
Infected with I don't know what!


  • This topic is locked
11 replies to this topic

#1 ~LindsayM~

~LindsayM~

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:59 AM

Posted 18 December 2010 - 02:50 PM

Hi, please bear with me. I am by no means computer literate when it comes to viruses & malware etc. All I know is that yesterday my computer started running fake scans & wanting me to purchase protection. Lots of Windows security pop ups, Viagra etc. I began 'googling' & discovered downloading Malwarebytes as a suggestion, which I did, but this 'virus' will not let me open it. I tried changing the file name also, didn't work. I am completely lost on where to go from here. This is basically a foreign language to me. Any help would be so very appreciated!! Today the ads & pop ups seem to be gone, but I highly doubt they are??

DDS (Ver_10-12-12.02) - NTFSx86
Run by Kenny at 13:23:56.81 on Sat 12/18/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1790.1140 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Kenny\Application Data\mjusbsp\magicJack.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Kenny\My Documents\Downloads\Defogger.exe
C:\Documents and Settings\Kenny\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:59274
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: N/A: {00a6faf6-072e-44cf-8957-5838f569a31d} - c:\program files\mywebsearch\bar\2.bin\MWSSRCAS.DLL
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: MyWebSearch Search Assistant BHO: {00a6faf1-072e-44cf-8957-5838f569a31d} - c:\program files\mywebsearch\bar\2.bin\MWSSRCAS.DLL
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: c:\windows\system32\r3zc6n57gd.dll: {c7ba40a1-74f2-52bd-f411-04b15a2c8953} - c:\windows\system32\r3zc6n57gd.dll
TB: My Web Search: {07b18ea9-a523-4961-b6bb-170de4475cca} - c:\program files\mywebsearch\bar\2.bin\MWSBAR.DLL
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DriverCure] "c:\program files\paretologic\drivercure\DriverCure.exe" -scan
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Octoshape Streaming Services] "c:\documents and settings\kenny\application data\octoshape\octoshape streaming services\OctoshapeClient.exe" -inv:bootrun
uRun: [sremqgub] c:\documents and settings\kenny\local settings\application data\ladjdcklr\ihudytwtssd.exe
uRun: [mcexecwin] "rundll32.exe" c:\docume~1\kenny\locals~1\temp\aa2ib.dll, RestoreWindows
uRun: [hsfe8owijfisjhgs7ye39gjsoighsd7y3eu] c:\docume~1\kenny\locals~1\temp\bwh7jtqs.exe
uRun: [wsvlqkvb] c:\documents and settings\kenny\local settings\application data\noobcucwi\rgbtyjjtssd.exe
uRun: [hsfg9w8gujsokgahi8gysgnsdgefshyjy] c:\docume~1\kenny\locals~1\temp\mdm.exe
uRun: [M5T8QL3YW3] c:\docume~1\kenny\locals~1\temp\Hj1.exe
uRun: [cdloader] "c:\documents and settings\kenny\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [xgleegvs] c:\docume~1\kenny\locals~1\temp\nkogciucf\qutbrnxaffm.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] "nwiz.exe" /install
mRun: [NvMediaCenter] "RUNDLL32.EXE" c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [NeroFilterCheck] "c:\program files\common files\ahead\lib\NeroCheck.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [sremqgub] c:\documents and settings\kenny\local settings\application data\ladjdcklr\ihudytwtssd.exe
mRun: [My Web Search Bar Search Scope Monitor] "c:\progra~1\mywebs~1\bar\2.bin\m3SrchMn.exe" /m=2 /w /h
mRun: [wsvlqkvb] c:\documents and settings\kenny\local settings\application data\noobcucwi\rgbtyjjtssd.exe
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
IE: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJfox000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: %SYSTEMROOT%\system32\nvLsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\r3zc6n57gd.dll: {c7ba40a1-74f2-52bd-f411-04b15a2c8953} - c:\windows\system32\r3zc6n57gd.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kenny\applic~1\mozilla\firefox\profiles\s89m3tb9.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\kenny\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\kenny\application data\mozilla\plugins\npoctoshape.dll
FF - plugin: c:\program files\mywebsearch\bar\firefox\NPMYWEBS.DLL
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: My Web Search: m3ffxtbr@mywebsearch.com - c:\program files\mywebsearch\bar\firefox
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Personas Interactive: btpersonas@brandthunder.com - %profile%\extensions\btpersonas@brandthunder.com
FF - Ext: ChaCha Guide App Toolbar: chachaguidebar@chacha.com - %profile%\extensions\chachaguidebar@chacha.com

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============

R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2009-4-6 39456]
S2 MyWebSearchService;My Web Search Service;c:\progra~1\mywebs~1\bar\2.bin\mwssvc.exe [2010-1-2 28762]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S4 vsdatant;vsdatant;a --> a [?]

=============== Created Last 30 ================

2010-12-18 00:39:52 -------- d-----w- c:\program files\Iexplore.exe
2010-12-18 00:21:14 -------- d-----w- c:\docume~1\kenny\applic~1\Malwarebytes
2010-12-18 00:21:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-18 00:21:00 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-12-18 00:20:57 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-18 00:20:57 -------- d-----w- c:\program files\Iexploree.exe
2010-12-17 04:05:28 -------- d-----w- c:\docume~1\kenny\locals~1\applic~1\Graboid_Inc
2010-12-17 04:05:26 -------- d-----w- c:\docume~1\kenny\locals~1\applic~1\Graboid
2010-12-17 04:05:19 -------- d-----w- c:\docume~1\kenny\locals~1\applic~1\Geckofx
2010-12-17 04:03:28 -------- d-----w- c:\program files\VideoLAN
2010-12-17 04:03:03 -------- d-----w- c:\program files\Graboid
2010-12-06 14:55:05 36177 ----a-w- c:\documents and settings\kenny\mstsc.exe
2010-11-28 19:33:11 -------- d-----w- c:\docume~1\kenny\locals~1\applic~1\Octoshape

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 13:24:28.65 ===============
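As an added illustration (not part of this thread, and not code from DDS or ComboFix): a small Python triage script that applies the indicators visible in the log above to a constructed excerpt in the DDS "Pseudo HJT Report" format, so the same patterns (loopback proxy, autostarts in temp/application-data folders, an unnamed BHO, Explorer policy lockdown) can be spotted quickly. The rule names, severity levels, name-randomness thresholds and the sample lines are my own assumptions.

```python
import re

# Constructed excerpt in the DDS "Pseudo HJT Report" format, modelled on the
# entries posted in this thread; it is sample input, not the complete log.
SAMPLE_DDS = r"""
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:59274
BHO: c:\windows\system32\r3zc6n57gd.dll: {c7ba40a1-74f2-52bd-f411-04b15a2c8953} - c:\windows\system32\r3zc6n57gd.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [sremqgub] c:\documents and settings\kenny\local settings\application data\ladjdcklr\ihudytwtssd.exe
uRun: [mcexecwin] "rundll32.exe" c:\docume~1\kenny\locals~1\temp\aa2ib.dll, RestoreWindows
uRun: [M5T8QL3YW3] c:\docume~1\kenny\locals~1\temp\Hj1.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
uPolicies-explorer: NoFolderOptions = 1 (0x1)
"""

RUN_RE = re.compile(r"^[um]Run(?:Once)?: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
BHO_RE = re.compile(r"^(?:BHO|STS): (?P<desc>.+?): \{[0-9a-f-]{36}\} - (?P<path>.+)$", re.I)
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (?P<value>.+)$")
POLICY_RE = re.compile(r"^[um]Policies-\w+: (?P<key>\w+) = (?P<val>\d+)")

# Autostart locations a legitimate product rarely uses: per-user temp and
# application-data directories (long and 8.3 short forms), all user-writable.
USER_WRITABLE = ("\\temp\\", "\\local settings\\application data\\", "\\locals~1\\applic~1\\")
# Explorer/System policy values that hide tools a user needs to inspect the box.
LOCKDOWN_POLICIES = {"NoFolderOptions", "DisableTaskMgr", "DisableRegistryTools"}


def looks_random(name):
    """Rough test for machine-generated names: long with no vowels, or a long
    letter/digit mix. A triage hint only (assumed thresholds), never proof."""
    core = name.rsplit(".", 1)[0]
    if len(core) >= 8 and not re.search(r"[aeiou]", core, re.I):
        return True
    return (len(core) >= 10 and re.fullmatch(r"[A-Za-z0-9]+", core) is not None
            and re.search(r"\d", core) is not None
            and re.search(r"[A-Za-z]", core) is not None)


def triage(dds_text):
    """Return a list of findings ({rule, severity, line}) for one DDS report."""
    findings = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROXY_RE.match(line)
        if m:
            # A proxy on the loopback interface means something on the host is
            # sitting between the browser and the network (rogue AV hijack).
            if re.search(r"127\.0\.0\.1|localhost", m["value"]):
                findings.append({"rule": "local-proxy", "severity": "high", "line": line})
            continue
        m = RUN_RE.match(line)
        if m:
            cmd = m["cmd"].lower()
            if any(d in cmd for d in USER_WRITABLE):
                findings.append({"rule": "autorun-user-writable-path", "severity": "high", "line": line})
            elif looks_random(m["name"]):
                findings.append({"rule": "autorun-random-name", "severity": "medium", "line": line})
            continue
        m = BHO_RE.match(line)
        if m:
            basename = m["path"].rsplit("\\", 1)[-1]
            # DDS prints the path as the description when the DLL has no
            # product name; combined with a random file name that is a red flag.
            if m["desc"].lower() == m["path"].lower() or looks_random(basename):
                findings.append({"rule": "bho-unnamed-or-random", "severity": "medium", "line": line})
            continue
        m = POLICY_RE.match(line)
        if m and m["key"] in LOCKDOWN_POLICIES and m["val"] != "0":
            findings.append({"rule": "explorer-policy-lockdown", "severity": "medium", "line": line})
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 4, 'medium': 2}."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f['severity']:6}] {f['rule']:28} {f['line']}")
    print(summarize(triage(SAMPLE_DDS)))
```

The name heuristic is deliberately loose and will also flag some legitimate all-consonant file names, so findings are a reading aid for the helper, not a verdict.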


#2 ~LindsayM~

~LindsayM~
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:59 AM

Posted 18 December 2010 - 03:00 PM

I was receiving these messages:

Windows Security Alert
Windows reports that computer is infected. Antivirus software helps to protect your computer against viruses and other security threats. Click here for the scan your computer. Your system might be at risk now.

Antivirus software alert
Infiltration alert
Your computer is being attacked by an Internet virus. It could be password-stealing attack, a trojan-dropper or similar.

#3 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:01:59 PM

Posted 18 December 2010 - 03:05 PM

Good evening. :)

Take a trip to this webpage for download links and instructions for running Combofix by sUBs: http://www.bleepingcomputer.com/combofix/how-to-use-combofix *

  • When prompted to save Combofix, change the filename BEFORE saving it - any name will do, as long as it has .exe at the end.
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console, so you are free to choose whether you want to complete this step, but it is in your interests to do so.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for!

So long, and thanks for all the fish.


#4 ~LindsayM~

~LindsayM~
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:59 AM

Posted 18 December 2010 - 03:05 PM

I have GMER scanning

#5 ~LindsayM~

~LindsayM~
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:59 AM

Posted 19 December 2010 - 01:46 PM

I was able to download Combofix but it will not run. I keep getting a pop up saying: Application cannot be executed; The file is infected. Do you want to activate your antivirus software now?

#6 ~LindsayM~

~LindsayM~
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:59 AM

Posted 19 December 2010 - 01:58 PM

Also, I am unable to run magicjack anymore, which is my phone! Instead I get the warning. Help please.

#7 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:01:59 PM

Posted 19 December 2010 - 04:18 PM

Good evening. :)

Can you tell me how long the PC has been without an anti-virus program? I see McAfee Security Scan, but that isn't the same thing.

So long, and thanks for all the fish.


#8 ~LindsayM~

~LindsayM~
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:59 AM

Posted 19 December 2010 - 04:32 PM

It's been quite a while. 6 months maybe? This computer was given to me so I don't know very much information about it.

Thank You

#9 ~LindsayM~

~LindsayM~
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:59 AM

Posted 20 December 2010 - 01:47 PM

Thanks for attempting to help me. I guess I am going to wipe the computer clean :( I don't know what else to do & this has been going on for days now. I can download, but can't run any malware/virus scans..Can't go into safe mode, LOTS of popups now..Viagr@,Porn,Windows Security Alert & Antivirus software alert CONSTANTLY popping up. Yesterday I was unable to run task manager but today I can. These computers sure are interesting but mighty difficult for this girl :) Thanks

#10 ~LindsayM~

~LindsayM~
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:59 AM

Posted 20 December 2010 - 02:50 PM

YAY!! I was able to run Combofix! I was researching & used Rkill to stop all processes on my PC & then it let me run CF. No idea how I managed it but awesome! Thanks for your help & is there anything else I should do now? Thanks!

Here's the log:

ComboFix 10-12-20.01 - Kenny 12/20/2010 13:25:48.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1790.1344 [GMT -6:00]
Running from: c:\documents and settings\Kenny\Desktop\LindsayBo.exe.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Guest\Application Data\completescan
c:\documents and settings\Guest\Application Data\install
c:\documents and settings\Kenny\mstsc.exe
c:\documents and settings\Kenny\Recent\Thumbs.db
C:\feed.txt
c:\windows\system32\_000007_.tmp.dll
c:\windows\system32\ieexplorer.exe
c:\windows\system32\Thumbs.db

.
((((((((((((((((((((((((( Files Created from 2010-11-20 to 2010-12-20 )))))))))))))))))))))))))))))))
.

2010-12-20 17:58 . 2010-12-20 17:58 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2010-12-20 15:22 . 2010-12-20 15:22 -------- d-----w- C:\a1e039b9bc8dda98e5ea
2010-12-20 15:22 . 2010-12-20 15:22 -------- d-----w- C:\871cd6804b1ff4f4121d98a4229e9cec
2010-12-20 15:15 . 2010-12-20 15:15 -------- d-----w- C:\bf5b2be94925f6e90f2578b1dd057b07
2010-12-20 15:14 . 2010-12-20 15:14 -------- d-----w- C:\f81f4d151f1c8dde82
2010-12-20 15:14 . 2010-12-20 15:14 -------- d-----w- C:\2a5716c03d5257659751a9
2010-12-20 14:44 . 2010-12-20 14:44 -------- d-----w- C:\d9f69e0b94656fc01a6e
2010-12-20 14:44 . 2010-12-20 14:44 -------- d-----w- C:\a7dc3ee300efd22c8cb0fbf33491dcba
2010-12-20 14:43 . 2010-12-20 14:43 -------- d-----w- C:\663fd202092ddf2c2a7ff1cc7e234d
2010-12-18 21:50 . 2010-12-19 01:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-12-18 00:39 . 2010-12-18 00:39 -------- d-----w- c:\program files\Iexplore.exe
2010-12-18 00:21 . 2010-12-18 00:21 -------- d-----w- c:\documents and settings\Kenny\Application Data\Malwarebytes
2010-12-18 00:21 . 2010-12-18 00:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-12-18 00:21 . 2010-11-29 23:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-18 00:20 . 2010-12-18 00:26 -------- d-----w- c:\program files\Iexploree.exe
2010-12-18 00:20 . 2010-11-29 23:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-17 04:17 . 2010-12-18 22:37 -------- d-----w- c:\documents and settings\Kenny\Application Data\vlc
2010-12-17 04:05 . 2010-12-17 04:16 -------- d-----w- c:\documents and settings\Kenny\Local Settings\Application Data\Graboid
2010-12-17 04:05 . 2010-12-17 04:05 -------- d-----w- c:\documents and settings\Kenny\Local Settings\Application Data\Geckofx
2010-12-17 04:03 . 2010-12-17 04:03 -------- d-----w- c:\program files\VideoLAN

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 18:12 . 2009-04-06 19:55 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2008-04-14 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-04 21:50 . 2010-06-05 03:45 664 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\d3d9caps.tmp
2010-11-03 12:25 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2008-04-14 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2008-04-14 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2008-04-14 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DriverCure"="c:\program files\ParetoLogic\DriverCure\DriverCure.exe" [2009-02-27 2922064]
"cdloader"="c:\documents and settings\Kenny\Application Data\mjusbsp\cdloader2.exe" [2010-12-03 50592]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-31 16806912]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-08-01 13529088]
"nwiz"="nwiz.exe" [2008-08-01 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-08-01 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Kenny\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [4/6/2009 2:11 PM 39456]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 6:49 AM 227232]
.
Contents of the 'Scheduled Tasks' folder

2010-12-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:59274
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
LSP: %SYSTEMROOT%\system32\nvLsp.dll
FF - ProfilePath - c:\documents and settings\Kenny\Application Data\Mozilla\Firefox\Profiles\s89m3tb9.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Personas Interactive: btpersonas@brandthunder.com - %profile%\extensions\btpersonas@brandthunder.com
FF - Ext: ChaCha Guide App Toolbar: chachaguidebar@chacha.com - %profile%\extensions\chachaguidebar@chacha.com
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-sremqgub - c:\documents and settings\Kenny\Local Settings\Application Data\ladjdcklr\ihudytwtssd.exe
HKCU-Run-wsvlqkvb - c:\documents and settings\Kenny\Local Settings\Application Data\noobcucwi\rgbtyjjtssd.exe
HKLM-Run-sremqgub - c:\documents and settings\Kenny\Local Settings\Application Data\ladjdcklr\ihudytwtssd.exe
HKLM-Run-wsvlqkvb - c:\documents and settings\Kenny\Local Settings\Application Data\noobcucwi\rgbtyjjtssd.exe
AddRemove-Fraps - c:\documents and settings\Kenny\Desktop\uninstall.exe
AddRemove-Malwarebytes' Anti-Malware_is1 - c:\program files\IE.exee\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-20 13:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"="a"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-436374069-602609370-725345543-1004\Software\SecuROM\License information*]
"datasecu"=hex:17,92,7a,a3,5d,9f,30,e7,80,62,71,ff,3b,b6,9e,5a,db,7f,2a,fc,95,
bf,50,88,e7,77,5c,a5,a6,fa,91,d8,07,7d,6b,82,58,83,bc,fc,cb,e2,f6,b7,6f,8c,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(740)
c:\windows\system32\nvLsp.dll
.
Completion time: 2010-12-20 13:40:29
ComboFix-quarantined-files.txt 2010-12-20 19:40

Pre-Run: 92,685,332,480 bytes free
Post-Run: 93,274,570,752 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - B69300C91EE5C2F6898E84633F79B765

#11 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:01:59 PM

Posted 20 December 2010 - 03:33 PM

Good evening. :)

The problem you have is with what nasties the PC has been exposed to while it has been "unprotected". It is not just the six months that you have had it that are of concern, but also the time that the PC spent prior to that with perhaps no protection.

It is going to be impossible to guarantee a clean computer at the end of the removal process, which makes it something of a non-starter in the first place. The possibility that legitimate files may have been infected or corrupted by the malware present on your PC, and also that security settings may have been lowered making your computer more liable to infection in the future, means that starting over is the easiest and most reliable solution to your problems.

You also need to be aware of the risk of identity theft if you have accessed bank accounts with this computer or shopped online. Keylogging software could have recorded details of these actions and a lack of an effective firewall means that there is nothing to stop this information being sent home. If this does apply to you, I'd monitor your accounts and perhaps consider getting credit/debit cards, passwords etc... changed - obviously not using this PC!

I seriously recommend that you reformat and reinstall Windows as it is the quickest, in the long run, and best method of cleaning the PC and securing it for the future.

Should you want them, I can provide links to free software that will help keep your PC malware-free in the future, but you shouldn't count on them to clean your machine as it is now.

So long, and thanks for all the fish.


#12 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:01:59 PM

Posted 23 December 2010 - 08:37 PM

As this issue appears to have been resolved, this thread is now closed.

So long, and thanks for all the fish.
