Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Win32\TrojanDownloader.Agent.NXY trojan (drsb.exe)


  • Please log in to reply
27 replies to this topic

#1 lakan299

lakan299

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cebu, Philippines
  • Local time:01:02 PM

Posted 02 April 2010 - 09:40 PM


DDS (Ver_10-03-17.01) - NTFSx86
Run by JAGNA PNP at 9:21:36.10 on Sat 04/03/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.735.286 [GMT 8:00]

AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\FsUsbExService.Exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\JAGNA PNP\Desktop\Defogger.exe
C:\Documents and Settings\JAGNA PNP\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://google.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uDefault_Page_URL = about:blank
uDefault_Search_URL = hxxp://google.com
mDefault_Page_URL = about:blank
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
mStart Page = about:blank
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
uURLSearchHooks: H - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {0dd4955c-8072-41cc-a89d-c10acdd9b1a0} - c:\windows\system32\cdfvie.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5b668cbe-06c0-4828-b4df-1ee031da45ce} - c:\windows\system32\cfgbken.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: {6d46cca0-aff1-4b93-abe5-7aac3f37cb99} - c:\windows\system32\comre.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {e12672c2-9c2e-4081-ac19-43dcf9de5dbb} - c:\windows\system32\colbac.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
uRun: [nav_x] c:\smss.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Rainlendar2] c:\program files\rainlendar2\Rainlendar2.exe
mRun: [QuickTime Task] "c:\program files\k-lite codec pack\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [Autorun Buster] c:\windows\system32\Zero.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mPolicies-system: NoDispAppearancePage = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/ZwinkyInitialSetup1.0.1.1.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jagnap~1\applic~1\mozilla\firefox\profiles\8pwd6lfd.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2405723&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2405723&SearchSource=13
FF - component: c:\documents and settings\jagna pnp\application data\mozilla\firefox\profiles\8pwd6lfd.default\extensions\{952d8189-ea25-431b-8ed6-7758dcc933d1}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\jagna pnp\application data\mozilla\firefox\profiles\8pwd6lfd.default\extensions\{952d8189-ea25-431b-8ed6-7758dcc933d1}\components\RadioWMPCore.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 yjqpnlpl;yjqpnlpl;c:\windows\system32\drivers\yjqpnlpl.sys [2001-8-23 23424]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-3-14 33800]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2008-3-14 472320]
R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2009-11-18 233472]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2009-11-18 36608]
S2 DllSrv Service Controler;DllSrv Service Controler;"c:\windows\system32\drivers\dllsrv.exe" --> c:\windows\system32\drivers\DllSrv.exe [?]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [2001-8-23 3584]

=============== Created Last 30 ================

2010-04-03 01:18:14 0 ----a-w- c:\documents and settings\jagna pnp\defogger_reenable
2010-04-02 17:07:24 0 d-----w- c:\program files\FileASSASSIN
2010-04-02 16:20:22 0 d-----w- c:\program files\Trojan Killer
2010-04-01 14:49:50 0 d-----w- c:\program files\Ask.com
2010-03-31 05:21:18 0 d-----w- c:\program files\TrendMicro
2010-03-30 06:41:42 0 d--h--w- c:\windows\$hf_mig$
2010-03-26 00:35:53 15464 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-03-26 00:35:53 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-03-26 00:31:30 0 d-----w- c:\program files\iPod
2010-03-26 00:31:13 0 d-----w- c:\program files\iTunes
2010-03-26 00:31:13 0 d-----w- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2010-03-19 15:58:39 0 d-----w- c:\documents and settings\all users\slzar

==================== Find3M ====================

2010-02-14 04:24:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-04 00:01:52 218624 ----a-w- c:\windows\system32\uxtheme.dll
2010-01-11 20:27:13 125 ----a-w- c:\docume~1\alluse~1\applic~1\xlink.sys

============= FINISH: 9:22:29.70 ===============

++++ A brief description of what i have +++++

I have NOD32 and it has detected this:Win32\TrojanDownloader.Agent.NXY trojan (drsb.exe).

