Tech Support Forum, Security Center: Virus/Trojan/Spyware Help (Resolved HJT Threads)

#1, 12-05-2008, 02:48 PM. Registered User (Join Date: Jan 2006; Posts: 6; OS: XP)

severe problems with main PC

Hello all, I am posting this from a secondary computer due to the problems with my other comp, which I am certain is infected with some malware.

First off, there are certain websites that my browser will not allow me to visit. These sites are all virus scanning and malware removal websites. When I try to load one, the browser says the page cannot be displayed. I have tried navigating to this site and others in Firefox, IE, and Google Chrome, and none of them can connect, but other sites work perfectly fine through the same browser.

So I tried downloading the DDS script and GMER through this computer and sending them to my second comp through an email. I received the files, but there is something else blocking .EXE files from running properly. I'm not sure what it is, but when I try to run a file such as gmer.exe I get an hourglass for a second or two and then nothing happens. The same thing happens when I try to install Malwarebytes.

These problems all just started in the last few days, and I've been trying to find a solution. Any help is greatly appreciated.

Results of DDS:

DDS (Version 1.0) - NTFSx86
Run by Masta at 16:53:09.25 on Fri 12/05/2008
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.728 [GMT -6:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
svchost.exe
C:\Documents and Settings\Masta\Desktop\dds.com

============== Pseudo HJT Report ===============

mDefault_Search_URL = about:blank
mSearch Page = about:blank
mLocal Page = about:blank
mStart Page = about:blank
mSearch Bar =
uInternet Connection Wizard,ShellNext = hxxp://toolbar.morpheus.com/ready.html?toolbar=Installed
mSearchAssistant = hxxp://ie.search.msn.com
mWinlogon: Userinit=userinit.exe
BHO: {5b88a9e5-01b3-4a16-a6b1-6e7833684ecf} - c:\windows\system32\yfpqwl.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: {A63E645F-13BD-45ED-B15F-6E8C1BD57279} - c:\windows\system32\efcYsrRH.dll
BHO: {C1A45ED4-D098-4147-8E76-BFDDB4722054} - c:\windows\system32\iifeDUlM.dll
BHO: {D3138B39-C8A6-440B-9D42-50F766AEA8C7} - c:\program files\mu online toolbar\v3.2.0.0\MU_Online_Toolbar.dll
BHO: {DB722189-97BF-4214-8629-0B087EC3E83A} - c:\windows\system32\pmnoNEVP.dll
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\pokerstars.net\PokerStarsUpdate.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\pokerstars.net\PokerStarsUpdate.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} -
Notify: AtiExtEvent - Ati2evxx.dll
Notify: efcYsrRH - efcYsrRH.dll
Notify: WB - c:\program files\alienguise\fastload.dll
Notify: winuns32 - winuns32.dll
AppInit_DLLs: c:\windows\system32\msconfig.dll,wbsys.dll yfpqwl.dll
SEH: {54D9498B-CF93-414F-8984-8CE7FDE0D391} - c:\program files\ewido anti-malware\shellhook.dll
SEH: {57B86673-276A-48B2-BAE7-C6DBB3020EB8} - c:\program files\grisoft\avg anti-spyware 7.5\shellexecutehook.dll
SEH: {A63E645F-13BD-45ED-B15F-6E8C1BD57279} - c:\windows\system32\efcYsrRH.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 nwprovau c:\windows\system32\pmnoNEVP

============= SERVICES / DRIVERS ===============

R1 AVG Anti-Spyware Driver;AVG Anti-Spyware Driver;\??\c:\program files\grisoft\avg anti-spyware 7.5\guard.sys [2006-9-28 11000]
R1 AvgAsCln;AVG Anti-Spyware Clean Driver;c:\windows\system32\drivers\AvgAsCln.sys [2006-11-28 3968]
R1 ewido security suite driver;ewido security suite driver;\??\c:\program files\ewido anti-malware\guard.sys [2005-12-30 3072]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys []
S4 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-9-10 611664]
S4 AVG Anti-Spyware Guard;AVG Anti-Spyware Guard;c:\program files\grisoft\avg anti-spyware 7.5\guard.exe [2006-9-28 312880]
S4 ewido security suite control;ewido security suite control;c:\program files\ewido anti-malware\ewidoctrl.exe [2005-11-30 13888]
S4 ewido security suite guard;ewido security suite guard;c:\program files\ewido anti-malware\ewidoguard.exe [2005-12-18 151616]

=============== Created Last 30 ================

2008-12-05 16:00 129,024 a------- c:\windows\system32\yfpqwl.dll
2008-12-05 16:00 129,024 a------- c:\windows\system32\yixoswfw.dll
2008-12-05 15:57 1,479,822 ---sh--- c:\windows\system32\oagbnpqj.ini
2008-12-05 15:57 72,704 a------- c:\windows\system32\jqpnbgao.dll
2008-12-05 14:47 111,104 a------- c:\windows\system32\IEDefender.dll
2008-12-05 14:46 <DIR> --d----- c:\program files\AV2010
2008-12-05 14:46 76,824 a------- c:\windows\system32\wingamma.exe
2008-12-05 01:52 <DIR> --d----- c:\program files\Panda Security
2008-12-04 18:01 80,896 a------- c:\windows\system32\msiconf.exe
2008-12-04 18:01 <DIR> --d----- c:\program files\Microsoft Common
2008-12-04 17:37 <DIR> --d----- c:\docume~1\masta\applic~1\Malwarebytes
2008-12-04 17:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-04 16:01 114,688 a------- c:\windows\system32\ukjxhg.dll
2008-12-04 16:01 114,688 a------- c:\windows\system32\ycfamhyk.dll
2008-12-04 15:58 129,024 a------- c:\windows\system32\fcyxuu.dll
2008-12-04 15:58 129,024 a------- c:\windows\system32\rnkletgq.dll
2008-12-04 15:56 72,704 a------- c:\windows\system32\ubnbtflo.dll
2008-12-04 15:56 1,482,400 ---sh--- c:\windows\system32\olftbnbu.ini
2008-12-03 15:08 1,482,400 ---sh--- c:\windows\system32\imoyodpx.ini
2008-12-03 15:04 129,024 a------- c:\windows\system32\kdgdshrt.dll
2008-12-03 15:04 129,024 a------- c:\windows\system32\ecjghi.dll
2008-12-02 15:06 1,404,399 ---sh--- c:\windows\system32\qgtvlpsw.ini
2008-12-02 15:06 72,704 a------- c:\windows\system32\wsplvtgq.dll
2008-12-02 15:04 129,024 a------- c:\windows\system32\rbkoer.dll
2008-12-02 15:04 129,024 a------- c:\windows\system32\dwciaumu.dll
2008-12-01 20:57 129,024 a------- c:\windows\system32\zbchib.dll
2008-12-01 20:57 129,024 a------- c:\windows\system32\ftvktlew.dll
2008-12-01 20:54 72,704 a------- c:\windows\system32\ukdjcpou.dll
2008-12-01 20:54 1,381,274 ---sh--- c:\windows\system32\uopcjdku.ini
2008-11-30 21:57 143 a------- c:\windows\system32\mcrh.tmp
2008-11-30 20:52 129,024 a------- c:\windows\system32\xkljpe.dll
2008-11-30 20:52 129,024 a------- c:\windows\system32\gyxoawck.dll
2008-11-30 20:52 1,381,274 ---sh--- c:\windows\system32\bdgdnwwu.ini
2008-11-30 20:13 916,785 a--sh--- c:\windows\system32\PVENonmp.ini2
2008-11-30 20:13 0 a--sh--- c:\windows\system32\PVENonmp.ini
2008-11-30 20:13 318,464 a------- c:\windows\system32\pmnoNEVP.dll
2008-11-30 20:00 95 a------- c:\windows\wininit.ini
2008-11-30 19:13 <DIR> --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-11-30 19:13 <DIR> --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-11-30 19:13 <DIR> --d----- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-11-30 19:12 <DIR> --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-11-30 15:24 129,024 a------- c:\windows\system32\lqlqvg.dll
2008-11-30 15:24 129,024 a------- c:\windows\system32\ispaemwe.dll
2008-11-30 15:22 72,704 a------- c:\windows\system32\qirsbkiu.dll
2008-11-30 15:21 874,029 a--sh--- c:\windows\system32\MlUDefii.ini
2008-11-30 15:12 38,476 a------- c:\windows\system32\wpv631227968841.cpx
2008-11-30 15:12 25,600 a------- c:\windows\system32\pmNgefFv.dll
2008-11-30 15:12 25,600 a------- c:\windows\system32\efcYsrRH.dll
2008-11-06 05:22 <DIR> --d----- c:\program files\Folding@home
2008-11-06 05:22 <DIR> --d----- c:\docume~1\masta\applic~1\Folding@home-x86

==================== Find3M ====================

2008-12-05 02:07 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-12-05 02:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-12-04 20:35 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-12-03 17:51 <DIR> --d----- c:\docume~1\masta\applic~1\uTorrent
2008-11-26 16:55 <DIR> --d----- c:\program files\Diablo II
2008-11-18 15:16 <DIR> --d----- c:\program files\PokerStars.NET
2008-11-16 14:29 <DIR> --d----- c:\program files\Lavasoft
2008-11-05 02:43 <DIR> --d----- c:\program files\mIRC
2008-09-06 18:47 <DIR> --d----- c:\docume~1\masta\applic~1\Atari
2008-08-14 21:16 <DIR> --d----- c:\docume~1\masta\applic~1\rhc3usj0ej9n
2007-12-13 14:04 <DIR> --d----- c:\docume~1\masta\applic~1\BitTorrent
2007-11-01 05:36 <DIR> --d----- c:\docume~1\masta\applic~1\NetMedia Providers
2007-10-18 22:58 <DIR> --d----- c:\docume~1\masta\applic~1\Turbine
2007-09-25 03:20 <DIR> --d----- c:\docume~1\masta\applic~1\Greyfirst
2007-07-08 18:37 <DIR> --d----- c:\docume~1\masta\applic~1\BitZipper
2007-03-18 22:59 <DIR> --d----- c:\docume~1\masta\applic~1\CoreCodec
2001-08-23 06:00 94,784 -c-sh--- c:\windows\twain.dll
2004-08-03 23:56 50,688 ---sh--- c:\windows\twain_32.dll
2007-05-28 19:08 10,646 a--sh--- c:\windows\system32\KGyGaAvL.sys
2004-08-03 23:56 1,028,096 ---sh--- c:\windows\system32\mfc42.dll
2004-08-03 23:56 54,784 ---sh--- c:\windows\system32\msvcirt.dll
2004-08-03 23:56 413,696 ---sh--- c:\windows\system32\msvcp60.dll
2004-08-03 23:56 343,040 ---sh--- c:\windows\system32\msvcrt.dll
2004-08-03 23:56 553,472 ---sh--- c:\windows\system32\oleaut32.dll
2004-08-03 23:56 83,456 ---sh--- c:\windows\system32\olepro32.dll
2004-08-03 23:56 11,776 ---sh--- c:\windows\system32\regsvr32.exe

============= FINISH: 16:57:18.15 ===============

Last edited by jrice257; 12-05-2008 at 03:08 PM.
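What the analyst is reading in the DDS log above, written out as an added example that is not part of the thread, of DDS, or of ComboFix: a Python triage pass over the "Created Last 30" entries and the pseudo-HJT loading points. The sample text is a constructed subset of the lines posted above. The heuristics (identical-size DLL clusters in system32, hidden+system files dropped alongside them, and freshly created files wired into BHO, Winlogon Notify, AppInit_DLLs or LSA Authentication Packages entries) are this example's own assumptions about what is suspicious, not DDS output or a detection signature, and the function names are hypothetical.

```python
"""Triage pass over a DDS log (added example; not DDS, ComboFix or forum code)."""
import re
from collections import defaultdict

# Constructed sample: a subset of the DDS log lines posted in the thread above.
DDS_LOG = r"""
BHO: {5b88a9e5-01b3-4a16-a6b1-6e7833684ecf} - c:\windows\system32\yfpqwl.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: {A63E645F-13BD-45ED-B15F-6E8C1BD57279} - c:\windows\system32\efcYsrRH.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: efcYsrRH - efcYsrRH.dll
Notify: winuns32 - winuns32.dll
AppInit_DLLs: c:\windows\system32\msconfig.dll,wbsys.dll yfpqwl.dll
LSA: Authentication Packages = msv1_0 nwprovau c:\windows\system32\pmnoNEVP
2008-12-05 16:00 129,024 a------- c:\windows\system32\yfpqwl.dll
2008-12-05 16:00 129,024 a------- c:\windows\system32\yixoswfw.dll
2008-12-05 15:57 1,479,822 ---sh--- c:\windows\system32\oagbnpqj.ini
2008-12-05 15:57 72,704 a------- c:\windows\system32\jqpnbgao.dll
2008-12-05 14:47 111,104 a------- c:\windows\system32\IEDefender.dll
2008-12-04 15:58 129,024 a------- c:\windows\system32\fcyxuu.dll
2008-12-04 15:58 129,024 a------- c:\windows\system32\rnkletgq.dll
2008-12-04 15:56 72,704 a------- c:\windows\system32\ubnbtflo.dll
2008-11-30 20:13 318,464 a------- c:\windows\system32\pmnoNEVP.dll
2008-11-30 19:13 <DIR> --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-11-30 15:12 25,600 a------- c:\windows\system32\efcYsrRH.dll
"""

# One DDS file entry: date, time, size (or <DIR>), 8-character attribute string, path.
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d,]+|<DIR>) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)
# Loading points in the pseudo-HJT report that a dropped DLL can hook into.
LOADPOINT_RE = re.compile(r"^(?P<kind>BHO|Notify|AppInit_DLLs|LSA):\s*(?P<rest>.*)$")


def referenced_modules(rest):
    """Lower-cased module names on a loading-point line; paths are reduced to basenames."""
    mods = set()
    for tok in re.split(r"[\s,=]+", rest):
        base = tok.rsplit("\\", 1)[-1].lower()
        if base and base != "-" and not base.startswith("{"):   # skip CLSIDs and separators
            mods.add(base)
    return mods


def parse(log_text):
    """Split a DDS log into file entries and (kind, referenced modules) loading points."""
    files, loadpoints = [], []
    for line in log_text.splitlines():
        m = FILE_RE.match(line)
        if m:
            size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
            path = m["path"]
            files.append({"date": m["date"], "size": size, "attrs": m["attrs"],
                          "path": path, "name": path.rsplit("\\", 1)[-1].lower()})
            continue
        m = LOADPOINT_RE.match(line)
        if m:
            loadpoints.append((m["kind"], referenced_modules(m["rest"])))
    return files, loadpoints


def triage(log_text):
    """Apply the three heuristics; every file name in the result is lower-cased."""
    files, loadpoints = parse(log_text)
    sys32 = [f for f in files if "\\system32\\" in f["path"].lower() and f["size"] is not None]

    # 1. Same byte size under different random names: one payload re-dropped day after day.
    by_size = defaultdict(set)
    for f in sys32:
        if f["name"].endswith(".dll"):
            by_size[f["size"]].add(f["name"])
    clusters = {size: sorted(names) for size, names in by_size.items() if len(names) >= 2}

    # 2. Hidden+system files created in the window (the .ini data files next to the DLLs).
    hidden = sorted(f["name"] for f in sys32 if "s" in f["attrs"] and "h" in f["attrs"])

    # 3. Fresh files that a loading point references, by full name or by stem
    #    (DDS prints the LSA package without its .dll extension).
    hits = defaultdict(set)
    for f in files:
        stem = f["name"].rsplit(".", 1)[0]
        for kind, mods in loadpoints:
            if f["name"] in mods or stem in mods:
                hits[f["name"]].add(kind)

    return {"same_size_clusters": clusters,
            "hidden_system_files": hidden,
            "loadpoint_hits": {name: sorted(kinds) for name, kinds in hits.items()}}


if __name__ == "__main__":
    for group, found in triage(DDS_LOG).items():
        print(group)
        for item in (found.items() if isinstance(found, dict) else found):
            print("   ", item)
```

On the sample this singles out yfpqwl.dll (BHO plus AppInit_DLLs), efcYsrRH.dll (BHO plus Winlogon Notify) and pmnoNEVP.dll (LSA Authentication Packages), the four 129,024-byte DLLs dropped under different names on successive days, and the hidden .ini beside them, while the Java ssv.dll BHO and the Spybot directory are left alone. IEDefender.dll, which the helper later removes by CFScript, is not caught by any of these three heuristics, which is why log review of this kind stays a manual job.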
#2, 12-05-2008, 11:30 PM. sUBs (Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy; Join Date: May 2005; Posts: 23,238; OS: N/A)

Re: severe problems with main PC

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Post the log from ComboFix when you've accomplished that.
#3, 12-06-2008, 07:47 PM. Registered User (Join Date: Jan 2006; Posts: 6; OS: XP)

Re: severe problems with main PC

Got ComboFix to work, and here's the log:

ComboFix 08-12-06.04 - Masta 2008-12-06 21:23:53.1 - NTFSx86
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Masta\Application Data\rhc3usj0ej9n
c:\program files\Common Files\ystem~1
c:\program files\Microsoft Common
c:\program files\Microsoft Common\svchost.exe
c:\windows\smdat32m.sys
c:\windows\system32\bdgdnwwu.ini
c:\windows\system32\drivers\TDSSmact.sys
c:\windows\system32\dwciaumu.dll
c:\windows\system32\ecjghi.dll
c:\windows\system32\efcYsrRH.dll
c:\windows\system32\fcyxuu.dll
c:\windows\system32\ftvktlew.dll
c:\windows\system32\gyxoawck.dll
c:\windows\system32\imoyodpx.ini
c:\windows\system32\ispaemwe.dll
c:\windows\system32\kdgdshrt.dll
c:\windows\system32\lqlqvg.dll
c:\windows\system32\mcrh.tmp
c:\windows\system32\MlUDefii.ini
c:\windows\system32\msiconf.exe
c:\windows\system32\nhtndgqe.dll
c:\windows\system32\oagbnpqj.ini
c:\windows\system32\olftbnbu.ini
c:\windows\system32\pmNgefFv.dll
c:\windows\system32\pmnoNEVP.dll
c:\windows\system32\PVENonmp.ini
c:\windows\system32\PVENonmp.ini2
c:\windows\system32\qgtvlpsw.ini
c:\windows\system32\qirsbkiu.dll
c:\windows\system32\rbkoer.dll
c:\windows\system32\rnkletgq.dll
c:\windows\system32\TDSScfum.dll
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSnrsr.dll
c:\windows\system32\TDSSofxh.dll
c:\windows\system32\TDSSosvd.dat
c:\windows\system32\TDSSrhym.log
c:\windows\system32\TDSSriqp.dll
c:\windows\system32\TDSSsihc.dll
c:\windows\system32\TDSStkdv.log
c:\windows\system32\ubnbtflo.dll
c:\windows\system32\ukdjcpou.dll
c:\windows\system32\ukjxhg.dll
c:\windows\system32\uopcjdku.ini
c:\windows\system32\wpv631227968841.cpx
c:\windows\system32\wsplvtgq.dll
c:\windows\system32\xkljpe.dll
c:\windows\system32\xpvxsriy.dll
c:\windows\system32\ycfamhyk.dll
c:\windows\system32\yfpqwl.dll
c:\windows\system32\yfwkit.dll
c:\windows\system32\yirsxvpx.ini
c:\windows\system32\yixoswfw.dll
c:\windows\system32\zbchib.dll
c:\windows\wiaserviv.log
H:\autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.

2008-12-06 20:51 . 2008-12-06 20:52 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-06 20:51 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-06 20:51 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-06 20:08 . 2008-12-06 16:21 3,060,566 --a------ c:\documents and settings\Masta\ComboFix.exe
2008-12-06 17:23 . 2008-12-06 17:23 <DIR> d-------- c:\documents and settings\newuse
2008-12-06 16:41 . 2008-12-06 16:41 1,297 --a------ c:\program files\WinXP_EXE_Fix.reg
2008-12-05 14:47 . 2008-12-05 14:47 111,104 --a------ c:\windows\system32\IEDefender.dll
2008-12-05 14:46 . 2008-12-05 14:47 <DIR> d-------- c:\program files\AV2010
2008-12-05 14:46 . 2008-12-05 14:46 76,824 --a------ c:\windows\system32\wingamma.exe
2008-12-05 01:52 . 2008-12-05 01:52 <DIR> d-------- c:\program files\Panda Security
2008-12-04 17:37 . 2008-12-04 17:37 <DIR> d-------- c:\documents and settings\Masta\Application Data\Malwarebytes
2008-12-04 17:37 . 2008-12-04 17:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-30 20:00 . 2008-11-30 20:00 95 --a------ c:\windows\wininit.ini
2008-11-30 19:13 . 2008-11-30 19:13 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-11-30 19:13 . 2008-11-30 19:13 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-11-30 19:13 . 2008-11-30 19:13 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-11-30 19:12 . 2008-11-30 19:13 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 07:35 --------- d-----w c:\program files\Warcraft III
2008-12-06 02:32 --------- d-----w c:\program files\Diablo II
2008-12-05 08:07 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-05 08:06 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-05 02:35 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-03 23:51 --------- d-----w c:\documents and settings\Masta\Application Data\uTorrent
2008-11-18 21:16 --------- d-----w c:\program files\PokerStars.NET
2008-11-16 20:29 --------- d-----w c:\program files\Lavasoft
2008-11-06 11:24 --------- d-----w c:\documents and settings\Masta\Application Data\Folding@home-x86
2008-11-06 11:22 --------- d-----w c:\program files\Folding@home
2008-11-05 08:43 --------- d-----w c:\program files\mIRC
2008-11-04 02:45 --------- d-----w c:\program files\7-Zip
1996-09-18 19:07 7,564,336 -c--a-w c:\documents and settings\Jeff\L2DEMO.EXE
1996-09-17 16:02 15 -c--a-w c:\documents and settings\Jeff\INSTALL.BAT
2001-08-23 12:00 94,784 -csh--w c:\windows\twain.dll
2004-08-04 05:56 50,688 --sh--w c:\windows\twain_32.dll
2007-05-29 01:08 10,646 --sha-w c:\windows\system32\KGyGaAvL.sys
2004-08-04 05:56 1,028,096 --sh--w c:\windows\system32\mfc42.dll
2004-08-04 05:56 54,784 --sh--w c:\windows\system32\msvcirt.dll
2004-08-04 05:56 413,696 --sh--w c:\windows\system32\msvcp60.dll
2004-08-04 05:56 343,040 --sh--w c:\windows\system32\msvcrt.dll
2004-08-04 05:56 553,472 --sh--w c:\windows\system32\oleaut32.dll
2004-08-04 05:56 83,456 --sh--w c:\windows\system32\olepro32.dll
2004-08-04 05:56 11,776 --sh--w c:\windows\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-20 21:34 24576 c:\program files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.WMV3"= c:\progra~1\COMBIN~1\Filters\wmv9vcm.dll
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\ff_vfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=c:\windows\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Masta^Start Menu^Programs^Startup^Alienware Dock.lnk]
path=c:\documents and settings\Masta\Start Menu\Programs\Startup\Alienware Dock.lnk
backup=c:\windows\pss\Alienware Dock.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
--a------ 2008-12-05 01:38 6731312 c:\program files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2005-08-05 14:08 67160 c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a--c--- 2006-01-02 16:41 45056 c:\program files\ATI Technologies\ATI.ACE\CLI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a--c--- 2004-03-03 11:00 335872 c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a--c--- 2006-09-13 09:12 139264 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CXMon]
--a------ 2001-08-09 16:06 45056 c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-18 08:42 133104 c:\documents and settings\Masta\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2006-11-21 19:09 842584 c:\program files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-07-10 08:18 270648 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
--a--c--- 2001-11-29 00:00 28672 c:\program files\Creative\SBLive\Program\ADGJDet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 10:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 04:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2006-01-12 14:40 155648 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-05-16 13:01 13529088 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-05-16 13:01 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-11 09:56 286720 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-11-24 14:31 1410296 c:\program files\Valve\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2005-11-10 12:03 36975 c:\program files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a--c--- 2006-10-13 10:16 185784 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Gamma Display]
--a------ 2008-12-05 14:46 76824 c:\windows\system32\wingamma.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-05-16 13:01 1630208 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
--a------ 2002-07-02 16:56 24576 c:\windows\system32\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"IDriverT"=3 (0x3)
"ewido security suite guard"=2 (0x2)
"ewido security suite control"=2 (0x2)
"AntiVirService"=2 (0x2)
"AntiVirScheduler"=2 (0x2)
"ose"=3 (0x3)
"Autodesk Licensing Service"=3 (0x3)
"NBService"=3 (0x3)
"AVG Anti-Spyware Guard"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"dmadmin"=3 (0x3)
"iPod Service"=3 (0x3)
"NVSvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Diablo II\\Diablo II.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\3.6.15\\LimeWire.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

R1 ewido security suite driver;ewido security suite driver;\??\c:\program files\ewido anti-malware\guard.sys [2005-12-30 3072]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-06 38496]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\SETUP.EXE
.
Contents of the 'Scheduled Tasks' folder

2008-12-07 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Masta\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-18 08:42]
.
- - - - ORPHANS REMOVED - - - -

BHO-{C1A45ED4-D098-4147-8E76-BFDDB4722054} - c:\windows\system32\iifeDUlM.dll
BHO-{F7472C8C-BD20-49CD-9D2E-47A19E57A808} - c:\windows\system32\pmnoNEVP.dll
BHO-{fee80177-8560-4afc-97c8-b3e8669348d6} - c:\windows\system32\yfwkit.dll
Notify-WgaLogon - (no file)
Notify-winuns32 - winuns32.dll
MSConfigStartUp-avgnt - c:\program files\AntiVir PersonalEdition Classic\avgnt.exe
MSConfigStartUp-BearShare - c:\program files\BearShare\BearShare.exe
MSConfigStartUp-ec89b77d - c:\windows\system32\xpvxsriy.dll
MSConfigStartUp-fe3dbfea - c:\windows\system32\fe3dbfea.exe
MSConfigStartUp-Inrebpzv - c:\progra~1\COMMON~1\YSTEM~1\NPDB~1.EXE
MSConfigStartUp-InstaFinderK - c:\program files\INSTAFINK\InstaFinderK_inst.exe
MSConfigStartUp-lphc7usj0ej9n - c:\windows\system32\lphc7usj0ej9n.exe
MSConfigStartUp-Opoa - c:\windows\system32\ASEMBL~1\smss.exe
MSConfigStartUp-P2P Networking - c:\windows\system32\P2P Networking\P2P Networking.exe
MSConfigStartUp-SemanticInsight - c:\program files\RXToolBar\Semantic Insight\SemanticInsight.exe
MSConfigStartUp-Share-to-Web Namespace Daemon - c:\program files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
MSConfigStartUp-SMrhc3usj0ej9n - c:\program files\rhc3usj0ej9n\rhc3usj0ej9n.exe
MSConfigStartUp-SpywareQuake - c:\program files\SpywareQuake.com\Spyware-Quake.exe
MSConfigStartUp-SVCHOST - c:\windows\system32\drivers\svchost.exe
MSConfigStartUp-tbon - c:\program files\TBONBin\tbon.exe
MSConfigStartUp-zango - c:\program files\zango\zango.exe
MSConfigStartUp-msiexec - msiconf.exe


.
------- Supplementary Scan -------
.
mLocal Page = about:blank
mStart Page = about:blank
mSearch Bar =
uInternet Connection Wizard,ShellNext = hxxp://toolbar.morpheus.com/ready.html?toolbar=Installed
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe -
FireFox -: Profile - c:\documents and settings\Masta\Application Data\Mozilla\Firefox\Profiles\r1pbz51b.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - google.com
FF -: plugin - c:\documents and settings\Masta\Local Settings\Application Data\Google\Update\1.2.131.27\npGoogleOneClick6.dll
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npitunes.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npmozax.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-06 21:36:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(776)
c:\windows\system32\Ati2evxx.dll
c:\program files\AlienGUIse\fastload.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-06 21:41:03 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-07 03:41:00

Pre-Run: 1,798,524,928 bytes free
Post-Run: 1,887,408,128 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

306



Thanks again for all the help. I can now navigate to the pages online that were blocked, and .exe files are opening again!

Last edited by jrice257; 12-06-2008 at 07:50 PM.
#4, 12-06-2008, 07:57 PM. sUBs (Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy; Join Date: May 2005; Posts: 23,238; OS: N/A)

Re: severe problems with main PC

Open NOTEPAD and copy/paste the text in the quotebox below into it:

Code:
Folder::
C:\program files\AV2010
File::
C:\windows\system32\IEDefender.dll
C:\windows\system32\wingamma.exe
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000000
Save this as "CFScript"

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.


---------------


Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Vista users right click on the Internet Explorer shortcut, and choose Run As Administrator.

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.


---------------


In your next post, please include fresh logs from:
  1. Online scan
  2. ComboFix's log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now.
sUBs is offline  
Old 12-06-2008, 08:15 PM   #5 (permalink)
Registered User
 
Join Date: Jan 2006
Posts: 6
OS: XP


Re: severe problems with main PC

done. the log:


ComboFix 08-12-06.04 - Masta 2008-12-06 22:03:31.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.709 [GMT -6:00]
Running from: c:\documents and settings\Masta\Desktop\ComboFix2.exe
Command switches used :: c:\documents and settings\Masta\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\IEDefender.dll
c:\windows\system32\wingamma.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\AV2010
c:\program files\AV2010\AV2010.exe
c:\program files\AV2010\svchost.exe
c:\windows\system32\IEDefender.dll
c:\windows\system32\wingamma.exe

.
((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.

2008-12-06 21:56 . 2008-12-06 21:56 <DIR> d-------- c:\program files\SoulseekNS
2008-12-06 20:51 . 2008-12-06 20:52 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-06 20:51 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-06 20:51 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-06 20:08 . 2008-12-06 16:21 3,060,566 --a------ c:\documents and settings\Masta\ComboFix.exe
2008-12-06 17:23 . 2008-12-06 17:23 <DIR> d-------- c:\documents and settings\newuse
2008-12-06 16:41 . 2008-12-06 16:41 1,297 --a------ c:\program files\WinXP_EXE_Fix.reg
2008-12-05 01:52 . 2008-12-05 01:52 <DIR> d-------- c:\program files\Panda Security
2008-12-04 17:37 . 2008-12-04 17:37 <DIR> d-------- c:\documents and settings\Masta\Application Data\Malwarebytes
2008-12-04 17:37 . 2008-12-04 17:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-30 20:00 . 2008-11-30 20:00 95 --a------ c:\windows\wininit.ini
2008-11-30 19:13 . 2008-11-30 19:13 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-11-30 19:13 . 2008-11-30 19:13 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-11-30 19:13 . 2008-11-30 19:13 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-11-30 19:12 . 2008-11-30 19:13 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 07:35 --------- d-----w c:\program files\Warcraft III
2008-12-06 02:32 --------- d-----w c:\program files\Diablo II
2008-12-05 08:07 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-05 08:06 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-05 02:35 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-03 23:51 --------- d-----w c:\documents and settings\Masta\Application Data\uTorrent
2008-11-18 21:16 --------- d-----w c:\program files\PokerStars.NET
2008-11-16 20:29 --------- d-----w c:\program files\Lavasoft
2008-11-06 11:24 --------- d-----w c:\documents and settings\Masta\Application Data\Folding@home-x86
2008-11-06 11:22 --------- d-----w c:\program files\Folding@home
2008-11-05 08:43 --------- d-----w c:\program files\mIRC
2008-11-04 02:45 --------- d-----w c:\program files\7-Zip
1996-09-18 19:07 7,564,336 -c--a-w c:\documents and settings\Jeff\L2DEMO.EXE
1996-09-17 16:02 15 -c--a-w c:\documents and settings\Jeff\INSTALL.BAT
2001-08-23 12:00 94,784 -csh--w c:\windows\twain.dll
2004-08-04 05:56 50,688 --sh--w c:\windows\twain_32.dll
2007-05-29 01:08 10,646 --sha-w c:\windows\system32\KGyGaAvL.sys
2004-08-04 05:56 1,028,096 --sh--w c:\windows\system32\mfc42.dll
2004-08-04 05:56 54,784 --sh--w c:\windows\system32\msvcirt.dll
2004-08-04 05:56 413,696 --sh--w c:\windows\system32\msvcp60.dll
2004-08-04 05:56 343,040 --sh--w c:\windows\system32\msvcrt.dll
2004-08-04 05:56 553,472 --sh--w c:\windows\system32\oleaut32.dll
2004-08-04 05:56 83,456 --sh--w c:\windows\system32\olepro32.dll
2004-08-04 05:56 11,776 --sh--w c:\windows\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-20 21:34 24576 c:\program files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.WMV3"= c:\progra~1\COMBIN~1\Filters\wmv9vcm.dll
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\ff_vfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=c:\windows\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Masta^Start Menu^Programs^Startup^Alienware Dock.lnk]
path=c:\documents and settings\Masta\Start Menu\Programs\Startup\Alienware Dock.lnk
backup=c:\windows\pss\Alienware Dock.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
--a------ 2008-12-05 01:38 6731312 c:\program files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2005-08-05 14:08 67160 c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a--c--- 2006-01-02 16:41 45056 c:\program files\ATI Technologies\ATI.ACE\CLI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a--c--- 2004-03-03 11:00 335872 c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a--c--- 2006-09-13 09:12 139264 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CXMon]
--a------ 2001-08-09 16:06 45056 c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-18 08:42 133104 c:\documents and settings\Masta\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2006-11-21 19:09 842584 c:\program files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-07-10 08:18 270648 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
--a--c--- 2001-11-29 00:00 28672 c:\program files\Creative\SBLive\Program\ADGJDet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 10:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 04:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2006-01-12 14:40 155648 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-05-16 13:01 13529088 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-05-16 13:01 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-11 09:56 286720 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-11-24 14:31 1410296 c:\program files\Valve\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2005-11-10 12:03 36975 c:\program files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a--c--- 2006-10-13 10:16 185784 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-05-16 13:01 1630208 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
--a------ 2002-07-02 16:56 24576 c:\windows\system32\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"IDriverT"=3 (0x3)
"ewido security suite guard"=2 (0x2)
"ewido security suite control"=2 (0x2)
"AntiVirService"=2 (0x2)
"AntiVirScheduler"=2 (0x2)
"ose"=3 (0x3)
"Autodesk Licensing Service"=3 (0x3)
"NBService"=3 (0x3)
"AVG Anti-Spyware Guard"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"dmadmin"=3 (0x3)
"iPod Service"=3 (0x3)
"NVSvc"=2 (0x2)
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Diablo II\\Diablo II.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

R1 ewido security suite driver;ewido security suite driver;\??\c:\program files\ewido anti-malware\guard.sys [2005-12-30 3072]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\SETUP.EXE
.
Contents of the 'Scheduled Tasks' folder

2008-12-07 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Masta\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-18 08:42]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Windows Gamma Display - c:\windows\system32\wingamma.exe


.
------- Supplementary Scan -------
.
mLocal Page = about:blank
mStart Page = about:blank
mSearch Bar =
uInternet Connection Wizard,ShellNext = hxxp://toolbar.morpheus.com/ready.html?toolbar=Installed
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe -
FireFox -: Profile - c:\documents and settings\Masta\Application Data\Mozilla\Firefox\Profiles\r1pbz51b.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - google.com
FF -: plugin - c:\documents and settings\Masta\Local Settings\Application Data\Google\Update\1.2.131.27\npGoogleOneClick6.dll
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npitunes.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npmozax.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-06 22:09:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(776)
c:\windows\system32\Ati2evxx.dll
c:\program files\AlienGUIse\fastload.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-06 22:13:21 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-07 04:13:17
ComboFix2.txt 2008-12-07 03:41:05

Pre-Run: 1,938,612,224 bytes free
Post-Run: 1,918,287,872 bytes free

223
jrice257 is offline  
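The CFScript in post #4 resets one Security Center value, and the 'Reg Loading Points' section of the log above records what else the infection left behind in the registry. The following is an added example (my own Python, not code from the thread, from ComboFix or from sUBs) that parses both notations that appear in this thread, plain REGEDIT4 lines such as `"name"=dword:00000001` and ComboFix's `"name"= 0 (0x0)` rendering, and flags the settings a malware analyst reads first: suppressed Security Center warnings, a disabled Windows Firewall profile, and an AutoRun command on a removable or extra volume. The sample text is copied from the two posts; the three checks and the value name `FirewallDisableNotify` (which does not appear on the page) are my own additions.

```python
"""Audit REGEDIT4-style registry fragments for settings that weaken the
Windows XP defences this thread is restoring.

Added example, not code from the thread, from ComboFix or from sUBs.  The
parser handles the two notations that appear in the posts: the CFScript
Registry:: section (plain REGEDIT4, "name"=dword:XXXXXXXX) and ComboFix's
'Reg Loading Points' log section, which prints some values as
"name"= 0 (0x0) and some entries as bare lines.  The three checks are my
own choice of what to look for; the sample text is copied from the posts.
"""
import re
from typing import Dict, List, Optional

# Constructed from the Registry:: section of the CFScript in post #4.
CFSCRIPT_REGISTRY = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000000
"""

# Constructed excerpt of the 'Reg Loading Points' section of the ComboFix
# log in post #5 (only the lines the checks below care about).
COMBOFIX_LOG_EXCERPT = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\SETUP.EXE
"""

RegTree = Dict[str, Dict[str, Optional[str]]]

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def parse_regedit4(text: str) -> RegTree:
    """Return {key (lower-cased): {value name: raw value}}.

    Lines under a key that are not "name"=value pairs (ComboFix prints the
    mountpoints2 AutoRun entry that way) are stored with the whole line as
    the name and None as the value, so nothing is silently dropped.
    """
    tree: RegTree = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            tree.setdefault(current, {})
            continue
        if current is None:        # text before the first [key] is ignored
            continue
        pair = _VALUE_RE.match(line)
        if pair:
            tree[current][pair.group(1)] = pair.group(2).strip()
        else:
            tree[current][line] = None
    return tree


def reg_int(raw: Optional[str]) -> Optional[int]:
    """Interpret 'dword:00000001' (REGEDIT4) or '0 (0x0)' (ComboFix) as an int."""
    if raw is None:
        return None
    if raw.lower().startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = re.match(r"^\s*(\d+)", raw)
    return int(m.group(1)) if m else None


# Security Center values that, when set to 1, hide the "no antivirus /
# firewall off / updates off" balloon warnings from the user.
# FirewallDisableNotify is not on the page; it is the third flag of the set.
NOTIFY_FLAGS = ("AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify")


def audit(text: str) -> List[str]:
    """Return one finding per weakened setting, in the order the keys appear."""
    findings: List[str] = []
    for key, values in parse_regedit4(text).items():
        if key.endswith("\\security center"):
            for name in NOTIFY_FLAGS:
                if reg_int(values.get(name)) == 1:
                    findings.append(f"Security Center warning suppressed: {name}=1")
        elif key.endswith("firewallpolicy\\standardprofile"):
            if reg_int(values.get("EnableFirewall")) == 0:
                findings.append("Windows Firewall is disabled in the standard profile")
        elif "\\mountpoints2\\" in key:
            volume = key.rsplit("\\", 1)[-1].upper()
            for entry in values:
                if "autorun" in entry.lower():
                    findings.append(f"AutoRun command registered for volume {volume}: {entry}")
    return findings


if __name__ == "__main__":
    print("CFScript sets:", audit(CFSCRIPT_REGISTRY) or "nothing that weakens security")
    for finding in audit(COMBOFIX_LOG_EXCERPT):
        print("post-run log:", finding)
```

Run on the excerpt, the audit reports three things the post-run log still shows: `AntiVirusDisableNotify` at 1, the standard-profile firewall off, and an AutoRun command for volume D:. The CFScript's own `UpdatesDisableNotify=0` produces no finding, which is the point of keeping the value interpretation separate from the checks.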
Old 12-06-2008, 08:21 PM   #6 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 23,238
OS: N/A


Re: severe problems with main PC

I'll wait for the results of the Kaspersky scan
sUBs is offline  
Old 12-07-2008, 01:24 AM   #7 (permalink)
Registered User
 
Join Date: Jan 2006
Posts: 6
OS: XP


Re: severe problems with main PC

here's the kaspersky scan results:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, December 7, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, December 06, 2008 19:53:45
Records in database: 1440831
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
H:\

Scan statistics:
Files scanned: 89982
Threat name: 14
Infected objects: 21
Suspicious objects: 0
Duration of the scan: 04:28:46


File name / Threat name / Threats count
C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\3YNUK4ZH\stats[1].htm Infected: Trojan-Downloader.VBS.Agent.n 1
C:\Documents and Settings\Masta\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-78060736.zip Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\Masta\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-50b7e850.zip Infected: Exploit.Java.Gimsh.a 1
C:\Documents and Settings\Masta\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5286af48-45b91d64.zip Infected: Exploit.Java.Gimsh.a 1
C:\Documents and Settings\Masta\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-54e206d6-11e539a7.zip Infected: Exploit.Java.Gimsh.a 1
C:\Documents and Settings\Masta\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5efd1945-7f23c09f.zip Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\Masta\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-564bac3b.zip Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\Masta\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d3811e3-2a44f9cc.zip Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\Masta\Desktop\LWmusic\ants go marching by - greatest hits.wma Infected: Trojan-Downloader.WMA.Wimad.n 1
C:\Documents and Settings\Masta\Desktop\LWmusic\on a neck, on a spit.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 1
C:\Qoobox\Quarantine\C\Program Files\AV2010\svchost.exe.vir Infected: Trojan.Win32.FraudPack.alc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\TDSSmact.sys.vir Infected: Backdoor.Win32.TDSS.bkw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\efcYsrRH.dll.vir Infected: Trojan.Win32.Monderb.xil 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\pmNgefFv.dll.vir Infected: Trojan.Win32.Monderb.xil 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSScfum.dll.vir Infected: Trojan.Win32.Agent.arvz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSnrsr.dll.vir Infected: Backdoor.Win32.TDSS.asz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSofxh.dll.vir Infected: Backdoor.Win32.TDSS.blh 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSriqp.dll.vir Infected: Backdoor.Win32.TDSS.atb 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wingamma.exe.vir Infected: Trojan-Downloader.Win32.Delf.puu 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O92N4DQN\AV2010Installer[1].exe Infected: Trojan-Downloader.Win32.Delf.puu 1

The selected area was scanned.
jrice257 is offline  
Old 12-07-2008, 02:15 AM   #8 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 23,238
OS: N/A


Re: severe problems with main PC

Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

Code:
@echo off
if exist "%temp%\log.txt" del "%temp%\log.txt"

for %%g in (
"C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\3YNUK4ZH\stats[1].htm"
"C:\Documents and Settings\Masta\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-78060736.zip"
"C:\Documents and Settings\Masta\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-50b7e850.zip"
"C:\Documents and Settings\Masta\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5286af48-45b91d64.zip"
"C:\Documents and Settings\Masta\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-54e206d6-11e539a7.zip"
"C:\Documents and Settings\Masta\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5efd1945-7f23c09f.zip"
"C:\Documents and Settings\Masta\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-564bac3b.zip"
"C:\Documents and Settings\Masta\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d3811e3-2a44f9cc.zip"
"C:\Documents and Settings\Masta\Desktop\LWmusic\ants go marching by - greatest hits.wma"
"C:\Documents and Settings\Masta\Desktop\LWmusic\on a neck, on a spit.mp3"
"C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O92N4DQN\AV2010Installer[1].exe"
) do (
del /a/f/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
for %%g in (
"%systemdrive%\VundoFix Backups"
%systemdrive%\Deckard
%systemdrive%\Qoobox
) do (
rd /s/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!
nircmd wait 7000
del %0
Save this as fix.bat. Choose to "Save type as - All Files"
It should look like this:
Double click on fix.bat & allow it to run

Post back to tell me what it says. Also update us on the state of the machine

Last edited by sUBs; 12-07-2008 at 02:16 AM.
sUBs is offline  
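Between the Kaspersky report in post #7 and the fix.bat above sits a triage step: of the 21 detections, which are already neutralised and which still need deleting. The following is an added example (my own Python, not code from the thread, from Kaspersky or from ComboFix) that makes that step explicit. It parses the report's `File name / Threat name / Threats count` lines, sets aside entries under `C:\Qoobox\Quarantine\` (files ComboFix has already moved and renamed `*.vir`) and entries Kaspersky labels `not-a-virus:` (riskware, here the mIRC client), and returns the remaining paths; from the posted report alone that yields exactly the 11 file paths listed in the fix.bat. The grouping rules are my reading of the report, not Kaspersky or ComboFix documentation.

```python
"""Triage a Kaspersky Online Scanner 7 report into the three groups a
cleanup needs to tell apart: detections already sitting in ComboFix's
quarantine (C:\Qoobox\Quarantine\...\*.vir), riskware Kaspersky labels
'not-a-virus:', and detections on live files that a removal script has to
handle.  Added example, not code from the thread, Kaspersky or ComboFix;
the report lines are copied from post #7 and the grouping rules are my own.
"""
import os
import re
from typing import Dict, List, NamedTuple


class Detection(NamedTuple):
    path: str
    threat: str
    count: int


# Constructed from the report in post #7 (settings/statistics header omitted).
KASPERSKY_REPORT = r"""
File name / Threat name / Threats count
C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\3YNUK4ZH\stats[1].htm Infected: Trojan-Downloader.VBS.Agent.n 1
C:\Documents and Settings\Masta\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-78060736.zip Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\Masta\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-50b7e850.zip Infected: Exploit.Java.Gimsh.a 1
C:\Documents and Settings\Masta\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5286af48-45b91d64.zip Infected: Exploit.Java.Gimsh.a 1
C:\Documents and Settings\Masta\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-54e206d6-11e539a7.zip Infected: Exploit.Java.Gimsh.a 1
C:\Documents and Settings\Masta\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5efd1945-7f23c09f.zip Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\Masta\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-564bac3b.zip Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\Masta\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d3811e3-2a44f9cc.zip Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\Masta\Desktop\LWmusic\ants go marching by - greatest hits.wma Infected: Trojan-Downloader.WMA.Wimad.n 1
C:\Documents and Settings\Masta\Desktop\LWmusic\on a neck, on a spit.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 1
C:\Qoobox\Quarantine\C\Program Files\AV2010\svchost.exe.vir Infected: Trojan.Win32.FraudPack.alc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\TDSSmact.sys.vir Infected: Backdoor.Win32.TDSS.bkw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\efcYsrRH.dll.vir Infected: Trojan.Win32.Monderb.xil 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\pmNgefFv.dll.vir Infected: Trojan.Win32.Monderb.xil 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSScfum.dll.vir Infected: Trojan.Win32.Agent.arvz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSnrsr.dll.vir Infected: Backdoor.Win32.TDSS.asz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSofxh.dll.vir Infected: Backdoor.Win32.TDSS.blh 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSriqp.dll.vir Infected: Backdoor.Win32.TDSS.atb 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wingamma.exe.vir Infected: Trojan-Downloader.Win32.Delf.puu 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O92N4DQN\AV2010Installer[1].exe Infected: Trojan-Downloader.Win32.Delf.puu 1

The selected area was scanned.
"""

# One report line: a path (which may contain spaces), the word "Infected:",
# a threat name (no spaces) and the detection count.
_LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# ComboFix moves what it removes into this folder and renames it *.vir, so
# the scanner still sees the malware but it can no longer execute from there.
QUARANTINE_DIR = "\\qoobox\\quarantine\\"


def parse_report(report: str) -> List[Detection]:
    """Extract every detection line; header, footer and blank lines are skipped."""
    found: List[Detection] = []
    for line in report.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            found.append(Detection(m["path"], m["threat"], int(m["count"])))
    return found


def triage(report: str) -> Dict[str, List[Detection]]:
    """Split detections into quarantined / riskware / live, preserving report order."""
    groups: Dict[str, List[Detection]] = {"quarantined": [], "riskware": [], "live": []}
    for d in parse_report(report):
        low = d.path.lower()
        if QUARANTINE_DIR in low or low.endswith(".vir"):
            groups["quarantined"].append(d)
        elif d.threat.lower().startswith("not-a-virus:"):
            groups["riskware"].append(d)
        else:
            groups["live"].append(d)
    return groups


def removal_targets(report: str) -> List[str]:
    """Paths a removal script must delete: the live detections only."""
    return [d.path for d in triage(report)["live"]]


def still_present(paths: List[str]) -> List[str]:
    """The check fix.bat makes with 'if exist': which targets survived deletion."""
    return [p for p in paths if os.path.exists(p)]


if __name__ == "__main__":
    groups = triage(KASPERSKY_REPORT)
    for name, items in groups.items():
        print(f"{name}: {len(items)}")
    for path in removal_targets(KASPERSKY_REPORT):
        print("delete:", path)
```

`still_present` mirrors the batch file's `if exist ... >>log.txt` reporting; on the machine the thread is about it would be run after the deletions, and an empty list corresponds to the "Deleted Successfully" branch.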
Old 12-07-2008, 04:01 AM   #9 (permalink)
Registered User
 
Join Date: Jan 2006
Posts: 6
OS: XP


Re: severe problems with main PC

It said deleted successfully in the command box, then it closed and the file deleted itself. The computer has been running noticeably faster and the internet and EXE problems have been resolved.

Last edited by jrice257; 12-07-2008 at 04:02 AM.
jrice257 is offline  
Old 12-07-2008, 07:21 AM   #10 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 23,238
OS: N/A


Re: severe problems with main PC

Your system is now clean. Kindly follow these simple steps in order to keep your computer clean and secure:

  1. Uninstall ComboFix ... do not skip this step
    This process will perform some post cleanup measures.
    Do this by going to Start > Run & typing in ComboFix /u


  2. ANTIVIRUS SOFTWARE
    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  3. Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  4. SPYWAREBLASTER
    SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

    Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here - http://www.bleepingcomputer.com/forums/tutorial49.html

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • http://www.trillian.cc - Trillian or http://www.miranda-im.com - Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://computercops.biz/postlite7736-.html

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Kindly respond to this thread once more so we can mark this thread as resolved.
sUBs is offline  
Copyright 2001 - 2009, Tech Support Forum