[Resolved] Spyware, Trojans, Vundo, Etc.

Computer forums for help with removing malicious software (malware) and improving computer security

grin Welcome to What the Tech! ( Log In | Register ) What tech support ought to be... Fast, friendly and free! Once registered - you'll have the ability to post your question in the appropriate forum below. Additionally, if you can assist another member by sharing your tech knowledge, please post a reply! Best of all - Registration and all assistance is FREE! Once you've completed registration, simply choose the appropriate forum below, click on the "new topic" button, and post your question! What are you waiting for? Register today! *Registered users see NO ADVERTISING.

What the Tech > Spyware / Malware / Virus Removal > Infections Removal

3 Pages

1 2 3 >

[Resolved] Spyware, Trojans, Vundo, Etc., Slow boot, slow web page load, odd results

Options

royb View Member Profile	Jun 29 2009, 03:03 PM Post #1
New Member Group: Authentic Member Posts: 18 Joined: 29-June 09 Member No.: 86,469 Operating System: XP SP3	Slow boot,slow or no loading of web page, strange search results, odd behavior and if I try to delete a user account it crashes. I have Norton running, run MalWarebytes Anti Malware and others often. Need help. Intermediate user. Thanks

jpshortstuff View Member Profile	Jul 1 2009, 03:36 AM Post #2
SuperHelper Group: Classroom Teacher Posts: 5,027 Joined: 28-April 07 From: UK Member No.: 69,799 Operating System: Windows XP (Professional), Windows Vista (Home Business), Windows 7 (Ultimate), Ubuntu Linux	Hi, Does MalwareBytes' find anything? If so, please post a log. Please download DDS and save it to your desktop. Disable any script blocking protection Double click dds.scr to run the tool. When done two logs should open: DDS.txt Attach.txt Save both reports to your desktop. --------------------------------------------------- Post the contents of the DDS.txt report in your next reply *Attach* the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD. Download the GMER Rootkit Scanner. Unzip it to your Desktop. Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan. Right-click gmer.exe and select Run As Administrator. The program will begin to run. Caution These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised! If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click NO In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked. Now click the Scan button. Once the scan is complete, you may receive another notice about rootkit activity. Click OK. GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt" Save it where you can easily find it, such as your desktop. Post the contents of GMER.txt in your next reply.

royb View Member Profile	Jul 1 2009, 12:28 PM Post #3
New Member Group: Authentic Member Posts: 18 Joined: 29-June 09 Member No.: 86,469 Operating System: XP SP3	Thanks for the help. I will gladly donate as soon as look at the exchange rate (I only have uUSD $8.00 in my PayPal account). MalWarebytes finds Vundo. I have run VundoFix from Atribune.org and it removes it? Norton dosen't find Vundo and it returns. I think I have complied with your requests, if not please let me know. Malwarebytes' Anti-Malware 1.38 Database version: 2358 Windows 5.1.2600 Service Pack 3 7/1/2009 2:12:27 PM mbam-log-2009-07-01 (14-12-02).txt Scan type: Full Scan (C:\\|D:\\|) Objects scanned: 20420 Time elapsed: 1 minute(s), 7 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 3 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 1 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{161b3614-fe54-4d30-8019-0d1e95dd4db1} (Trojan.Vundo.H) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\kvedspul (Trojan.Vundo.H) -> No action taken. HKEY_CLASSES_ROOT\CLSID\{161b3614-fe54-4d30-8019-0d1e95dd4db1} (Trojan.Vundo.H) -> No action taken. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: c:\WINDOWS\system32\ixqavxo.dll (Trojan.Vundo.H) -> No action taken. DDS (Ver_09-06-26.01) - NTFSx86 Run by Roy Bristow at 11:22:18.20 on Wed 07/01/2009 Internet Explorer: 8.0.6001.18702 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.178 [GMT -4:00] AV: Norton Internet Security On-access scanning enabled (Updated) {E10A9785-9598-4754-B552-92431C1C35F8} FW: Norton Internet Security enabled {7C21A4C9-F61F-4AC4-B722-A6E19C16F220} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup svchost.exe svchost.exe C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe C:\Program Files\Dell Network Assistant\hnm_svc.exe C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe C:\Program Files\Dell Support Center\bin\sprtsvc.exe c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\Program Files\Canon\CAL\CALMAIN.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe C:\WINDOWS\System32\svchost.exe -k HTTPFilter C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe C:\Program Files\Logitech\SetPoint\SetPoint.exe C:\Documents and Settings\Roy Bristow\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe C:\Program Files\Microsoft Office\Office\OSA.EXE C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Roy Bristow\Desktop\dds.scr ============== Pseudo HJT Report =============== uStart Page = hxxp://comcast.net/ uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb uDefault_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080514 uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb mWinlogon: Userinit=c:\windows\system32\userinit.exe BHO: : {161b3614-fe54-4d30-8019-0d1e95dd4db1} - c:\windows\system32\ixqavxo.dll BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.5.0.135\coIEPlg.dll BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.5.0.135\IPSBHO.DLL BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File TB: {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - No File TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.5.0.135\coIEPlg.dll TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter uRun: [Google Update] "c:\documents and settings\roy bristow\local settings\application data\google\update\GoogleUpdate.exe" /c uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe" mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe" StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office\FINDFAST.EXE StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000 IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} LSP: c:\windows\system32\lsp.dll Trusted Zone: download.com Trusted Zone: intuit.com DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab DPF: {50647AB5-18FD-4142-82B0-5852478DD0D5} - hxxp://webeffective.keynote.com/applications/pconnector/download/ConnectorLauncher.cab DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab DPF: {94B82441-A413-4E43-8422-D49930E69764} - hxxps://chat2.j2.com/Media/VisitorchatEnu/TLIEFlash.CAB DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\engine\16.5.0.135\CoIEPlg.dll Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll Notify: igfxcui - igfxdev.dll Notify: kvedspul - ixqavxo.dll Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll AppInit_DLLs: frgehi.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL ============= SERVICES / DRIVERS =============== R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-25 64160] R0 MPRIFL;MPRIFL;c:\windows\system32\drivers\mprifl.sys [2009-1-28 17264] R0 nielprt;Nielsen Patch Service;c:\windows\system32\drivers\nielprt.sys [2009-5-12 21888] R0 qrgfbrnh;qrgfbrnh;c:\windows\system32\drivers\qrgfbrnh.sys [2004-8-10 23424] R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1005000.087\SymEFA.sys [2009-3-23 310320] R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1005000.087\BHDrvx86.sys [2009-3-23 258608] R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1005000.087\cchpx86.sys [2009-3-23 482352] R1 nnrnstdi;nnrnstdi;c:\windows\system32\drivers\nnrnstdi.sys [2008-12-7 14336] R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-4-28 9968] R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-4-28 72944] R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2008-11-13 13360] R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\microsoft small business\business contact manager\BcmSqlStartupSvc.exe [2008-1-11 