However, it cannot clean/delete the file since access is denied (given it is being used by another program- i dont know which one)

I have located the file (drsb.exe) regular delete does not work.

Ive tried File Assassin/KillBox/OTmoveIT and even manually deletion by the command propt.. to no avail, futile....

++++ i had this reply from moderator ++++

Hello and welcome.
We need a deeper look,please go here....
Preparation Guide ,do steps 6 - 9.

Create a DDS log and post it in the new topic from step 9. Not here.
If Gmer won't run,skip it and move on.
Let me know if that went well.

>> I did just that and was able to do 6,7, and 9

had a glitch with the GMER.EXE, every time i try to run the program the pc just reboots (crash)... tried a couple of times but its still the same.... so i skipped...

thats pretty much all i know... thanks for all your help.

sincerely, lakan299

Attached Files


"One More Bite A Little Closer to the Bones"


BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:07:02 AM

Posted 03 April 2010 - 03:36 AM

Hi,

Ever wondered how you got infected? I see you are using a hacked version of Eset (NOD32) to bypass registration. Illegal software or their hacks/cracks are ALWAYS a source of malware and as long as you continue with this trend, you'll always get infected as well.

Anyway, * Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • In case you already used MBAM previously, please update it before proceeding with the scan. To do this, click the "Update" tab and click the "Check For updates" button.
  • Once the program has loaded and updates were downloaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 lakan299

lakan299
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cebu, Philippines
  • Local time:01:02 PM

Posted 03 April 2010 - 09:08 AM

Hi there,

you are using a hacked version of Eset (NOD32) to bypass registration-- that is embarassing, i must admit. Ill be sure to replace that one with a genuine as soon as i can... Thanks for that...really..

Heres my logs..

================================================================================

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3948

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

4/3/2010 9:42:27 PM
mbam-log-2010-04-03 (21-42-27).txt

Scan type: Quick scan
Objects scanned: 122105
Time elapsed: 24 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 14
Registry Values Infected: 8
Registry Data Items Infected: 4
Folders Infected: 4
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Documents and Settings/JAGNA PNP/Local Settings/Temp/vvtrdemv.dat (Rootkit.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vvtrdemv.dat (Rootkit.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vvtrdemv.dat (Rootkit.Agent) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\MADOWN (Worm.Magania) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{00a6faf6-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\exefile\nevershowext (Trojan.Autorun) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\kr_done1 (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nav_x (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\JAGNA PNP\Local Settings\Temp\vvtrdemv.dat (Rootkit.Agent) -> Delete on reboot.
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kr_done1 (Malware.Trace) -> Quarantined and deleted successfully.


===============================================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:03:11 PM, on 4/3/2010
Platform: Windows XP SP2 (WinNT

5.01.2600)
MSIE: Internet Explorer v6.00 SP2

(6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32

Antivirus\egui.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\Nokia\Nokia PC Suite

7\PCSuite.exe
C:\Program Files\ESET\ESET NOD32

Antivirus\ekrn.exe
C:\WINDOWS\system32\FsUsbExService.Ex

e
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PC Connectivity

Solution\ServiceLayer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Skype\Plugin

Manager\skypePM.exe
C:\Program Files\PC Connectivity

Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity

Solution\Transports\NclRSSrv.exe
C:\Program

Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Malwarebytes'

Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet

Explorer\Main,Default_Page_URL =

about:blank
R1 - HKCU\Software\Microsoft\Internet

Explorer\Main,Default_Search_URL =

http://google.com
R1 - HKCU\Software\Microsoft\Internet

Explorer\Main,Search Bar =

http://us.rd.yahoo.com/customize/ie/defaults/

sb/msgr8/*http://www.yahoo.com/ext/search/

search.html
R1 - HKCU\Software\Microsoft\Internet

Explorer\Main,Search Page =

http://google.com
R0 - HKCU\Software\Microsoft\Internet

Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Default_Page_URL =

about:blank
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Default_Search_URL =

