- c:\program files\STERLING2.EXE
2009-12-29 06:56:31 86528 ----a-w- c:\program files\ftloo01.dll
2009-12-29 06:56:13 0 d-----w- c:\program files\sterling

==================== Find3M ====================

2010-01-02 06:38:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32:33 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32:33 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57:00 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-29 06:56:31 6236 ----a-w- c:\program files\SterlingInstructions.html
2009-12-29 06:56:31 3126 ----a-w- c:\program files\SterlingW2589q.ico
2009-12-14 19:15:14 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-09 02:54:55 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-01 19:35:49 3341 ----a-w- c:\windows\unins000.dat
2009-12-01 19:35:38 682266 ----a-w- c:\windows\unins000.exe
2009-11-20 00:26:07 86016 ----a-w- c:\windows\inf\infstrng.dat
2009-11-20 00:26:07 51200 ----a-w- c:\windows\inf\infpub.dat
2009-11-20 00:25:54 86016 ----a-w- c:\windows\inf\infstor.dat
2009-11-19 23:55:03 0 ----a-w- c:\users\marisa\appdata\roaming\wklnhst.dat
2009-11-13 19:31:40 49152 ----a-r- c:\windows\system32\inetwh32.dll
2009-11-13 19:31:40 1044480 ----a-r- c:\windows\system32\roboex32.dll
2009-11-09 13:34:40 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 13:30:40 31232 ----a-w- c:\windows\system32\httpapi.dll
2009-11-05 08:01:51 268800 ----a-w- c:\windows\system32\es.dll
2009-11-03 18:56:06 14848 ----a-w- c:\windows\system32\wshrm.dll
2009-11-03 18:55:53 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-11-03 18:55:26 11776 ----a-w- c:\windows\system32\sbunattend.exe
2009-11-03 18:54:57 83968 ----a-w- c:\windows\system32\dnsrslvr.dll
2009-11-03 18:54:57 24576 ----a-w- c:\windows\system32\dnscacheugc.exe
2009-11-03 18:46:43 174 --sha-w- c:\program files\desktop.ini
2009-11-03 18:40:09 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-03 15:39:01 61440 ----a-w- c:\windows\system32\winipsec.dll
2009-11-03 15:39:01 361984 ----a-w- c:\windows\system32\IPSECSVC.DLL
2009-11-03 15:39:01 28672 ----a-w- c:\windows\system32\FwRemoteSvr.dll
2009-11-03 15:39:01 272896 ----a-w- c:\windows\system32\polstore.dll
2009-11-03 15:36:14 95232 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-11-03 15:36:14 241152 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-11-03 15:36:14 160768 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-11-03 15:34:52 15360 ----a-w- c:\windows\system32\netevent.dll
2009-11-03 15:34:51 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-11-03 15:34:51 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-11-03 15:34:51 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-11-03 15:34:51 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-11-03 15:34:51 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-11-03 15:34:51 103936 ----a-w- c:\windows\system32\netiohlp.dll
2009-11-03 15:34:51 10240 ----a-w- c:\windows\system32\finger.exe
2009-11-03 15:34:50 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-11-03 15:34:48 22016 ----a-w- c:\windows\system32\netiougc.exe
2009-11-03 15:34:48 167424 ----a-w- c:\windows\system32\tcpipcfg.dll
2009-11-03 15:33:03 704000 ----a-w- c:\windows\system32\PhotoScreensaver.scr
2009-11-03 15:33:03 356352 ----a-w- c:\windows\system32\wbem\wbemcomn.dll
2009-11-03 15:33:01 24064 ----a-w- c:\windows\system32\wtsapi32.dll
2009-11-03 15:32:58 542720 ----a-w- c:\windows\system32\sysmain.dll
2009-11-03 15:31:39 194560 ----a-w- c:\windows\system32\WebClnt.dll
2009-11-03 15:30:29 123904 ----a-w- c:\windows\system32\L2SecHC.dll
2009-11-03 15:30:28 67584 ----a-w- c:\windows\system32\wlanhlp.dll
2009-11-03 15:30:28 47104 ----a-w- c:\windows\system32\wlanapi.dll
2009-11-03 15:30:27 502272 ----a-w- c:\windows\system32\wlansvc.dll
2009-11-03 15:30:27 297984 ----a-w- c:\windows\system32\wlansec.dll
2009-11-03 15:30:27 290816 ----a-w- c:\windows\system32\wlanmsm.dll
2009-11-03 15:26:28 216576 ----a-w- c:\windows\system32\msv1_0.dll
2009-11-03 15:25:10 2855424 ----a-w- c:\windows\system32\mf.dll
2009-11-03 15:25:09 98816 ----a-w- c:\windows\system32\mfps.dll
2009-11-03 15:25:09 52736 ----a-w- c:\windows\system32\rrinstaller.exe
2009-11-03 15:25:09 24576 ----a-w- c:\windows\system32\mfpmp.exe
2009-11-03 15:25:09 2048 ----a-w- c:\windows\system32\mferror.dll
2009-11-03 15:19:35 71680 ----a-w- c:\windows\system32\atl.dll
2009-11-03 15:18:34 297472 ----a-w- c:\windows\system32\gdi32.dll
2009-11-03 15:13:10 3502152 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-11-03 15:13:10 3467864 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-11-03 15:10:07 500736 ----a-w- c:\windows\system32\msdtcprx.dll
2009-11-03 15:10:07 30208 ----a-w- c:\windows\system32\xolehlp.dll
2009-11-03 15:09:08 156160 ----a-w- c:\windows\system32\wkssvc.dll
2009-11-03 15:08:07 36352 ----a-w- c:\windows\system32\tsgqec.dll
2009-11-03 15:08:07 116736 ----a-w- c:\windows\system32\aaclient.dll
2009-11-03 15:08:06 1871872 ----a-w- c:\windows\system32\mstscax.dll
2009-11-03 15:07:01 303616 ----a-w- c:\windows\system32\wmpeffects.dll
2009-11-03 15:04:55 356864 ----a-w- c:\windows\system32\MediaMetadataHandler.dll
2009-11-03 15:01:49 428032 ----a-w- c:\windows\system32\EncDec.dll
2009-11-03 15:01:49 1244672 ----a-w- c:\windows\system32\mcmde.dll
2009-11-03 15:01:48 292352 ----a-w- c:\windows\system32\psisdecd.dll
2009-11-03 14:58:44 696832 ----a-w- c:\windows\system32\localspl.dll
2009-11-03 14:57:51 88576 ----a-w- c:\windows\system32\avifil32.dll
2009-11-03 14:57:51 82944 ----a-w- c:\windows\system32\mciavi32.dll
2009-11-03 14:57:51 65024 ----a-w- c:\windows\system32\avicap32.dll
2009-11-03 14:57:51 31232 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-03 14:57:51 12800 ----a-w- c:\windows\system32\msrle32.dll
2009-11-03 14:57:51 123904 ----a-w- c:\windows\system32\msvfw32.dll
2009-11-03 14:55:00 2923520 ----a-w- c:\windows\explorer.exe
2009-11-03 14:52:02 7680 ----a-w- c:\windows\system32\lsass.exe
2009-11-03 14:52:02 72704 ----a-w- c:\windows\system32\secur32.dll
2009-11-03 14:52:02 494592 ----a-w- c:\windows\system32\kerberos.dll
2009-11-03 14:52:02 175104 ----a-w- c:\windows\system32\wdigest.dll
2009-11-03 14:52:01 272384 ----a-w- c:\windows\system32\schannel.dll
2009-11-03 14:52:01 1233920 ----a-w- c:\windows\system32\lsasrv.dll
2009-11-03 14:51:01 24064 ----a-w- c:\windows\system32\netcfg.exe
2009-11-03 14:46:32 1585664 ----a-w- c:\windows\system32\setupapi.dll
2009-11-03 14:44:05 549888 ----a-w- c:\windows\system32\rpcss.dll
2009-11-03 14:44:03 654336 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2009-11-03 14:44:03 247296 ----a-w- c:\windows\system32\wbem\WmiPrvSE.exe
2009-11-03 14:44:03 24576 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2009-11-03 14:44:03 130560 ----a-w- c:\windows\system32\wbem\WmiDcPrv.dll
2009-11-03 14:44:02 614912 ----a-w- c:\windows\system32\wbem\fastprox.dll
2009-11-03 14:44:02 501760 ----a-w- c:\windows\system32\wbem\WmiPrvSD.dll
2009-11-03 14:44:01 97280 ----a-w- c:\windows\system32\iasrecst.dll
2002-08-01 00:55:12 108 --sh--w- c:\windows\WSYS049.SYS

============= FINISH: 13:28:04.64 ===============

Edited by kashmier, 27 January 2010 - 01:33 PM.
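As an added example (not part of this thread, and not code from the DDS tool), here is a small Python triage script that parses the "Pseudo HJT Report" and "Created Last 30" sections of a DDS log like the one above and flags the kinds of entries a helper looks at first: logon entries that load a DLL from the user profile through rundll32, orphaned BHOs, newly created kernel drivers, and odd files under ProgramData or the roaming profile. The sample lines are copied from the posted log; the heuristics are my own assumptions about what merits a closer look, not DDS rules or a verdict on these files.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    section: str   # DDS section the line came from
    reason: str    # why a helper should look at it
    line: str      # the original log line


# Constructed excerpt: these lines are copied from the DDS log posted above.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [Ecolitefesufiyas] rundll32.exe "c:\users\marisa\appdata\local\KBDFWin.dll",Startup
uRun: [Xfovixuyoyulid] rundll32.exe "c:\users\marisa\appdata\local\uwawalif.dll",Startup
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

=============== Created Last 30 ================

2010-01-26 01:06:28 224008299 ----a-w- c:\windows\MEMORY.DMP
2010-01-25 23:07:07 763904 ----a-w- c:\windows\system32\drivers\bcztd.sys
2010-01-25 23:04:59 0 d-----w- c:\programdata\94526228
2010-01-25 23:04:38 24 ----a-w- c:\users\marisa\appdata\roaming\anvkgp.dat
2010-01-13 06:33:49 156672 ----a-w- c:\windows\system32\t2embed.dll
"""

# DDS section banners look like "====== Name ======".
SECTION_RE = re.compile(r"^=+\s*(?P<name>[^=]+?)\s*=+$")
# uRun / mRun / mRunOnce lines: "[value name] command line".
RUN_RE = re.compile(r"^[um]Run(?:Once)?:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
BHO_RE = re.compile(r"^BHO:\s*(?P<rest>.*)$")
# "Created Last 30" lines: timestamp, size, attribute flags, path.
CREATED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(?P<size>\d+)\s+(?P<attr>\S+)\s+(?P<path>.+)$"
)


def _split_sections(text):
    """Group non-blank log lines under the banner that precedes them."""
    sections = {}
    current = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def check_hjt(lines):
    """Heuristics (assumed) for the Pseudo HJT Report section."""
    findings = []
    for line in lines:
        m = RUN_RE.match(line)
        if m:
            cmd = m.group("cmd").lower()
            # A logon entry that runs rundll32 on a DLL inside the user profile
            # is a pattern worth verifying, whatever the value name says.
            if "rundll32" in cmd and "\\appdata\\" in cmd:
                findings.append(Finding("Pseudo HJT Report",
                                        "logon entry loads a DLL from the user profile via rundll32", line))
            continue
        m = BHO_RE.match(line)
        if m and m.group("rest").lower().endswith("no file"):
            findings.append(Finding("Pseudo HJT Report",
                                    "BHO registered but its file is missing (orphaned entry)", line))
    return findings


def check_created(lines):
    """Heuristics (assumed) for the Created Last 30 section."""
    findings = []
    for line in lines:
        m = CREATED_RE.match(line)
        if not m:
            continue
        path = m.group("path").lower()
        size = int(m.group("size"))
        is_dir = m.group("attr").startswith("d")
        if path.endswith(".sys") and "\\drivers\\" in path:
            findings.append(Finding("Created Last 30", "new kernel driver; check publisher and signature", line))
        elif path.endswith(".dat") and "\\appdata\\roaming\\" in path and size < 64:
            findings.append(Finding("Created Last 30", "tiny data file in roaming profile (marker/config?)", line))
        elif is_dir and "\\programdata\\" in path and re.fullmatch(r"\d+", path.rsplit("\\", 1)[-1]):
            findings.append(Finding("Created Last 30", "numeric-named directory in ProgramData", line))
    return findings


def triage(log_text):
    """Return the findings for a DDS log, HJT section first, then Created Last 30."""
    sections = _split_sections(log_text)
    return (check_hjt(sections.get("Pseudo HJT Report", []))
            + check_created(sections.get("Created Last 30", [])))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```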


#2 kashmier


Posted 01 February 2010 - 09:32 PM

Just thought I would update; I am still hoping for help with this.


===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level, attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us wants someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work, may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take several days, up to more than a week, perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

Thank you for understanding.

Elise - forum moderator

Edited by elise025, 03 February 2010 - 11:21 AM.


#3 schrauber

  • Malware Response Team

Posted 03 February 2010 - 12:16 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system... click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
Regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#4 kashmier


Posted 03 February 2010 - 01:42 PM

This is the DDS scan done 2/3/2010.

DDS (Ver_09-12-01.01) - NTFSx86
Run by Marisa at 13:35:50.57 on Wed 02/03/2010
Internet Explorer: 8.0.6001.18882
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2038.195 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: AntiVir Desktop *disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\WINDOWS\sttray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Camera Assistant Software for Gateway\traybar.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Canon\Memory Card Utility\iP6310D\PDUiP6310DMon.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Windows\system32\igfxsrvc.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Camera Assistant Software for Gateway\CEC_MAIN.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\Taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZScanner.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Marisa\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6307
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6307
mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6307
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6307
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\program files\stopzilla!\SZIEBHO.dll
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [Ecolitefesufiyas] rundll32.exe "c:\users\marisa\appdata\local\KBDFWin.dll",Startup
uRun: [Xfovixuyoyulid] rundll32.exe "c:\users\marisa\appdata\local\uwawalif.dll",Startup
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for gateway\traybar.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [PDUiP6310DMon] c:\program files\canon\memory card utility\ip6310d\PDUiP6310DMon.exe
mRun: [CTCheck] c:\program files\creative\creative zen\zen media explorer\CTCheck.exe
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} - hxxp://support.microsoft.com/mats/DiagWebControl.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\marisa\appdata\roaming\mozilla\firefox\profiles\v7b6ju7b.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ManageAccount|http://support.mozilla.com/en-US/kb/How+to+set+the+home+page
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-12-29 28552]
R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [2009-12-7 61328]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [2009-12-14 163600]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-11-8 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-11-8 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-11-8 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-11-8 56816]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2009-6-10 347648]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [2009-12-7 61328]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]

=============== Created Last 30 ================

2010-02-03 17:25:32 1024 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2010-02-03 15:29:06 12896 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-02-03 10:22:41 0 d-----w- c:\programdata\SITEguard
2010-02-03 10:21:33 0 d-----w- c:\program files\STOPzilla!
2010-02-03 10:21:33 0 d-----w- c:\program files\common files\iS3
2010-02-03 10:21:32 0 d-----w- c:\programdata\STOPzilla!
2010-01-25 23:07:07 792064 ----a-w- c:\windows\system32\drivers\bcztd.sys
2010-01-25 23:04:59 0 d-----w- c:\programdata\94526228
2010-01-25 23:04:38 24 ----a-w- c:\users\marisa\appdata\roaming\anvkgp.dat
2010-01-25 23:04:23 4 ----a-w- c:\users\marisa\appdata\roaming\avdrn.dat
2010-01-16 02:27:21 0 d-----w- c:\programdata\eBay
2010-01-13 06:33:49 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-13 06:33:48 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-13 06:33:47 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-01-13 06:33:47 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-01-13 06:33:47 24064 ----a-w- c:\windows\system32\lpk.dll
2010-01-13 06:33:47 10240 ----a-w- c:\windows\system32\dciman32.dll
2010-01-10 02:16:33 57667 ----a-w- c:\windows\system32\ieuinit.inf

==================== Find3M ====================

2010-01-02 06:38:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32:33 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32:33 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57:00 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-29 06:56:45 896000 ----a-w- c:\program files\STERLING2.EXE
2009-12-29 06:56:31 86528 ----a-w- c:\program files\ftloo01.dll
2009-12-29 06:56:31 6236 ----a-w- c:\program files\SterlingInstructions.html
2009-12-29 06:56:31 3126 ----a-w- c:\program files\SterlingW2589q.ico
2009-12-23 19:13:34 545424 ----a-r- c:\windows\system32\SZComp5.dll
2009-12-23 19:13:32 438928 ----a-r- c:\windows\system32\SZBase5.dll
2009-12-23 19:04:54 17408 ----a-r- c:\windows\system32\SZIO5.dll
2009-12-14 19:15:14 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-14 15:24:24 163600 ----a-r- c:\windows\system32\drivers\SZKGFS.sys
2009-12-10 21:11:40 126976 ----a-r- c:\windows\system32\IS3HTUI5.dll
2009-12-10 21:11:32 393216 ----a-r- c:\windows\system32\IS3DBA5.dll
2009-12-10 21:09:24 385024 ----a-r- c:\windows\system32\IS3UI5.dll
2009-12-10 21:09:08 61440 ----a-r- c:\windows\system32\IS3Hks5.dll
2009-12-10 21:08:48 23040 ----a-r- c:\windows\system32\IS3XDat5.dll
2009-12-10 21:06:52 225280 ----a-r- c:\windows\system32\IS3Win325.dll
2009-12-10 21:06:30 94208 ----a-r- c:\windows\system32\IS3Inet5.dll
2009-12-10 21:05:54 94208 ----a-r- c:\windows\system32\IS3Svc5.dll
2009-12-10 21:02:42 729088 ----a-r- c:\windows\system32\IS3Base5.dll
2009-12-09 02:54:55 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-07 21:59:32 61328 ----a-r- c:\windows\system32\drivers\SZKG.sys
2009-12-07 21:59:32 61328 ----a-r- c:\windows\system32\drivers\is3srv.sys
2009-12-01 19:35:49 3341 ----a-w- c:\windows\unins000.dat
2009-12-01 19:35:38 682266 ----a-w- c:\windows\unins000.exe
2009-11-20 00:26:07 86016 ----a-w- c:\windows\inf\infstrng.dat
2009-11-20 00:26:07 51200 ----a-w- c:\windows\inf\infpub.dat
2009-11-20 00:25:54 86016 ----a-w- c:\windows\inf\infstor.dat
2009-11-19 23:55:03 0 ----a-w- c:\users\marisa\appdata\roaming\wklnhst.dat
2009-11-13 19:31:40 49152 ----a-r- c:\windows\system32\inetwh32.dll
2009-11-13 19:31:40 1044480 ----a-r- c:\windows\system32\roboex32.dll
2009-11-09 13:34:40 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 13:30:40 31232 ----a-w- c:\windows\system32\httpapi.dll
2009-11-03 18:46:43 174 --sha-w- c:\program files\desktop.ini
2009-11-03 18:40:09 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2002-08-01 00:55:12 108 --sh--w- c:\windows\WSYS049.SYS

============= FINISH: 13:37:19.93 ===============


#5 schrauber

schrauber
    Mr.Mechanic

  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 03 February 2010 - 02:47 PM

And the gmer scan?
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#6 kashmier

kashmier
  • Topic Starter

  • Members
  • 19 posts
  • Gender:Female
  • Location:Ringtown, PA

Posted 03 February 2010 - 04:01 PM

Hi
Sorry I had some problems with it. First time I ran it a blue screen came up when it hit
System32\Drivers\bcztd.sys - A device attached to this program is not functioning

The computer started again but it froze up and I could not close it so I put the battery in and out. I do that a lot because I do not know how to close it from the system button.

Next I ran it using safe mode and here are the results

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-03 15:48:36
Windows 6.0.6000
Running: bnh9xztk.exe; Driver: C:\Users\Marisa\AppData\Local\Temp\kwliypod.sys


---- Kernel code sections - GMER 1.0.15 ----

.pak2 C:\Windows\System32\Drivers\bcztd.sys entry point in ".pak2" section [0x807A73B6]
? C:\Windows\System32\Drivers\bcztd.sys A device attached to the system is not functioning.

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 85540A00

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] bcztd <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\bcztd@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\bcztd@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\bcztd@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\bcztd@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\Services\bcztd@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\bcztd@Start 0
Reg HKLM\SYSTEM\ControlSet002\Services\bcztd@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\bcztd@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet003\Services\bcztd@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\bcztd@Start 0
Reg HKLM\SYSTEM\ControlSet003\Services\bcztd@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\bcztd@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet004\Services\bcztd@Type 1
Reg HKLM\SYSTEM\ControlSet004\Services\bcztd@Start 0
Reg HKLM\SYSTEM\ControlSet004\Services\bcztd@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet004\Services\bcztd@Group Boot Bus Extender

---- EOF - GMER 1.0.15 ----


#7 kashmier

kashmier
  • Topic Starter

  • Members
  • 19 posts
  • Gender:Female
  • Location:Ringtown, PA

Posted 03 February 2010 - 04:03 PM

This problem has been happening with security items and when I went to make sure my anti virus was on it is no longer showing in the task bar. I tried to activate it using the task bar set up but it still does not show. Do you have any ideas how I can tell when it is running?

Thanks again
Marisa

#8 schrauber

schrauber
    Mr.Mechanic

  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 04 February 2010 - 03:32 PM

Hi,


Please go here and have a look at how you can disable your security software.

Download Combofix from any of the links below but rename it to before saving it to your desktop.

Link 1
Link 2



--------------------------------------------------------------------

Double click on the renamed Combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
regards,
schrauber


#9 kashmier

kashmier
  • Topic Starter

  • Members
  • 19 posts
  • Gender:Female
  • Location:Ringtown, PA

Posted 04 February 2010 - 04:09 PM

Hi

The problem with the computer is pretty much linked to any security system I open. I have Avira right now and when I ran the other scans you sent it was deleted from the task tray. It must still be working because I have it set to scan at 12 noon and it started up. I have been canceling it for the last few days because once it finds the virus everything starts to freeze up. Also it shows up in my task manager as avcenter.exe; the CPU is fluctuating from 00 to about 04 with 7,616K - Antivirus Control Center. If I even try to end the process the warning comes up for the virus/trojan horse and things start freezing up.

I tried getting the icon to show up in the tray through the taskbar properties and it won't show even set at always show. I don't know what I should do.


Thank you
Marisa

#10 kashmier

kashmier
  • Topic Starter

  • Members
  • 19 posts
  • Gender:Female
  • Location:Ringtown, PA

Posted 04 February 2010 - 04:57 PM

Hi

Thank goodness I have a computer I can get onto. I did the Combofix and after it rebooted the machine these messages came up. The message boxes were marked RunDll - Error Loading
C:\User\Marisa\AppData\Local\uwawalif.dll
The specified module could not be found

C:\User\Marisa\AppData\Local\KBDFWin.dll
The specified module could not be found

I closed these warnings and the log was prepared. I copied it to my desktop and when I tried to open my internet connection or any program for that matter this came up
Illegal operation attempted on a registry key that has been modified for deletion.

I don't know if I should reboot the computer or what. I saved the log and sent it over the network

ComboFix 10-02-04.01 - Marisa 02/04/2010 16:18:17.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2038.1232 [GMT -5:00]
Running from: c:\users\Marisa\Downloads\schrauber.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: AntiVir Desktop *disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-3388985760-1675286646-581509784-500
c:\users\Marisa\AppData\Local\{A0BFB652-B9A2-4585-B4B5-B5418D4DBC7D}
c:\users\Marisa\AppData\Local\{A0BFB652-B9A2-4585-B4B5-B5418D4DBC7D}\chrome.manifest
c:\users\Marisa\AppData\Local\{A0BFB652-B9A2-4585-B4B5-B5418D4DBC7D}\chrome\content\_cfg.js
c:\users\Marisa\AppData\Local\{A0BFB652-B9A2-4585-B4B5-B5418D4DBC7D}\chrome\content\overlay.xul
c:\users\Marisa\AppData\Local\{A0BFB652-B9A2-4585-B4B5-B5418D4DBC7D}\install.rdf
c:\users\Marisa\AppData\Local\KBDFWin.dll
c:\users\Marisa\AppData\Local\uwawalif.dll
c:\users\Marisa\AppData\Roaming\avdrn.dat
c:\windows\system32\drivers\bcztd.sys
c:\windows\system32\stacsv.exe
c:\windows\system32\xpysys.dll
c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
c:\windows\unins000.dat
c:\windows\unins000.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_bcztd
-------\Service_bcztd


((((((((((((((((((((((((( Files Created from 2010-01-04 to 2010-02-04 )))))))))))))))))))))))))))))))
.

2010-02-03 10:22 . 2010-02-03 10:22 -------- d-----w- c:\programdata\SITEguard
2010-02-03 10:21 . 2010-02-03 10:21 -------- d-----w- c:\program files\Common Files\iS3
2010-02-03 10:21 . 2010-02-03 19:12 -------- d-----w- c:\programdata\STOPzilla!
2010-01-25 23:08 . 2010-02-04 21:18 0 ----a-w- c:\users\Marisa\AppData\Local\Tfaxejivuluyet.bin
2010-01-25 23:08 . 2010-02-03 17:29 120 ----a-w- c:\users\Marisa\AppData\Local\Yvawov.dat
2010-01-25 23:04 . 2010-01-29 22:26 -------- d-----w- c:\programdata\94526228
2010-01-16 02:27 . 2010-01-16 02:27 -------- d-----w- c:\programdata\eBay
2010-01-13 06:33 . 2009-10-19 14:42 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-13 06:33 . 2009-10-19 14:37 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-13 06:33 . 2009-10-19 14:39 24064 ----a-w- c:\windows\system32\lpk.dll
2010-01-13 06:33 . 2009-10-19 14:37 10240 ----a-w- c:\windows\system32\dciman32.dll
2010-01-13 06:33 . 2009-10-19 14:36 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-01-13 06:33 . 2009-10-19 11:45 289792 ----a-w- c:\windows\system32\atmfd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-03 19:10 . 2010-02-03 19:10 240 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-02-03 15:30 . 2009-11-03 12:45 -------- d-----w- c:\users\Marisa\AppData\Roaming\Spare Backup
2010-01-29 22:35 . 2009-12-27 13:37 -------- d-----w- c:\program files\Trojan Remover
2010-01-25 23:04 . 2010-01-25 23:04 24 ----a-w- c:\users\Marisa\AppData\Roaming\anvkgp.dat
2010-01-16 02:27 . 2009-11-02 23:31 -------- d-----w- c:\program files\eBay
2010-01-13 08:11 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-01-10 02:17 . 2009-11-02 23:40 -------- d-----w- c:\programdata\WildTangent
2010-01-02 06:38 . 2010-01-22 01:50 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-22 01:50 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32 . 2010-01-22 01:50 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57 . 2010-01-22 01:50 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-31 12:16 . 2009-12-31 12:16 -------- d-----w- c:\program files\TweetDeck
2009-12-30 04:47 . 2009-12-30 04:47 -------- d-----w- c:\program files\Panda Security
2009-12-30 02:39 . 2009-12-29 21:31 -------- d-----w- c:\users\Marisa\AppData\Roaming\an
2009-12-29 07:54 . 2009-12-29 07:50 -------- d-----w- c:\program files\Visions Of Chaos
2009-12-29 07:08 . 2009-12-29 07:08 -------- d-----w- c:\program files\Chaoscope
2009-12-29 06:59 . 2009-12-29 06:59 -------- d-----w- c:\program files\Apophysis 2.0
2009-12-29 06:56 . 2009-12-29 06:56 896000 ----a-w- c:\program files\STERLING2.EXE
2009-12-29 06:56 . 2009-12-29 06:56 86528 ----a-w- c:\program files\ftloo01.dll
2009-12-29 06:56 . 2009-12-29 06:56 6236 ----a-w- c:\program files\SterlingInstructions.html
2009-12-29 06:56 . 2009-12-29 06:56 3126 ----a-w- c:\program files\SterlingW2589q.ico
2009-12-29 06:56 . 2009-12-29 06:56 -------- d-----w- c:\program files\sterling
2009-12-29 06:51 . 2009-12-03 19:17 -------- d-----w- c:\program files\Audible
2009-12-29 01:37 . 2009-11-18 22:52 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-12-29 01:37 . 2009-11-18 22:53 38784 ----a-w- c:\users\Marisa\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-12-29 01:37 . 2009-11-18 22:53 38784 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-12-27 14:05 . 2009-11-11 16:06 -------- d-----w- c:\program files\Nvu
2009-12-27 14:05 . 2009-11-11 15:47 -------- d-----w- c:\program files\SeaMonkey
2009-12-27 14:05 . 2009-11-04 22:33 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-12-27 14:05 . 2009-11-02 23:28 -------- d-----w- c:\program files\REALTEK USB Wireless LAN Driver
2009-12-27 13:37 . 2009-12-27 13:37 -------- d-----w- c:\users\Marisa\AppData\Roaming\Simply Super Software
2009-12-27 12:37 . 2009-12-27 12:37 -------- d-----w- c:\program files\AML Products
2009-12-27 12:16 . 2009-12-27 12:16 -------- d-----w- c:\programdata\XoftSpySE
2009-12-26 01:06 . 2009-12-26 01:06 -------- d-----w- c:\program files\BitZipper
2009-12-26 01:06 . 2009-12-26 01:06 -------- d-----w- c:\users\Marisa\AppData\Roaming\BitZipper
2009-12-26 01:04 . 2009-12-26 00:36 -------- d-----w- c:\users\Marisa\AppData\Roaming\Ultra Fractal 5
2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-09 02:54 . 2009-11-08 14:56 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-08 03:33 . 2009-12-03 19:14 -------- d-----w- c:\programdata\Creative
2009-11-19 23:55 . 2009-11-19 23:55 0 ----a-w- c:\users\Marisa\AppData\Roaming\wklnhst.dat
2009-11-18 16:05 . 2009-11-18 16:05 680 ----a-w- c:\users\Marisa\AppData\Local\d3d9caps.dat
2009-11-13 19:31 . 2009-11-13 19:31 49152 ----a-r- c:\windows\system32\inetwh32.dll
2009-11-13 19:31 . 2009-11-13 19:31 1044480 ----a-r- c:\windows\system32\roboex32.dll
2009-11-09 13:34 . 2009-12-13 08:03 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 13:30 . 2009-12-13 08:03 31232 ----a-w- c:\windows\system32\httpapi.dll
2009-11-09 11:17 . 2009-12-13 08:03 396800 ----a-w- c:\windows\system32\drivers\http.sys
2002-08-01 00:55 . 2009-11-19 19:32 108 --sh--w- c:\windows\WSYS049.SYS
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 868352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-13 178712]
"SigmatelSysTrayApp"="sttray.exe" [2007-01-30 303104]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-26 865840]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Gateway\traybar.exe" [2007-06-30 638976]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"PDUiP6310DMon"="c:\program files\Canon\Memory Card Utility\iP6310D\PDUiP6310DMon.exe" [2006-10-03 75376]
"CTCheck"="c:\program files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe" [2007-11-06 397312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-07-13 40072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

R0 pavboot;pavboot;c:\windows\System32\drivers\pavboot.sys [12/29/2009 11:48 PM 28552]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/8/2009 9:56 AM 108289]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\System32\drivers\RTL8187B.sys [6/10/2009 5:52 AM 347648]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\System32\drivers\NETw2v32.sys [11/2/2006 5:25 AM 2589184]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6307
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6307
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Marisa\AppData\Roaming\Mozilla\Firefox\Profiles\v7b6ju7b.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ManageAccount|http://support.mozilla.com/en-US/kb/How+to+set+the+home+page
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Ecolitefesufiyas - c:\users\Marisa\AppData\Local\KBDFWin.dll
HKCU-Run-Xfovixuyoyulid - c:\users\Marisa\AppData\Local\uwawalif.dll
AddRemove-Christmas Paradise Screensaver_is1 - c:\windows\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-04 16:26
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\agrsmsvc.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\SigmaTel\C-Major Audio\WDM\STacSV.exe
c:\windows\sttray.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Camera Assistant Software for Gateway\CEC_MAIN.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2010-02-04 16:31:55 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-04 21:31

Pre-Run: 85,544,120,320 bytes free
Post-Run: 85,207,433,216 bytes free

- - End Of File - - 845345424CCB391ECD33C65B616FC3FF


I am not sure how to check my email on this machine because everything is on the laptop. I am going to give you a phone number. It is my only number and I am here all the time.



Thanks

Edited by schrauber, 05 February 2010 - 01:29 PM.


#11 kashmier

kashmier
  • Topic Starter

  • Members
  • 19 posts
  • Gender:Female
  • Location:Ringtown, PA

Posted 04 February 2010 - 06:05 PM

Hi again
I just wanted to let you know that I figured out how to get my email on this machine and I am following this site for an update. I am pretty much at a standstill with work since I do it all with the laptop and the needed programs are on there. I was wondering if I should run the backup ComboFix did to get my registry set so I can use the machine again? I don't know if that will even work. I really hope that we can get this thing fixed.

#12 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 05 February 2010 - 01:31 PM

Hi,

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
File::
c:\users\Marisa\AppData\Local\Tfaxejivuluyet.bin
c:\users\Marisa\AppData\Local\Yvawov.dat
Folder::
c:\programdata\94526228


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#13 kashmier

kashmier
  • Topic Starter

  • Members
  • 19 posts
  • Gender:Female
  • Location:Ringtown, PA

Posted 05 February 2010 - 05:31 PM

I can't open anything on the computer I ran ComboFix on. I can't open the browser, let alone get on the net to copy the text you sent.

This is the log I got yesterday; I haven't used the computer since.

ComboFix 10-02-04.01 - Marisa 02/04/2010 16:18:17.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2038.1232 [GMT -5:00]
Running from: c:\users\Marisa\Downloads\schrauber.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: AntiVir Desktop *disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-3388985760-1675286646-581509784-500
c:\users\Marisa\AppData\Local\{A0BFB652-B9A2-4585-B4B5-B5418D4DBC7D}
c:\users\Marisa\AppData\Local\{A0BFB652-B9A2-4585-B4B5-B5418D4DBC7D}\chrome.manifest
c:\users\Marisa\AppData\Local\{A0BFB652-B9A2-4585-B4B5-B5418D4DBC7D}\chrome\content\_cfg.js
c:\users\Marisa\AppData\Local\{A0BFB652-B9A2-4585-B4B5-B5418D4DBC7D}\chrome\content\overlay.xul
c:\users\Marisa\AppData\Local\{A0BFB652-B9A2-4585-B4B5-B5418D4DBC7D}\install.rdf
c:\users\Marisa\AppData\Local\KBDFWin.dll
c:\users\Marisa\AppData\Local\uwawalif.dll
c:\users\Marisa\AppData\Roaming\avdrn.dat
c:\windows\system32\drivers\bcztd.sys
c:\windows\system32\stacsv.exe
c:\windows\system32\xpysys.dll
c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
c:\windows\unins000.dat
c:\windows\unins000.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_bcztd
-------\Service_bcztd


((((((((((((((((((((((((( Files Created from 2010-01-04 to 2010-02-04 )))))))))))))))))))))))))))))))
.

2010-02-03 10:22 . 2010-02-03 10:22 -------- d-----w- c:\programdata\SITEguard
2010-02-03 10:21 . 2010-02-03 10:21 -------- d-----w- c:\program files\Common Files\iS3
2010-02-03 10:21 . 2010-02-03 19:12 -------- d-----w- c:\programdata\STOPzilla!
2010-01-25 23:08 . 2010-02-04 21:18 0 ----a-w- c:\users\Marisa\AppData\Local\Tfaxejivuluyet.bin
2010-01-25 23:08 . 2010-02-03 17:29 120 ----a-w- c:\users\Marisa\AppData\Local\Yvawov.dat
2010-01-25 23:04 . 2010-01-29 22:26 -------- d-----w- c:\programdata\94526228
2010-01-16 02:27 . 2010-01-16 02:27 -------- d-----w- c:\programdata\eBay
2010-01-13 06:33 . 2009-10-19 14:42 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-13 06:33 . 2009-10-19 14:37 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-13 06:33 . 2009-10-19 14:39 24064 ----a-w- c:\windows\system32\lpk.dll
2010-01-13 06:33 . 2009-10-19 14:37 10240 ----a-w- c:\windows\system32\dciman32.dll
2010-01-13 06:33 . 2009-10-19 14:36 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-01-13 06:33 . 2009-10-19 11:45 289792 ----a-w- c:\windows\system32\atmfd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-03 19:10 . 2010-02-03 19:10 240 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-02-03 15:30 . 2009-11-03 12:45 -------- d-----w- c:\users\Marisa\AppData\Roaming\Spare Backup
2010-01-29 22:35 . 2009-12-27 13:37 -------- d-----w- c:\program files\Trojan Remover
2010-01-25 23:04 . 2010-01-25 23:04 24 ----a-w- c:\users\Marisa\AppData\Roaming\anvkgp.dat
2010-01-16 02:27 . 2009-11-02 23:31 -------- d-----w- c:\program files\eBay
2010-01-13 08:11 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-01-10 02:17 . 2009-11-02 23:40 -------- d-----w- c:\programdata\WildTangent
2010-01-02 06:38 . 2010-01-22 01:50 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-22 01:50 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32 . 2010-01-22 01:50 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57 . 2010-01-22 01:50 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-31 12:16 . 2009-12-31 12:16 -------- d-----w- c:\program files\TweetDeck
2009-12-30 04:47 . 2009-12-30 04:47 -------- d-----w- c:\program files\Panda Security
2009-12-30 02:39 . 2009-12-29 21:31 -------- d-----w- c:\users\Marisa\AppData\Roaming\an
2009-12-29 07:54 . 2009-12-29 07:50 -------- d-----w- c:\program files\Visions Of Chaos
2009-12-29 07:08 . 2009-12-29 07:08 -------- d-----w- c:\program files\Chaoscope
2009-12-29 06:59 . 2009-12-29 06:59 -------- d-----w- c:\program files\Apophysis 2.0
2009-12-29 06:56 . 2009-12-29 06:56 896000 ----a-w- c:\program files\STERLING2.EXE
2009-12-29 06:56 . 2009-12-29 06:56 86528 ----a-w- c:\program files\ftloo01.dll
2009-12-29 06:56 . 2009-12-29 06:56 6236 ----a-w- c:\program files\SterlingInstructions.html
2009-12-29 06:56 . 2009-12-29 06:56 3126 ----a-w- c:\program files\SterlingW2589q.ico
2009-12-29 06:56 . 2009-12-29 06:56 -------- d-----w- c:\program files\sterling
2009-12-29 06:51 . 2009-12-03 19:17 -------- d-----w- c:\program files\Audible
2009-12-29 01:37 . 2009-11-18 22:52 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-12-29 01:37 . 2009-11-18 22:53 38784 ----a-w- c:\users\Marisa\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-12-29 01:37 . 2009-11-18 22:53 38784 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-12-27 14:05 . 2009-11-11 16:06 -------- d-----w- c:\program files\Nvu
2009-12-27 14:05 . 2009-11-11 15:47 -------- d-----w- c:\program files\SeaMonkey
2009-12-27 14:05 . 2009-11-04 22:33 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-12-27 14:05 . 2009-11-02 23:28 -------- d-----w- c:\program files\REALTEK USB Wireless LAN Driver
2009-12-27 13:37 . 2009-12-27 13:37 -------- d-----w- c:\users\Marisa\AppData\Roaming\Simply Super Software
2009-12-27 12:37 . 2009-12-27 12:37 -------- d-----w- c:\program files\AML Products
2009-12-27 12:16 . 2009-12-27 12:16 -------- d-----w- c:\programdata\XoftSpySE
2009-12-26 01:06 . 2009-12-26 01:06 -------- d-----w- c:\program files\BitZipper
2009-12-26 01:06 . 2009-12-26 01:06 -------- d-----w- c:\users\Marisa\AppData\Roaming\BitZipper
2009-12-26 01:04 . 2009-12-26 00:36 -------- d-----w- c:\users\Marisa\AppData\Roaming\Ultra Fractal 5
2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-09 02:54 . 2009-11-08 14:56 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-08 03:33 . 2009-12-03 19:14 -------- d-----w- c:\programdata\Creative
2009-11-19 23:55 . 2009-11-19 23:55 0 ----a-w- c:\users\Marisa\AppData\Roaming\wklnhst.dat
2009-11-18 16:05 . 2009-11-18 16:05 680 ----a-w- c:\users\Marisa\AppData\Local\d3d9caps.dat
2009-11-13 19:31 . 2009-11-13 19:31 49152 ----a-r- c:\windows\system32\inetwh32.dll
2009-11-13 19:31 . 2009-11-13 19:31 1044480 ----a-r- c:\windows\system32\roboex32.dll
2009-11-09 13:34 . 2009-12-13 08:03 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 13:30 . 2009-12-13 08:03 31232 ----a-w- c:\windows\system32\httpapi.dll
2009-11-09 11:17 . 2009-12-13 08:03 396800 ----a-w- c:\windows\system32\drivers\http.sys
2002-08-01 00:55 . 2009-11-19 19:32 108 --sh--w- c:\windows\WSYS049.SYS
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 868352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-13 178712]
"SigmatelSysTrayApp"="sttray.exe" [2007-01-30 303104]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-26 865840]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Gateway\traybar.exe" [2007-06-30 638976]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"PDUiP6310DMon"="c:\program files\Canon\Memory Card Utility\iP6310D\PDUiP6310DMon.exe" [2006-10-03 75376]
"CTCheck"="c:\program files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe" [2007-11-06 397312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-07-13 40072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

R0 pavboot;pavboot;c:\windows\System32\drivers\pavboot.sys [12/29/2009 11:48 PM 28552]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/8/2009 9:56 AM 108289]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\System32\drivers\RTL8187B.sys [6/10/2009 5:52 AM 347648]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\System32\drivers\NETw2v32.sys [11/2/2006 5:25 AM 2589184]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6307
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6307
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Marisa\AppData\Roaming\Mozilla\Firefox\Profiles\v7b6ju7b.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ManageAccount|http://support.mozilla.com/en-US/kb/How+to+set+the+home+page
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Ecolitefesufiyas - c:\users\Marisa\AppData\Local\KBDFWin.dll
HKCU-Run-Xfovixuyoyulid - c:\users\Marisa\AppData\Local\uwawalif.dll
AddRemove-Christmas Paradise Screensaver_is1 - c:\windows\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-04 16:26
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\agrsmsvc.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\SigmaTel\C-Major Audio\WDM\STacSV.exe
c:\windows\sttray.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Camera Assistant Software for Gateway\CEC_MAIN.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2010-02-04 16:31:55 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-04 21:31

Pre-Run: 85,544,120,320 bytes free
Post-Run: 85,207,433,216 bytes free

- - End Of File - - 845345424CCB391ECD33C65B616FC3FF

Edited by kashmier, 05 February 2010 - 05:34 PM.
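As an added example (not code from this thread, ComboFix or BleepingComputer), the Python script below parses the section layout of the ComboFix log posted above, applies two constructed triage heuristics (loose executable-type files sitting directly in the user's AppData root, and an all-digit ProgramData folder, both of which appear in this log), records which orphaned HKCU Run entries pointed into AppData, and emits the File::/Folder:: CFScript form used in the reply earlier in the thread. The section names, regexes, heuristics and the sample excerpt are assumptions modelled on this log, not anything ComboFix itself provides.

```python
import re
from typing import Dict, List, Tuple
# Constructed excerpt in the layout of the ComboFix log posted in this thread (sample input only).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\users\Marisa\AppData\Local\KBDFWin.dll
c:\windows\system32\drivers\bcztd.sys
.
((((((((((((((((((((((((( Files Created from 2010-01-04 to 2010-02-04 )))))))))))))))))))))))))))))))
.
2010-02-03 10:22 . 2010-02-03 10:22 -------- d-----w- c:\programdata\SITEguard
2010-01-25 23:08 . 2010-02-04 21:18 0 ----a-w- c:\users\Marisa\AppData\Local\Tfaxejivuluyet.bin
2010-01-25 23:08 . 2010-02-03 17:29 120 ----a-w- c:\users\Marisa\AppData\Local\Yvawov.dat
2010-01-25 23:04 . 2010-01-29 22:26 -------- d-----w- c:\programdata\94526228
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Ecolitefesufiyas - c:\users\Marisa\AppData\Local\KBDFWin.dll
AddRemove-Christmas Paradise Screensaver_is1 - c:\windows\unins000.exe
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$|^- - - - (.+?) - - - -$")
CREATED_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \S+ \S+ \S+ (?P<attrs>\S+) (?P<path>.+)$")
ORPHAN_RE = re.compile(r"^(?P<key>.+?) - (?P<path>.+)$")
# Constructed triage heuristics (assumptions, not ComboFix logic): a loose executable-type file
# directly in the user's AppData root, or an all-digit ProgramData folder, as in this thread's log.
APPDATA_ROOT = re.compile(r"^c:\\users\\[^\\]+\\appdata\\(local|roaming)\\[^\\]+$", re.I)
NUMERIC_PROGRAMDATA = re.compile(r"^c:\\programdata\\\d+$", re.I)
LOOSE_EXT = (".dll", ".sys", ".exe", ".bin", ".dat")

def split_sections(log: str) -> Dict[str, List[str]]:
    """Group lines under the ComboFix banner that precedes them; '.' lines are separators."""
    sections: Dict[str, List[str]] = {}
    current = "preamble"
    for raw in log.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1) or m.group(2)
            sections[current] = []
        else:
            sections.setdefault(current, []).append(line)
    return sections

def section(sections: Dict[str, List[str]], prefix: str) -> List[str]:
    # lookup by banner prefix, because the 'Files Created' banner carries a date range
    return next((v for k, v in sections.items() if k.startswith(prefix)), [])

def parse_created(lines: List[str]) -> List[Tuple[str, bool]]:
    """Return (path, is_dir) per entry; directories show size '--------' and attrs starting with 'd'."""
    return [(m["path"], m["attrs"].startswith("d"))
            for m in map(CREATED_RE.match, lines) if m]

def triage(entries: List[Tuple[str, bool]], already_deleted: List[str]) -> Tuple[List[str], List[str]]:
    """Return (files, folders) that ComboFix has not already deleted and that match the heuristics."""
    deleted = {p.lower() for p in already_deleted}
    files, folders = [], []
    for path, is_dir in entries:
        if path.lower() in deleted:
            continue
        if is_dir and NUMERIC_PROGRAMDATA.match(path):
            folders.append(path)
        elif not is_dir and APPDATA_ROOT.match(path) and path.lower().endswith(LOOSE_EXT):
            files.append(path)
    return files, folders

def orphan_autoruns(lines: List[str]) -> Dict[str, str]:
    """HKCU Run orphans that pointed into AppData: the persistence the deleted DLLs relied on."""
    hits = {}
    for m in map(ORPHAN_RE.match, lines):
        if m and m["key"].upper().startswith("HKCU-RUN-") and "\\appdata\\" in m["path"].lower():
            hits[m["key"]] = m["path"]
    return hits

def build_cfscript(files: List[str], folders: List[str]) -> str:
    """Emit the File::/Folder:: CFScript form used earlier in this thread."""
    lines = (["File::"] + files if files else []) + (["Folder::"] + folders if folders else [])
    return "\n".join(lines) + "\n"

def analyze(log: str) -> dict:
    s = split_sections(log)
    files, folders = triage(parse_created(section(s, "Files Created")), section(s, "Other Deletions"))
    return {"files": files, "folders": folders, "cfscript": build_cfscript(files, folders),
            "orphans": orphan_autoruns(section(s, "ORPHANS REMOVED"))}
```

Run against the constructed excerpt, `analyze(SAMPLE_LOG)["cfscript"]` reproduces the three-entry script from the reply above; the heuristics are deliberately narrow and are a starting point for review, not a replacement for reading the whole log.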


#14 kashmier

kashmier
  • Topic Starter

  • Members
  • 19 posts
  • Gender:Female
  • Location:Ringtown, PA

Posted 05 February 2010 - 06:30 PM

I believe that the computer has been fixed.

I finally got the guts to close it down after doing some research on combofix.
I restarted it and was able to get onto the internet. Everything seems to work. I did a complete scan with my antivirus and it detected 2 things and this time when I clicked to remove them it did.

Thank you for your time
Marisa

Edited by kashmier, 05 February 2010 - 09:43 PM.


#15 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 06 February 2010 - 07:29 AM

Good to hear, but we are not finished.


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.




  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
  5. Push the Quick Scan button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware



