
dds, attach and gmer log


This topic is locked
15 replies to this topic

#1 Asha86x

Posted 28 March 2011 - 06:42 AM

OK, so I posted a topic about how my computer was infected with the Desktop Security virus.. and probably several others. I have done everything I can to try to solve it, followed so many different internet guides on how to remove it, I have run my virus scans: Norman, Avast, Malwarebytes etc. The only one that ever finds anything is Malwarebytes; it says it's an infected registry key.. I delete it.. restart.. and boom, up pops Desktop Security.. so.. let's see what you guys can do! In my last post I was told to do these things and post the log, and I have done exactly as directed.. let's hope this can finally be the end of this Desktop Security crisis, for me! Thanks so much for your help and your time, it is very, very much appreciated.

I've had to add them as attachments, as it will not let me post so much in the msg box.


#2 Noviciate

Posted 28 March 2011 - 03:24 PM

Good evening. :)

Take a trip to this webpage for download links and instructions for running Combofix by sUBs.*

  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste it into your next reply.
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console so, should you choose not to allow the installation, you may not get the results you hoped for.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for either.

So long, and thanks for all the fish.


#3 Asha86x

Posted 28 March 2011 - 06:32 PM

It keeps restarting my computer and instructing me to write down file names.. This makes me nervous. When my comp restarts, so does my AV.. and the Desktop Security virus lol..

#4 Asha86x

Posted 28 March 2011 - 06:49 PM

OK, it went through after all. Here it is:

ComboFix 11-03-28.01 - Jordan 03/29/2011 10:33:20.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.645 [GMT 11:00]
Running from: c:\documents and settings\Jordan\Desktop\ComboFix.exe
AV: Norman Security Suite *Disabled/Updated* {EB9EFB40-AE72-4C43-B204-0FCD0E92D5F1}
FW: Norman Security Suite *Disabled* {83B29CE9-9DE2-2CB5-9AB3-780D70FF12B0}
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Macromedia\SwUpdate
c:\documents and settings\Jordan\Application Data\Adobe\plugs
c:\documents and settings\Jordan\Application Data\Bitrix Security
c:\documents and settings\Jordan\Application Data\Desktop Security
c:\documents and settings\Jordan\Application Data\EurekaLog
c:\documents and settings\Jordan\Application Data\Ezyqwi
c:\documents and settings\Jordan\Application Data\Iryfet
c:\documents and settings\Jordan\Application Data\Poeqor
c:\documents and settings\Jordan\Local Settings\Application Data\{4C2C502A-C84A-4AA1-AA0D-CD443DEFC9EA}
C:\moneyxmexx.exe
c:\windows\system32\C
.
Infected copy of c:\windows\system32\DRIVERS\WudfPf.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
((((((((((((((((((((((((( Files Created from 2011-02-28 to 2011-03-28 )))))))))))))))))))))))))))))))
.
.
No new files created in this timespan
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-08 10:59 . 2008-01-08 10:59 1567232 -c--a-w- c:\program files\SteamInstall.msi
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Orb"="c:\program files\Winamp Remote\bin\OrbTray.exe" [2008-01-07 495616]
"PcSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 1449984]
"Steam"="c:\program files\Steam\Steam.exe" [2011-02-07 1242448]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"SkyTel"="SkyTel.EXE" [2007-04-04 1822720]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-07-17 1687824]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-07-18 2094352]
"Norman ZANDA"="c:\program files\Norman\Npm\Bin\ZLH.EXE" [2011-03-22 189824]
"NOELauncher"="c:\program files\Norman\nsc\bin\noelauncher.exe" [2010-11-08 78176]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-21 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"Yqosucovotuke"="c:\windows\uvivabowinewunoz.dll" [2008-04-14 193536]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-10 16126464]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-9-27 122880]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\xxashaxx\\counter-strike source\\hl2.exe"=
.
R1 NGS;Norman General Security Driver;c:\program files\Norman\Ngs\Bin\ngs.sys [4/24/2010 3:18 PM 26744]
R1 NPROSEC;Norman Security driver;c:\program files\Norman\Ngs\Bin\nprosec.sys [4/24/2010 3:18 PM 74144]
R1 tdi_nf;Norman Network Filter TDIL driver;c:\windows\system32\drivers\tdi_nf.sys [4/24/2010 3:18 PM 378000]
R2 Ndiskio;Ndiskio;c:\program files\Norman\Nse\Bin\Ndiskio.sys [4/24/2010 3:18 PM 22880]
R2 NNFSVC;Norman Network Filtering service;c:\program files\Norman\Ngs\Bin\nnf.exe [4/24/2010 3:18 PM 223000]
R2 NPFSvc32;Norman Personal Firewall Service;c:\program files\Norman\Npf\Bin\npfsvc32.exe [6/17/2010 12:49 PM 290472]
R2 NPROSECSVC;Norman Security service;c:\program files\Norman\Ngs\Bin\nprosec.exe [4/24/2010 3:18 PM 90656]
R2 npsvc32;Norman Privacy Service;c:\program files\Norman\Npt\Bin\npsvc32.exe [4/24/2010 3:18 PM 99904]
R2 nregsec;Norman Registry Security driver;c:\program files\Norman\Ngs\Bin\nregsec.sys [4/24/2010 3:18 PM 40384]
R2 NVOY;Norman Resource Provider;c:\program files\Norman\Npm\Bin\nvoy.exe [4/24/2010 3:18 PM 100336]
R3 NASS;Norman Anti Spam Service;c:\program files\Norman\Nsc\Bin\nassvc32.exe [4/24/2010 3:18 PM 141000]
R3 NIG;Norman Intrusion Guard;c:\program files\Norman\Nig\Bin\nigsvc32.exe [4/24/2010 3:18 PM 336304]
R3 nnetsec;Norman Network Security service;c:\windows\system32\drivers\nnetsec.sys [4/24/2010 3:18 PM 48272]
R3 NNetSecC;Norman Network Filter NDIS common driver;c:\program files\Norman\Ngs\Bin\nnetsecc.sys [5/28/2010 12:16 AM 23040]
R3 nsesvc;Norman Scanner Engine Service;c:\program files\Norman\Nse\Bin\Nsesvc.exe [12/9/2010 10:20 AM 288072]
R3 NvcMFlt;NvcMFlt;c:\windows\system32\drivers\nvcw32mf.sys [4/24/2010 3:18 PM 24176]
R3 nvcoas;Norman Virus Control on-access component;c:\program files\Norman\Nvc\Bin\Nvcoas.exe [8/17/2010 2:54 PM 198168]
R3 Scheduler;Norman Scheduler Service;c:\program files\Norman\Npm\Bin\scheduler.exe [4/24/2010 3:18 PM 99312]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 00:50]
.
2011-03-28 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-09 12:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:8992
uInternet Settings,ProxyOverride = <local>
LSP: c:\program files\Norman\ngs\bin\nlf.dll
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{ba14329e-9550-4989-b3f2-9732e92d17cc} - (no file)
BHO-{ba14329e-9550-4989-b3f2-9732e92d17cc} - (no file)
Toolbar-{ba14329e-9550-4989-b3f2-9732e92d17cc} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
HKCU-Run-Hmoduwokuqisalu - c:\windows\wkbdel40.dll
HKCU-Run-XBV6RD5SZF - c:\docume~1\Jordan\LOCALS~1\Temp\Bz3.exe
HKCU-Run-{6D0B6652-3D84-7745-B887-349975ED34F4} - c:\documents and settings\Jordan\Application Data\Poeqor\ikpua.exe
HKCU-Run-{E16B4C70-4F12-501E-3C94-CCC4F065E610} - c:\documents and settings\Jordan\Application Data\Iryfet\liyse.exe
HKCU-Run-exvsgphj - c:\docume~1\Jordan\LOCALS~1\Temp\tcqkacjex\vyvkiiksjmo.exe
HKCU-Run-oeycfblq - c:\docume~1\Jordan\LOCALS~1\Temp\yewiaplrm\vntcpshsjmo.exe
HKCU-Run-sysapp.exe - c:\sysapp\sysapp.exe
HKU-Default-Run-moneyxmexx.exe - c:\moneyxmexx.exe\moneyxmexx.exe
HKLM_ActiveSetup-{79F751AB-DDEC-42B8-B58E-29F2ED230605} - c:\documents and settings\Jordan\Application Data\Bitrix Security\mlkee.dll
AddRemove-Desktop Security - c:\documents and settings\Jordan\Application Data\Desktop Security\securityhelper.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-29 10:43
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-03-29 10:45:06
ComboFix-quarantined-files.txt 2011-03-28 23:45
.
Pre-Run: 79,953,186,816 bytes free
Post-Run: 80,673,103,872 bytes free
.
- - End Of File - - 8D4974D8D6EA922D31B20A734C8BB3B1
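As an added example (not code from this thread, from ComboFix, or from its author), here is a small Python triage script that walks the registry loading points and supplementary scan lines of a ComboFix log like the one above and flags what a malware responder looks for first: Security Center override values set, the Windows firewall policy switched off, a browser proxy pointed at 127.0.0.1, and autostart entries launched from user-writable folders or loose DLLs dropped directly into c:\windows. The embedded sample is a trimmed copy of the log posted here; the rule set and function names are my own assumptions, not ComboFix's.

```python
import re
from collections import Counter

# Constructed sample: a trimmed copy of the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Yqosucovotuke"="c:\windows\uvivabowinewunoz.dll" [2008-04-14 193536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:8992
uInternet Settings,ProxyOverride = <local>
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-XBV6RD5SZF - c:\docume~1\Jordan\LOCALS~1\Temp\Bz3.exe
HKCU-Run-{6D0B6652-3D84-7745-B887-349975ED34F4} - c:\documents and settings\Jordan\Application Data\Poeqor\ikpua.exe
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")                      # [HKEY_...\Run]
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"')          # "Name"="path" [date size]
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-f]{8})$', re.IGNORECASE)
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(\d+)')
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(.+)$")
ORPHAN_RE = re.compile(r"^(HK(?:CU|LM|U)-Run-\S+) - (.+)$")  # HKCU-Run-name - path

# Security Center values a rogue AV flips so Windows stops warning that the real AV/firewall are off.
TAMPER_VALUES = {"antivirusoverride", "firewalloverride", "disablemonitoring"}
# Folders a legitimate installer does not use for autostart binaries, but droppers routinely do.
USER_WRITABLE = ("\\temp\\", "\\application data\\", "\\locals~1\\")


def is_suspicious_path(path):
    """True for autostart targets launched from user-writable profile/temp folders,
    or for a loose DLL sitting directly in c:\\windows (not system32)."""
    p = path.lower()
    if any(marker in p for marker in USER_WRITABLE):
        return True
    head, _, tail = p.rpartition("\\")
    return head == "c:\\windows" and tail.endswith(".dll")


def triage(log_text):
    """Walk the log line by line, tracking the current [registry key] section,
    and return (category, detail) findings in the order they appear."""
    findings = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = DWORD_RE.match(line)
        if m:
            name, value = m.group(1), int(m.group(2), 16)
            if "security center" in section and name.lower() in TAMPER_VALUES and value != 0:
                findings.append(("security_center_tamper", f"{section}\\{name}={value}"))
            continue
        m = FIREWALL_RE.match(line)
        if m:
            if "firewallpolicy" in section and m.group(1) == "0":
                findings.append(("firewall_disabled", section))
            continue
        m = RUN_VALUE_RE.match(line)
        if m:
            if section.endswith("\\run") and is_suspicious_path(m.group(2)):
                findings.append(("suspicious_autostart", f"{m.group(1)} -> {m.group(2)}"))
            continue
        m = PROXY_RE.match(line)
        if m:
            # A proxy on the loopback interface means a local process sits in the browser's path.
            if re.search(r"127\.0\.0\.1:\d+", m.group(1)):
                findings.append(("loopback_proxy", m.group(1)))
            continue
        m = ORPHAN_RE.match(line)
        if m and is_suspicious_path(m.group(2)):
            findings.append(("suspicious_autostart", f"{m.group(1)} -> {m.group(2)}"))
    return findings


def count_by_category(findings):
    """Summarise findings as {category: count}."""
    return dict(Counter(category for category, _ in findings))


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:24} {detail}")
```

Once a machine is clean, the three Security Center values and EnableFirewall should be put back to their defaults and the 127.0.0.1 proxy removed; leaving them as logged keeps Windows silent about the next infection.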

#5 Noviciate

Posted 29 March 2011 - 02:33 PM

Good evening. :)

It keeps restarting my computer and instructing me to write down file names.. This makes me nervous.

The time to be nervous is when it doesn't restart! :whistle:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pay a visit to the ESET Online Scanner.

  • Click the ESET Online Scanner button and a new window will open - you may need to maximise it.
  • Click the Run ESET Online Scanner button in the new window.
  • If you are using any other browser than IE, you will be prompted to download and run esetsmartinstaller_enu.exe and the scan will run from within the window that the executable opens.
  • Regardless of which browser you are using, you will be shown some terms and conditions and you will need to accept these to continue.
  • If you are running IE for this scan you will then be prompted to allow an ActiveX component to be downloaded, unless you already have it installed, and the scan will run inside IE.
  • When you see the Computer Scan Settings window, you will need to make the following changes:

    • UNCHECK Remove found threats - this is important.
    • Check Scan archives
    • Click on Advanced settings
    • Check Scan for potentially unsafe applications
  • Once ready, click Start to begin - not a surprise really!
  • The anti-virus definitions will now be downloaded, so don't forget to allow them through your firewall if prompted.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.

Will you also throw in a fresh DDS log and let me know how the PC is behaving now.

So long, and thanks for all the fish.


#6 Asha86x

Posted 29 March 2011 - 06:57 PM

I waited 3 times over the course of more than an hour; the scan won't work, it keeps saying unexpected error 101 and then doesn't do anything at all.

Here is the DDS log.

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 9/25/2007 9:46:36 PM
System Uptime: 3/29/2011 10:28:40 AM (24 hours ago)
.
Motherboard: ASUSTeK Computer INC. | | P5GC-MX
Processor: Intel® Pentium® Dual CPU E2160 @ 1.80GHz | LGA 775 | 1800/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 149 GiB total, 63.593 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}
Description: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
Device ID: ACPI\PNP0303\4&2C575ACB&0
Manufacturer: (Standard keyboards)
Name: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
PNP Device ID: ACPI\PNP0303\4&2C575ACB&0
Service: i8042prt
.
Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
Description: Nokia Windows Portable Device Driver
Device ID: ROOT\WPD\0000
Manufacturer: Nokia
Name: Nokia N97
PNP Device ID: ROOT\WPD\0000
Service: WUDFRd
.
Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
Description: Nokia N95
Device ID: ROOT\WPD\0001
Manufacturer: Nokia
Name: Nokia N95
PNP Device ID: ROOT\WPD\0001
Service: WUDFRd
.
==== System Restore Points ===================
.
RP96: 12/29/2010 4:19:55 PM - System Checkpoint
RP97: 12/30/2010 5:19:55 PM - System Checkpoint
RP98: 12/31/2010 6:19:55 PM - System Checkpoint
RP99: 1/28/2011 9:24:31 PM - System Checkpoint
RP100: 1/29/2011 9:33:38 PM - System Checkpoint
RP101: 1/30/2011 10:33:38 PM - System Checkpoint
RP102: 1/31/2011 11:33:34 PM - System Checkpoint
RP103: 2/2/2011 12:33:36 AM - System Checkpoint
RP104: 2/3/2011 1:33:39 AM - System Checkpoint
RP105: 2/4/2011 2:33:34 AM - System Checkpoint
RP106: 2/5/2011 10:53:33 AM - System Checkpoint
RP107: 2/7/2011 11:18:46 AM - System Checkpoint
RP108: 2/10/2011 5:57:46 PM - System Checkpoint
RP109: 2/18/2011 7:58:50 PM - System Checkpoint
RP110: 2/19/2011 8:26:37 PM - System Checkpoint
RP111: 2/20/2011 9:23:38 PM - System Checkpoint
RP112: 2/26/2011 6:58:20 PM - System Checkpoint
RP113: 2/27/2011 7:41:05 PM - System Checkpoint
RP114: 2/28/2011 8:05:11 PM - System Checkpoint
RP115: 3/1/2011 9:05:10 PM - System Checkpoint
RP116: 3/2/2011 10:05:10 PM - System Checkpoint
RP117: 3/3/2011 11:05:09 PM - System Checkpoint
RP118: 3/5/2011 12:05:16 AM - System Checkpoint
RP119: 3/6/2011 1:05:10 AM - System Checkpoint
RP120: 3/7/2011 2:05:02 AM - System Checkpoint
RP121: 3/8/2011 3:04:53 AM - System Checkpoint
RP122: 3/9/2011 4:04:53 AM - System Checkpoint
RP123: 3/10/2011 5:04:53 AM - System Checkpoint
RP124: 3/13/2011 10:03:38 AM - System Checkpoint
RP125: 3/19/2011 1:37:34 PM - System Checkpoint
RP126: 3/22/2011 8:34:24 AM - System Checkpoint
RP127: 3/27/2011 2:26:23 AM - System Checkpoint
RP128: 3/27/2011 10:30:05 PM - Removed Bonjour
RP129: 3/28/2011 2:55:23 PM - Removed Ventrilo Client
RP130: 3/28/2011 3:25:13 PM - Removed ScanSoft PaperPort 11
RP131: 3/28/2011 3:27:55 PM - Removed Brother MFL-Pro Suite
RP132: 3/28/2011 3:28:49 PM - Removed e-tax 2010
RP133: 3/28/2011 3:29:57 PM - Configured MYOB Premier v6.0.2
.
==== Installed Programs ======================
.
Adobe Flash Player 10 ActiveX
Adobe Reader 9.3
Adobe Shockwave Player
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Atheros Communications Inc.® L2 Fast Ethernet Driver
Auto Gordian Knot 2.55
AviSynth 2.5
BigPond Broadband ADSL
Counter-Strike: Source
Critical Update for Windows Media Player 11 (KB959772)
EA SPORTS™ Cricket 07
ESET Online Scanner v3
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
ImagXpress
ImgBurn
iTunes
Java Auto Updater
Java™ 6 Update 19
Java™ 6 Update 2
Java™ 6 Update 3
Junk Mail filter update
LightScribe 1.4.136.1
Logitech GamePanel Software 2.00
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft National Language Support Downlevel APIs
Microsoft Reader
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft User-Mode Driver Framework Feature Pack 1.5
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
MSN
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
neroxml
Nokia Connectivity Cable Driver
Nokia Flashing Cable Driver
Nokia Home Media Server
Nokia MTP driver
Nokia PC Suite
Nokia Photos
Nokia Software Updater
Norman Security Suite
NVIDIA Drivers
PaperPort Image Printer
PC Connectivity Solution
QuickTime
Realtek High Definition Audio Driver
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
Segoe UI
Steam
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VobSub v2.23 (Remove Only)
Vuze_Remote Toolbar
WebFldrs XP
WinAce Archiver
Winamp
Winamp Remote
Windows Driver Package - Atheros (arusb(Atheros)) Net (09/23/2008 3.0.0.131)
Windows Driver Package - NETGEAR (W8335XP) Net (02/22/2005 3.1.1.7)
Windows Driver Package - NETGEAR Inc. (RTLWUSB) Net (02/07/2007 5.1283.0207.2007)
Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
Windows Driver Package - Thomson (USB_RNDIS) Net (02/16/2004 1.0.0.3)
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinZip
World of Warcraft
XML Paper Specification Shared Components Pack 1.0
Xvid 1.1.3 final uninstall
XviD MPEG4 Video Codec (remove only)
.
==== Event Viewer Messages From Past Week ========
.
3/29/2011 10:21:56 AM, error: Service Control Manager [7034] - The Norman Privacy Service service terminated unexpectedly. It has done this 1 time(s).
3/29/2011 10:21:45 AM, error: Service Control Manager [7034] - The Norman NJeeves service terminated unexpectedly. It has done this 1 time(s).
3/28/2011 7:47:25 PM, error: Service Control Manager [7034] - The IMAPI CD-Burning COM Service service terminated unexpectedly. It has done this 1 time(s).
3/28/2011 2:35:38 PM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
3/28/2011 2:32:59 PM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:.
3/27/2011 8:37:57 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 5 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
3/27/2011 8:34:27 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 4 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
3/27/2011 12:34:43 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
3/27/2011 11:03:34 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
3/27/2011 11:01:09 PM, error: Service Control Manager [7000] - The AEGIS Protocol (IEEE 802.1x) v3.4.3.0 service failed to start due to the following error: The system cannot find the file specified.
3/27/2011 11:00:02 PM, error: Print [23] - Printer Brother PC-FAX v.2 failed to initialize because a suitable Brother PC-FAX v.2 driver could not be found.
3/27/2011 10:59:57 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
3/27/2011 10:59:57 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
3/27/2011 10:57:44 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
3/27/2011 10:50:50 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
3/27/2011 10:39:43 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
3/27/2011 10:26:55 PM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
3/27/2011 10:26:41 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
3/27/2011 10:26:12 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer ASHS-LAPTOP that believes that it is the master browser for the domain on transport NetBT_Tcpip_{97ABAE1F-A45B-46. The master browser is stopping or an election is being forced.
3/27/2011 10:25:57 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
3/27/2011 1:22:15 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 3 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
3/26/2011 11:29:27 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
3/26/2011 11:29:27 PM, error: Service Control Manager [7022] - The Automatic Updates service hung on starting.
.
==== End Of File ===========================

#7 Noviciate

Posted 30 March 2011 - 02:39 PM

Good evening. :)

Will you just check something for me as this is an issue that others have had. When you see the Computer Scan Settings window there should be a box for Enable Anti-Stealth technology, under Advanced settings, and it should be checked.
Will you try again and if the box is unchecked, check it and try the scan again. If the box is checked, don't bother as this isn't the cause and we'll try something else.

So long, and thanks for all the fish.
#8 Asha86x

  • Topic Starter

  • Members
  • 12 posts
  • Local time:01:44 PM

Posted 30 March 2011 - 06:46 PM

Genius!!!! It worked! It only took 2 and a half hours and came up with 27 infections haha! Turns out I had unchecked that particular box... cos it didn't say it was meant to be checked... didn't say it wasn't either lol.. anyway here is the log :)




C:\Documents and Settings\Jordan\Application Data\Sun\Java\Deployment\cache\6.0\35\47b837e3-43968426 probably a variant of Win32/Agent.RPSVWU trojan
C:\Documents and Settings\Jordan\Application Data\Sun\Java\Deployment\cache\6.0\35\5f24cc23-7504a44a probably a variant of Win32/Agent.RPSVWU trojan
C:\Documents and Settings\Jordan\Application Data\Sun\Java\Deployment\cache\6.0\39\2bda6c27-38dd60f1 multiple threats
C:\Documents and Settings\Jordan\Application Data\Sun\Java\Deployment\cache\6.0\39\2bda6c27-5a2cf8bd multiple threats
C:\Documents and Settings\Jordan\Application Data\Sun\Java\Deployment\cache\6.0\39\42b18427-60a301cb multiple threats
C:\Documents and Settings\Jordan\Application Data\Sun\Java\Deployment\cache\6.0\51\4f86a833-295d6044 multiple threats
C:\Documents and Settings\Jordan\Application Data\Sun\Java\Deployment\cache\6.0\51\5bbbadb3-120579ab multiple threats
C:\Documents and Settings\Jordan\Application Data\Sun\Java\Deployment\cache\6.0\56\21bbb478-4d79434b probably a variant of Win32/Agent.RPSVWU trojan
C:\Documents and Settings\Jordan\Application Data\Sun\Java\Deployment\cache\6.0\57\648153b9-3700f3cd Java/Agent.V trojan
C:\Documents and Settings\Jordan\Application Data\Sun\Java\Deployment\cache\6.0\61\13958dfd-3e6d0061 multiple threats
C:\Documents and Settings\Jordan\Application Data\Sun\Java\Deployment\cache\6.0\62\4f15e5fe-72d96dfa multiple threats
C:\Documents and Settings\Jordan\Application Data\Sun\Java\Deployment\cache\6.0\62\588b6b3e-4cc418e2 Java/Agent.U trojan
C:\Documents and Settings\Jordan\Application Data\Sun\Java\Deployment\cache\6.0\62\705d3dbe-35e71177 Java/TrojanDownloader.Agent.NCM trojan
C:\Documents and Settings\Jordan\Application Data\Sun\Java\Deployment\cache\6.0\9\1df965c9-7c949341 multiple threats
C:\Qoobox\Quarantine\C\Documents and Settings\Jordan\Application Data\Iryfet\liyse.exe.vir Win32/Spy.Zbot.YW trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Jordan\Application Data\Poeqor\ikpua.exe.vir a variant of Win32/Kryptik.JEJ trojan
C:\System Volume Information\_restore{980AC690-1D9A-4AFF-B58E-B21721092870}\RP111\A0058239.exe a variant of Win32/Kryptik.JCD trojan
C:\System Volume Information\_restore{980AC690-1D9A-4AFF-B58E-B21721092870}\RP117\A0060259.exe Win32/Spy.Zbot.YW trojan
C:\System Volume Information\_restore{980AC690-1D9A-4AFF-B58E-B21721092870}\RP133\A0069088.exe a variant of Win32/Kryptik.JEJ trojan
C:\System Volume Information\_restore{980AC690-1D9A-4AFF-B58E-B21721092870}\RP133\A0069089.exe Win32/Spy.Zbot.YW trojan
C:\System Volume Information\_restore{980AC690-1D9A-4AFF-B58E-B21721092870}\RP133\A0069117.exe a variant of Win32/Kryptik.HAN trojan
C:\System Volume Information\_restore{980AC690-1D9A-4AFF-B58E-B21721092870}\RP133\A0069119.dll a variant of Win32/Kryptik.GYH trojan
C:\System Volume Information\_restore{980AC690-1D9A-4AFF-B58E-B21721092870}\RP133\A0069120.exe a variant of Win32/Kryptik.JEJ trojan
C:\WINDOWS\Bryvia.exe Win32/TrojanDownloader.FakeAlert.AQI trojan
C:\WINDOWS\Bryvib.exe Win32/TrojanDownloader.FakeAlert.AQI trojan
C:\WINDOWS\uvivabowinewunoz.dll a variant of Win32/Cimag.CK trojan
Operating memory a variant of Win32/Cimag.CK trojan

#9 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:03:44 AM

Posted 31 March 2011 - 04:52 PM

Good evening. :)

As you have MalwareBytes onboard, let's see if that will deal with everything. If not, we'll go for the manual cleanup and you can be on your way before the weekend is up - fingers crossed.

Download Malwarebytes' Anti-Malware from here and save it to your Desktop - unless you already have it, in which case skip to the "updating" bit below.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Ensure a checkmark is placed next to both Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware and then click Finish.
  • If an update is found, it will download and install the latest version - you'll need to clear it with your firewall.
  • Once the program has loaded, select Perform full scan and then Scan.
  • When the scan has finished, click OK and then Show Results to view the results - no surprise there!
  • If MBAM finds anything, check the box(es) and click Remove Selected.
  • Please note - Leave unchecked any boxes that have \System Volume Information\ in the filepath. These pose no immediate risk to your PC unless you use System Restore and will be dealt with later.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Let me have the MBAM log, a fresh DDS log AND a description of how your PC is behaving.

So long, and thanks for all the fish.
#10 Asha86x

  • Topic Starter

  • Members
  • 12 posts
  • Local time:01:44 PM

Posted 01 April 2011 - 08:09 AM

Hi again!
Overall the computer seems to have improved somewhat. Well, I'd even say considerably better! The desktop security virus is indeed gone, thank you very much! I suppose it still kind of runs a bit crappy, I don't really know why. Sometimes it's like it freezes, nothing happens but I can still move my mouse, and after about 1 minute it comes back. This happens a lot. Also when my screen saver comes on, sometimes it can take like five minutes to get back to my desktop because it goes so slow. I don't really know what causes this. Probably just an old crappy computer lol. OK, I ran Malwarebytes and it came up with nothing. That log and a fresh DDS log are both below for your viewing. Thank you so much for your help.

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4049

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

4/1/2011 10:49:41 PM
mbam-log-2011-04-01 (22-49-41).txt

Scan type: Full scan (C:\|)
Objects scanned: 167988
Time elapsed: 2 hour(s), 7 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





DDS LOG-----
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Jordan at 23:44:52.09 on Fri 04/01/2011
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.649 [GMT 11:00]
.
AV: Norman Security Suite *Enabled/Updated* {EB9EFB40-AE72-4C43-B204-0FCD0E92D5F1}
FW: Norman Security Suite *Enabled*
.
============== Running Processes ===============
.
C:\Program Files\Norman\Npm\Bin\elogsvc.exe
C:\Program Files\Norman\Ngs\Bin\Nnf.exe
C:\Program Files\Norman\Ngs\Bin\Nprosec.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Norman\Npm\Bin\Zanda.exe
C:\Program Files\Norman\npm\bin\nvoy.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Norman\npf\bin\npfsvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norman\Npt\Bin\Npsvc32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Norman\Npm\Bin\ZLH.EXE
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Nokia\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Norman\Npm\Bin\scheduler.exe
C:\Program Files\Norman\Npm\Bin\Njeeves.exe
C:\Program Files\Nokia\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\Nokia\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Norman\nig\bin\nigsvc32.exe
C:\Program Files\Norman\nsc\bin\nassvc32.exe
C:\Program Files\Nokia\PC Connectivity Solution\Transports\NclMSBTSrv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Norman\Nse\Bin\NSESVC.EXE
C:\Program Files\Norman\Nvc\Bin\nvcoas.exe
C:\Program Files\Norman\Nvc\Bin\cclaw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jordan\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:8992
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Orb] "c:\program files\winamp remote\bin\OrbTray.exe" /background
uRun: [PcSync] c:\program files\nokia\nokia pc suite 6\PcSync2.exe /NoDialog
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SkyTel] SkyTel.EXE
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Launch LCDMon] "c:\program files\logitech\gamepanel software\lcd manager\LCDMon.exe"
mRun: [Launch LGDCore] "c:\program files\logitech\gamepanel software\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [NokiaMServer] c:\program files\common files\nokia\mplatform\NokiaMServer /watchfiles
mRun: [Norman ZANDA] "c:\program files\norman\npm\bin\ZLH.EXE" /LOAD /SPLASH
mRun: [NOELauncher] c:\program files\norman\nsc\bin\noelauncher.exe /load
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Yqosucovotuke] rundll32.exe "c:\windows\uvivabowinewunoz.dll",Startup
mRun: [RTHDCPL] RTHDCPL.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
LSP: c:\program files\norman\ngs\bin\nlf.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20070711/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A} - hxxp://www.miniclip.com/igloader/igloader.CAB
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R1 NGS;Norman General Security Driver;c:\program files\norman\ngs\bin\ngs.sys [2010-4-24 26744]
R1 NPROSEC;Norman Security driver;c:\program files\norman\ngs\bin\nprosec.sys [2010-4-24 74144]
R1 tdi_nf;Norman Network Filter TDIL driver;c:\windows\system32\drivers\tdi_nf.sys [2010-4-24 378000]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2010-2-1 54752]
R2 Ndiskio;Ndiskio;c:\program files\norman\nse\bin\Ndiskio.sys [2010-4-24 22880]
R2 NNFSVC;Norman Network Filtering service;c:\program files\norman\ngs\bin\nnf.exe [2010-4-24 223000]
R2 Norman ZANDA;Norman ZANDA;c:\program files\norman\npm\bin\Zanda.exe [2010-1-14 308408]
R2 NPFSvc32;Norman Personal Firewall Service;c:\program files\norman\npf\bin\npfsvc32.exe [2010-6-17 290472]
R2 NPROSECSVC;Norman Security service;c:\program files\norman\ngs\bin\nprosec.exe [2010-4-24 90656]
R2 npsvc32;Norman Privacy Service;c:\program files\norman\npt\bin\npsvc32.exe [2010-4-24 99904]
R2 nregsec;Norman Registry Security driver;c:\program files\norman\ngs\bin\nregsec.sys [2010-4-24 40384]
R2 NVOY;Norman Resource Provider;c:\program files\norman\npm\bin\nvoy.exe [2010-4-24 100336]
R3 NASS;Norman Anti Spam Service;c:\program files\norman\nsc\bin\nassvc32.exe [2010-4-24 141000]
R3 NIG;Norman Intrusion Guard;c:\program files\norman\nig\bin\nigsvc32.exe [2010-4-24 336304]
R3 nnetsec;Norman Network Security service;c:\windows\system32\drivers\nnetsec.sys [2010-4-24 48272]
R3 NNetSecC;Norman Network Filter NDIS common driver;c:\program files\norman\ngs\bin\nnetsecc.sys [2010-5-28 23040]
R3 nsesvc;Norman Scanner Engine Service;c:\program files\norman\nse\bin\Nsesvc.exe [2010-12-9 288072]
R3 NvcMFlt;NvcMFlt;c:\windows\system32\drivers\nvcw32mf.sys [2010-4-24 24176]
R3 nvcoas;Norman Virus Control on-access component;c:\program files\norman\nvc\bin\Nvcoas.exe [2010-8-17 198168]
R3 Scheduler;Norman Scheduler Service;c:\program files\norman\npm\bin\scheduler.exe [2010-4-24 99312]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
.
=============== Created Last 30 ================
.
2011-03-30 13:29:13 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2011-03-30 13:27:49 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2011-03-30 13:27:23 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2011-03-30 13:15:18 -------- d-----w- c:\docume~1\jordan\locals~1\applic~1\{DB1F4D4A-DF6C-4CF5-A4AC-3B01DA4388D3}
2011-03-29 23:21:51 -------- d-----w- c:\program files\ESET
2011-03-29 03:45:02 -------- d-----w- c:\docume~1\alluse~1\applic~1\Blizzard Entertainment
2011-03-28 23:23:03 -------- d-----w- C:\ComboFix
2011-03-28 23:09:33 -------- d-sha-r- C:\cmdcons
2011-03-28 23:06:25 89088 ----a-w- c:\windows\MBR.exe
2011-03-28 23:06:16 256512 ----a-w- c:\windows\PEV.exe
2011-03-28 23:06:13 161792 ----a-w- c:\windows\SWREG.exe
2011-03-28 23:06:12 98816 ----a-w- c:\windows\sed.exe
2011-03-27 11:41:58 -------- d-----w- c:\windows\pss
.
==================== Find3M ====================
.
2011-03-31 20:03:47 0 ----a-w- c:\windows\Fkerodopuvo.bin
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2008-01-08 10:59:51 1567232 -c--a-w- c:\program files\SteamInstall.msi
.
============= FINISH: 23:45:20.31 ===============

#11 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:03:44 AM

Posted 01 April 2011 - 03:31 PM

Good evening. :)

Plan B then.

1) Go to Start > Control Panel > Java and select the General Tab.
Under Temporary Internet Files, click on Settings...
Click on Delete Files...
Ensure that "Applications and Applets" is checked - "Trace and Log Files" is optional - and then click on OK.

Depending on your version of Java it may be a little different, but near enough that you should be able to figure it out.

2) Copy and paste the following into Notepad (Start > All Programs > Accessories > Notepad):

File::
C:\WINDOWS\Bryvia.exe
C:\WINDOWS\Bryvib.exe
C:\WINDOWS\uvivabowinewunoz.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yqosucovotuke"=-


Save it to your Desktop with the following filename: CFScript
Drag and drop CFScript.txt onto your copy of Combofix and let it do its thing.
Let me have the log produced, as before, and a description of how the PC is behaving.

So long, and thanks for all the fish.
#12 Asha86x

  • Topic Starter

  • Members
  • 12 posts
  • Local time:01:44 PM

Posted 02 April 2011 - 05:25 PM

I dragged the cf script on top of the combo fix icon? Was that right? When I did it, it came up with that loading thing it does.. But it won't run. I've tried heaps of times to get it to run and it just won't. *sigh* I suck at this.
Thanks so much for helping me. Appreciate it a lot!

#13 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:03:44 AM

Posted 02 April 2011 - 05:32 PM

Good evening. :)

Download a copy of HiJackThis.msi from here and save it to your Desktop

  • Double click HiJackThis.msi to begin installation.
  • Accept the installation location, which by default is C:\Program Files\Trend Micro\HijackThis, or click the Browse... button if you want to choose somewhere else, and then click Install
  • Once HJT has installed, a shortcut will be created on your Desktop and HJT will run automatically.
  • You will need to accept the EULA, if it appears, to be able to use the tool.
  • When HJT opens, click on the Do a system scan and save a log file button.
  • When HJT has finished scanning, a window entitled "hijackthis.log" will open - when you close this window the log will be saved into the Hijackthis folder.
  • Copy and paste this into your next reply.

So long, and thanks for all the fish.
#14 Asha86x

  • Topic Starter

  • Members
  • 12 posts
  • Local time:01:44 PM

Posted 06 April 2011 - 06:03 PM

Hello there! Sorry for the late reply, I was away from home for a few days. Here is the HijackThis log :)


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:02:19 AM, on 4/7/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17095)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Norman\Npm\Bin\elogsvc.exe
C:\Program Files\Norman\Ngs\Bin\Nnf.exe
C:\Program Files\Norman\Ngs\Bin\Nprosec.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Norman\Npm\Bin\Zanda.exe
C:\Program Files\Norman\npm\bin\nvoy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Norman\npf\bin\npfsvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norman\Npt\Bin\Npsvc32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norman\Npm\Bin\scheduler.exe
C:\Program Files\Norman\nig\bin\nigsvc32.exe
C:\Program Files\Norman\nsc\bin\nassvc32.exe
C:\Program Files\Norman\Npm\Bin\Njeeves.exe
C:\Program Files\Norman\Nse\Bin\NSESVC.EXE
C:\Program Files\Norman\Nvc\Bin\nvcoas.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe
C:\Program Files\Norman\Npm\Bin\ZLH.EXE
C:\Program Files\Norman\nsc\bin\noelauncher.exe
C:\Program Files\Norman\Nvc\Bin\Nip.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Norman\Nvc\Bin\cclaw.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\Program Files\Norman\nig\bin\niguser.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Steam\Steam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Nokia\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Nokia\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Nokia\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Nokia\PC Connectivity Solution\Transports\NclMSBTSrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8992
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [NokiaMServer] C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles
O4 - HKLM\..\Run: [Norman ZANDA] "C:\Program Files\Norman\Npm\Bin\ZLH.EXE" /LOAD /SPLASH
O4 - HKLM\..\Run: [NOELauncher] C:\Program Files\Norman\nsc\bin\noelauncher.exe /load
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Yqosucovotuke] rundll32.exe "C:\WINDOWS\uvivabowinewunoz.dll",Startup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\norman\ngs\bin\nlf.dll
O10 - Unknown file in Winsock LSP: c:\program files\norman\ngs\bin\nlf.dll
O10 - Unknown file in Winsock LSP: c:\program files\norman\ngs\bin\nlf.dll
O10 - Unknown file in Winsock LSP: c:\program files\norman\ngs\bin\nlf.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070711/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A} - http://www.miniclip.com/igloader/igloader.CAB
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Norman eLogger Service (eLoggerSvc6) - Norman ASA - C:\Program Files\Norman\Npm\Bin\elogsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norman Anti Spam Service (NASS) - Norman ASA - C:\Program Files\Norman\nsc\bin\nassvc32.exe
O23 - Service: Norman Intrusion Guard (NIG) - Norman ASA - C:\Program Files\Norman\nig\bin\nigsvc32.exe
O23 - Service: Norman Network Filtering service (NNFSVC) - Norman ASA - C:\Program Files\Norman\Ngs\Bin\Nnf.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Program Files\Norman\Npm\Bin\Njeeves.exe
O23 - Service: Norman ZANDA - Norman ASA - C:\Program Files\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Personal Firewall Service (NPFSvc32) - Norman ASA - C:\Program Files\Norman\npf\bin\npfsvc32.exe
O23 - Service: Norman Security service (NPROSECSVC) - Norman ASA - C:\Program Files\Norman\Ngs\Bin\Nprosec.exe
O23 - Service: Norman Privacy Service (npsvc32) - Norman ASA - C:\Program Files\Norman\Npt\Bin\Npsvc32.exe
O23 - Service: Norman Scanner Engine Service (nsesvc) - Norman ASA - C:\Program Files\Norman\Nse\Bin\NSESVC.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Program Files\Norman\Nvc\Bin\nvcoas.exe
O23 - Service: Norman Resource Provider (NVOY) - Norman ASA - C:\Program Files\Norman\npm\bin\nvoy.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Norman Scheduler Service (Scheduler) - Norman ASA - C:\Program Files\Norman\Npm\Bin\scheduler.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Nokia\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 10944 bytes
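
As an added example (not part of this thread, and not HijackThis's own logic): a small Python triage script that reads HJT log lines like the ones posted above and flags the two kinds of entry the helper asks to fix in the next post, an O2 BHO registered with no file behind it and an O4 Run entry where rundll32 loads a DLL from the Windows root instead of system32, and also lists the localhost ProxyServer setting as something to review. The sample lines are copied from the log above; the rule names, the Finding class and the windir default are assumptions of this example.

```python
"""Triage helper for HijackThis (HJT) logs.

Added example: the three rules below are heuristics chosen for this thread
(orphaned BHO, rundll32 loading a DLL from the Windows root, a proxy on
127.0.0.1). They are not HijackThis's own detection logic.
"""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample: a subset of the lines from the HijackThis log posted above.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8992
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Yqosucovotuke] rundll32.exe "C:\WINDOWS\uvivabowinewunoz.dll",Startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Norman ZANDA - Norman ASA - C:\Program Files\Norman\Npm\Bin\Zanda.exe
"""


@dataclass
class Finding:
    rule: str     # short rule id (assumed naming)
    subject: str  # Run-key name, BHO CLSID or registry key concerned
    line: str     # the original HJT line, ready to tick in "Fix checked"
    reason: str


# Patterns for the HJT line formats used here (O2 BHO, O4 Run key, R0/R1 proxy).
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$')
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
PROXY_RE = re.compile(r'^R[01] - (?P<key>.*),ProxyServer = (?P<value>.*)$')
# rundll32 command line: optional quotes around the DLL path, then ",EntryPoint".
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?', re.IGNORECASE)


def triage(log_text: str, windir: str = r"C:\WINDOWS") -> list:
    """Scan HJT log lines and return Findings in the order the lines appear."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = PROXY_RE.match(line)
        if m and "127.0.0.1" in m.group("value"):
            findings.append(Finding("local-proxy", m.group("key"), line,
                                    "browser traffic is routed through a proxy on this "
                                    "machine; confirm a legitimate program set it"))
            continue

        m = O2_RE.match(line)
        if m and m.group("path").strip().lower() == "(no file)":
            findings.append(Finding("orphan-bho", m.group("clsid"), line,
                                    "BHO registration whose DLL is missing; "
                                    "safe to fix in HJT"))
            continue

        m = O4_RE.match(line)
        if m:
            r = RUNDLL_RE.search(m.group("cmd"))
            # A DLL sitting directly in the Windows root (not system32) is unusual
            # for a legitimate autostart and matches the entry fixed in this thread.
            if r and ntpath.dirname(r.group("dll")).lower() == windir.lower():
                findings.append(Finding("rundll32-windir-root", m.group("name"), line,
                                        f"rundll32 loads {r.group('dll')} from the "
                                        "Windows root rather than system32"))
    return findings


def hjt_fix_lines(findings) -> list:
    """Lines to tick in HJT's 'Do a system scan only' view before 'Fix checked'."""
    return [f.line for f in findings if f.rule in ("orphan-bho", "rundll32-windir-root")]


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"[{f.rule}] {f.subject}: {f.reason}")
    print("Tick in HJT:")
    for line in hjt_fix_lines(triage(SAMPLE_HJT_LOG)):
        print("  " + line)
```

Run against the sample it reports the local proxy for review and returns exactly the O2 and O4 lines ticked in the next post; the legitimate NvCplDaemon entry, which also uses rundll32 but loads from system32, is not flagged.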

#15 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:03:44 AM

Posted 07 April 2011 - 02:08 PM

Good evening. :)

You may need to set Windows to show All Hidden Files and Folders.
Instructions can be found here.
** These files are hidden to stop you accidentally removing something important.
It is advisable to hide them again after fixing your computer. **

1) Run HijackThis as you did to generate a log, but this time click on 'Do a system scan only'.
Place a checkmark in the boxes to the left of the following entries, by clicking on them:

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O4 - HKLM\..\Run: [Yqosucovotuke] rundll32.exe "C:\WINDOWS\uvivabowinewunoz.dll",Startup


CLOSE ALL OPEN WINDOWS AND BROWSERS - EXCEPT HJT and click on Fix checked

2) Reboot your computer straight away.

3) Remove any/all of the following files that you can find:

Files

C:\WINDOWS\Bryvia.exe
C:\WINDOWS\Bryvib.exe
C:\WINDOWS\uvivabowinewunoz.dll


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Let me know how you get on and we'll tidy-up a few things and you're done.

So long, and thanks for all the fish.