Ron Too1 Gooochi


  • This topic is locked
6 replies to this topic

#1 Carna

Carna

  • Members
  • 3 posts
  • OFFLINE
  • Local time:12:50 PM

Posted 26 August 2010 - 06:56 PM

As a quick note, I did try to run the GMER program thing twice and both times it froze my computer and I was forced to restart. So I do not have the info that program can provide.

I have noticed recently that my computer has been freezing and lagging a lot. When I decided to try and uninstall some programs to fix the problem I noticed a program called Ron Too1 Gooochi and looked it up, as I am not too sure what is NEEDED for my computer to work. It led me to this forum. I want to get rid of this program so I have followed the instructions as much as my computer is able. (As a side note, a previous virus which I somehow managed to get rid of disabled my Task Manager completely and I am unable to access it at all, in any way. Perhaps this posted information can tell you why it is disabled?)



Here's the DDS report:



DDS (Ver_10-03-17.01) - NTFSx86
Run by Jonathon at 17:22:18.50 on Thu 08/26/2010
Internet Explorer: 8.0.6001.18882
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.501.96 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\sttray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\igfxsrvc.exe
C:\PROGRA~1\FLOCK\FLOCK.EXE
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\sdclt.exe
C:\Users\Jonathon\AppData\Roaming\U3\17380111D300F4BC\LaunchPad.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Jonathon\Carnas Horde\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
uWindow Title = Windows Internet Explorer provided by Yahoo!
mStart Page = hxxp://www.yahoo.com/
mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=W3611
mSearch Page =
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = 0.0.0.0:80
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=W3611
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\twex.exe,
mWinlogon: UIHost=%windir%\Resources\LogonUI\flames-fury\logonui.exe
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {1FD79A59-37B1-459B-9097-09F9FAB8A523} - No File
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: CDNSCacheObj Object: {376892ae-1825-4e5f-9f85-23f9640051cc} - c:\windows\XviDplg.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\google\BAE.dll
TB: {35065594-9169-4A34-B167-FC4865038E53} - No File
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [YSearchProtection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
uRun: [userinit] c:\users\jonathon\appdata\roaming\twex.exe
uRun: [Tcazanapoxubace] rundll32.exe "c:\users\jonathon\appdata\local\wilsjot.dll",Startup
uRun: [Scofijenonuci] rundll32.exe "c:\users\jonathon\appdata\local\imocahexofipuj.dll",Startup
uRun: [notepad] rundll32.exe c:\windows\system32\config\system~1\ntload.dll,_IWMPEvents@0
uRun: [gazujugas] Rundll32.exe "c:\progra~2\nasijuye\nasijuye.dll",a
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [TkBellExe] "realsched.exe" -osboot
mRun: [MSConfig] "c:\windows\system32\msconfig.exe" /auto
StartupFolder: c:\users\jonathon\appdata\roaming\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\users\jonathon\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
mPolicies-system: ConsentPromptBehaviorUser = 2 (0x2)
IE: &Save Flash In This Page by Flash Saver - c:\progra~1\flashs~1\save.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {09EA1F80-F40A-11D1-B792-444553540001} - c:\progra~1\flashs~1\save.htm
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\npjpi160.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
Notify: igfxcui - igfxdev.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
IFEO: image file execution options - svchost.exe
IFEO: a.exe - svchost.exe
IFEO: aAvgApi.exe - svchost.exe
IFEO: AAWTray.exe - svchost.exe
IFEO: About.exe - svchost.exe

Note: multiple IFEO entries found. Please refer to Attach.txt

============= SERVICES / DRIVERS ===============

S3 BELKIN;Belkin Wireless G USB Network Adapter;c:\windows\system32\drivers\BLKWGU.sys [2009-8-29 252416]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]

============== File Associations ===============

regfile="regedit.exe" "%1"