http://us.rd.yahoo.com/customize/ie/defaults/

su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Search Bar =

http://us.rd.yahoo.com/customize/ie/defaults/

sb/msgr8/*http://www.yahoo.com/ext/search/

search.html
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Search Page =

http://us.rd.yahoo.com/customize/ie/defaults/

sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet

Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet

Explorer\SearchURL,(Default) =

http://us.rd.yahoo.com/customize/ie/defaults/

su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar -

{EF99BD32-C1FB-11D2-892F-0090271D4F88}

-

C:\PROGRA~1\Yahoo!\Companion\Installs\cp

n0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper -

{02478D38-C3F9-4efb-9B51-7695ECA05670} -

C:\PROGRA~1\Yahoo!\Companion\Installs\cp

n0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper -

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3

} - C:\Program Files\Common

Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) -

{0DD4955C-8072-41CC-A89D-C10ACDD9B1A

0} - C:\WINDOWS\system32\cdfvie.dll (file

missing)
O2 - BHO: AcroIEHelperStub -

{18DF081C-E8AD-4283-A596-FA578C2EBDC

3} - C:\Program Files\Common

Files\Adobe\Acrobat\ActiveX\AcroIEHelperShi

m.dll
O2 - BHO: (no name) -

{5B668CBE-06C0-4828-B4DF-1EE031DA45C

E} - C:\WINDOWS\system32\cfgbken.dll (file

missing)
O2 - BHO: Yahoo! IE Services Button -

{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A789

7} - C:\Program

Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) -

{6D46CCA0-AFF1-4B93-ABE5-7AAC3F37CB

99} - C:\WINDOWS\system32\comre.dll (file

missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper -

{DBC80044-A445-435b-BC74-9C25C1C588A9

} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) -

{E12672C2-9C2E-4081-AC19-43DCF9DE5DB

B} - C:\WINDOWS\system32\colbac.dll (file

missing)
O2 - BHO: JQSIEStartDetectorImpl -

{E7E6F031-17CE-4C07-BC86-EABFE594F69

C} - C:\Program

Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class -

{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081

} -

C:\PROGRA~1\Yahoo!\Companion\Installs\cp

n0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar -

{EF99BD32-C1FB-11D2-892F-0090271D4F88}

-

C:\PROGRA~1\Yahoo!\Companion\Installs\cp

n0\yt.dll
O4 - HKLM\..\Run: [QuickTime Task]

"C:\Program Files\K-Lite Codec

Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed

Launcher] "C:\Program Files\Adobe\Reader

9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [egui] "C:\Program

Files\ESET\ESET NOD32 Antivirus\egui.exe"

/hide /waitservice
O4 - HKLM\..\Run:

[BluetoothAuthenticationAgent] rundll32.exe

bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Autorun Buster]

c:\windows\system32\Zero.exe
O4 - HKLM\..\Run: [iTunesHelper]

"C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Messenger (Yahoo!)]

"C:\Program

Files\Yahoo!\Messenger\YahooMessenger.ex

e" -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program

Files\Skype\Phone\Skype.exe" /nosplash

/minimized
O4 - HKCU\..\Run: [Rainlendar2] C:\Program

Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [PC Suite Tray]

"C:\Program Files\Nokia\Nokia PC Suite

7\PCSuite.exe" -onlytray
O8 - Extra context menu item: E&xport to

Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\OFFICE11\E

XCEL.EXE/3000
O9 - Extra button: Yahoo! Services -

{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A789

7} - C:\Program

Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research -

{92780B25-18CC-41C8-B9BE-3C9C571A8263

} -

C:\PROGRA~1\MICROS~2\OFFICE11\REFIE

BAR.DLL
O9 - Extra button: Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683}

- C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows

Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683}

- C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP:

c:\windows\system32\nwprovau.dll
O16 - DPF:

{30528230-99f7-4bb4-88d8-fa1d4f56a2ab}

(Installation Support) - C:\Program

Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: skype4com -

{FFC8B962-9B40-4DFF-9458-1830C7DD7F5D

} -

C:\PROGRA~1\COMMON~1\Skype\SKYPE4

~1.DLL
O23 - Service: DllSrv Service Controler -

Unknown owner -

C:\WINDOWS\system32\drivers\DllSrv.exe

(file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) -

ESET - C:\Program Files\ESET\ESET NOD32

Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET -

C:\Program Files\ESET\ESET NOD32

Antivirus\ekrn.exe
O23 - Service: FsUsbExService - Teruten -

C:\WINDOWS\system32\FsUsbExService.Ex

e
O23 - Service: iPod Service - Apple Inc. -

C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter

(JavaQuickStarterService) - Sun

Microsystems, Inc. - C:\Program

Files\Java\jre6\bin\jqs.exe
O23 - Service: ServiceLayer - Nokia. -

C:\Program Files\PC Connectivity

Solution\ServiceLayer.exe
O24 - Desktop Component 0: (no name) -

file:///C:/DOCUME~1/JAGNAP~1/LOCALS~1/

Temp/msohtml1/01/clip_image002.jpg

--
End of file - 7140 bytes

"One More Bite A Little Closer to the Bones"


#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:07:02 AM

Posted 03 April 2010 - 09:32 AM

Hi,

The current formatting of your log makes it difficult to read, so in notepad:
On top, click Format >uncheck Word Wrap
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 lakan299

lakan299
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cebu, Philippines
  • Local time:01:02 PM

Posted 03 April 2010 - 03:13 PM

hello,

sorry bout that.. smile.gif

===============================================================================

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3948

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

4/3/2010 9:42:27 PM
mbam-log-2010-04-03 (21-42-27).txt

Scan type: Quick scan
Objects scanned: 122105
Time elapsed: 24 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 14
Registry Values Infected: 8
Registry Data Items Infected: 4
Folders Infected: 4
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Documents and Settings/JAGNA PNP/Local Settings/Temp/vvtrdemv.dat (Rootkit.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vvtrdemv.dat (Rootkit.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vvtrdemv.dat (Rootkit.Agent) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\MADOWN (Worm.Magania) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{00a6faf6-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\exefile\nevershowext (Trojan.Autorun) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\kr_done1 (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nav_x (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\JAGNA PNP\Local Settings\Temp\vvtrdemv.dat (Rootkit.Agent) -> Delete on reboot.
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kr_done1 (Malware.Trace) -> Quarantined and deleted successfully.

==============================================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:03:11 PM, on 4/3/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\FsUsbExService.Exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0DD4955C-8072-41CC-A89D-C10ACDD9B1A0} - C:\WINDOWS\system32\cdfvie.dll (file missing)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5B668CBE-06C0-4828-B4DF-1EE031DA45CE} - C:\WINDOWS\system32\cfgbken.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {6D46CCA0-AFF1-4B93-ABE5-7AAC3F37CB99} - C:\WINDOWS\system32\comre.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {E12672C2-9C2E-4081-AC19-43DCF9DE5DBB} - C:\WINDOWS\system32\colbac.dll (file missing)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Autorun Buster] c:\windows\system32\Zero.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: DllSrv Service Controler - Unknown owner - C:\WINDOWS\system32\drivers\DllSrv.exe (file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FsUsbExService - Teruten - C:\WINDOWS\system32\FsUsbExService.Exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/JAGNAP~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 7140 bytes

"One More Bite A Little Closer to the Bones"


#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:07:02 AM

Posted 03 April 2010 - 05:32 PM

Hi,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {0DD4955C-8072-41CC-A89D-C10ACDD9B1A0} - C:\WINDOWS\system32\cdfvie.dll (file missing)
O2 - BHO: (no name) - {5B668CBE-06C0-4828-B4DF-1EE031DA45CE} - C:\WINDOWS\system32\cfgbken.dll (file missing)
O2 - BHO: (no name) - {6D46CCA0-AFF1-4B93-ABE5-7AAC3F37CB99} - C:\WINDOWS\system32\comre.dll (file missing)
O2 - BHO: (no name) - {E12672C2-9C2E-4081-AC19-43DCF9DE5DBB} - C:\WINDOWS\system32\colbac.dll (file missing)
O4 - HKLM\..\Run: [Autorun Buster] c:\windows\system32\Zero.exe
O23 - Service: DllSrv Service Controler - Unknown owner - C:\WINDOWS\system32\drivers\DllSrv.exe (file missing)
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/JAGNAP~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Let me know in your next reply how things are now.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 lakan299

lakan299
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cebu, Philippines
  • Local time:01:02 PM

Posted 03 April 2010 - 11:34 PM

Hello,

i did what was instructed... (fixed/cleaned all ten of them)

here are my observations:

sadly, start up/running my system is still the same, it doesn't seem to have improved.. Like opening Firefox still takes a long time... and my (drsb.exe) still exists..

Please bear with me on this.. I guess i need some more of your time...

sincerely,

Mon


"One More Bite A Little Closer to the Bones"


#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:07:02 AM

Posted 04 April 2010 - 02:21 AM

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix..This because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and blocks the tool, or even deletes it. Please visit HERE if you don't know how.



AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 lakan299

lakan299
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cebu, Philippines
  • Local time:01:02 PM

Posted 04 April 2010 - 08:56 AM

Hello,

Did as instructed.. but i only had combofix running upto the 50th stage and then the pc reboots.. it was not able to create the log file at C:\combofix.txt

when the pc was back online i checked c:\ but only found a pc icon named ComboFix with a tag which reads "Shows the disk drives and hardware connected to this computer"

Sorry, did not find anything on the ComboFix manual which talks about crashes, so i had to ask you...

Should i try running combofix again? or any instructions? mellow.gif

"One More Bite A Little Closer to the Bones"


#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:07:02 AM

Posted 04 April 2010 - 01:35 PM

Hi,
Did you disable Eset before you ran the scan?
Combofix automatically creates the log after reboot, unless some antivirus was interfering with it.
That's why I suggest you run Combofix once again.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 lakan299

lakan299
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cebu, Philippines
  • Local time:01:02 PM

Posted 04 April 2010 - 09:09 PM

Mayng Buntag, smile.gif

I tried running combofix a number of times but still it was not able to complete the process. the last thing in its screen was "deleting files" then the pc reboots.. Still there are no logs in drive c:\...

I also closed all programs, including the ones in the notification tray, and security center and my hacked NOD32 (disabled)..
I also tried it while security center and Eset services are disabled through the msconfig.. still crashes before it finishes the whole process..

tried searching the web as well for similar problem, didn't find any.. mellow.gif

Edited by lakan299, 04 April 2010 - 11:58 PM.

"One More Bite A Little Closer to the Bones"


#12 lakan299

lakan299
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cebu, Philippines
  • Local time:01:02 PM

Posted 05 April 2010 - 12:39 AM

Hi there,

Id like to add that, although i was not able to have combofix finish the whole process, i noticed that booting/ boot up process is much much faster now... plus, i viewed the temporary files where i first located the drsb.exe and they were gone, in fact most of the files there are gone...

anyways, those are just my observations.. you'll have the last word... thumbup2.gif

"One More Bite A Little Closer to the Bones"


#13 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:07:02 AM

Posted 05 April 2010 - 01:13 AM

Hi,


Can you post a new DDS log?
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#14 lakan299

lakan299
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cebu, Philippines
  • Local time:01:02 PM

Posted 05 April 2010 - 03:30 AM

Hi there,

Sorry for the late reply,

Here it is:



DDS (Ver_10-03-17.01) - NTFSx86
Run by JAGNA PNP at 16:22:02.21 on Mon 04/05/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.735.212 [GMT 8:00]

AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
svchost.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\FsUsbExService.Exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Globe Telecom\Click Fix\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\JAGNA PNP\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://google.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uDefault_Page_URL = about:blank
uDefault_Search_URL = hxxp://google.com
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: {6d46cca0-aff1-4b93-abe5-7aac3f37cb99} - c:\windows\system32\comre.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Rainlendar2] c:\program files\rainlendar2\Rainlendar2.exe
uRun: [PC Suite Tray] "c:\program files\nokia\nokia pc suite 7\PCSuite.exe" -onlytray
mRun: [QuickTime Task] "c:\program files\k-lite codec pack\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [globe] c:\program files\globe telecom\click fix\bin\sprtcmd.exe /P globe
mPolicies-system: NoDispAppearancePage = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jagnap~1\applic~1\mozilla\firefox\profiles\8pwd6lfd.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2405723&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2405723&SearchSource=13
FF - component: c:\documents and settings\jagna pnp\application data\mozilla\firefox\profiles\8pwd6lfd.default\extensions\{952d8189-ea25-431b-8ed6-7758dcc933d1}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\jagna pnp\application data\mozilla\firefox\profiles\8pwd6lfd.default\extensions\{952d8189-ea25-431b-8ed6-7758dcc933d1}\components\RadioWMPCore.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-3-14 33800]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2008-3-14 472320]
R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2009-11-18 233472]
R2 sprtsvc_globe;SupportSoft Sprocket Service (globe);c:\program files\globe telecom\click fix\bin\sprtsvc.exe [2010-4-5 200384]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2009-11-18 36608]
S0 yjqpnlpl;yjqpnlpl;c:\windows\system32\drivers\yjqpnlpl.sys [2001-8-23 23424]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [2001-8-23 3584]
S4 DllSrv Service Controler;DllSrv Service Controler;"c:\windows\system32\drivers\dllsrv.exe" --> c:\windows\system32\drivers\DllSrv.exe [?]

=============== Created Last 30 ================

2010-04-05 05:13:18 0 d-s---w- C:\ComboFix
2010-04-05 03:50:11 0 d-----w- c:\program files\common files\SupportSoft
2010-04-05 03:48:44 0 d-----w- c:\program files\Globe Telecom
2010-04-04 13:30:19 0 d-sha-r- C:\cmdcons
2010-04-04 13:27:16 98816 ----a-w- c:\windows\sed.exe
2010-04-04 13:27:16 77312 ----a-w- c:\windows\MBR.exe
2010-04-04 13:27:16 261632 ----a-w- c:\windows\PEV.exe
2010-04-04 13:27:16 161792 ----a-w- c:\windows\SWREG.exe
2010-04-03 13:14:04 0 d-----w- c:\docume~1\jagnap~1\applic~1\Malwarebytes
2010-04-03 13:12:16 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-03 01:18:14 0 ----a-w- c:\documents and settings\jagna pnp\defogger_reenable
2010-04-01 14:49:50 0 d-----w- c:\program files\Ask.com
2010-03-30 06:41:42 0 d--h--w- c:\windows\$hf_mig$
2010-03-26 00:35:53 15464 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-03-26 00:35:53 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-03-26 00:31:30 0 d-----w- c:\program files\iPod
2010-03-26 00:31:13 0 d-----w- c:\program files\iTunes
2010-03-26 00:31:13 0 d-----w- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2010-03-19 15:58:39 0 d-----w- c:\documents and settings\all users\slzar

==================== Find3M ====================

2010-02-14 04:24:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-04 00:01:52 218624 ----a-w- c:\windows\system32\uxtheme.dll
2010-01-11 20:27:13 125 ----a-w- c:\docume~1\alluse~1\applic~1\xlink.sys

============= FINISH: 16:22:50.15 ===============


Attached Files


"One More Bite A Little Closer to the Bones"


#15 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:07:02 AM

Posted 05 April 2010 - 04:04 AM

Hi,

Let's try something with Combofix anyway. I hope It will run properly now...

But first of all, I want you to uninstall the hacked/cracked version of Eset first, because there's no point in cleaning up a system if illegal software is used.
After you have uninstalled Eset, reboot.

After reboot,

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

QUOTE
File::
c:\windows\system32\drivers\yjqpnlpl.sys
c:\windows\system32\comre.dll
Folder::
c:\program files\Ask.com
Driver::
NOD32FiXTemDono
DllSrv Service Controler
yjqpnlpl
Filelook::
c:\windows\system32\uxtheme.dll
Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d46cca0-aff1-4b93-abe5-7aac3f37cb99}]


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users