
Eset blocking clkh71yhks66.com continuously


12 replies to this topic

#1 greyrock

Posted 20 June 2010 - 12:19 PM

Hello,

Whenever any new page (except the home page) is opened in IE or Firefox, Eset reports that "address has been blocked", with the url clkh71yhks66.com/... This happens one or more times per page. The issue has persisted through several reboots. There is also a svchost process using 99% of the CPU time, making gathering the data for this post a challenge!

My son apparently noticed the problem and ran Malwarebytes' anti-malware without success several days ago. Unfortunately he wasn't able to give me much detail about the process he went through.

(Note, on-access scanning is normally enabled. I momentarily disabled it when creating the DDS log.)

Thank you very much for any help you can give me with this. From some similar posts, it doesn't look like this is a job for an amateur!


DDS (Ver_10-03-17.01) - NTFSx86
Run by Yvette at 19:45:27.01 on Sat 06/19/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1279.546 [GMT -6:00]

AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\Program Files\Napster\napster.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cidaemon.exe
F:\Joel on the F\Orbitdownloader\orbitdm.exe
F:\Joel on the F\Orbitdownloader\orbitnet.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Yvette\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:2220
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - f:\joel on the f\orbitdownloader\orbitcth.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {243b17de-77c7-46bf-b94b-0b5f309a0e64} - c:\program files\microsoft money\system\mnyside.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - f:\joel on the f\orbitdownloader\GrabPro.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [Yahoo! Pager] c:\program files\yahoo!\messenger\ypager.exe -quiet
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [PinnacleDriverCheck] c:\windows\system32\\PSDrvCheck.exe
mRun: [TkBellExe] "realsched.exe" -osboot
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SMSTray] c:\program files\samsung\samsung media studio 5\SMSTray.exe
mRun: [NapsterShell] c:\program files\napster\napster.exe /systray
mRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\progra~1.lnk - c:\program files\citrix\ica client\pnagent.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ymetray.lnk - c:\program files\yahoo!\yahoo! music engine\ymetray.exe
mPolicies-explorer: <NO NAME> =
IE: &Download by Orbit - f:\joel on the f\orbitdownloader\orbitmxt.dll/201
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Grab video by Orbit - f:\joel on the f\orbitdownloader\orbitmxt.dll/204
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: Do&wnload selected by Orbit - f:\joel on the f\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - f:\joel on the f\orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - f:\office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\progra~1\yahoo!\messen~1\YPager.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - f:\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - f:\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxps://wise2.woodward.com/apps/wfica.cab
DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - hxxp://static.ak.facebook.com/fbplugin/win32/axfbootloader.cab
DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} - hxxp://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - hxxp://mediaplayer.walmart.com/installer/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/WebSWK.cab
DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} - hxxp://support.microsoft.com/mats/DiagWebControl.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: applib - applib.dll
Notify: cabpnp - cabpnp.dll
Notify: sqlhtml - sqlhtml.dll
Notify: urlcal - urlcal.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: ShellHook Class: {88485281-8b4b-4f8d-9ede-82e29a064277} - c:\progra~1\markany\conten~1\MACSMA~1.DLL
LSA: Authentication Packages = msv1_0 relog_ap
LSA: Notification Packages = scecli ovdfpen.dll
mASetup: {9C450606-ED24-4958-92BA-B8940C99D441} - c:\program files\pixiepack codec pack\InstallerHelper.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\yvette\applic~1\mozilla\firefox\profiles\nyctflse.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\yvette\application data\mozilla\firefox\profiles\nyctflse.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\FFExternalAlert.dll
FF - component: f:\joel on the f\orbitdownloader\addons\oneclickyoutubedownloader\components\GrabXpcom.dll
FF - plugin: c:\documents and settings\yvette\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\musicnotes\npmusicn.dll
FF - plugin: c:\program files\musicnotes\NPSibelius.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 DCxxMJPG;Pinnacle DC10plus, Motion-JPEG VideoIO Board;c:\windows\system32\drivers\DCxxMJPG.sys [2004-1-1 132940]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2009-5-3 100944]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2009-5-3 41424]
R2 ekrn;Eset Service;c:\program files\eset\eset smart security\ekrn.exe [2009-10-7 472280]
R3 RRNetCapMP;RRNetCapMP;c:\windows\system32\drivers\rrnetcap.sys [2009-11-26 27168]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2009-5-3 79888]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2009-4-27 87696]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
S3 RRNetCap;RRNetCap Service;c:\windows\system32\drivers\rrnetcap.sys [2009-11-26 27168]

=============== Created Last 30 ================

2010-06-20 01:32:09 0 ----a-w- c:\documents and settings\yvette\defogger_reenable
2010-06-17 15:15:19 0 d-----w- c:\docume~1\yvette\applic~1\Malwarebytes
2010-06-17 15:15:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-17 15:15:05 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-17 15:15:04 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-17 15:15:04 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-03 23:48:30 0 d-----w- c:\program files\iPod
2010-06-03 23:48:15 0 d-----w- c:\program files\iTunes

==================== Find3M ====================

2010-05-31 01:30:27 670 ----a-w- c:\program files\crash.txt
2010-04-08 19:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 19:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2009-06-11 17:54:21 123169 ----a-w- c:\program files\INSTALL.LOG
2009-06-11 17:54:20 930 ----a-w- c:\program files\install.sss
2009-06-11 17:51:37 537160 ----a-w- c:\program files\Uninstall.exe
2008-10-23 16:03:34 2191360 ----a-w- c:\program files\WorldOfGoo.exe
2008-09-30 20:25:44 8776 ----a-w- c:\program files\eula.txt
2008-09-17 21:11:16 15086 ----a-w- c:\program files\WorldOfGoo.ico
2008-09-06 16:44:30 9908 ----a-w- c:\program files\readme.html
2008-09-03 10:50:16 4286 ----a-w- c:\program files\2d.ico
2008-09-03 02:07:06 76 ----a-w- c:\program files\2DBoyOnTheInformationSuperhighway.url
2008-07-07 08:22:22 320512 ----a-w- c:\program files\SDL.dll
2008-05-30 06:11:46 3850760 ----a-w- c:\program files\D3DX9_38.dll
2008-04-11 01:31:22 7639 ----a-w- c:\program files\lgpl-3.0.txt
2008-04-11 01:31:22 626688 ----a-w- c:\program files\libcurl.dll
2008-04-11 01:20:16 626688 ----a-w- c:\program files\msvcr80.dll
2008-04-11 01:20:16 548864 ----a-w- c:\program files\msvcp80.dll
2008-04-11 01:20:16 522 ----a-w- c:\program files\Microsoft.VC80.CRT.manifest
2008-04-11 01:20:16 479232 ----a-w- c:\program files\msvcm80.dll

============= FINISH: 19:47:24.10 ===============



#2 Casey_boy


Posted 25 June 2010 - 05:35 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Casey

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.




#3 greyrock


Posted 26 June 2010 - 06:52 AM

Hello,

The symptoms haven't changed, except that the "address has been blocked" messages do not appear at every new web page now - it's a little more intermittent. Here are updated scan logs:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Yvette at 21:21:44.84 on Fri 06/25/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1279.756 [GMT -6:00]

AV: ESET Smart Security 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\Program Files\Napster\napster.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Yvette\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:2220
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - f:\joel on the f\orbitdownloader\orbitcth.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {243b17de-77c7-46bf-b94b-0b5f309a0e64} - c:\program files\microsoft money\system\mnyside.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - f:\joel on the f\orbitdownloader\GrabPro.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [Yahoo! Pager] c:\program files\yahoo!\messenger\ypager.exe -quiet
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [PinnacleDriverCheck] c:\windows\system32\\PSDrvCheck.exe
mRun: [TkBellExe] "realsched.exe" -osboot
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SMSTray] c:\program files\samsung\samsung media studio 5\SMSTray.exe
mRun: [NapsterShell] c:\program files\napster\napster.exe /systray
mRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\progra~1.lnk - c:\program files\citrix\ica client\pnagent.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ymetray.lnk - c:\program files\yahoo!\yahoo! music engine\ymetray.exe
mPolicies-explorer: <NO NAME> =
IE: &Download by Orbit - f:\joel on the f\orbitdownloader\orbitmxt.dll/201
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Grab video by Orbit - f:\joel on the f\orbitdownloader\orbitmxt.dll/204
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: Do&wnload selected by Orbit - f:\joel on the f\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - f:\joel on the f\orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - f:\office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\progra~1\yahoo!\messen~1\YPager.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - f:\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - f:\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxps://wise2.woodward.com/apps/wfica.cab
DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - hxxp://static.ak.facebook.com/fbplugin/win32/axfbootloader.cab
DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} - hxxp://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - hxxp://mediaplayer.walmart.com/installer/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/WebSWK.cab
DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} - hxxp://support.microsoft.com/mats/DiagWebControl.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: applib - applib.dll
Notify: cabpnp - cabpnp.dll
Notify: sqlhtml - sqlhtml.dll
Notify: urlcal - urlcal.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: ShellHook Class: {88485281-8b4b-4f8d-9ede-82e29a064277} - c:\progra~1\markany\conten~1\MACSMA~1.DLL
LSA: Authentication Packages = msv1_0 relog_ap
LSA: Notification Packages = scecli ovdfpen.dll
mASetup: {9C450606-ED24-4958-92BA-B8940C99D441} - c:\program files\pixiepack codec pack\InstallerHelper.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\yvette\applic~1\mozilla\firefox\profiles\nyctflse.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\yvette\application data\mozilla\firefox\profiles\nyctflse.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\FFExternalAlert.dll
FF - component: f:\joel on the f\orbitdownloader\addons\oneclickyoutubedownloader\components\GrabXpcom.dll
FF - plugin: c:\documents and settings\yvette\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\musicnotes\npmusicn.dll
FF - plugin: c:\program files\musicnotes\NPSibelius.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 DCxxMJPG;Pinnacle DC10plus, Motion-JPEG VideoIO Board;c:\windows\system32\drivers\DCxxMJPG.sys [2004-1-1 132940]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2009-5-3 100944]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2009-5-3 41424]
R2 ekrn;Eset Service;c:\program files\eset\eset smart security\ekrn.exe [2009-10-7 472280]
R3 RRNetCapMP;RRNetCapMP;c:\windows\system32\drivers\rrnetcap.sys [2009-11-26 27168]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2009-5-3 79888]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2009-4-27 87696]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
S3 RRNetCap;RRNetCap Service;c:\windows\system32\drivers\rrnetcap.sys [2009-11-26 27168]

=============== Created Last 30 ================

2010-06-20 01:32:09 0 ----a-w- c:\documents and settings\yvette\defogger_reenable
2010-06-17 15:15:19 0 d-----w- c:\docume~1\yvette\applic~1\Malwarebytes
2010-06-17 15:15:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-17 15:15:05 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-17 15:15:04 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-17 15:15:04 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-03 23:48:30 0 d-----w- c:\program files\iPod
2010-06-03 23:48:15 0 d-----w- c:\program files\iTunes

==================== Find3M ====================

2010-05-31 01:30:27 670 ----a-w- c:\program files\crash.txt
2010-04-08 19:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 19:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2009-06-11 17:54:21 123169 ----a-w- c:\program files\INSTALL.LOG
2009-06-11 17:54:20 930 ----a-w- c:\program files\install.sss
2009-06-11 17:51:37 537160 ----a-w- c:\program files\Uninstall.exe
2008-10-23 16:03:34 2191360 ----a-w- c:\program files\WorldOfGoo.exe
2008-09-30 20:25:44 8776 ----a-w- c:\program files\eula.txt
2008-09-17 21:11:16 15086 ----a-w- c:\program files\WorldOfGoo.ico
2008-09-06 16:44:30 9908 ----a-w- c:\program files\readme.html
2008-09-03 10:50:16 4286 ----a-w- c:\program files\2d.ico
2008-09-03 02:07:06 76 ----a-w- c:\program files\2DBoyOnTheInformationSuperhighway.url
2008-07-07 08:22:22 320512 ----a-w- c:\program files\SDL.dll
2008-05-30 06:11:46 3850760 ----a-w- c:\program files\D3DX9_38.dll
2008-04-11 01:31:22 7639 ----a-w- c:\program files\lgpl-3.0.txt
2008-04-11 01:31:22 626688 ----a-w- c:\program files\libcurl.dll
2008-04-11 01:20:16 626688 ----a-w- c:\program files\msvcr80.dll
2008-04-11 01:20:16 548864 ----a-w- c:\program files\msvcp80.dll
2008-04-11 01:20:16 522 ----a-w- c:\program files\Microsoft.VC80.CRT.manifest
2008-04-11 01:20:16 479232 ----a-w- c:\program files\msvcm80.dll

============= FINISH: 21:27:51.65 ===============


#4 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:God's Country
  • Local time:08:00 PM

Posted 30 June 2010 - 07:39 AM

Hello greyrock

I will be handling your log to help you get cleaned up. I apologize for the delay but the forum is very busy.

As you can see the logs we ask for are very extensive and take a lot of time to investigate. In addition, since I am still in training all of my responses have to be reviewed by our excellent expert staff so there may be a delay in response time. The advantage is that your log will be evaluated by two sets of eyes and two brains.

If you haven't already, you can keep the link to this topic in your Favorites. Alternatively, you can click the Options button at the top bar of this topic and Track this Topic, where you can choose email notifications.

Please make sure Word Wrap in Notepad is turned off. When copying and pasting logs, paste them directly in the reply box; only attach logs if asked to. Do not wrap logs in codebox or code tags. It makes it very difficult to read and analyze them. Please paste them directly into the reply box.
Please do not make any changes to your system until we are through. Fixes are based upon information that is current from your system so any changes can affect our strategy. Please refrain from running any tools we may use without specific instructions.

If your operating system is Windows Vista or Windows 7, it may be necessary to right click, then choose Run as Administrator, for any programs we use.

Before we begin, please check and follow the instructions on How to Show Hidden Files and Folders in Windows Vista and Windows XP and How to show hidden files in Windows 7.

Because the e-mail notification system is not completely reliable, please check your topic once a day for responses.

Again, keep in mind that it may take a couple of days or more before I can reply but once we get started the process should speed up.

Thank you for your patience!!
PW

#5 greyrock

greyrock
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:00 PM

Posted 30 June 2010 - 07:39 PM

Thanks PW! I'll keep an eye out for your instructions.

#6 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:God's Country
  • Local time:08:00 PM

Posted 03 July 2010 - 05:03 PM

Hello greyrock,

I have a few questions.

Are you using a proxy server and does it use or did you set port 2220?
How do you connect to the internet?

Do you know what programs these files belong to?

2010-05-31 01:30:27 670 ----a-w- c:\program files\crash.txt
2009-06-11 17:54:21 123169 ----a-w- c:\program files\INSTALL.LOG
2009-06-11 17:54:20 930 ----a-w- c:\program files\install.sss
2009-06-11 17:51:37 537160 ----a-w- c:\program files\Uninstall.exe


Your log(s) show that you are using so called peer-to-peer or file-sharing programs (in your case Morpheus 5.4). These programs allow file sharing between users as the name(s) suggest. In today's world cyber crime has become an enormous problem. Different ways are used to infect personal computers to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools as a huge amount of prospective victims can be reached through them.

It is therefore possible to be infected by downloading infected files via peer-to-peer tools, and so these tools must be used with extreme care. Some further reading on this subject, along with included links, is as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes on copyright laws in many countries over the world, and you are putting yourself at risk of being indicted through organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

If you decide to keep this program please refrain from using it until we get your computer clean.


The following is referring to RegScrubXP.
Please be aware that bleepingcomputer staff do not recommend the usage of registry cleaners / tools due to the following facts:
  • Registry tools can cause irreparable damage to your Operating System
  • Registry tools can, as a result of the above, render your PC inoperable.
This is done, assuming that the major audience here at this board might be inexperienced users and thus a suggested safeguard from our side.
If you feel you have the need for a registry cleaner, then you are just as welcome to keep it. This is what we refer to as an "optional fix" and is up to the user, so just take this as a recommendation from my side.

More information about registry cleaners can be found at Miekiemoes Blog


Next, Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. <----Important
    Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick ComboFix's window while it's running because it may cause it to stall.


In your next reply please answer my questions, let me know about those files and include the following:

ComboFix.txt

Thanks!!
PW

#7 greyrock

greyrock
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:00 PM

Posted 03 July 2010 - 09:18 PM

Hi PW,

A few days before my first post, when the machine started having problems, my son was searching on the symptoms and was led to the proxy settings. He found that it was set to use a proxy server, so he un-checked it. (I just found out about this one...) We've never manually set it to use a proxy server.

The files you listed appear to be associated with "World of Goo", a PC game installed a couple of months ago.


ComboFix 10-07-03.01 - Yvette 07/03/2010 19:18:31.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1279.883 [GMT -6:00]
Running from: c:\documents and settings\Yvette\Desktop\ComboFix.exe
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\INSTALL.LOG
c:\windows\desktop
c:\windows\Fonts\SABONS10.TTF
c:\windows\Fonts\SABONS11.TTF
c:\windows\Fonts\SABONS12.TTF
c:\windows\Fonts\SABONSB6.TTF
c:\windows\Fonts\SABONSB7.TTF
c:\windows\Fonts\SABONSB8.TTF
c:\windows\Fonts\SABONSB9.TTF
c:\windows\system\olepro32.dll
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\Data
c:\windows\system32\dumphive.exe
c:\windows\system32\fonts
c:\windows\system32\fonts\ACADEMY_.PFB
c:\windows\system32\fonts\ACADEMY_.PFM
c:\windows\system32\fonts\ACADEMY_.TTF
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\muzapp.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
c:\windows\xpsp1hfm.log

Infected copy of c:\windows\system32\drivers\redbook.sys was found and disinfected
Restored copy from - Kitty had a snack tongue.gif
.
((((((((((((((((((((((((( Files Created from 2010-06-04 to 2010-07-04 )))))))))))))))))))))))))))))))
.

2010-06-26 12:22 . 2010-06-26 12:22 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-06-17 15:15 . 2010-06-17 15:15 -------- d-----w- c:\documents and settings\Yvette\Application Data\Malwarebytes
2010-06-17 15:15 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-17 15:15 . 2010-06-17 15:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-17 15:15 . 2010-06-17 15:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-17 15:15 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-17 02:29 . 2010-06-17 02:29 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-06-17 01:49 . 2010-06-17 14:27 -------- d-----w- c:\documents and settings\Yvette\Local Settings\Application Data\kwbvxlb
2010-06-16 20:16 . 2010-06-16 20:21 -------- d-----w- c:\documents and settings\Yvette\Application Data\FileZilla

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-04 00:31 . 2009-12-19 00:58 -------- d-----w- c:\documents and settings\Yvette\Application Data\Orbit
2010-06-26 03:30 . 2008-05-17 23:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-06-03 23:50 . 2010-06-03 23:48 -------- d-----w- c:\program files\iTunes
2010-06-03 23:48 . 2010-06-03 23:48 -------- d-----w- c:\program files\iPod
2010-06-03 23:48 . 2009-06-20 19:21 -------- d-----w- c:\program files\Common Files\Apple
2010-06-03 23:37 . 2009-06-20 19:25 -------- d-----w- c:\program files\Bonjour
2010-05-31 01:30 . 2010-05-03 22:39 670 ----a-w- c:\program files\crash.txt
2010-05-13 22:24 . 2004-01-12 03:41 -------- d-----w- c:\program files\Google
2010-05-12 04:00 . 2010-05-12 04:00 -------- d-----w- c:\program files\GooTool
2010-04-08 19:20 . 2010-04-08 19:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 19:20 . 2010-04-08 19:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2009-06-11 17:54 . 2009-06-11 17:54 930 ----a-w- c:\program files\install.sss
2009-06-11 17:51 . 2009-06-11 17:54 537160 ----a-w- c:\program files\Uninstall.exe
2008-10-23 16:03 . 2008-10-23 16:03 2191360 ----a-w- c:\program files\WorldOfGoo.exe
2008-09-30 20:25 . 2008-09-30 20:25 8776 ----a-w- c:\program files\eula.txt
2008-09-17 21:11 . 2008-09-17 21:11 15086 ----a-w- c:\program files\WorldOfGoo.ico
2008-09-06 16:44 . 2008-09-06 16:44 9908 ----a-w- c:\program files\readme.html
2008-09-03 10:50 . 2008-09-03 10:50 4286 ----a-w- c:\program files\2d.ico
2008-09-03 02:07 . 2008-09-03 02:07 76 ----a-w- c:\program files\2DBoyOnTheInformationSuperhighway.url
2008-07-07 08:22 . 2008-07-07 08:22 320512 ----a-w- c:\program files\SDL.dll
2008-05-30 06:11 . 2008-05-30 06:11 3850760 ----a-w- c:\program files\D3DX9_38.dll
2008-04-11 01:31 . 2008-04-11 01:31 7639 ----a-w- c:\program files\lgpl-3.0.txt
2008-04-11 01:31 . 2008-04-11 01:31 626688 ----a-w- c:\program files\libcurl.dll
2008-04-11 01:20 . 2008-04-11 01:20 626688 ----a-w- c:\program files\msvcr80.dll
2008-04-11 01:20 . 2008-04-11 01:20 548864 ----a-w- c:\program files\msvcp80.dll
2008-04-11 01:20 . 2008-04-11 01:20 522 ----a-w- c:\program files\Microsoft.VC80.CRT.manifest
2008-04-11 01:20 . 2008-04-11 01:20 479232 ----a-w- c:\program files\msvcm80.dll
.
CODE
<pre>
c:\program files\Critical Thinking Software\Word Roots Software A1\UninstallerData\Word Roots Software A1 Uninstall .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Statcomp]
@="{DC403413-9CCD-4F82-9EEF-EE1B8E3F0AB1}"
[HKEY_CLASSES_ROOT\CLSID\{DC403413-9CCD-4F82-9EEF-EE1B8E3F0AB1}]
2007-04-16 15:52 1251004 ----a-w- c:\windows\SYSTEM32\fatbin.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-08-07 700416]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\ypager.exe" [2005-12-08 3096576]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2002-07-17 200767]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-17 68856]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2004-11-30 1945600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="realsched.exe -osboot" [X]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2004-09-13 1450096]
"PinnacleDriverCheck"="c:\windows\system32\\PSDrvCheck.exe" [2004-03-11 406016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"SMSTray"="c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-09-20 132624]
"NapsterShell"="c:\program files\Napster\napster.exe" [2007-11-09 323216]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [N/A]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-10-07 1461080]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-11-30 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Program Neighborhood Agent.lnk - c:\program files\Citrix\ICA Client\pnagent.exe [2006-5-2 233744]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Engine\ymetray.exe [2008-2-5 54512]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\applib]
2007-04-16 15:52 454022 ----a-w- c:\windows\SYSTEM32\applib.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Avid\\Avid Liquid 7\\Program\\RM.exe"=
"c:\\Program Files\\Avid\\Avid Liquid 7\\Program\\StudioU.mod"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
"c:\\Program Files\\Morpheus\\Morpheus.exe"=
"f:\\Joel on the F\\Orbitdownloader\\orbitdm.exe"=
"f:\\Joel on the F\\Orbitdownloader\\orbitnet.exe"=
"f:\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 DCxxMJPG;Pinnacle DC10plus, Motion-JPEG VideoIO Board;c:\windows\SYSTEM32\DRIVERS\DCxxMJPG.sys [1/1/2004 09:46 Joel smart 132940]
R1 VBoxDrv;VirtualBox Service;c:\windows\SYSTEM32\DRIVERS\VBoxDrv.sys [5/3/2009 08:13 Joel smart 100944]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\SYSTEM32\DRIVERS\VBoxUSBMon.sys [5/3/2009 08:13 Joel smart 41424]
R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [10/7/2009 10:16 Joel smart 472280]
R3 RRNetCapMP;RRNetCapMP;c:\windows\SYSTEM32\DRIVERS\rrnetcap.sys [11/26/2009 03:28 Joel smart 27168]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\SYSTEM32\DRIVERS\VBoxNetAdp.sys [5/3/2009 08:13 Joel smart 79888]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\SYSTEM32\DRIVERS\VBoxNetFlt.sys [4/27/2009 08:39 Joel smart 87696]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 12:04 Joel smart 135664]
S3 RRNetCap;RRNetCap Service;c:\windows\SYSTEM32\DRIVERS\rrnetcap.sys [11/26/2009 03:28 Joel smart 27168]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9C450606-ED24-4958-92BA-B8940C99D441}]
2009-03-04 23:32 8192 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2009-07-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-07-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 06:04]

2010-07-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 06:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:2220
IE: &Download by Orbit - f:\joel on the f\Orbitdownloader\orbitmxt.dll/201
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Grab video by Orbit - f:\joel on the f\Orbitdownloader\orbitmxt.dll/204
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: Do&wnload selected by Orbit - f:\joel on the f\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - f:\joel on the f\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - f:\office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - hxxp://static.ak.facebook.com/fbplugin/win32/axfbootloader.cab
FF - ProfilePath - c:\documents and settings\Yvette\Application Data\Mozilla\Firefox\Profiles\nyctflse.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\Yvette\Application Data\Mozilla\Firefox\Profiles\nyctflse.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\FFExternalAlert.dll
FF - component: f:\joel on the f\Orbitdownloader\addons\OneClickYouTubeDownloader\components\GrabXpcom.dll
FF - plugin: c:\documents and settings\Yvette\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Musicnotes\npmusicn.dll
FF - plugin: c:\program files\Musicnotes\NPSibelius.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

ShellIconOverlayIdentifiers-{923ED7FC-AB32-4B9F-8A2C-B81D33023472} - c:\windows\system32\bootw32.dll
ShellIconOverlayIdentifiers-{C356423B-DC57-401F-AEA3-8F526B5514C5} - (no file)
ShellIconOverlayIdentifiers-{E5BCF8B8-52EC-4EAD-AD5C-0A6D088A8B55} - (no file)
ShellIconOverlayIdentifiers-{A310B586-9617-45B2-868D-4C9F50674F5F} - (no file)
ShellIconOverlayIdentifiers-{F608F498-939E-4C1D-A888-F31DFC3C1781} - (no file)
ShellIconOverlayIdentifiers-{0706C7EE-F60C-4849-A379-421F1DD38531} - (no file)
Notify-cabpnp - cabpnp.dll
Notify-sqlhtml - sqlhtml.dll
Notify-urlcal - urlcal.dll
AddRemove-Audacity 1.3 Beta (Unicode)_is1 - c:\documents and settings\Yvette\My Documents\Joel\Audacity 1.3 Beta (Unicode)\unins000.exe
AddRemove-Audacity_is1 - c:\documents and settings\Yvette\My Documents\Joel\Audacity\unins000.exe
AddRemove-CamStudio - c:\documents and settings\Yvette\My Documents\Joel\CamStudio\uninstall.exe
AddRemove-Children's Encyclopedia - c:\windows\uninst.exe -rDK Multimedia\Children's Encyclopedia\1.0.0
AddRemove-DLCS SpelGram - E:\setup.exe
AddRemove-Eyewitness World Atlas - c:\windows\UNINST.EXE -rDK Multimedia\Eyewitness World Atlas\1.0.0.0
AddRemove-Free Online MP4 Converter_is1 - c:\documents and settings\Yvette\My Documents\Joel\Free Online MP4 Converter\unins000.exe
AddRemove-Grammar Games - e:\grammar\setup.exe
AddRemove-I Love Spelling! - c:\windows\Uninst.exe -rDK Multimedia\I Love Spelling!\1.0.0.0
AddRemove-Microsoft Interactive Training - c:\windows\orun32.isu
AddRemove-Spell It Deluxe - e:\spelling\setup.exe
AddRemove-Ultra Mobile 3GP Video Converter_is1 - c:\documents and settings\Yvette\My Documents\Joel\Ultra Mobile 3GP Video Converter\unins000.exe
AddRemove-{27CC6AB1-E72B-4179-AF1A-EAE507EBAF51}_is1 - c:\documents and settings\Yvette\My Documents\Joel\ConvertHelper\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-03 19:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\KB975562.log 2914 bytes
c:\windows\LastGood

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(252)
c:\windows\system32\applib.dll

- - - - - - - > 'lsass.exe'(340)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(2412)
c:\windows\system32\WININET.dll
c:\windows\system32\fatbin.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\CTsvcCDA.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\UAService7.exe
c:\windows\System32\MsPMSPSv.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-07-03 19:50:42 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-04 01:50

Pre-Run: 715,612,160 bytes free
Post-Run: 2,345,385,984 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - C3F2A3563A1428B2FDB4FDAE2B4F2BD6


#8 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:God's Country
  • Local time:08:00 PM

Posted 05 July 2010 - 03:01 PM

Hello greyrock,

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall


We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide to continue we will begin.

Step 1.

We need to run a Combofix Script

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. <<----Important
3. Open notepad and copy/paste the text in the codebox below into it:

CODE
Folder::
c:\documents and settings\Yvette\Local Settings\Application Data\kwbvxlb

Renv::
c:\program files\Critical Thinking Software\Word Roots Software A1\UninstallerData\Word Roots Software A1 Uninstall .exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\applib]

File::
c:\windows\SYSTEM32\applib.dll

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:2220


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

If Combofix prompts you to update the program please allow it to do so.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Step 2.
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.


    Change the following settings
    • Change Drivers to All
    • Change Standard Registry to All
  4. Copy and Paste the following code into the textbox. Do not include the word "Code"


    CODE
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.exe
    /md5start
    userinit.exe
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    /md5stop
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\drivers\*.sys /90
    CREATERESTOREPOINT

  5. Push
  6. A report will open. Copy and Paste that report in your next reply.
  7. Two reports will open, copy and paste them in a reply here:
    • OTList.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
In your next reply please include the following:

ComboFix.txt
OTList.txt <-- Will be opened
Extra.txt <-- Will be minimized


How is your computer running? Any problems or issues?

Thanks!!
PW
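
The helper's questions in post #6 and the CFScript in post #8 both turn on a few lines of the logs posted in this thread: a browser proxy pointing at 127.0.0.1:2220 that nobody in the household configured, a Winlogon notify package loading applib.dll, and a shell icon overlay handler backed by fatbin.dll. The Python script below is an added example for readers, not part of this thread and not a BleepingComputer, DDS or ComboFix tool: it pulls exactly those entry types out of DDS/ComboFix-style log text so they can be reviewed, and flags a proxy that points at the loopback address. The sample log is constructed from lines quoted above, and the function names are my own.

```python
import re
from ipaddress import ip_address

# Constructed sample: a few lines in the format of the DDS / ComboFix logs
# posted in this thread (entries copied from the ComboFix log above; this is
# not a complete log).
SAMPLE_LOG = r"""uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:2220
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Statcomp]
@="{DC403413-9CCD-4F82-9EEF-EE1B8E3F0AB1}"
[HKEY_CLASSES_ROOT\CLSID\{DC403413-9CCD-4F82-9EEF-EE1B8E3F0AB1}]
2007-04-16 15:52 1251004 ----a-w- c:\windows\SYSTEM32\fatbin.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\applib]
2007-04-16 15:52 454022 ----a-w- c:\windows\SYSTEM32\applib.dll
"""

# DDS prints the IE proxy setting on one line: "uInternet Settings,ProxyServer = ..."
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (.+?)\s*$", re.M)
# ComboFix registry sections: a "[KEY]" line followed by value / file lines.
KEY_RE = re.compile(r"^\[([^\]]+)\]\s*$")
# ComboFix file lines: "YYYY-MM-DD HH:MM size attrs path"
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} +\d+ +\S+ +(.+?)\s*$")
CLSID_VALUE_RE = re.compile(r'@="(\{[0-9A-Fa-f-]+\})"')


def parse_proxy_settings(text):
    """Return {scheme: (host, port)} from the ProxyServer line; {} if absent."""
    m = PROXY_RE.search(text)
    if not m:
        return {}
    result = {}
    for entry in m.group(1).split(";"):          # e.g. "http=127.0.0.1:2220"
        scheme, _, hostport = entry.strip().rpartition("=")
        scheme = scheme or "all"                 # a bare host:port applies to every scheme
        if ":" in hostport:
            host, port = hostport.rsplit(":", 1)
            port = int(port) if port.isdigit() else None
        else:
            host, port = hostport, None
        result[scheme] = (host, port)
    return result


def is_loopback_proxy(host):
    """True when the proxy host is the local machine (127.0.0.0/8, ::1, localhost)."""
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def parse_registry_blocks(text):
    """Split ComboFix 'Reg Loading Points' text into (key, [body lines]) blocks."""
    lines = text.splitlines()
    blocks, i = [], 0
    while i < len(lines):
        m = KEY_RE.match(lines[i])
        if not m:
            i += 1
            continue
        body = []
        i += 1
        while i < len(lines) and lines[i].strip() and not KEY_RE.match(lines[i]):
            body.append(lines[i])
            i += 1
        blocks.append((m.group(1), body))
    return blocks


def winlogon_notify_dlls(text):
    """[(package name, dll path)] for every Winlogon\\Notify entry ComboFix listed."""
    out = []
    for key, body in parse_registry_blocks(text):
        if "\\winlogon\\notify\\" in key.lower():
            name = key.rsplit("\\", 1)[1]
            out += [(name, fm.group(1)) for fm in map(FILE_RE.match, body) if fm]
    return out


def shell_icon_overlays(text):
    """[(overlay name, CLSID, dll path or None)] resolving each CLSID to its file."""
    blocks = parse_registry_blocks(text)
    clsid_files = {}
    for key, body in blocks:
        if "\\clsid\\{" in key.lower():
            clsid = key.rsplit("\\", 1)[1].upper()
            for fm in map(FILE_RE.match, body):
                if fm:
                    clsid_files[clsid] = fm.group(1)
    out = []
    for key, body in blocks:
        if "\\shelliconoverlayidentifiers\\" in key.lower():
            name = key.rsplit("\\", 1)[1]
            for cm in map(CLSID_VALUE_RE.match, body):
                if cm:
                    clsid = cm.group(1).upper()
                    out.append((name, clsid, clsid_files.get(clsid)))
    return out


def triage(text):
    """Human-readable list of the entries a reviewer should ask the owner about."""
    findings = []
    for scheme, (host, port) in parse_proxy_settings(text).items():
        if is_loopback_proxy(host):
            findings.append(f"loopback browser proxy: {scheme}={host}:{port}")
    for name, path in winlogon_notify_dlls(text):
        findings.append(f"winlogon notify package '{name}' loads {path}")
    for name, clsid, path in shell_icon_overlays(text):
        findings.append(f"shell icon overlay '{name}' {clsid} -> {path or '(no file)'}")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG):
        print(line)
```

Nothing this script reports is a verdict on its own: a loopback proxy can belong to a legitimate local filtering tool, and Winlogon notify packages and icon overlay handlers are ordinary Windows extension points. Its job is to surface the entries a reviewer would ask about, as PW did, so they can be checked against what the owner actually installed.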

#9 greyrock

greyrock
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:00 PM

Posted 05 July 2010 - 09:39 PM

Rats! I think I'll play it safe, and go the reformat and reinstall route. I guess my kids have just received a lesson on "how to nuke a computer"...

I really appreciate your time PW, and that of your mentors. Thanks again for your help!

#10 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:God's Country
  • Local time:08:00 PM

Posted 06 July 2010 - 04:07 PM

Hello greyrock,

QUOTE
I think I'll play it safe, and go the reformat and reinstall route.

Here are some websites with instructions if you need them. Here are some more steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of them; however, by following the rest of them you will reduce the risk of becoming re-infected.

It is critical to stay up to date with the latest upgrades to your Operating System, as this can help prevent future problems. Microsoft has released the latest upgrades to the XP OS platform, which can be referenced here.

New viruses come out every minute, so it is essential that you keep your antivirus program updated and have the latest signatures to provide you with the best possible protection from malicious software.
Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

For most users the built in Windows Firewall is sufficient. If you use a third party firewall make sure you have only one firewall installed at a time.

Install Spyware Blaster and update it regularly
If you wish, the commercial version provides automatic updating.

Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
SuperAntiSpyware is another good scanner with high detection and removal rates. Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions. I personally prefer and highly recommend the licensed version of MBAM.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

Please read and follow How did I get infected?, With steps so it does not happen again! as well as How to prevent Malware by Miekiemoes

Any Problems or questions?

Thanks!!
PW

#11 greyrock

greyrock
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:00 PM

Posted 07 July 2010 - 10:39 PM

Hello PW,

No questions, your site is really helpful. I appreciate all the good info.

Thanks again!

#12 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:God's Country
  • Local time:08:00 PM

Posted 08 July 2010 - 01:13 PM

Hello greyrock,

It has been a pleasure working with you



PW

#13 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:02:00 AM

Posted 08 July 2010 - 05:05 PM

Since this issue appears to be resolved ... this Topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via PM with the address of the thread.

Everyone else please begin a New Topic.
regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware



