Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Infected with unknown fake-antivirus software

  • Please log in to reply
3 replies to this topic

#1 bendretti


  • Members
  • 5 posts
  • Local time:12:54 AM

Posted 13 August 2010 - 04:03 PM

I'm running windows xp home with windows security essentials. I haven't restarted the computer or done a restore. I think I got this virus from web surfing. It immediately turned off Windows Security Essentials and then start popping up it's own fake virus alerts saying you're infected and so on. It also had a green shield in the task bar. Trying to start Windows Security Essentials would just make the virus pop-up more false security warnings about how that's an infected file. All browser windows would also report that any site was a virus. The virus does try to open IE to www.porno.com and other such sites.

In order to do anything I ran rKill as it's iExplore.exe alias, the other versions of rKill weren't allowed to run by the virus. This produced one result which made the green shield and most of the false alerts go away. The result was "C:Documents and SettingsCompaq_OwnerLocal SettingsApplication Databhadgnqdvtwyvegrshdw.exe". I deleted that whole folder and emptied the trash.

Using a flash drive (I had yanked the network cable) I then installed a new version of malwarebytes, over writing an old version. I also copied over a new definitions file. I ran this and it produced two results I don't believe are the actual virus. I've attached the output. From reading another post I heard that malwarebytes could of been infected so I took their advice and uninstalled it. I've been attempting to install a new version but the computer won't let me without a restart and I don't want to restart the computer.

Following this sites instructions I ran and have attached the Attach.txt file and pasted the DDS.txt results below. I'm currently running the GMER program and it's taking a long time. I can post those results once it's finished.

Other then the above, all I can say is please help and thanks a ton for any help offered! I really appreciate it.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Compaq_Owner at 13:26:33.43 on Fri 08/13/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3582.2736 [GMT -5:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:WINDOWSsystem32svchost -k DcomLaunch
C:Program FilesMicrosoft Security EssentialsMsMpEng.exe
C:WINDOWSSystem32svchost.exe -k netsvcs
C:Program FilesDAEMON Toolsdaemon.exe
C:Program FilesLexmark 4300 Serieslxcemon.exe
C:Program FilesLexmark 4300 Seriesezprint.exe
C:Program FilesMicrosoft IntelliPointipoint.exe
C:Program FilesCommon FilesAppleMobile Device SupportbinAppleMobileDeviceService.exe
C:Program FilesBonjourmDNSResponder.exe
C:Program FilesCommon FilesIntuitUpdate ServiceIntuitUpdateService.exe
C:Program FilesJavajre6binjqs.exe
C:Program FilesAdobeAcrobat 9.0AcrobatAcrotray.exe
C:Program FilesiTunesiTunesHelper.exe
C:Program FilesCommon FilesLightScribeLSSrvc.exe
C:Program FilesCommon FilesMicrosoft SharedVS7DEBUGMDM.EXE
C:Program FilesSolidWorksCOSMOSFloWorksbinCFWStandAloneSlv.exe
C:WINDOWSsystem32svchost.exe -k imgsvc
F:dds 2.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:program filescommon filesadobeacrobatactivexAcroIEHelperShim.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:program filescommon filesadobeacrobatactivexAcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:program filesjavajre6binjp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:program filesjavajre6libdeployjqsiejqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:program filescommon filesadobeacrobatactivexAcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:program filescommon filesadobeacrobatactivexAcroIEFavClient.dll
uRun: [MSMSGS] "c:program filesmessengermsmsgs.exe" /background
uRun: [updateMgr] "c:program filesadobeacrobat 7.0acrobatAdobeUpdateManager.exe" AcPro7_1_0 -reboot 1
uRun: [PlayOn] c:program filesmediamallPlayOn.exe
uRun: [ctfmon.exe] c:windowssystem32ctfmon.exe
uRun: [Google Update] "c:documents and settingscompaq_ownerlocal settingsapplication datagoogleupdateGoogleUpdate.exe" /c
uRun: [yxrouurb] c:documents and settingscompaq_ownerlocal settingsapplication databhadgnqdvtwyvegrshdw.exe
mRun: [Recguard] c:windowssminstRECGUARD.EXE
mRun: [HPBootOp] "c:program fileshewlett-packardhp boot optimizerHPBootOp.exe" /run
mRun: [DAEMON Tools] "c:program filesdaemon toolsdaemon.exe" -lang 1033
mRun: [lxcemon.exe] "c:program fileslexmark 4300 serieslxcemon.exe"
mRun: [EzPrint] "c:program fileslexmark 4300 seriesezprint.exe"
mRun: [NeroFilterCheck] c:program filescommon filesaheadlibNeroCheck.exe
mRun: [IntelliPoint] "c:program filesmicrosoft intellipointipoint.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:program filesmalwarebytes' anti-malwarembam.exe" /runcleanupscript
mRun: [LXCECATS] rundll32 c:windowssystem32spooldriversw32x863LXCEtime.dll,_RunDLLEntry@16
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:windowssystem32NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:windowssystem32NvCpl.dll,NvStartup
mRun: [MSSE] "c:program filesmicrosoft security essentialsmsseces.exe" -hide -runkey
mRun: [KernelFaultCheck] %systemroot%system32dumprep 0 -k
mRun: [AdobeCS4ServiceManager] "c:program filescommon filesadobecs4servicemanagerCS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe Acrobat Speed Launcher] "c:program filesadobeacrobat 9.0acrobatAcrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "c:program filesadobeacrobat 9.0acrobatAcrotray.exe"
mRun: [Adobe ARM] "c:program filescommon filesadobearm1.0AdobeARM.exe"
mRun: [QuickTime Task] "c:program filesquicktimeqttask.exe" -atboottime
mRun: [iTunesHelper] "c:program filesitunesiTunesHelper.exe"
mRun: [yxrouurb] c:documents and settingscompaq_ownerlocal settingsapplication databhadgnqdvtwyvegrshdw.exe
mRunOnce: [Malwarebytes' Anti-Malware (registration)] regsvr32.exe /s "c:program filesmalwarebytes' anti-malwarembamext.dll"
mRunOnce: [InnoSetupRegFile.0000000001] "c:windowsis-1KDL8.exe" /REG
dRun: [Picasa Media Detector] c:program filespicasa2PicasaMediaDetector.exe
dRunOnce: [FlashPlayerUpdate] c:windowssystem32macromedflashNPSWF32_FlashUtil.exe -p
StartupFolder: c:docume~1compaq~1startm~1programsstartupsolidw~1.lnk - c:program filessolidworksswschedulerswBOEngine.exe
StartupFolder: c:docume~1alluse~1startm~1programsstartupadobeg~1.lnk - c:program filescommon filesadobecalibrationAdobe Gamma Loader.exe
IE: Append to existing PDF - c:program filescommon filesadobeacrobatactivexAcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:program filescommon filesadobeacrobatactivexAcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - c:program filescommon filesadobeacrobatactivexAcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - c:program filescommon filesadobeacrobatactivexAcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:progra~1micros~4office12EXCEL.EXE/3000
IE: Sothink SWF Catcher - c:program filescommon filessourcetecswf catcherInternetExplorer.htm
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:program filescommon filessourcetecswf catcherInternetExplorer.htm
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:windowspchealthhelpctrvendorscn=hewlett-packard,l=cupertino,s=ca,c=usiebuttonsupport.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%Network Diagnosticxpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:program filesmessengermsmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:progra~1micros~4office12REFIEBAR.DLL
Trusted Zone: intuit.comttlc
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxps://sbs.hometime.com/Remote/msrdp.cab
DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} - hxxps://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} - hxxp://www.vexcast.com/download/vexcast.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:windowssystem32WPDShServiceObj.dll
Hosts: winguard-2009.microsoft.com
Hosts: winguard-2009.com
Hosts: www.winguard-2009.com

================= FIREFOX ===================

FF - ProfilePath - c:docume~1compaq~1applic~1mozillafirefoxprofilesiv1ac7sb.default
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:documents and settingscompaq_ownerlocal settingsapplication datagoogleupdate1.2.183.29npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:windowsmicrosoft.netframeworkv3.5windows presentation foundationdotnetassistantextension
FF - HiddenExtension: Adobe Flash Plugin: No Registry Reference - c:program filesmozilla firefoxextensions{1CE11043-9A15-4207-A565-0C94C42D590D}
FF - HiddenExtension: Java Console: No Registry Reference - c:program filesmozilla firefoxextensions{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

c:program filesmozilla firefoxgreprefsall.js - pref("ui.use_native_colors", true);
c:program filesmozilla firefoxgreprefsall.js - pref("ui.use_native_popup_windows", false);
c:program filesmozilla firefoxgreprefsall.js - pref("browser.enable_click_image_resizing", true);
c:program filesmozilla firefoxgreprefsall.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:program filesmozilla firefoxgreprefsall.js - pref("javascript.options.mem.high_water_mark", 32);
c:program filesmozilla firefoxgreprefsall.js - pref("javascript.options.mem.gc_frequency", 1600);
c:program filesmozilla firefoxgreprefsall.js - pref("network.IDN.whitelist.lu", true);
c:program filesmozilla firefoxgreprefsall.js - pref("network.IDN.whitelist.nu", true);
c:program filesmozilla firefoxgreprefsall.js - pref("network.IDN.whitelist.nz", true);
c:program filesmozilla firefoxgreprefsall.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:program filesmozilla firefoxgreprefsall.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:program filesmozilla firefoxgreprefsall.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:program filesmozilla firefoxgreprefsall.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:program filesmozilla firefoxgreprefsall.js - pref("network.IDN.whitelist.tel", true);
c:program filesmozilla firefoxgreprefsall.js - pref("network.auth.force-generic-ntlm", false);
c:program filesmozilla firefoxgreprefsall.js - pref("network.proxy.type", 5);
c:program filesmozilla firefoxgreprefsall.js - pref("network.buffer.cache.count", 24);
c:program filesmozilla firefoxgreprefsall.js - pref("network.buffer.cache.size", 4096);
c:program filesmozilla firefoxgreprefsall.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:program filesmozilla firefoxgreprefsall.js - pref("svg.smil.enabled", false);
c:program filesmozilla firefoxgreprefsall.js - pref("ui.trackpoint_hack.enabled", -1);
c:program filesmozilla firefoxgreprefsall.js - pref("browser.formfill.debug", false);
c:program filesmozilla firefoxgreprefsall.js - pref("browser.formfill.agedWeight", 2);
c:program filesmozilla firefoxgreprefsall.js - pref("browser.formfill.bucketSize", 1);
c:program filesmozilla firefoxgreprefsall.js - pref("browser.formfill.maxTimeGroupings", 25);
c:program filesmozilla firefoxgreprefsall.js - pref("browser.formfill.timeGroupingSize", 604800);
c:program filesmozilla firefoxgreprefsall.js - pref("browser.formfill.boundaryWeight", 25);
c:program filesmozilla firefoxgreprefsall.js - pref("browser.formfill.prefixWeight", 5);
c:program filesmozilla firefoxgreprefsall.js - pref("accelerometer.enabled", true);
c:program filesmozilla firefoxgreprefsall.js - pref("html5.enable", false);
c:program filesmozilla firefoxgreprefssecurity-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:program filesmozilla firefoxgreprefssecurity-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:program filesmozilla firefoxgreprefssecurity-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:program filesmozilla firefoxgreprefssecurity-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:program filesmozilla firefoxgreprefssecurity-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:program filesmozilla firefoxdefaultspreffirefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:program filesmozilla firefoxdefaultspreffirefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:program filesmozilla firefoxdefaultspreffirefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("lightweightThemes.update.enabled", true);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("browser.allTabs.previews", false);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("plugins.update.notifyUser", false);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("toolbar.customization.usesheet", false);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("dom.ipc.plugins.enabled", false);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("browser.taskbar.previews.enable", false);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("browser.taskbar.previews.max", 20);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:windowssystem32driversMpFilter.sys [2009-6-18 151216]
R2 Remote Solver for COSMOSFloWorks 2008;Remote Solver for COSMOSFloWorks 2008;c:program filessolidworkscosmosfloworksbincfwStandAloneSlv.exe [2008-1-23 245760]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:program filesdragon agebin_shipdaupdatersvc.service.exe [2009-12-3 25832]
S3 dlttape;dlttape;c:windowssystem32driversdlttape.sys [2006-10-19 8320]
S3 QntmX32;QntmX32;c:windowssystem32driversQntmX32.sys [2006-8-28 10752]

=============== Created Last 30 ================

2010-08-13 18:11:08 54016 ----a-w- c:windowssystem32driversucovpx.sys
2010-08-13 14:19:16 314 ----a-w- c:windowsis-1KDL8.lst
2010-08-13 14:19:16 10562 ----a-w- c:windowsis-1KDL8.msg
2010-08-13 14:19:15 711168 ----a-w- c:windowsis-1KDL8.exe
2010-08-12 21:18:50 50688 ----a-w- c:windowssystem32ff_acm.acm
2010-07-26 21:13:37 0 d-sh--w- c:docume~1compaq~1applic~1SystemProc

==================== Find3M ====================

2010-08-03 20:35:20 599 -c--a-w- c:documents and settingscompaq_ownercdewpref.dat
2010-08-03 20:31:05 105 -c--a-w- c:documents and settingscompaq_ownerI2RD Startup.dat
2010-07-27 06:30:35 8462336 ------w- c:windowssystem32dllcacheshell32.dll
2010-06-30 12:31:35 149504 ----a-w- c:windowssystem32schannel.dll
2010-06-30 12:31:35 149504 ------w- c:windowssystem32dllcacheschannel.dll
2010-06-24 22:51:58 11077120 ----a-w- c:windowssystem32dllcacheieframe.dll
2010-06-24 12:22:03 916480 ----a-w- c:windowssystem32wininet.dll
2010-06-24 12:22:03 916480 ----a-w- c:windowssystem32dllcachewininet.dll
2010-06-24 12:22:03 12800 ------w- c:windowssystem32dllcachexpshims.dll
2010-06-24 12:22:02 1210368 ----a-w- c:windowssystem32dllcacheurlmon.dll
2010-06-24 12:22:01 611840 ----a-w- c:windowssystem32dllcachemstime.dll
2010-06-24 12:22:01 5951488 ----a-w- c:windowssystem32dllcachemshtml.dll
2010-06-24 12:22:01 206848 ----a-w- c:windowssystem32dllcacheoccache.dll
2010-06-24 12:21:59 599040 ----a-w- c:windowssystem32dllcachemsfeeds.dll
2010-06-24 12:21:59 55296 ----a-w- c:windowssystem32dllcachemsfeedsbs.dll
2010-06-24 12:21:59 25600 ----a-w- c:windowssystem32dllcachejsproxy.dll
2010-06-24 12:21:58 247808 ------w- c:windowssystem32dllcacheieproxy.dll
2010-06-24 12:21:58 1986560 ----a-w- c:windowssystem32dllcacheiertutil.dll
2010-06-24 12:21:58 184320 ----a-w- c:windowssystem32dllcacheiepeers.dll
2010-06-24 12:21:56 743424 ------w- c:windowssystem32dllcacheiedvtool.dll
2010-06-24 12:21:55 387584 ----a-w- c:windowssystem32dllcacheiedkcs32.dll
2010-06-23 13:44:04 1851904 ----a-w- c:windowssystem32win32k.sys
2010-06-23 13:44:04 1851904 ------w- c:windowssystem32dllcachewin32k.sys
2010-06-23 12:08:09 173056 ----a-w- c:windowssystem32dllcacheie4uinit.exe
2010-06-21 15:27:11 354304 ----a-w- c:windowssystem32driverssrv.sys
2010-06-21 15:27:11 354304 ------w- c:windowssystem32dllcachesrv.sys
2010-06-18 13:36:12 3558912 ------w- c:windowssystem32dllcachemoviemk.exe
2010-06-17 14:03:00 80384 ----a-w- c:windowssystem32iccvid.dll
2010-06-14 14:31:20 744448 ------w- c:windowssystem32dllcachehelpsvc.exe
2010-06-14 07:41:45 1172480 ----a-w- c:windowssystem32msxml3.dll
2010-06-14 07:41:45 1172480 ----a-w- c:windowssystem32dllcachemsxml3.dll
2010-06-01 17:37:48 221568 ------w- c:windowssystem32MpSigStub.exe
2005-05-13 22:12:00 217073 --sha-r- c:windowsmeta4.exe
2005-07-14 17:31:20 27648 --sha-r- c:windowssystem32AVSredirect.dll
2005-06-26 20:32:28 616448 -csha-r- c:windowssystem32cygwin1.dll
2005-06-22 03:37:42 45568 -csha-r- c:windowssystem32cygz.dll
2004-01-25 05:00:00 70656 --sha-r- c:windowssystem32i420vfw.dll
2005-02-28 18:16:22 240128 --sha-r- c:windowssystem32x.264.exe
2004-01-25 05:00:00 70656 --sha-r- c:windowssystem32yv12vfw.dll
2010-01-11 21:09:35 16384 --sha-w- c:windowssystem32configsystemprofilecookiesindex.dat
2010-01-11 21:09:18 32768 --sha-w- c:windowssystem32configsystemprofilelocal settingshistoryhistory.ie5mshist012010011120100112index.dat

============= FINISH: 13:27:02.81 ===============

GMER ran for 9-10 hours and must of finished at some point during the night. Unfortunately the computer then went into sleep mode and even when woken up would not display anything on the monitors. I did a hard restart and started in safe mode. After re-reading the instructions I noticed that I had forgotten to run defogger so I ran it then, which then had me restart. I restarted once again into safe mode and am running GMER again. Is this what I should be doing?

So far in safe mode there hasn't been any pop ups or anything that looks fishy.

Thanks again for any help!

Below is the GMER output, ran in safe mode. What do I do next? Thanks!!!

GMER - http://www.gmer.net
Rootkit scan 2010-08-14 15:01:05
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:DOCUME~1COMPAQ~1LOCALS~1Temppgdyrfog.sys

---- Devices - GMER 1.0.15 ----

AttachedDevice FileSystemNtfs Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice FileSystemFastfat Fat bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLMSYSTEMCurrentControlSetServicessptdCfg19659239224E364682FA4BAF72C53EA400000001
Reg HKLMSYSTEMCurrentControlSetServicessptdCfg19659239224E364682FA4BAF72C53EA400000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLMSYSTEMCurrentControlSetServicessptdCfg19659239224E364682FA4BAF72C53EA400000001@khjeh 0x81 0xE8 0xC3 0x34 ...
Reg HKLMSYSTEMCurrentControlSetServicessptdCfg19659239224E364682FA4BAF72C53EA4000000010Jf40
Reg HKLMSYSTEMCurrentControlSetServicessptdCfg19659239224E364682FA4BAF72C53EA4000000010Jf40@khjeh 0xE5 0x73 0x97 0x6D ...
Reg HKLMSOFTWAREClassesCLSID{BEB3C0C7-B648-4257-96D9-B5D024816E27}Version
Reg HKLMSOFTWAREClassesCLSID{BEB3C0C7-B648-4257-96D9-B5D024816E27}Version@Version 0x21 0x51 0x96 0xA3 ...

---- EOF - GMER 1.0.15 ----

EDIT: Posts merged ~BP

While in safe mode I was able to do a full system scan with Windows Security Essentials. Below is what it found and deleted. Please advise what to do next. Thanks!







Attached Files

Edited by Budapest, 15 August 2010 - 04:51 PM.

BC AdBot (Login to Remove)


#2 shelf life

shelf life

  • Malware Response Team
  • 2,675 posts
  • Gender:Male
  • Location:@localhost
  • Local time:01:54 AM

Posted 19 August 2010 - 04:18 PM


Your post is a few days old. If you still need help post back.

How Can I Reduce My Risk to Malware?

#3 bendretti

  • Topic Starter

  • Members
  • 5 posts
  • Local time:12:54 AM

Posted 19 August 2010 - 04:24 PM

Sorry, I couldn't wait any longer. I wiped out the computer and installed Windows 7. Thanks for the reply.

#4 shelf life

shelf life

  • Malware Response Team
  • 2,675 posts
  • Gender:Male
  • Location:@localhost
  • Local time:01:54 AM

Posted 19 August 2010 - 04:33 PM

thanks for letting me know. Sometimes that can be the quickest and safest thing to do. If you dont have Windows update turned on make sure you visit windows update to get "patched" Heres some info for you that may help you remain malware free:

10 Tips for Prevention and Avoidance of Malware:
*There is no reason why your computer can not stay malware free.*

In no special order

1) It is essential to keep your OS,(Windows) browser (IE, FireFox) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update frequently or use the Windows auto-update feature. Staying updated is also essential for other web based applications like Java, Adobe Flash/Reader,iTunes etc. More and more third party applications are being targeted. Not sure if you have the latest version? Check their version status here.

2) Know what you are installing to your computer. Alot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. More and more legitimate software is installing useless toolbars if not unchecked first. Do not install any files from ads, popups or random links. Do not fall for fake warnings about virus and trojans being found on your computer and you are then prompted to install software to remedy this. See also the signs that you may have malware on your computer.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If either of these frequently find malware then its time to *review your computer habits*.

4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem. See also E-mail phishing Tricks.

5) Do not click on ads/pop ups or offers from websites requesting that you need to install software to your computer--*for any reason*. Use the Alt+F4 keys to close the window.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website to install components?

7) Consider the use of limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts can help prevent *malware from installing and lessen its potential impact.* This is exactly what user account control (UAC) in Windows Vista and Windows 7 attempts to address.

8) Install and understand the *limitations* of a software firewall.

9) A tool for automatically hardening and securing Internet Explorer 8.0. Requires site registration for downloading. Changes some of the default settings of IE 8.0, Read the FAQ's. Or see a slide show Here and do it yourself.

10) Warez, cracks etc are very popular for carrying malware payloads. If you look for these you will encounter malware. If you download/install files via p2p networks then you will also encounter malware. Can you really trust the source of the file? Do you really need another malware source?

Longer version with pictures in link below.

Happy Safe Surfing.

How Can I Reduce My Risk to Malware?

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users