=============== Created Last 30 ================

2010-08-19 09:04:28 92346574 ----a-w- c:\windows\MEMORY.DMP
2010-08-14 09:52:37 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2010-08-14 09:47:02 0 d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-08-09 16:59:36 378368 ----a-w- c:\windows\system32\winhttp.dll
2010-08-09 16:59:24 396800 ----a-w- c:\windows\system32\drivers\http.sys
2010-08-09 16:59:23 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-08-09 16:59:22 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-08-07 23:48:15 62464 ----a-w- c:\windows\system32\l3codeca.acm
2010-08-07 23:48:14 220672 ----a-w- c:\windows\system32\l3codecp.acm
2010-08-07 23:48:10 58368 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-08-07 23:48:09 211968 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-08-07 23:48:07 102400 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-08-07 23:47:54 3502480 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-08-07 23:47:51 3468168 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-08-07 23:47:35 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-08-07 23:46:45 2048 ----a-w- c:\windows\system32\tzres.dll
2010-08-07 23:41:24 473088 ----a-w- c:\windows\system32\secproc_isv.dll
2010-08-07 23:41:24 472576 ----a-w- c:\windows\system32\secproc.dll
2010-08-07 23:41:20 523776 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-08-07 23:41:20 515584 ----a-w- c:\windows\system32\RMActivate.exe
2010-08-07 23:41:20 435712 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-08-07 23:41:19 431104 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-08-07 23:41:19 154112 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-08-07 23:41:18 312320 ----a-w- c:\windows\system32\msdrm.dll
2010-08-07 23:41:18 154624 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-08-07 23:39:23 815104 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-08-07 23:39:22 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-08-07 23:39:22 179712 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-08-07 23:39:21 22016 ----a-w- c:\windows\system32\netiougc.exe
2010-08-07 23:39:20 167424 ----a-w- c:\windows\system32\tcpipcfg.dll
2010-08-07 23:39:20 15360 ----a-w- c:\windows\system32\drivers\TUNMP.SYS
2010-08-07 23:28:29 171520 ----a-w- c:\windows\system32\wintrust.dll
2010-08-07 23:25:09 0 d-----w- c:\users\jonathon\appdata\roaming\Registry Mechanic
2010-08-07 23:10:20 97792 ----a-w- c:\windows\system32\cabview.dll
2010-08-07 22:49:28 0 d---a-w- c:\programdata\TEMP
2010-08-07 22:24:05 0 d-----w- c:\programdata\luyusowa
2010-08-07 22:24:05 0 d-----w- c:\programdata\fedalajo
2010-08-07 22:24:05 0 d-----w- c:\programdata\buhiwuna
2010-08-07 22:22:27 0 d-----w- c:\programdata\nasijuye
2010-08-07 22:22:27 0 d-----w- c:\programdata\migezomu
2010-08-07 22:22:27 0 d-----w- c:\programdata\jijivafo
2010-08-07 21:46:30 494592 ----a-w- c:\windows\system32\kerberos.dll
2010-08-07 21:46:29 272384 ----a-w- c:\windows\system32\schannel.dll
2010-08-06 09:43:43 0 d-----w- c:\program files\Gravity
2010-07-30 15:19:24 0 d-----w- c:\users\jonathon\DS Backup

==================== Find3M ====================

2010-08-24 09:32:00 86016 ----a-w- c:\windows\inf\infstrng.dat
2010-08-24 09:32:00 86016 ----a-w- c:\windows\inf\infstor.dat
2010-08-24 09:32:00 51200 ----a-w- c:\windows\inf\infpub.dat
2010-07-30 15:37:42 1832 ----a-w- c:\users\jonathon\appdata\roaming\wklnhst.dat
2010-07-03 02:36:29 18467328 ----a-w- c:\windows\system32\imageres.dll
2009-03-13 20:17:53 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-12-12 16:59:26 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-10-28 07:31:57 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\cookies\index.dat
2009-10-28 07:31:57 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\history\history.ie5\index.dat
2009-10-28 07:31:57 32768 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\temporary internet files\content.ie5\index.dat
2009-10-28 07:31:52 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\temp\cookies\index.dat
2009-10-28 07:31:52 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\temp\history\history.ie5\index.dat
2009-10-28 07:31:52 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\temp\temporary internet files\content.ie5\index.dat
2009-10-20 21:37:08 294912 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-08-31 03:00:16 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-10-14 21:05:34 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-10-14 21:05:34 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-10-14 21:05:34 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 17:24:48.55 ===============


(Again, due to GMER's failure I am unable to attach the ARK file.. x.x)



#2 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:08:50 PM

Posted 02 September 2010 - 09:36 AM

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so (in that case, post fresh dds.txt contents).
Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#3 Carna

Carna
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:12:50 PM

Posted 02 September 2010 - 05:51 PM

My computer doesn't have anything vital on it that I know of. It's second hand and only holds things like music and pictures, and some stories I've collected to read for my personal use. Because it is second hand I would like nothing better than to have Vista reinstalled and the computer wiped of all useless programs that have been downloaded onto it since before I got it and after. I want to backup and save only the pictures, music and stories, and maybe one game program only. I think it's a 'factory restart' or something. I am not sure. But because it's a second hand computer I don't have a Vista installation disc or anything. How much exactly will it cost me to get this help?

#4 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:08:50 PM

Posted 03 September 2010 - 08:03 AM

Hi,

I'm not quite sure if you want to take the cleaning route or do a reformat after backing up important stuff.

QUOTE: How much exactly will it cost me to get this help?

Help here is free so this won't cost you anything.



#5 Carna

Carna
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:12:50 PM

Posted 04 September 2010 - 01:56 AM

I have a friend that is saving my pics and stories for me. All I need is the means to clean my computer. Just tell me what to do...

#6 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:08:50 PM

Posted 04 September 2010 - 06:22 AM

Hi,

Please post a fresh dds.txt log so I can see the current situation first before giving further instructions.



#7 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:08:50 PM

Posted 11 September 2010 - 04:41 AM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a Staff member. Include the address of this thread in your request. This applies only to the original topic starter. Should you have a new issue, please start a New Topic.
