
Removal Guide for AntiSpyware Soft not working.


  • This topic is locked
18 replies to this topic

#1 PinkElephantP

PinkElephantP

  • Members
  • 14 posts
  • OFFLINE
  • Gender:Female
  • Location:california
  • Local time:05:22 AM

Posted 21 May 2010 - 03:58 PM

I have gotten AntiSpyware Soft on my computer and don't know how. It has COMPLETELY taken over my system, and I tried to follow the removal guide here on BleepingComputer, but like most other removal guides for this spyware, I am required to restart my computer in Safe Mode with Networking, and when I choose that option after pressing F8, my screen goes blue and says something about an error, and that I must have a virus, bla bla. And then, in order to move on, the only option is to turn the computer off and restart normally. So my question is: HOW do I get rid of this thing using another method, if there is one? PLEASE HELP ME!

Edited by Pandy, 21 May 2010 - 04:21 PM.
Moved from Malware Removal to a more appropriate forum ~Pandy



#2 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  • Gender:Male
  • Location:US
  • Local time:06:22 AM

Posted 23 May 2010 - 08:41 PM

Hello PinkElephantP and welcome to BleepingComputer

Let us see if we can get Safe mode to run.

Please download and run SafeBootKeyRepair.exe.

Once it has completed, please try booting into Safe Mode. If you can, please attempt to proceed with Remove Antivirus Soft (Uninstall Guide). If you are unable to boot into Safe Mode after running the above tool, or if you run into further difficulties with the guide please reply back to this topic and let me know so that we can take a different approach.

~Blade

Edited by Blade Zephon, 23 May 2010 - 08:42 PM.


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+
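
The name of the tool in the post above points at what it repairs: the HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot key, whose Minimal and Network subkeys list the driver groups, services and device classes that a Safe Mode boot is allowed to load. When those subkeys are missing, the Safe Mode boot cannot complete, which matches the symptom described in the first post. The script below is an added example, not the thread's repair tool and not from BleepingComputer; it checks an export of that key offline, so the state of the key can be inspected (or kept as evidence) before anything is rewritten. It assumes the export was produced on the affected machine with `reg export HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot safeboot.reg`; the two sample exports are constructed inline, and the short lists of entries it treats as essential are an illustrative selection, not the complete XP layout.

```python
r"""Offline check of a SafeBoot registry export for the keys Safe Mode needs.

Added example, not the thread's repair tool. It assumes the export was taken
on the affected machine with
    reg export HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot safeboot.reg
(reg.exe writes UTF-16 with a BOM; load_reg_file() handles that). The entry
lists treated as essential below are an illustrative assumption, not the
full layout of the real keys.
"""
import re

SAFEBOOT = r"hkey_local_machine\system\currentcontrolset\control\safeboot"

# Driver groups / device-class GUIDs an XP Safe Mode boot loads.
# Assumed minimal selection; the real keys hold many more entries.
ESSENTIAL = {
    "Minimal": [
        "Base", "Boot Bus Extender", "Boot file system", "File system",
        "Primary disk", "System Bus Extender",
        "{4D36E967-E325-11CE-BFC1-08002BE10318}",  # DiskDrive class
    ],
    "Network": [
        "Base", "Boot Bus Extender", "Boot file system", "File system",
        "Primary disk", "System Bus Extender", "NDIS Wrapper", "Tcpip",
        "{4D36E972-E325-11CE-BFC1-08002BE10318}",  # Net class
    ],
}

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")


def parse_reg_export(text):
    """Return {lower-cased key path: {value name: raw data}} from .reg text.

    Continuation lines of multi-line hex values carry no '=' and are skipped;
    this check only needs to know which keys exist.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group("key").lower()   # registry paths are case-insensitive
            keys.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip().strip('"')] = data.strip()
    return keys


def load_reg_file(path):
    """Read a .reg file as text whichever encoding reg.exe or regedit used."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("latin-1")


def check_safeboot(keys):
    """Report the SafeBoot subkeys a Safe Mode boot needs that are absent."""
    report = {"safeboot_present": SAFEBOOT in keys, "missing": {}}
    for mode, entries in ESSENTIAL.items():
        mode_key = f"{SAFEBOOT}\\{mode.lower()}"
        if mode_key not in keys:
            report["missing"][mode] = ["<entire key>"]   # that boot mode is gone
            continue
        gone = [e for e in entries if f"{mode_key}\\{e.lower()}" not in keys]
        if gone:
            report["missing"][mode] = gone
    report["ok"] = report["safeboot_present"] and not report["missing"]
    return report


def _constructed_export(subkeys):
    """Constructed sample .reg text: the SafeBoot key plus the given subkeys."""
    root = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"
    lines = ["Windows Registry Editor Version 5.00", "", f"[{root}]",
             '"AlternateShell"="cmd.exe"', ""]
    for sub in subkeys:
        lines += [f"[{root}\\{sub}]", '@="Driver Group"', ""]
    return "\n".join(lines)


HEALTHY_EXPORT = _constructed_export(
    ["Minimal"] + [f"Minimal\\{e}" for e in ESSENTIAL["Minimal"]]
    + ["Network"] + [f"Network\\{e}" for e in ESSENTIAL["Network"]])

# Network gone entirely, Minimal stripped to two groups: Safe Mode will not boot.
DAMAGED_EXPORT = _constructed_export(["Minimal", "Minimal\\Base", "Minimal\\File system"])

if __name__ == "__main__":
    for label, text in (("healthy", HEALTHY_EXPORT), ("damaged", DAMAGED_EXPORT)):
        print(label, check_safeboot(parse_reg_export(text)))
```

If the whole SafeBoot key has been deleted, `reg export` reports that the key does not exist and writes no file; feeding the checker an empty string stands in for that case and yields `safeboot_present: False`. Once the report shows what is missing, the repair itself is what the downloaded tool does; this script only reads.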


#3 PcProbs

PcProbs

  • Members
  • 28 posts
  • OFFLINE
  • Local time:05:22 AM

Posted 23 May 2010 - 09:29 PM

Hi, I'm having the same problem and I tried that tool, but it does not work on Windows 7. Could you please tell me if there is an updated tool or another way that I could get into Safe Mode?

#4 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  • Gender:Male
  • Location:US
  • Local time:06:22 AM

Posted 23 May 2010 - 09:42 PM

PcProbs: Please start your own thread for help with your issue. This will help to eliminate confusion.

Additionally, attempting to use instructions that were created for another computer is a rather dangerous practice, for a couple reasons. Many infections may have similar symptoms, but can be substantially different in their construction and thus require different removal methods. It takes a good deal of training to be able to correctly identify some of these infections, and attempting an improper removal can sometimes cause a number of problems, including rendering your computer unable to start correctly. Additionally, each computer is different, and considerations must be made in the preparation of a fix to cause the least amount of disturbance to the machine.

~Blade



#5 PinkElephantP

PinkElephantP
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Gender:Female
  • Location:california
  • Local time:05:22 AM

Posted 24 May 2010 - 12:46 AM

Thanks Blade Zephon! Doing the SafeBootKeyRepair worked, and I was able to remove the rest of the virus. The only trace left of it is that when I do a Google search and click my desired link, it redirects me to random websites. I then click BACK and re-click the link, and then it takes me to the right place. Any suggestions on what I can do?

#6 PinkElephantP

PinkElephantP
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Gender:Female
  • Location:california
  • Local time:05:22 AM

Posted 24 May 2010 - 12:49 AM

AHHHH! Blade! As I was replying to you, a second tab in my IE opened up, and I went to see what it was, and a box popped up, looking like one from my system, saying "Danger! Your system is being attacked by a virus" or whatever, I don't remember exactly, and I tried to exit it and then it looked like a white page running things, in green and red. How did it come back?! I closed that tab and then nothing has happened since. What do I do? I'm not safe!

#7 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  • Gender:Male
  • Location:US
  • Local time:06:22 AM

Posted 25 May 2010 - 12:27 AM

Hello PinkElephantP.

Looks like you have a more complex infection than we first thought. We can get it though. . . but first we need to find out exactly what we're dealing with. Please run the following scanning utility. Please note that this tool will not fix any problems you have. . . what it will do is gather information so that we can know how to best tackle the situation. Only once we know exactly what kind of infection this is can we safely go about removing it.

***************************************************

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.log" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and copy/paste its contents in your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


~Blade


In your next reply, please include the following:
GMER Log

Edited by Blade Zephon, 25 May 2010 - 12:29 AM.



#8 PinkElephantP

PinkElephantP
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Gender:Female
  • Location:california
  • Local time:05:22 AM

Posted 25 May 2010 - 02:15 AM

GMER LOG

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-25 02:09:34
Windows 5.1.2600 Service Pack 3
Running: gamer.exe; Driver: C:\DOCUME~1\LIRANL~1\LOCALS~1\Temp\axtdapow.sys


---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\Drivers\OEM02Afx.sys entry point in "init" section [0xA9128310]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[164] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\Explorer.EXE[164] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\system32\wuauclt.exe[584] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\system32\wuauclt.exe[584] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\system32\winlogon.exe[916] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\system32\winlogon.exe[916] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\system32\services.exe[960] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\system32\services.exe[960] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\system32\lsass.exe[972] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\system32\lsass.exe[972] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\system32\svchost.exe[1132] c:\windows\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\system32\svchost.exe[1132] c:\windows\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\system32\svchost.exe[1200] c:\windows\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\system32\svchost.exe[1200] c:\windows\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\System32\svchost.exe[1240] c:\windows\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\System32\svchost.exe[1240] c:\windows\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\system32\svchost.exe[1344] c:\windows\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\system32\svchost.exe[1344] c:\windows\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\system32\svchost.exe[1420] c:\windows\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\system32\svchost.exe[1420] c:\windows\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\System32\alg.exe[1576] C:\WINDOWS\System32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\System32\alg.exe[1576] C:\WINDOWS\System32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\System32\bcmwltry.exe[1664] C:\WINDOWS\System32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\System32\bcmwltry.exe[1664] C:\WINDOWS\System32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\system32\spoolsv.exe[1724] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\system32\spoolsv.exe[1724] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\system32\svchost.exe[1816] c:\windows\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\system32\svchost.exe[1816] c:\windows\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\system32\WLTRAY.exe[1892] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\system32\WLTRAY.exe[1892] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\Program Files\Skype\Phone\Skype.exe[2208] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\Program Files\Skype\Phone\Skype.exe[2208] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\Program Files\Digital Line Detect\DLG.exe[2368] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\Program Files\Digital Line Detect\DLG.exe[2368] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\Program Files\LimeWire\LimeWire.exe[2380] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\Program Files\LimeWire\LimeWire.exe[2380] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\System32\svchost.exe[2436] C:\WINDOWS\System32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\System32\svchost.exe[2436] C:\WINDOWS\System32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\Program Files\Skype\Plugin Manager\skypePM.exe[3040] C:\WINDOWS\system32\ws2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\Program Files\Skype\Plugin Manager\skypePM.exe[3040] C:\WINDOWS\system32\ws2_32.dll entry point in ".data" section [0x71AC41A1]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \FileSystem\Fastfat \Fat A69CDD20

---- EOF - GMER 1.0.15 ----
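
Every process in the "User code sections" block above reports the same two facts about the WS2_32.dll it has loaded: the .text section's characteristics word is 0xE0000040, and the entry point lies in .data. The script below is an added example, not part of the thread and not GMER's code; it parses those lines (a subset of the posted log is embedded as sample input) and decodes the third bracketed number into PE section characteristics, so the reader can see what GMER's wording means. A stock .text section carries 0x60000020 (code, execute, read); 0xE0000040 has the write bit set and the code bit cleared. The script also records whether base, size and flags are identical in every process, which points at the mapped image itself rather than at a per-process hook. It does not decide whether the file is malicious: the caution about false positives in the previous post stands, and the file on disk would be verified against a known-good copy from installation media rather than only the local dllcache, which a file patcher can overwrite as well. The interpretation rules are this example's own.

```python
r"""Decode the "User code sections" block of a GMER log.

Added example: not part of the thread and not GMER's code. The sample input
is a subset of lines copied from the posted log; the rules for what counts
as suspicious are this example's own assumptions.
"""
import re
from collections import defaultdict

# IMAGE_SECTION_HEADER.Characteristics bits (winnt.h)
SECTION_FLAGS = [
    (0x00000020, "IMAGE_SCN_CNT_CODE"),
    (0x00000040, "IMAGE_SCN_CNT_INITIALIZED_DATA"),
    (0x00000080, "IMAGE_SCN_CNT_UNINITIALIZED_DATA"),
    (0x20000000, "IMAGE_SCN_MEM_EXECUTE"),
    (0x40000000, "IMAGE_SCN_MEM_READ"),
    (0x80000000, "IMAGE_SCN_MEM_WRITE"),
]
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_WRITE = 0x80000000
STOCK_TEXT_FLAGS = 0x60000020  # code | execute | read: what the linker gives .text

# Constructed sample: six of the process lines from the posted log.
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[164] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\Explorer.EXE[164] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\system32\winlogon.exe[916] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\system32\winlogon.exe[916] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\system32\lsass.exe[972] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\system32\lsass.exe[972] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\system32\svchost.exe[1132] c:\windows\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\system32\svchost.exe[1132] c:\windows\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\Program Files\Skype\Phone\Skype.exe[2208] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\Program Files\Skype\Phone\Skype.exe[2208] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\Program Files\Skype\Plugin Manager\skypePM.exe[3040] C:\WINDOWS\system32\ws2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\Program Files\Skype\Plugin Manager\skypePM.exe[3040] C:\WINDOWS\system32\ws2_32.dll entry point in ".data" section [0x71AC41A1]

---- Devices - GMER 1.0.15 ----
"""

# "<section> <process>[pid] <module> section is writeable [base, size, flags]"
# or "<section> <process>[pid] <module> entry point in "<sec>" section [addr]".
# Paths may contain spaces, so process and module are matched lazily.
LINE_RE = re.compile(
    r"^(?P<section>\.\w+)\s+(?P<process>.+?\[\d+\])\s+(?P<module>.+?)\s+"
    r"(?:section is writeable \[0x(?P<base>[0-9A-Fa-f]+), 0x(?P<size>[0-9A-Fa-f]+), "
    r"0x(?P<flags>[0-9A-Fa-f]+)\]"
    r'|entry point in "(?P<ep_section>\.\w+)" section \[0x(?P<ep>[0-9A-Fa-f]+)\])$'
)


def decode_flags(flags):
    """Names of the section characteristic bits set in `flags`, in bit order."""
    return [name for bit, name in SECTION_FLAGS if flags & bit]


def parse_gmer_user_sections(text):
    """Return one record per line of the 'User code sections' block."""
    records = []
    in_block = False
    for line in text.splitlines():
        if line.startswith("---- User code sections"):
            in_block = True
            continue
        if not in_block:
            continue
        if line.startswith("----"):          # next block header ends the section
            break
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        rec = {"section": d["section"], "process": d["process"],
               "module": d["module"].lower()}   # Windows paths are case-insensitive
        if d["flags"] is not None:
            rec.update(kind="writable", base=int(d["base"], 16),
                       size=int(d["size"], 16), flags=int(d["flags"], 16))
        else:
            rec.update(kind="entry_point", ep_section=d["ep_section"], ep=int(d["ep"], 16))
        records.append(rec)
    return records


def analyze(records):
    """Per module: process count, decoded flags, and whether every process
    shows the same base/size/flags and entry point (one mapped image, so the
    file on disk is what to verify) or differing ones (per-process change)."""
    per_module = defaultdict(lambda: {"processes": set(), "writable": [], "entry_points": []})
    for rec in records:
        slot = per_module[rec["module"]]
        slot["processes"].add(rec["process"])
        slot["writable" if rec["kind"] == "writable" else "entry_points"].append(rec)

    findings = {}
    for module, slot in per_module.items():
        writable, entries = slot["writable"], slot["entry_points"]
        shapes = {(r["base"], r["size"], r["flags"]) for r in writable}
        eps = {r["ep"] for r in entries}
        findings[module] = {
            "processes": len(slot["processes"]),
            "flags": sorted({n for r in writable for n in decode_flags(r["flags"])}),
            "text_is_writable": any(r["section"] == ".text" and r["flags"] & IMAGE_SCN_MEM_WRITE
                                    for r in writable),
            "text_lost_code_bit": any(r["section"] == ".text" and not r["flags"] & IMAGE_SCN_CNT_CODE
                                      for r in writable),
            "entry_point_outside_text": any(r["ep_section"] != ".text" for r in entries),
            "identical_across_processes": (len(shapes) <= 1 and len(eps) <= 1
                                           and len(slot["processes"]) > 1),
        }
    return findings


if __name__ == "__main__":
    for module, finding in analyze(parse_gmer_user_sections(SAMPLE_LOG)).items():
        print(module, finding)
```

Run against the full log from the post, the script reports one module, seen in every listed process, with identical base, size and flags throughout. That is the shape a helper uses to decide where to look next (the file, not the processes); it is not by itself proof of infection.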


#9 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  • Gender:Male
  • Location:US
  • Local time:06:22 AM

Posted 25 May 2010 - 10:12 PM

Hi PinkElephantP.

You have a rootkit infection. . . which means that normal tools such as Malwarebytes cannot see it due to its stealth capabilities. We need to use special tools.

I've had this topic moved by a moderator to the Malware Logs forum where we can do some more advanced stuff.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Before we begin cleaning your machine, I'd like to lay out some guidelines for us to follow while we are working together.
  • I will be assisting you with your malware issues. This may or may not resolve other problems you are having with your computer. If you are still having problems after your machine has been determined clean, I will be glad to direct you to the proper forum for assistance.
  • Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean. Absence of symptoms does not mean that all the malware has been removed. If a piece of the infection is left, it can regenerate and reinfect your machine.
  • Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • I ask that you please refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. If you act independently it will cause changes to your system that I will not be aware of, which will make the process of cleaning the machine a much slower and more difficult process. Additionally, some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you are unsure or confused about any instructions I give you, you should ask me to clarify before doing anything. Additionally, if you run into any problems while carrying out instructions, you should STOP and reply back here explaining what happened.
  • After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If you need additional time, that is perfectly alright; you just need to let us know beforehand.
***************************************************

Please try running Kateskiller:
  • Please download kateskiller.zip onto your Desktop.
  • Extract kateskiller.exe onto your desktop
  • Go to your Start menu and click on run...
  • Into the window type:

    "%userprofile%\Desktop\kateskiller.exe" -l "%userprofile%\Desktop\kates.log" -y
    Note: all " l "s are lowercase " L "s, there are no capitalized " i "s in the command.

  • A black window will open. Once the scan is finished it will display Press any key to continue. Please do so.
  • A log called kates.log should be created on your Desktop, open it and post the content of it in your next reply.
Please reboot your machine now.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet; you may reconnect once the scan is complete.

~Blade


In your next reply, please include the following:
Kateskiller
DDS.txt
Attach.txt

Edited by Blade Zephon, 25 May 2010 - 10:13 PM.



#10 PinkElephantP

PinkElephantP
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Gender:Female
  • Location:california
  • Local time:05:22 AM

Posted 25 May 2010 - 11:33 PM

Kates Log

23:31:48:015 388 scanning threads ...
23:31:54:640 388
23:31:54:640 388 scanning modules...
23:31:54:812 388
23:31:54:812 388 scanning registry ...
23:31:54:812 388
23:31:54:812 388
completed
23:31:54:812 388 Infected threads: 0
23:31:54:812 388 Spliced functions: 0
23:31:54:812 388 Deleted files: 0
23:31:54:812 388 Fixed registry keys: 0


#11 PinkElephantP

PinkElephantP
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Gender:Female
  • Location:california
  • Local time:05:22 AM

Posted 25 May 2010 - 11:43 PM

DDS LOG

DDS (Ver_10-03-17.01) - NTFSx86
Run by Liran Livyatan at 23:38:01.50 on Tue 05/25/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1450 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\OEM02Mon.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe
C:\Documents and Settings\Liran Livyatan\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2080404
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2080404
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\liranl~1\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-05-24 18:40:14 4128 ----a-w- C:\INFCACHE.1
2010-05-21 17:06:46 0 d-----w- c:\windows\SxsCaPendDel
2010-05-21 15:42:44 0 d-----w- c:\docume~1\liranl~1\applic~1\Malwarebytes
2010-05-21 15:41:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-21 15:41:56 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-21 15:41:56 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-21 15:41:56 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-21 13:46:13 2148 ----a-w- c:\windows\system32\wpa.dbl
2010-05-21 09:59:12 82432 ----a-w- c:\windows\system32\dllcache\ws2_32.dll
2010-05-18 02:28:13 48 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-05-18 02:27:10 0 d-----r- c:\program files\Skype
2010-05-17 21:32:07 0 d-----w- c:\program files\Windows Media Connect 2
2010-05-17 19:49:27 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2010-05-17 19:49:27 60032 ----a-w- c:\windows\system32\dllcache\usbaudio.sys
2010-05-16 06:28:23 0 d--h--w- c:\program files\InstallJammer Registry
2010-05-16 06:28:23 0 d-----w- c:\program files\Jungle Jumping
2010-05-13 17:28:38 0 d-----w- c:\docume~1\liranl~1\applic~1\tmp
2010-05-13 17:28:38 0 d-----w- c:\docume~1\liranl~1\applic~1\Reallusion
2010-05-11 21:47:22 0 d-----w- c:\docume~1\liranl~1\applic~1\Uniblue
2010-05-11 21:47:17 0 d-----w- c:\program files\Uniblue
2010-05-09 06:45:45 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-05-09 06:45:45 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
2010-05-09 06:45:30 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-05-09 06:45:30 14592 ----a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-05-06 02:50:48 754 ----a-w- c:\windows\WORDPAD.INI
2010-05-05 05:30:32 0 d--h--w- c:\windows\PIF
2010-05-05 05:01:28 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-05-05 05:01:28 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
2010-05-05 05:01:23 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-05-05 05:01:23 10368 ----a-w- c:\windows\system32\dllcache\hidusb.sys
2010-04-30 19:21:21 0 d-----w- c:\documents and settings\liran livyatan\.unlimitedftp
2010-04-30 18:37:30 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-04-30 18:37:04 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

==================== Find3M ====================

2010-05-26 04:17:27 3478 ----a-w- c:\docume~1\liranl~1\applic~1\wklnhst.dat
2010-03-10 13:18:21 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-03-10 13:18:20 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 11:09:18 430080 ------w- c:\windows\system32\dllcache\vbscript.dll
2008-04-04 06:06:30 76 --sh--r- c:\windows\CT4CET.bin
2008-12-02 21:31:43 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008120220081203\index.dat

============= FINISH: 23:38:28.10 ===============



ATTACH LOG

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 4/7/2008 4:18:46 PM
System Uptime: 5/25/2010 11:34:11 PM (0 hours ago)

Motherboard: Dell Inc. | | 0KY767
Processor: Intel® Pentium® Dual CPU T2370 @ 1.73GHz | Microprocessor | 1728/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 106 GiB total, 90.077 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP159: 4/30/2010 5:57:33 PM - Software Distribution Service 3.0
RP160: 5/2/2010 3:00:45 AM - Software Distribution Service 3.0
RP161: 5/3/2010 11:30:06 AM - System Checkpoint
RP162: 5/5/2010 6:26:20 PM - System Checkpoint
RP163: 5/12/2010 3:00:17 AM - Software Distribution Service 3.0
RP164: 5/13/2010 11:17:40 PM - System Checkpoint
RP165: 5/17/2010 4:27:43 PM - Installed Windows Media Player 10
RP166: 5/17/2010 4:29:16 PM - Software Distribution Service 3.0
RP167: 5/18/2010 4:34:38 AM - Software Distribution Service 3.0
RP168: 5/21/2010 6:55:08 AM - 06/17/10
RP169: 5/21/2010 11:39:09 AM - Removed TMASOEDL
RP170: 5/21/2010 11:39:33 AM - Removed TMASOLDL
RP171: 5/21/2010 11:40:03 AM - Removed Trend Micro PC-cillin Internet Security 14
RP172: 5/21/2010 11:58:24 AM - Removed Apple Mobile Device Support
RP173: 5/21/2010 12:00:21 PM - Removed Apple Software Update
RP174: 5/21/2010 12:01:10 PM - Removed Bonjour
RP175: 5/21/2010 12:01:45 PM - Removed Broadcom Management Programs.
RP176: 5/21/2010 12:06:20 PM - Removed Apple Application Support
RP177: 5/21/2010 12:31:17 PM - Removed Browser Address Error Redirector.
RP178: 5/23/2010 6:52:53 PM - System Checkpoint
RP179: 5/25/2010 6:29:33 PM - System Checkpoint

==== Installed Programs ======================

Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 ActiveX
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Advanced Audio FX Engine
Advanced Video FX Engine
Compatibility Pack for the 2007 Office system
Conexant HDA D330 MDC V.92 Modem
Dell DataSafe Online
Dell Support Center
Dell System Restore
Dell Touchpad
Dell Webcam Center
Dell Webcam Manager
Dell Wireless WLAN Card
Digital Line Detect
Documentation & Support Launcher
Games, Music, & Photos Launcher
Google Desktop
High Definition Audio Driver Package - KB835221
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Intel® Graphics Media Accelerator Driver
IntelliSonic Speech Enhancement
Internet Service Offers Launcher
iTunes
J2SE Runtime Environment 5.0 Update 6
Jungle Jumping
Laptop Integrated Webcam Driver (1.03.02.0719)
LimeWire 4.16.6
Live! Cam Avatar Creator
Live! Cam Avatar v1.0
Malwarebytes' Anti-Malware
MediaDirect
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
MobileMe Control Panel
Modem Diagnostic Tool
MSXML 6 Service Pack 2 (KB954459)
Musicmatch for Windows Media Player
NetWaiting
OutlookAddinSetup
QuickSet
QuickTime
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
Safari
SearchAssist
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
Skype Toolbars
Skype™ 4.2
Uniblue RegistryBooster
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

5/24/2010 12:07:53 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: APPDRV Fips intelppm
5/24/2010 12:06:38 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
5/24/2010 12:06:34 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
5/24/2010 12:06:15 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service upnphost with arguments "" in order to run the server: {204810B9-73B2-11D4-BF42-00B0D0118B56}
5/23/2010 9:11:47 PM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
5/23/2010 9:05:50 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
5/23/2010 9:05:43 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: iaStor
5/21/2010 12:31:29 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.

==== End Of File ===========================


#12 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:06:22 AM

Posted 25 May 2010 - 11:52 PM

Hello PinkElephantP

Download Combofix from any of the links below but rename it to renamed.exe before saving it to your desktop.


Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.
  • Double click on renamed.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


~Blade


In your next reply, please include the following:
ComboFix Log


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#13 PinkElephantP

PinkElephantP
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:california
  • Local time:05:22 AM

Posted 26 May 2010 - 12:23 AM

COMBOFIX LOG

ComboFix 10-05-25.02 - Liran Livyatan 05/26/2010 0:07.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1406 [GMT -5:00]
Running from: c:\documents and settings\Liran Livyatan\Desktop\Renamed.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Liran Livyatan\Local Settings\Application Data\syssvc.exe

Infected copy of c:\windows\system32\ws2_32.dll was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\ws2_32.dll

.
((((((((((((((((((((((((( Files Created from 2010-04-26 to 2010-05-26 )))))))))))))))))))))))))))))))
.

2010-05-24 20:36 . 2010-05-25 04:46 -------- d-----w- c:\documents and settings\Liran Livyatan\Local Settings\Application Data\rxsloqcdo
2010-05-24 04:28 . 2010-05-24 04:52 -------- d-----w- c:\documents and settings\Liran Livyatan\Local Settings\Application Data\aimondxej
2010-05-24 04:28 . 2010-05-24 04:51 -------- d-----w- c:\documents and settings\Liran Livyatan\Local Settings\Application Data\quupmkjlq
2010-05-21 17:16 . 2010-05-24 02:04 -------- d-----w- c:\documents and settings\Liran Livyatan\Local Settings\Application Data\omonbheuc
2010-05-21 17:16 . 2010-05-24 02:05 -------- d-----w- c:\documents and settings\Liran Livyatan\Local Settings\Application Data\jyhoafqri
2010-05-21 17:06 . 2010-05-21 19:27 -------- d-----w- c:\windows\SxsCaPendDel
2010-05-21 15:42 . 2010-05-21 15:42 -------- d-----w- c:\documents and settings\Liran Livyatan\Application Data\Malwarebytes
2010-05-21 15:41 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-21 15:41 . 2010-05-21 15:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-21 15:41 . 2010-05-21 15:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-21 15:41 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-21 11:12 . 2010-05-21 16:00 -------- d-----w- c:\documents and settings\Liran Livyatan\Local Settings\Application Data\kxydrolnl
2010-05-21 11:12 . 2010-05-21 16:00 -------- d-----w- c:\documents and settings\Liran Livyatan\Local Settings\Application Data\vvyfqtjry
2010-05-18 02:28 . 2010-05-18 02:28 48 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-05-18 02:28 . 2010-05-26 05:04 -------- d-----w- c:\documents and settings\Liran Livyatan\Application Data\skypePM
2010-05-18 02:27 . 2010-05-26 05:12 -------- d-----w- c:\documents and settings\Liran Livyatan\Application Data\Skype
2010-05-18 02:27 . 2010-05-18 02:27 -------- d-----w- c:\program files\Common Files\Skype
2010-05-18 02:27 . 2010-05-18 02:27 -------- d-----r- c:\program files\Skype
2010-05-18 02:27 . 2010-05-18 02:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-05-17 21:32 . 2010-05-17 21:32 -------- d-----w- c:\program files\Windows Media Connect 2
2010-05-17 21:30 . 2010-05-18 23:54 -------- d-----w- c:\windows\system32\drivers\UMDF
2010-05-17 19:49 . 2008-04-13 17:45 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2010-05-17 19:49 . 2008-04-13 17:45 60032 ----a-w- c:\windows\system32\dllcache\usbaudio.sys
2010-05-16 06:32 . 2004-08-04 11:00 185344 ----a-w- c:\windows\system32\Thawbrkr.dll
2010-05-16 06:32 . 2004-08-04 11:00 185344 ----a-w- c:\windows\system32\dllcache\thawbrkr.dll
2010-05-16 06:32 . 2004-08-04 11:00 10752 ----a-w- c:\windows\system32\dllcache\c_iscii.dll
2010-05-16 06:32 . 2004-08-04 11:00 10752 ----a-w- c:\windows\system32\c_iscii.dll
2010-05-16 06:32 . 2004-08-04 11:00 5632 ----a-w- c:\windows\system32\kbdusa.dll
2010-05-16 06:32 . 2004-08-04 11:00 5632 ----a-w- c:\windows\system32\dllcache\kbdusa.dll
2010-05-16 06:32 . 2004-08-04 11:00 6144 ----a-w- c:\windows\system32\ftlx041e.dll
2010-05-16 06:32 . 2004-08-04 11:00 6144 ----a-w- c:\windows\system32\dllcache\ftlx041e.dll
2010-05-16 06:28 . 2010-05-16 06:28 -------- d-----w- c:\program files\Jungle Jumping
2010-05-16 06:28 . 2010-05-16 06:28 -------- d--h--w- c:\program files\InstallJammer Registry
2010-05-13 17:28 . 2010-05-13 17:28 -------- d-----w- c:\documents and settings\Liran Livyatan\Application Data\tmp
2010-05-13 17:28 . 2010-05-13 17:28 -------- d-----w- c:\documents and settings\Liran Livyatan\Application Data\Reallusion
2010-05-11 21:47 . 2010-05-11 21:47 -------- d-----w- c:\documents and settings\Liran Livyatan\Application Data\Uniblue
2010-05-11 21:47 . 2010-05-11 21:47 -------- d-----w- c:\program files\Uniblue
2010-05-10 01:27 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2010-05-09 06:45 . 2008-04-13 23:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-05-09 06:45 . 2008-04-13 23:11 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
2010-05-09 06:45 . 2008-04-13 17:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-05-09 06:45 . 2008-04-13 17:39 14592 ----a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-05-05 05:30 . 2010-05-05 05:30 -------- d--h--w- c:\windows\PIF
2010-05-05 05:01 . 2001-08-17 18:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-05-05 05:01 . 2001-08-17 18:48 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
2010-05-05 05:01 . 2008-04-13 17:45 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-05-05 05:01 . 2008-04-13 17:45 10368 ----a-w- c:\windows\system32\dllcache\hidusb.sys
2010-05-04 00:32 . 2010-05-04 00:32 -------- d-----w- c:\documents and settings\Liran Livyatan\Local Settings\Application Data\WMTools Downloaded Files
2010-04-30 21:07 . 2010-04-30 21:07 -------- d-----w- c:\documents and settings\Liran Livyatan\Local Settings\Application Data\Identities
2010-04-30 19:21 . 2010-04-30 21:41 -------- d-----w- c:\documents and settings\Liran Livyatan\.unlimitedftp
2010-04-30 18:37 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-04-30 18:37 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-26 05:14 . 2008-04-16 05:37 -------- d-----w- c:\documents and settings\Liran Livyatan\Application Data\LimeWire
2010-05-26 04:17 . 2008-05-01 01:29 3478 ----a-w- c:\documents and settings\Liran Livyatan\Application Data\wklnhst.dat
2010-05-21 17:31 . 2008-04-04 06:05 -------- d-----w- c:\program files\Dell
2010-05-21 17:06 . 2008-04-16 05:30 -------- d-----w- c:\program files\Common Files\Apple
2010-05-16 07:13 . 2008-04-07 21:19 48352 ----a-w- c:\documents and settings\Liran Livyatan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-11 12:38 . 2004-08-10 18:51 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-10 18:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-10 18:50 17408 ------w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2004-08-10 18:51 430080 ----a-w- c:\windows\system32\vbscript.dll
2008-04-04 06:06 . 2008-04-04 06:06 76 --sh--r- c:\windows\CT4CET.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-05-07 26211624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-10 851968]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-10 137752]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-10 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-10 137752]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-08-28 36864]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-12-11 2183168]
"SigmatelSysTrayApp"="stsystra.exe" [2007-07-10 405504]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]

c:\documents and settings\Liran Livyatan\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2008-2-8 147456]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-4-4 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 04:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2007-07-03 18:57 1228800 ----a-w- c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DELL Webcam Manager]
2007-07-27 21:43 118784 ------w- c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2008-02-14 00:21 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-10-29 02:21 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2007-11-01 20:39 189736 ------w- c:\program files\Dell\MediaDirect\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 07:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2080404
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
.

#14 PinkElephantP

PinkElephantP
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:california
  • Local time:05:22 AM

Posted 26 May 2010 - 12:28 AM

ComboFix 10-05-25.02 - Liran Livyatan 05/26/2010 0:07.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1406 [GMT -5:00]
Running from: c:\documents and settings\Liran Livyatan\Desktop\Renamed.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Liran Livyatan\Local Settings\Application Data\syssvc.exe

Infected copy of c:\windows\system32\ws2_32.dll was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\ws2_32.dll

.
((((((((((((((((((((((((( Files Created from 2010-04-26 to 2010-05-26 )))))))))))))))))))))))))))))))
.

2010-05-24 20:36 . 2010-05-25 04:46 -------- d-----w- c:\documents and settings\Liran Livyatan\Local Settings\Application Data\rxsloqcdo
2010-05-24 04:28 . 2010-05-24 04:52 -------- d-----w- c:\documents and settings\Liran Livyatan\Local Settings\Application Data\aimondxej
2010-05-24 04:28 . 2010-05-24 04:51 -------- d-----w- c:\documents and settings\Liran Livyatan\Local Settings\Application Data\quupmkjlq
2010-05-21 17:16 . 2010-05-24 02:04 -------- d-----w- c:\documents and settings\Liran Livyatan\Local Settings\Application Data\omonbheuc
2010-05-21 17:16 . 2010-05-24 02:05 -------- d-----w- c:\documents and settings\Liran Livyatan\Local Settings\Application Data\jyhoafqri
2010-05-21 17:06 . 2010-05-21 19:27 -------- d-----w- c:\windows\SxsCaPendDel
2010-05-21 15:42 . 2010-05-21 15:42 -------- d-----w- c:\documents and settings\Liran Livyatan\Application Data\Malwarebytes
2010-05-21 15:41 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-21 15:41 . 2010-05-21 15:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-21 15:41 . 2010-05-21 15:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-21 15:41 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-21 11:12 . 2010-05-21 16:00 -------- d-----w- c:\documents and settings\Liran Livyatan\Local Settings\Application Data\kxydrolnl
2010-05-21 11:12 . 2010-05-21 16:00 -------- d-----w- c:\documents and settings\Liran Livyatan\Local Settings\Application Data\vvyfqtjry
2010-05-18 02:28 . 2010-05-18 02:28 48 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-05-18 02:28 . 2010-05-26 05:04 -------- d-----w- c:\documents and settings\Liran Livyatan\Application Data\skypePM
2010-05-18 02:27 . 2010-05-26 05:12 -------- d-----w- c:\documents and settings\Liran Livyatan\Application Data\Skype
2010-05-18 02:27 . 2010-05-18 02:27 -------- d-----w- c:\program files\Common Files\Skype
2010-05-18 02:27 . 2010-05-18 02:27 -------- d-----r- c:\program files\Skype
2010-05-18 02:27 . 2010-05-18 02:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-05-17 21:32 . 2010-05-17 21:32 -------- d-----w- c:\program files\Windows Media Connect 2
2010-05-17 21:30 . 2010-05-18 23:54 -------- d-----w- c:\windows\system32\drivers\UMDF
2010-05-17 19:49 . 2008-04-13 17:45 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2010-05-17 19:49 . 2008-04-13 17:45 60032 ----a-w- c:\windows\system32\dllcache\usbaudio.sys
2010-05-16 06:32 . 2004-08-04 11:00 185344 ----a-w- c:\windows\system32\Thawbrkr.dll
2010-05-16 06:32 . 2004-08-04 11:00 185344 ----a-w- c:\windows\system32\dllcache\thawbrkr.dll
2010-05-16 06:32 . 2004-08-04 11:00 10752 ----a-w- c:\windows\system32\dllcache\c_iscii.dll
2010-05-16 06:32 . 2004-08-04 11:00 10752 ----a-w- c:\windows\system32\c_iscii.dll
2010-05-16 06:32 . 2004-08-04 11:00 5632 ----a-w- c:\windows\system32\kbdusa.dll
2010-05-16 06:32 . 2004-08-04 11:00 5632 ----a-w- c:\windows\system32\dllcache\kbdusa.dll
2010-05-16 06:32 . 2004-08-04 11:00 6144 ----a-w- c:\windows\system32\ftlx041e.dll
2010-05-16 06:32 . 2004-08-04 11:00 6144 ----a-w- c:\windows\system32\dllcache\ftlx041e.dll
2010-05-16 06:28 . 2010-05-16 06:28 -------- d-----w- c:\program files\Jungle Jumping
2010-05-16 06:28 . 2010-05-16 06:28 -------- d--h--w- c:\program files\InstallJammer Registry
2010-05-13 17:28 . 2010-05-13 17:28 -------- d-----w- c:\documents and settings\Liran Livyatan\Application Data\tmp
2010-05-13 17:28 . 2010-05-13 17:28 -------- d-----w- c:\documents and settings\Liran Livyatan\Application Data\Reallusion
2010-05-11 21:47 . 2010-05-11 21:47 -------- d-----w- c:\documents and settings\Liran Livyatan\Application Data\Uniblue
2010-05-11 21:47 . 2010-05-11 21:47 -------- d-----w- c:\program files\Uniblue
2010-05-10 01:27 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2010-05-09 06:45 . 2008-04-13 23:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-05-09 06:45 . 2008-04-13 23:11 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
2010-05-09 06:45 . 2008-04-13 17:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-05-09 06:45 . 2008-04-13 17:39 14592 ----a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-05-05 05:30 . 2010-05-05 05:30 -------- d--h--w- c:\windows\PIF
2010-05-05 05:01 . 2001-08-17 18:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-05-05 05:01 . 2001-08-17 18:48 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
2010-05-05 05:01 . 2008-04-13 17:45 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-05-05 05:01 . 2008-04-13 17:45 10368 ----a-w- c:\windows\system32\dllcache\hidusb.sys
2010-05-04 00:32 . 2010-05-04 00:32 -------- d-----w- c:\documents and settings\Liran Livyatan\Local Settings\Application Data\WMTools Downloaded Files
2010-04-30 21:07 . 2010-04-30 21:07 -------- d-----w- c:\documents and settings\Liran Livyatan\Local Settings\Application Data\Identities
2010-04-30 19:21 . 2010-04-30 21:41 -------- d-----w- c:\documents and settings\Liran Livyatan\.unlimitedftp
2010-04-30 18:37 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-04-30 18:37 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-26 05:14 . 2008-04-16 05:37 -------- d-----w- c:\documents and settings\Liran Livyatan\Application Data\LimeWire
2010-05-26 04:17 . 2008-05-01 01:29 3478 ----a-w- c:\documents and settings\Liran Livyatan\Application Data\wklnhst.dat
2010-05-21 17:31 . 2008-04-04 06:05 -------- d-----w- c:\program files\Dell
2010-05-21 17:06 . 2008-04-16 05:30 -------- d-----w- c:\program files\Common Files\Apple
2010-05-16 07:13 . 2008-04-07 21:19 48352 ----a-w- c:\documents and settings\Liran Livyatan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-11 12:38 . 2004-08-10 18:51 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-10 18:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-10 18:50 17408 ------w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2004-08-10 18:51 430080 ----a-w- c:\windows\system32\vbscript.dll
2008-04-04 06:06 . 2008-04-04 06:06 76 --sh--r- c:\windows\CT4CET.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-05-07 26211624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-10 851968]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-10 137752]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-10 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-10 137752]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-08-28 36864]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-12-11 2183168]
"SigmatelSysTrayApp"="stsystra.exe" [2007-07-10 405504]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]

c:\documents and settings\Liran Livyatan\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2008-2-8 147456]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-4-4 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 04:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2007-07-03 18:57 1228800 ----a-w- c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DELL Webcam Manager]
2007-07-27 21:43 118784 ------w- c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2008-02-14 00:21 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-10-29 02:21 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2007-11-01 20:39 189736 ------w- c:\program files\Dell\MediaDirect\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 07:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2080404
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
MSConfigStartUp-pccguide - c:\program files\Trend Micro\Internet Security 14\pccguide.exe
AddRemove-Google Desktop - c:\program files\Google\Google Desktop Search\GoogleDesktopSetup.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-26 00:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(920)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(1544)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\stsystra.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2010-05-26 00:18:12 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-26 05:18

Pre-Run: 96,649,891,840 bytes free
Post-Run: 97,193,873,408 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - DFBA658B5F93419E305B5CB3669EC13C


#15 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  • Gender:Male
  • Location:US
  • Local time:06:22 AM

Posted 26 May 2010 - 04:29 PM

Hello PinkElephantP

1. Open notepad and copy/paste the text in the codebox below into it:

CODE
File::
c:\windows\system32\ezsidmv.dat


Folder::
c:\documents and settings\Liran Livyatan\Local Settings\Application Data\rxsloqcdo
c:\documents and settings\Liran Livyatan\Local Settings\Application Data\aimondxej
c:\documents and settings\Liran Livyatan\Local Settings\Application Data\quupmkjlq
c:\documents and settings\Liran Livyatan\Local Settings\Application Data\omonbheuc
c:\documents and settings\Liran Livyatan\Local Settings\Application Data\jyhoafqri
c:\documents and settings\Liran Livyatan\Local Settings\Application Data\vvyfqtjry
c:\documents and settings\Liran Livyatan\Local Settings\Application Data\kxydrolnl

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-

DDS::
uStart Page = about:blank
uInternet Settings,ProxyServer = http=127.0.0.1:5555


Save this as CFScript.txt, in the same location as ComboFix.exe

2. Close any open browsers.

3. VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

~Blade

In your next reply, please include the following:
ComboFix Log
How is the computer running now?

Edited by Blade Zephon, 26 May 2010 - 04:29 PM.


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
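As an added triage example (not ComboFix's own code and not part of this thread), the Python script below scans a ComboFix-style log excerpt for the three indicators this thread deals with: a browser proxy pointed at a loopback address, a Security Center "...Override" value set to 1, and random-looking nine-letter folder names under Local Settings\Application Data. The log excerpt is constructed for the example and only models the lines posted above.

```python
import ipaddress
import re

# Constructed excerpt modelled on the ComboFix log and CFScript in this thread (not a real log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

c:\documents and settings\user\Local Settings\Application Data\rxsloqcdo
c:\documents and settings\user\Local Settings\Application Data\Microsoft

uStart Page = about:blank
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
"""

# Registry key header, e.g. [HKEY_LOCAL_MACHINE\software\microsoft\security center]
KEY_RE = re.compile(r"^\[(.+)\]$")
# Any "<something>Override"=dword:00000001 value (AntiVirusOverride is the one on the page)
VALUE_RE = re.compile(r'^"(\w+Override)"=dword:0*1$')
# ComboFix's user proxy line; the optional "http=" prefix is how IE stores per-protocol proxies
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (?:http=)?([^:\s]+):(\d+)")
# Heuristic: nine lowercase letters directly under Local Settings\Application Data
RANDOM_DIR_RE = re.compile(r"\\Local Settings\\Application Data\\([a-z]{9})$")


def triage(log_text):
    """Return (indicator, detail) pairs found in a ComboFix-style log."""
    findings = []
    current_key = ""
    for line in log_text.splitlines():
        line = line.rstrip()
        if (m := KEY_RE.match(line)):
            current_key = m.group(1).lower()   # remember which hive key the values belong to
        elif (m := VALUE_RE.match(line)) and current_key.endswith("security center"):
            findings.append(("security_center_override", m.group(1)))
        elif (m := PROXY_RE.match(line)):
            host, port = m.groups()
            try:
                is_local = ipaddress.ip_address(host).is_loopback
            except ValueError:
                is_local = host.lower() == "localhost"
            if is_local:                        # traffic is being routed through a local process
                findings.append(("loopback_proxy", f"{host}:{port}"))
        elif (m := RANDOM_DIR_RE.search(line)):
            findings.append(("random_named_folder", m.group(1)))
    return findings


if __name__ == "__main__":
    for indicator, detail in triage(SAMPLE_LOG):
        print(f"{indicator}: {detail}")
```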




