Paladin antivirus leftovers and eventcreatexp


  • This topic is locked
40 replies to this topic

#1 youngmomma

youngmomma

  • Members
  • 169 posts
  • OFFLINE
  • Local time:05:14 AM

Posted 24 February 2010 - 08:49 PM

I was talking to boopme, who directed me to do a DDS log and a GMER log, so I have done so. I was infected with the Paladin antivirus and have a previous post that has all the info in it from the infection, what has been going on, and what I have done so far. I will include a link to this post:


http://www.bleepingcomputer.com/forums/t/298182/paladin-antivirus-did-i-get-it-all/


Yes, it is OK to close this old topic after I post this one here, as long as someone new is going to help me, which I am sure they will.


So I followed the directions from boopme, and here are the logs.


BTW, I am using Windows XP Pro on a Dell computer.


I don't know if it will help at all, but I will include a closed topic of mine with some other problems I was having that were pretty serious.


I would very much appreciate it if you would be willing to look over these issues as well, so maybe we can get everything working properly and back to normal in one spot.


http://www.bleepingcomputer.com/forums/t/291498/please-help-quick-im-infected/





Thank you very much, you guys are awesome.




Also, something else I noticed that kind of bothered me: I am the only one who has a profile on this computer, but when I run Safe Mode and it has you log on, there are two profiles, mine (which is supposed to be Administrator) and one named Administrator. Is this someone else on my computer, or is it standard to have this profile? Thanks.

DDS log:



DDS (Ver_09-12-01.01) - NTFSx86
Run by Anyone at 18:08:18.71 on Wed 02/24/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.289 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Paladin Antivirus *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

============== Running Processes ===============

F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
F:\Program Files\Windows Defender\MsMpEng.exe
F:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
F:\Program Files\AVG\AVG9\avgchsvx.exe
F:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
F:\Program Files\AVG\AVG9\avgcsrvx.exe
F:\WINDOWS\system32\spoolsv.exe
svchost.exe
F:\Program Files\AVG\AVG9\avgwdsvc.exe
F:\Program Files\Java\jre6\bin\jqs.exe
F:\Program Files\AVG\AVG9\avgemc.exe
F:\Program Files\AVG\AVG9\avgnsx.exe
F:\Program Files\AVG\AVG9\avgcsrvx.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Analog Devices\Core\smax4pnp.exe
F:\PROGRA~1\AVG\AVG9\avgtray.exe
F:\Program Files\Windows Defender\MSASCui.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
F:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Documents and Settings\Anyone\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://msn.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - f:\program files\avg\avg9\toolbar\IEToolbar.dll
mWinlogon: SFCDisable=-99 (0xffffff9d)
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - f:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - f:\program files\avg\avg9\avgssie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - f:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - f:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - f:\program files\avg\avg9\toolbar\IEToolbar.dll
uRun: [ctfmon.exe] f:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] f:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [VeohPlugin] "f:\program files\veoh networks\veohwebplayer\veohwebplayer.exe"
mRun: [SoundMAXPnP] f:\program files\analog devices\core\smax4pnp.exe
mRun: [AVG9_TRAY] f:\progra~1\avg\avg9\avgtray.exe
mRun: [Windows Defender] "f:\program files\windows defender\MSASCui.exe" -hide
mRun: [ATIPTA] "f:\program files\ati technologies\ati control panel\atiptaxx.exe"
dRunOnce: [nltide_2] regsvr32 /s /n /i:U shell32
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: f:\docume~1\anyone\startm~1\programs\startup\erunta~1.lnk - f:\program files\erunt\AUTOBACK.EXE
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - f:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - f:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
IE: &Search
IE: E&xport to Microsoft Excel - f:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - f:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/C/B/F/CBF23A2C-3E55-4664-BC5C-762780D79BA0/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} - hxxp://download.microsoft.com/download/7/4/9/749b0dc5-2175-4d5b-a6dd-9c4bc923683e/Selfhelpcontrol.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1264386016453
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {9732FB42-C321-11D1-836F-00A0C993F125} - hxxp://www.pcpitstop.com/mhLbl.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - f:\program files\avg\avg9\avgpp.dll
Notify: !SASWinLogon - f:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - f:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - f:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - f:\program files\superantispyware\SASSEH.DLL
IFEO: taskmgr.exe - c:\windows\procexp.exe

================= FIREFOX ===================

FF - ProfilePath - f:\docume~1\anyone\applic~1\mozilla\firefox\profiles\i8ffj965.default\
FF - component: f:\documents and settings\anyone\application data\mozilla\firefox\profiles\i8ffj965.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: f:\program files\divx\divx plus web player\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - f:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - f:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - f:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
f:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
f:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
f:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
f:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
f:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
f:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
f:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
f:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
f:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
f:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
f:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
f:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
f:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
f:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
f:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
f:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
f:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
f:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
f:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
f:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
f:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;f:\windows\system32\drivers\avgldx86.sys [2004-11-11 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;f:\windows\system32\drivers\avgmfx86.sys [2004-11-11 28424]
R1 AvgTdiX;AVG Free Network Redirector;f:\windows\system32\drivers\avgtdix.sys [2004-11-11 360584]
R1 SASDIFSV;SASDIFSV;f:\program files\superantispyware\SASDIFSV.SYS [2010-1-5 12872]
R1 SASKUTIL;SASKUTIL;f:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 66632]
R2 avg9emc;AVG Free E-mail Scanner;f:\program files\avg\avg9\avgemc.exe [2004-11-11 906520]
R2 avg9wd;AVG Free WatchDog;f:\program files\avg\avg9\avgwdsvc.exe [2004-11-11 285392]
R2 WinDefend;Windows Defender;f:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 SASENUM;SASENUM;f:\program files\superantispyware\SASENUM.SYS [2010-1-5 12872]
R3 StreamSurge;StreamSurge Driver (miniport);f:\windows\system32\drivers\ss.sys [2004-11-9 19968]
S3 BKNDIS5;BKNDIS5 NDIS Protocol Driver;\??\f:\progra~1\belkin\f5d9050\bkndis5.sys --> f:\progra~1\belkin\f5d9050\BKNDIS5.SYS [?]

=============== Created Last 30 ================


==================== Find3M ====================

2010-01-14 17:12:06 181120 ------w- f:\windows\system32\MpSigStub.exe
2009-12-31 16:50:03 353792 ----a-w- f:\windows\system32\drivers\srv.sys
2009-12-21 19:14:05 916480 ----a-w- f:\windows\system32\wininet.dll
2009-12-16 18:43:27 343040 ----a-w- f:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- f:\windows\system32\csrsrv.dll
2009-12-08 19:27:51 2189184 ----a-w- f:\windows\system32\ntoskrnl.exe
2009-12-08 18:43:50 2066048 ----a-w- f:\windows\system32\ntkrnlpa.exe
2009-11-27 17:11:44 17920 ----a-w- f:\windows\system32\msyuv.dll
2009-11-27 17:11:44 1291776 ----a-w- f:\windows\system32\quartz.dll
2009-11-27 16:07:35 8704 ----a-w- f:\windows\system32\tsbyuv.dll
2009-11-27 16:07:35 28672 ----a-w- f:\windows\system32\msvidc32.dll
2009-11-27 16:07:34 84992 ----a-w- f:\windows\system32\avifil32.dll
2009-11-27 16:07:34 48128 ----a-w- f:\windows\system32\iyuv_32.dll
2009-11-27 16:07:34 11264 ----a-w- f:\windows\system32\msrle32.dll
2004-11-04 20:07:33 32768 --sha-w- f:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012004110520041106\index.dat

============= FINISH: 18:08:36.75 ===============






Here is the GMER log:



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-24 19:38:41
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: F:\DOCUME~1\Anyone\LOCALS~1\Temp\uwryrpog.sys


---- System - GMER 1.0.15 ----

SSDT \??\F:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xEEDD8320]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----



Also, I am attaching the DDS attach log.



Thanks again for the quick replies and all the help.

Attached Files


Edited by youngmomma, 24 February 2010 - 08:56 PM.
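The DDS report above is where a responder would start: the AV header lists two products with one marked Outdated, the Pseudo HJT Report shows a browser proxy pointing at 127.0.0.1:5555, an SFCDisable value under Winlogon, and an IFEO entry that swaps taskmgr.exe for procexp.exe. The script below is an added example written for this thread; it is not part of DDS, ComboFix or any other tool mentioned here. It reads those report lines and flags the patterns that matter, with the sample input copied from the log in this post. The IFEO entry is only flagged for verification, since Process Explorer's "Replace Task Manager" option writes exactly that value.

```python
"""Triage the DDS 'Pseudo HJT Report' lines for rogue-AV leftovers.

Added example for this thread; it is not part of DDS, ComboFix or any other
tool named here. The sample input is copied from the DDS log posted above.
"""
import re
from dataclasses import dataclass
from typing import List

# Lines taken from the DDS log in post #1 (AV header lines plus the
# Pseudo HJT Report entries that matter for triage).
SAMPLE_REPORT = r"""
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Paladin Antivirus *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
uStart Page = hxxp://msn.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
mWinlogon: SFCDisable=-99 (0xffffff9d)
uRun: [ctfmon.exe] f:\windows\system32\ctfmon.exe
mRun: [AVG9_TRAY] f:\progra~1\avg\avg9\avgtray.exe
IFEO: taskmgr.exe - c:\windows\procexp.exe
"""


@dataclass
class Finding:
    line: str     # the report line (or summary) that triggered the finding
    reason: str   # why a responder should look at it


# A proxy pointing at the local machine means something on the host sits
# between the browser and the network, a common rogue-AV behaviour.
LOOPBACK_PROXY = re.compile(
    r"ProxyServer\s*=\s*(?:\w+=)?(127\.0\.0\.1|localhost):(\d+)", re.I)
# Image File Execution Options "Debugger" entries launch another binary in
# place of the named program. Process Explorer writes one for taskmgr.exe
# when "Replace Task Manager" is enabled, so this is flagged for
# verification, not declared malicious.
IFEO = re.compile(r"^IFEO:\s*(\S+)\s*-\s*(.+)$", re.I)
# A non-zero SFCDisable is an attempt to turn off Windows File Protection,
# which would otherwise restore patched system files.
SFC = re.compile(r"SFCDisable\s*=\s*(-?\d+)", re.I)
# Each AV product registered with Security Center.
AV = re.compile(r"^AV:\s*(.+?)\s*\*", re.I)


def triage(report: str) -> List[Finding]:
    """Return one Finding per suspicious line, plus an AV summary finding."""
    findings: List[Finding] = []
    av_products: List[str] = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LOOPBACK_PROXY.search(line)
        if m:
            findings.append(Finding(
                line, f"browser traffic routed through local proxy {m.group(1)}:{m.group(2)}"))
            continue
        m = IFEO.match(line)
        if m:
            findings.append(Finding(
                line, f"IFEO redirect: starting {m.group(1)} runs {m.group(2)} instead; verify it is intended"))
            continue
        m = SFC.search(line)
        if m and m.group(1) != "0":
            findings.append(Finding(
                line, f"Windows File Protection weakened (SFCDisable={m.group(1)})"))
            continue
        m = AV.match(line)
        if m:
            av_products.append(m.group(1))
    if len(av_products) > 1:
        findings.append(Finding(
            "; ".join(av_products),
            "more than one AV product registered; check each one is real and wanted"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[!] {f.reason}\n    {f.line}")
```

Run against the sample it reports four items: the loopback proxy, the SFCDisable value, the IFEO redirect and the pair of AV products. Ordinary uRun/mRun entries pass through silently; the script is a first filter, not a verdict.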



#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:09:14 AM

Posted 26 February 2010 - 10:23 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days, I will bump the topic, and if you do not reply by the following day after that, I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 youngmomma

youngmomma
  • Topic Starter

  • Members
  • 169 posts
  • OFFLINE
  • Local time:05:14 AM

Posted 27 February 2010 - 05:00 AM

Thank you for taking interest in my problem, I appreciate it, and yes, I have subscribed to this, so there should be no problems. Thank you again.

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:09:14 AM

Posted 27 February 2010 - 07:07 PM

Hi youngmomma,

This is the TDSS rootkit and TDSSKiller is unable to remove it. It is also showing files I've never seen from this rootkit and so this could take a little longer than usual.

Please run Rkill

Download and Run RKill

Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
Link 4
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • Please post the resulting log in your next reply.


Now run Combofix, this is a powerful tool so if you have any questions or problems with it just post back before you go ahead.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#5 youngmomma

youngmomma
  • Topic Starter

  • Members
  • 169 posts
  • OFFLINE
  • Local time:05:14 AM

Posted 28 February 2010 - 12:00 AM

OK, I am unable to run ComboFix. At first everything was fine; the box came up saying use at your own risk,

then I clicked OK, and then it said AVG was running.

I couldn't figure out how to turn it off, so I X'ed out of ComboFix and tried to delete AVG, then ran it again, and it said the same thing, that AVG was running.

So I tried to X out of ComboFix again, and it said OK, it will scan your computer at your own risk, and started to scan, so I X'ed out as soon as the blue window popped up. I don't believe it had time to really do much, because I was pretty quick to X out.

So then, since I was having so much trouble deleting AVG, I looked it up and found a tool to remove it, so I did, and it is not running anymore.

But my computer has frozen a couple of times since this, and now when I run ComboFix there is no "click OK to continue" box; it just loads and goes straight to the blue screen and has a message that says "SWSC' is not recognizable as an internal or external command operable program or batch file"???????


What does this mean? Did ComboFix screw my computer up more?

Can this be fixed?

What should I do?

I also would like to note that I had to delete Windows Defender before running the scan as well, because I couldn't figure out how to turn it off.

So now I am completely open to the viruses, so please help fast. Thank you.

P.S. I was able to run RKill but don't know where the log is?

#6 youngmomma

youngmomma
  • Topic Starter

  • Members
  • 169 posts
  • OFFLINE
  • Local time:05:14 AM

Posted 28 February 2010 - 12:57 AM

OK, well, I know I deserve a slap on the wrist for this, but I went to another post and saw where someone was trying to delete ComboFix, and the person told them to use combofix /u. I tried that, and strangest thing, it ran ComboFix, installed the Windows Recovery Console and everything?


So I have the log. I had an infected driver that it said it was attempting to restore, but it doesn't say if it did.


Since it finished running, does this mean it was fixed? Also, when I had those problems earlier, I noticed that my Notepad is not saving files anymore (see the previous post topic linked above). Again, can we do anything about this? Thanks again, here is the log.




ComboFix 10-02-27.04 - Anyone 02/27/2010 23:34:17.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.537 [GMT -6:00]
Running from: f:\documents and settings\Anyone\Desktop\comfix.exe.exe
Command switches used :: /u
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

f:\windows\system32\_000006_.tmp.dll
f:\windows\system32\drivers\ss.sys

f:\windows\system32\midimap.dll . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_StreamSurge


((((((((((((((((((((((((( Files Created from 2010-01-28 to 2010-02-28 )))))))))))))))))))))))))))))))
.

2010-02-28 03:26 . 2010-02-28 03:26 -------- d-----w- f:\documents and settings\Anyone\Application Data\AVG9
2010-02-28 03:16 . 2010-02-28 03:16 -------- d--h--w- f:\windows\PIF
2010-02-27 10:27 . 2010-02-27 10:27 -------- d-----w- f:\windows\system32\wbem\Repository
2010-02-24 05:42 . 2010-01-07 22:07 38224 ----a-w- f:\windows\system32\drivers\mbamswissarmy.sys
2010-02-24 05:42 . 2010-01-07 22:07 19160 ----a-w- f:\windows\system32\drivers\mbam.sys
2010-02-24 05:34 . 2010-02-24 05:42 -------- d-----w- f:\program files\Malwarebytes' Anti-Malware
2010-02-24 05:03 . 2010-02-24 05:26 2096 ----a-w- f:\documents and settings\All Users\Application Data\fiosejgfse.dll
2010-02-24 04:59 . 2010-02-24 04:59 -------- d-sh--w- f:\windows\system32\config\systemprofile\IETldCache
2010-02-24 02:41 . 2010-02-27 17:00 -------- d-----w- f:\program files\DivX
2010-02-23 02:51 . 2010-02-23 02:51 -------- d-----w- f:\documents and settings\Anyone\Local Settings\Application Data\Opera
2010-02-23 02:50 . 2010-02-23 02:50 -------- d-----w- f:\program files\Opera
2010-02-22 02:51 . 2010-02-22 02:51 -------- d-----w- f:\documents and settings\All Users\Application Data\TuneUp Software
2010-02-22 00:14 . 2010-02-22 00:14 -------- d-----w- f:\program files\Dell
2010-02-20 19:10 . 2010-02-20 19:10 -------- d-----w- f:\documents and settings\Anyone\Application Data\MSNInstaller
2010-02-20 19:01 . 2003-05-30 07:15 53248 ----a-w- f:\windows\system32\BInstDll.dll
2010-02-20 17:17 . 2010-02-20 17:17 -------- d-----w- f:\documents and settings\Anyone\Application Data\SoundSpectrum
2010-02-20 17:15 . 2010-02-20 17:15 -------- d-----w- f:\program files\SoundSpectrum
2010-02-20 16:54 . 2010-02-22 01:09 -------- d-----w- f:\program files\Resource Kit
2010-02-20 08:45 . 2010-02-21 08:56 -------- d-----w- f:\windows\system32\NtmsData
2010-02-20 07:17 . 2010-02-20 07:18 -------- d-----w- f:\documents and settings\All Users\Application Data\PCPitstop
2010-02-19 23:32 . 2010-02-19 23:32 552 ----a-w- f:\windows\system32\d3d8caps.dat
2010-02-19 23:08 . 2010-02-19 23:37 -------- d-----w- f:\documents and settings\Anyone\DoctorWeb
2010-02-15 12:15 . 2010-02-15 12:15 -------- d-----w- f:\program files\MSECache
2010-02-05 19:42 . 2008-04-13 23:15 60032 -c--a-w- f:\windows\system32\dllcache\usbaudio.sys
2010-02-05 19:42 . 2008-04-13 23:15 60032 ----a-w- f:\windows\system32\drivers\USBAUDIO.sys
2010-02-05 16:46 . 2008-04-13 23:15 32128 -c--a-w- f:\windows\system32\dllcache\usbccgp.sys
2010-02-05 16:46 . 2008-04-13 23:15 32128 ----a-w- f:\windows\system32\drivers\usbccgp.sys
2010-02-03 20:38 . 2010-02-03 20:38 -------- d-----w- f:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2010-02-03 05:42 . 2010-02-03 05:42 -------- d-----w- f:\program files\ERUNT
2010-02-02 03:52 . 2010-02-02 03:52 -------- d-----w- f:\documents and settings\Anyone\Application Data\SecondLife
2010-02-02 03:52 . 2010-02-27 21:05 -------- d-----w- f:\documents and settings\Anyone\Local Settings\Application Data\SecondLife
2010-02-02 03:51 . 2010-02-02 03:52 -------- d-----w- f:\program files\SecondLife
2010-02-02 00:43 . 2010-02-02 00:43 52224 ----a-w- f:\documents and settings\Anyone\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-02 00:43 . 2010-02-13 03:32 117760 ----a-w- f:\documents and settings\Anyone\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-02 00:43 . 2010-02-02 00:43 -------- d-----w- f:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-02-02 00:41 . 2010-02-19 20:44 -------- d-----w- f:\program files\SUPERAntiSpyware
2010-02-02 00:41 . 2010-02-02 00:41 -------- d-----w- f:\documents and settings\Anyone\Application Data\SUPERAntiSpyware.com
2010-02-02 00:41 . 2010-02-02 00:41 -------- d-----w- f:\program files\Common Files\Wise Installation Wizard
2010-02-01 10:16 . 2010-02-22 03:30 -------- d-----w- f:\documents and settings\Anyone\Local Settings\Application Data\Yahoo!
2010-02-01 06:19 . 2010-02-01 06:19 -------- d-----w- f:\documents and settings\Anyone\Application Data\AdobeUM
2010-01-30 04:40 . 2010-01-30 04:40 -------- d-----w- f:\documents and settings\Anyone\Application Data\Apple Computer
2010-01-29 09:45 . 2010-01-29 09:45 -------- d-----w- f:\program files\Veoh Networks
2010-01-29 09:22 . 2010-01-29 09:22 -------- d-----w- f:\program files\QuickTime
2010-01-29 09:22 . 2010-01-29 09:22 -------- d-----w- f:\documents and settings\All Users\Application Data\Apple Computer
2010-01-29 09:22 . 2010-01-29 09:22 -------- d-----w- f:\program files\Common Files\Apple
2010-01-29 09:22 . 2010-01-29 09:22 -------- d-----w- f:\documents and settings\Anyone\Local Settings\Application Data\Apple
2010-01-29 09:22 . 2010-01-29 09:22 -------- d-----w- f:\program files\Apple Software Update
2010-01-29 09:22 . 2010-01-29 09:22 -------- d-----w- f:\documents and settings\All Users\Application Data\Apple
2010-01-29 09:22 . 2010-01-29 09:22 -------- d-----w- f:\documents and settings\Anyone\Local Settings\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-28 03:56 . 2004-11-11 19:59 -------- d-----w- f:\documents and settings\All Users\Application Data\avg9
2010-02-24 22:19 . 2010-01-24 11:29 -------- d-----w- f:\documents and settings\Anyone\Application Data\LimeWire
2010-02-24 15:16 . 2009-12-22 09:35 181632 ------w- f:\windows\system32\MpSigStub.exe
2010-02-21 00:28 . 2010-01-24 12:28 -------- d-----w- f:\documents and settings\All Users\Application Data\NOS
2010-02-20 19:01 . 2004-11-09 18:49 -------- d-----w- f:\program files\Broadcom
2010-02-10 09:01 . 2004-11-05 04:53 -------- d-----w- f:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-29 05:09 . 2010-01-29 05:09 476 ----a-w- f:\documents and settings\Anyone\rkill.reg
2010-01-29 05:09 . 2010-01-29 05:09 236544 ----a-w- f:\documents and settings\Anyone\pev.exe
2010-01-29 04:59 . 2010-01-29 04:59 -------- d-----w- f:\documents and settings\Anyone\Application Data\Malwarebytes
2010-01-29 04:59 . 2010-01-29 04:59 -------- d-----w- f:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-29 02:22 . 2010-01-29 02:07 -------- d-----w- f:\documents and settings\All Users\Application Data\Electronic Arts
2010-01-29 02:21 . 2010-01-29 02:21 -------- d-----w- f:\program files\Common Files\Adobe AIR
2010-01-29 02:21 . 2010-01-29 02:22 38784 ----a-w- f:\documents and settings\Anyone\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-01-29 02:21 . 2010-01-29 02:21 38784 ----a-w- f:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-01-27 21:38 . 2010-01-27 21:38 -------- d-----w- f:\program files\Electronic Arts
2010-01-27 20:58 . 2010-01-27 20:58 -------- d-----w- f:\program files\EA GAMES
2010-01-26 07:56 . 2010-01-26 07:56 -------- d-----w- f:\documents and settings\All Users\Application Data\McAfee
2010-01-26 04:49 . 2004-11-09 18:48 -------- d--h--w- f:\program files\InstallShield Installation Information
2010-01-25 21:12 . 2010-01-25 20:55 -------- d-----w- f:\documents and settings\All Users\Application Data\Norton
2010-01-25 20:55 . 2010-01-25 20:55 -------- d-----w- f:\documents and settings\All Users\Application Data\Symantec
2010-01-25 20:55 . 2010-01-25 20:55 -------- d-----w- f:\documents and settings\All Users\Application Data\NortonInstaller
2010-01-25 14:18 . 2004-11-04 20:10 1219920 ----a-w- f:\documents and settings\Anyone\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-25 05:13 . 2004-11-05 04:55 -------- d-----w- f:\program files\Microsoft Works
2010-01-25 03:53 . 2010-01-25 03:53 -------- d-----w- f:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2010-01-25 03:46 . 2010-01-25 03:46 -------- d-----w- f:\documents and settings\All Users\Application Data\Driver Whiz
2010-01-25 02:13 . 2010-01-25 02:13 -------- d-----w- f:\documents and settings\Anyone\Application Data\InstallShield
2010-01-25 01:58 . 2010-01-24 11:27 -------- d-----w- f:\program files\Java
2010-01-25 01:57 . 2010-01-25 01:57 152576 ----a-w- f:\documents and settings\Anyone\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-25 01:57 . 2010-01-25 01:57 79488 ----a-w- f:\documents and settings\Anyone\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-25 01:56 . 2010-01-24 11:27 -------- d-----w- f:\program files\LimeWire
2010-01-25 01:38 . 2010-01-25 01:38 -------- d-----w- f:\program files\Fisher-Price
2010-01-24 19:46 . 2010-01-24 19:46 152576 ----a-w- f:\documents and settings\Anyone\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2010-01-24 12:44 . 2010-01-24 12:44 -------- d-----w- f:\documents and settings\Anyone\Application Data\Individual Software
2010-01-24 12:44 . 2010-01-24 12:40 -------- d-----w- f:\program files\ResumeMaker
2010-01-24 12:40 . 2010-01-24 12:40 -------- d-----w- f:\documents and settings\All Users\Application Data\Individual Software
2010-01-24 12:28 . 2010-01-24 12:28 -------- d-----w- f:\program files\NOS
2010-01-24 12:16 . 2010-01-24 12:04 -------- d-----w- f:\documents and settings\All Users\Application Data\DriverCure
2010-01-24 12:05 . 2010-01-24 12:05 -------- d-----w- f:\documents and settings\Anyone\Application Data\DriverCure
2010-01-24 12:04 . 2010-01-24 12:04 -------- d-----w- f:\documents and settings\All Users\Application Data\ParetoLogic
2010-01-24 09:32 . 2010-01-24 09:30 -------- d-----w- f:\program files\Windows Live
2010-01-24 09:32 . 2010-01-24 09:32 -------- d-----w- f:\program files\Microsoft SQL Server Compact Edition
2010-01-24 09:31 . 2010-01-24 09:31 -------- d-----w- f:\program files\Microsoft
2010-01-24 09:30 . 2010-01-24 09:30 -------- d-----w- f:\program files\Windows Live SkyDrive
2010-01-24 09:26 . 2010-01-24 09:26 -------- d-----w- f:\program files\Common Files\Windows Live
2010-01-24 07:56 . 2010-01-24 07:56 -------- d-----w- f:\documents and settings\All Users\Application Data\McAfee Security Scan
2010-01-24 07:56 . 2010-01-24 07:56 -------- d-----w- f:\program files\McAfee Security Scan
2010-01-24 07:43 . 2010-01-24 07:43 0 ----a-w- f:\windows\nsreg.dat
2010-01-24 04:24 . 2004-11-11 12:04 -------- d-----w- f:\program files\Modem Helper
2009-12-31 16:50 . 2008-04-13 17:45 353792 ----a-w- f:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2008-04-28 09:25 916480 ----a-w- f:\windows\system32\wininet.dll
2009-12-17 09:37 . 2010-01-24 07:56 31936 ----a-w- f:\documents and settings\Anyone\Application Data\Mozilla\Firefox\Profiles\i8ffj965.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2009-12-17 09:37 . 2010-01-24 07:56 29344 ----a-w- f:\documents and settings\Anyone\Application Data\Mozilla\Firefox\Profiles\i8ffj965.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2009-12-16 19:42 . 2010-01-26 20:10 872960 ----a-w- f:\documents and settings\Anyone\Application Data\Mozilla\Firefox\Profiles\i8ffj965.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-12-16 19:42 . 2010-01-26 20:10 43008 ----a-w- f:\documents and settings\Anyone\Application Data\Mozilla\Firefox\Profiles\i8ffj965.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-12-16 19:42 . 2010-01-26 20:10 340480 ----a-w- f:\documents and settings\Anyone\Application Data\Mozilla\Firefox\Profiles\i8ffj965.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-12-16 19:41 . 2010-01-26 20:10 346624 ----a-w- f:\documents and settings\Anyone\Application Data\Mozilla\Firefox\Profiles\i8ffj965.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-12-16 18:43 . 2004-11-04 19:53 343040 ----a-w- f:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2008-04-13 22:41 33280 ----a-w- f:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 2008-04-26 03:44 2189184 ----a-w- f:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2008-03-26 06:46 2066048 ----a-w- f:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2008-04-13 17:47 455424 ----a-w- f:\windows\system32\drivers\mrxsmb.sys
.

------- Sigcheck -------

[-] 2008-04-28 . A55B8899D2EA2E800061BCFD456E34DC . 547328 . . [5.1.2600.5512] . . f:\windows\system32\winlogon.exe

[-] 2008-04-28 . AF8ED52D2A32C7729C7F91C72B8CCB10 . 724992 . . [5.82] . . f:\windows\system32\comctl32.dll

[-] 2008-03-20 . 1CA39C7E1423FF8821664E0E06FEA55E . 343040 . . [7.0.2600.5508] . . f:\windows\system32\msvcrt.dll

[-] 2008-03-20 . F92D8964B5286DE225BD2B6BF89764BE . 578560 . . [5.1.2600.5508] . . f:\windows\system32\user32.dll

[-] 2008-04-28 . D6B1F0681FFF4A819D3BC958B4EB6012 . 1558528 . . [6.00.2900.5512] . . f:\windows\explorer.exe

[-] 2008-04-26 . BC298B78B311397B421D4D52B44B49EC . 1614848 . . [5.1.2600.5512] . . f:\windows\system32\sfcfiles.dll

[-] 2008-04-28 . B5E8782D4AF1B3756F38E11E7C157BBE . 25088 . . [5.1.2600.5512] . . f:\windows\system32\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VeohPlugin"="f:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2010-01-26 2633976]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="f:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"ATIPTA"="f:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-09 344064]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"nltide_3"="advpack.dll" [2009-03-07 128512]

f:\documents and settings\Anyone\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - f:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

f:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - f:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-11-4 113664]
Adobe Reader Speed Launch.lnk - f:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "f:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- f:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="f:\program files\QuickTime\QTTask.exe" -atboottime
"eligmini"=f:\program files\Fisher-Price\Easy-Link internet launch pad\Easy-Link internet launch pad.exe 0
"IntelMeM"=f:\program files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"f:\\WINDOWS\\system32\\mmc.exe"=
"f:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"f:\\Program Files\\LimeWire\\LimeWire.exe"=
"f:\\WINDOWS\\system32\\dpvsetup.exe"=
"f:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"f:\\Program Files\\SecondLife\\SLVoice.exe"=
"f:\\Program Files\\Opera\\opera.exe"=
"f:\\WINDOWS\\system32\\sessmgr.exe"=

R1 SASDIFSV;SASDIFSV;f:\program files\SUPERAntiSpyware\SASDIFSV.SYS [1/5/2010 7:56 AM 12872]
R1 SASKUTIL;SASKUTIL;f:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 66632]
S3 BKNDIS5;BKNDIS5 NDIS Protocol Driver;\??\f:\progra~1\Belkin\F5D9050\BKNDIS5.SYS --> f:\progra~1\Belkin\F5D9050\BKNDIS5.SYS [?]
S3 SASENUM;SASENUM;f:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 12872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-02-24 f:\windows\Tasks\AppleSoftwareUpdate.job
- f:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://msn.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: &Search
IE: E&xport to Microsoft Excel - f:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - f:\documents and settings\Anyone\Application Data\Mozilla\Firefox\Profiles\i8ffj965.default\
FF - component: f:\documents and settings\Anyone\Application Data\Mozilla\Firefox\Profiles\i8ffj965.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - f:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
f:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
f:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
f:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
f:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
f:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
f:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
f:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
f:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
f:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
f:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
f:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
f:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
f:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
f:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
f:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
f:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

Notify-avgrsstarter - avgrsstx.dll
SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-27 23:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-73586283-1343024091-1417001333-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(688)
f:\windows\system32\SETUPAPI.dll
f:\windows\system32\sfc_os.dll
f:\program files\SUPERAntiSpyware\SASWINLO.dll
f:\windows\system32\WININET.dll
f:\windows\system32\COMRes.dll
f:\windows\system32\cscui.dll

- - - - - - - > 'lsass.exe'(744)
f:\windows\system32\setupapi.dll

- - - - - - - > 'explorer.exe'(3524)
f:\windows\system32\WININET.dll
f:\windows\system32\msctfime.ime
f:\windows\system32\COMRes.dll
f:\windows\System32\cscui.dll
f:\windows\system32\SETUPAPI.dll
f:\windows\system32\NETSHELL.dll
f:\windows\system32\credui.dll
f:\windows\system32\MSVCP60.dll
f:\windows\system32\webcheck.dll
f:\windows\system32\IEFRAME.dll
f:\windows\system32\WPDShServiceObj.dll
f:\windows\system32\PortableDeviceTypes.dll
f:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
f:\windows\system32\Ati2evxx.exe
f:\program files\Java\jre6\bin\jqs.exe
.
**************************************************************************
.
Completion time: 2010-02-27 23:40:52 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-28 05:40

Pre-Run: 467,679,801,344 bytes free
Post-Run: 467,665,678,336 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
f:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 6D2317D40DCEA01AE595271F624079A6

Also, I am trying to reinstall Windows Defender so I am not vulnerable to another virus, or, if I still have one, so it doesn't get worse. But I downloaded it from Microsoft, installed it and ran it, and it says it can't check for definitions and has an error code of x80080005. Do you know why this is? Is there another program that is reliable that I can use? I really don't want to go back to AVG again. Thanks.

Edited by youngmomma, 28 February 2010 - 02:07 AM.


#7 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:09:14 AM

Posted 28 February 2010 - 05:20 AM

Okay, there are a few things to do but we must clean the PC.


You must download and install a new antivirus first though.
  • Download and install an antivirus program, and make sure that you keep it updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Two good antivirus programs free for non-commercial home use are Avast! and Antivir
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.


Now we need to find a replacement file for the infected midimap.dll

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    CODE
    :filefind
    midimap*

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Edited by m0le, 28 February 2010 - 05:21 AM.

m0le is a proud member of UNITE

#8 youngmomma

youngmomma
  • Topic Starter

  • Members
  • 169 posts
  • OFFLINE
  • Local time:05:14 AM

Posted 28 February 2010 - 11:30 AM

OK, I will do this and post the new log. I have a quick question about memory. My hard drive says there is almost 100 percent free space, and the virtual memory says there is like 74% free. But every once in a while (before I ran ComboFix) it would pop up in the system tray that my virtual memory was low and Windows was increasing the page file. Is this also due to the virus? Has it been sucking up my memory? And I tried to install Yahoo Messenger a week ago and it said there had to be at least 100 MB free, and like I said, almost all the space on here is free. Is this just a glitch with Yahoo? Thanks, I will post the log shortly.

#9 youngmomma

youngmomma
  • Topic Starter

  • Members
  • 169 posts
  • OFFLINE
  • Local time:05:14 AM

Posted 28 February 2010 - 11:45 AM

Here is the mirror log.


SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 10:44 on 28/02/2010 by Anyone (Administrator - Elevation successful)

========== filefind ==========

Searching for "midimap*"
F:\WINDOWS\system32\midimap.dll --a--- 42496 bytes [09:19 28/04/2008] [09:19 28/04/2008] 66620EE56B0FFB1B267BD24ECF942A9B

-=End Of File=-

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:09:14 AM

Posted 28 February 2010 - 04:12 PM

Virtual memory may be caused by a number of things. Malware is one cause so we need to check you're clean before we look at other possibilities there.


The midimap.dll infection may be a red herring.


Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Go to Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

F:\WINDOWS\system32\midimap.dll

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at VirusTotal

#11 youngmomma

youngmomma
  • Topic Starter

  • Members
  • 169 posts
  • OFFLINE
  • Local time:05:14 AM

Posted 28 February 2010 - 07:31 PM

I don't know what you meant by log. I can't get to one for this, so this is what I copied and pasted.


File size: 42496 bytes
Filetype: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
MD5: 66620ee56b0ffb1b267bd24ecf942a9b
SHA1: 10ec4abdc5c203f60a559160a4d3c133185b836a



[ArcaVir]
2010-02-23 Found nothing
[F-Secure Anti-Virus]
2010-02-28 Found nothing
[A-Squared]
2010-02-23 Found nothing
[G DATA]
2010-02-23 Found nothing
[Avast! antivirus]
2010-02-23 Found nothing
[Ikarus]
2010-02-23 Found nothing
[Grisoft AVG Anti-Virus]
2010-02-28 Found nothing
[Kaspersky Anti-Virus]
2010-02-23 Found nothing
[Avira AntiVir]
2010-02-23 Found nothing
[ESET NOD32]
2010-02-23 Found nothing
[Softwin BitDefender]
2010-02-23 Found nothing
[Panda Antivirus]
2010-02-22 Found nothing
[ClamAV]
2010-03-01 Found nothing
[Quick Heal]
2010-02-23 Found nothing
[CPsecure]
2010-02-23 Found nothing
[Sophos]
2010-02-28 Found nothing
[Dr.Web]
2010-03-01 Found nothing
[VirusBlokAda VBA32]
2010-02-22 Found nothing
[Frisk F-Prot Antivirus]
2010-02-22 Found nothing
[VirusBuster]
2010-02-22 Found nothing

Filename: midimap.dll
Status:
Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Mon 1 Mar 2010 01:28:40 (CET) Permalink

Edited by youngmomma, 28 February 2010 - 07:32 PM.
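The file-verification steps above (SystemLook's ':filefind' for midimap*, then the pasted Jotti report) as an added Python example, not code from the thread, from SystemLook or from Jotti: it parses both outputs as they were pasted and confirms that the file hashed locally is the one the online scanners examined, then summarises what was flagged. The sample inputs are the lines quoted in the thread; the Jotti block is abridged to three scanners.

```python
# Added example (not from the thread, SystemLook or Jotti): tie a SystemLook
# ':filefind' hit to the pasted Jotti report before trusting the verdict.
import re

# Constructed from the SystemLook log posted in the thread.
SYSTEMLOOK_LOG = r"""SystemLook v1.0 by jpshortstuff (11.01.10)
========== filefind ==========
Searching for "midimap*"
F:\WINDOWS\system32\midimap.dll --a--- 42496 bytes [09:19 28/04/2008] [09:19 28/04/2008] 66620EE56B0FFB1B267BD24ECF942A9B
-=End Of File=-
"""

# Constructed from the Jotti result pasted in the thread, abridged to three scanners.
JOTTI_RESULT = """File size: 42496 bytes
MD5: 66620ee56b0ffb1b267bd24ecf942a9b
SHA1: 10ec4abdc5c203f60a559160a4d3c133185b836a
[ArcaVir]
2010-02-23 Found nothing
[F-Secure Anti-Virus]
2010-02-28 Found nothing
[ClamAV]
2010-03-01 Found nothing
"""

# path  attributes  size bytes  [created] [modified]  MD5  (the path may contain spaces)
FILEFIND_RE = re.compile(
    r"^(?P<path>\S.*?)\s+(?P<attrs>[-a-zA-Z]{6})\s+(?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)

def parse_filefind(log_text):
    """Return one dict per file hit in a SystemLook ':filefind' section."""
    hits = []
    for line in log_text.splitlines():
        m = FILEFIND_RE.match(line.strip())
        if m:
            hit = m.groupdict()
            hit["size"] = int(hit["size"])
            hit["md5"] = hit["md5"].lower()  # Jotti prints the MD5 in lower case
            hits.append(hit)
    return hits

def parse_jotti(result_text):
    """Return size, hashes and per-scanner verdicts from a pasted Jotti report."""
    report = {"size": None, "md5": None, "sha1": None, "scanners": {}}
    lines = [ln.strip() for ln in result_text.splitlines() if ln.strip()]
    for i, line in enumerate(lines):
        if line.startswith("File size:"):
            report["size"] = int(line.split()[2])
        elif line.startswith("MD5:"):
            report["md5"] = line.split()[1].lower()
        elif line.startswith("SHA1:"):
            report["sha1"] = line.split()[1].lower()
        elif line.startswith("[") and line.endswith("]") and i + 1 < len(lines):
            # "[Scanner]" is followed by "YYYY-MM-DD <verdict>"
            date, _, verdict = lines[i + 1].partition(" ")
            report["scanners"][line[1:-1]] = (date, verdict)
    return report

def cross_check(systemlook_text=SYSTEMLOOK_LOG, jotti_text=JOTTI_RESULT):
    """For each local hit: was it the file Jotti scanned, and which scanners flagged it?"""
    report = parse_jotti(jotti_text)
    flagged = {name: v for name, (_, v) in report["scanners"].items()
               if v != "Found nothing"}
    return [{
        "path": hit["path"],
        "same_file": hit["md5"] == report["md5"] and hit["size"] == report["size"],
        "scanners": len(report["scanners"]),
        "flagged": flagged,
    } for hit in parse_filefind(systemlook_text)]
```

A hit with `same_file` False means the hash shown by Jotti is not the file found locally (wrong file uploaded, or the file changed between the two steps), so the clean verdict says nothing about the file on disk.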


#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:09:14 AM

Posted 28 February 2010 - 07:36 PM

I didn't mention a log

QUOTE
Please post back the results of the scan in your next post.


Copying and pasting the result was right.


Looks like midimap.dll is not infected at all, which means we can now move on to the online scan to remove any remnants lurking about.

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push



#13 youngmomma

youngmomma
  • Topic Starter

  • Members
  • 169 posts
  • OFFLINE
  • Local time:05:14 AM

Posted 02 March 2010 - 11:29 PM

OK, it found two things. I just recently tried Opera to see if it was any good. One of the infections was in the cache; is this browser unsafe to use? Thanks again for all the help you have given me so far, and all the help you will give me in the future. You guys are great.

By the way, you didn't say to, but I clicked to delete the bad files and then clicked Finish. I hope this was OK.


F:\Documents and Settings\Anyone\Application Data\Sun\Java\Deployment\cache\6.0\40\5da228e8-72cff617 multiple threats deleted - quarantined
F:\Documents and Settings\Anyone\Local Settings\Application Data\Opera\Opera\cache\opr00CGH JS/Exploit.Pdfka.BQP trojan cleaned by deleting - quarantined


#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:09:14 AM

Posted 03 March 2010 - 08:07 AM

Browsers carry malware in their cache sometimes but once that is cleared they are 100% safe.

Removing the entries was fine also.

How is the PC performing now?

#15 youngmomma

youngmomma
  • Topic Starter

  • Members
  • 169 posts
  • OFFLINE
  • Local time:05:14 AM

Posted 03 March 2010 - 09:11 AM

It is running better than before. Should all my file problems I was having in previous topics be OK now as well? I still do not have Task Manager, but I guess if that is my biggest complaint we are doing good. Ty.