30312] R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088] R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 953168] R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-1-4 195856] R2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.5.0.135\ccSvcHst.exe [2009-3-23 115560] R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2008-11-13 69168] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-25 101936] R3 km_filter;km_filter;c:\windows\system32\drivers\km_filter.sys [2008-12-7 8832] R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2008-9-26 19096] R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-11-24 29263712] R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090630.055\NAVENG.SYS [2009-7-1 89104] R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090630.055\NAVEX15.SYS [2009-7-1 876144] S1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090625.003\IDSXpx86.sys [2009-6-30 276344] S2 gupdate1c9a2515ee9ac6;Google Update Service (gupdate1c9a2515ee9ac6);c:\program files\google\update\GoogleUpdate.exe [2009-3-11 133104] S3 NielGfx;Nielsen USB GFX;c:\windows\system32\drivers\nielgfx.sys [2009-5-12 9088] S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064] S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-4-28 7408] S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2008-10-23 92464] =============== Created Last 30 ================ 2009-06-29 17:34 <DIR> --d----- c:\program files\Flip Words 2009-06-29 15:17 <DIR> --d----- c:\docume~1\roybri~1\applic~1\ZoomBrowser EX 2009-06-29 15:09 <DIR> --d----- c:\docume~1\roybri~1\applic~1\CameraWindowDC 2009-06-29 15:09 <DIR> --d----- c:\docume~1\roybri~1\applic~1\CANON INC 2009-06-22 14:17 <DIR> -cd-h--- c:\windows\ie8 2009-06-22 14:04 255,848 a------- c:\windows\system32\xactengine2_6.dll 2009-06-22 14:03 <DIR> --d-h--- c:\windows\msdownld.tmp 2009-06-22 14:02 <DIR> --d----- c:\windows\Logs 2009-06-21 19:27 16 a------- c:\documents and settings\roy bristow\FlipWords.dat 2009-06-21 14:14 293 a------- c:\windows\FlipWords.ini 2009-06-18 19:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ZoomBrowser 2009-06-18 19:07 <DIR> --d----- c:\program files\Canon 2009-06-18 19:04 <DIR> --d----- c:\program files\common files\Canon 2009-06-11 20:00 183,296 a------- c:\windows\system32\lsp.dll 2009-06-10 16:03 118 a------- c:\windows\system32\MRT.INI 2009-06-10 04:52 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll 2009-06-10 04:52 12,800 -------- c:\windows\system32\dllcache\xpshims.dll 2009-06-09 15:37 <DIR> --dsh--- c:\documents and settings\roy bristow\IECompatCache 2009-06-03 23:24 <DIR> --dsh--- c:\documents and settings\roy bristow\PrivacIE 2009-06-03 23:21 <DIR> --dsh--- c:\documents and settings\roy bristow\IETldCache 2009-06-03 23:18 <DIR> --d----- c:\windows\ie8updates 2009-06-03 23:18 102,912 -------- c:\windows\system32\dllcache\iecompat.dll ==================== Find3M ==================== 2009-06-21 14:13 1,682 a--sh--- c:\windows\system32\KGyGaAvL.sys 2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys 2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys 2009-06-06 23:44 481,743 a------- c:\windows\system32\kungsfuvbrsvpj.dat 2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll 2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll 2009-05-13 01:15 5,936,128 -------- c:\windows\system32\dllcache\mshtml.dll 2009-05-13 01:15 915,456 -------- c:\windows\system32\dllcache\wininet.dll 2009-05-12 06:56 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_nielprt_01007.Wdf 2009-05-12 06:55 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf 2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll 2009-05-07 11:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll 2009-04-30 17:22 1,985,024 -------- c:\windows\system32\dllcache\iertutil.dll 2009-04-30 17:22 11,064,832 -------- c:\windows\system32\dllcache\ieframe.dll 2009-04-30 17:22 1,207,808 -------- c:\windows\system32\dllcache\urlmon.dll 2009-04-30 17:22 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll 2009-04-30 17:22 385,536 -------- c:\windows\system32\dllcache\iedkcs32.dll 2009-04-30 07:21 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe 2009-04-22 20:09 15,688 a------- c:\windows\system32\lsdelete.exe 2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys 2009-04-17 08:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys 2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll 2009-04-15 10:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll 2009-02-10 15:38 60,744 a------- c:\documents and settings\roy bristow\g2mdlhlpx.exe 2009-01-26 12:00 2,516 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys 2009-01-26 12:00 88 ---shr-- c:\docume~1\alluse~1\applic~1\020AC935B7.sys 2008-07-07 09:56 81,920 a------- c:\docume~1\roybri~1\applic~1\ezpinst.exe 2008-07-07 09:56 47,360 a------- c:\docume~1\roybri~1\applic~1\pcouffin.sys 2008-12-07 21:55 56 ---shr-- c:\windows\system32\B735C90A02.sys 2008-09-23 20:59 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092320080924\index.dat ============= FINISH: 11:23:26.17 =============== GMER 1.0.15.14972 - http://www.gmer.net Rootkit scan 2009-07-01 12:44:33 Windows 5.1.2600 Service Pack 3 ---- System - GMER 1.0.15 ---- SSDT 86BC4270 ZwAlertResumeThread SSDT 865556B0 ZwAlertThread SSDT 86432A90 ZwAllocateVirtualMemory SSDT 86540050 ZwAssignProcessToJobObject SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xA9D8B040] SSDT 86432288 ZwCreateMutant SSDT 86431CD0 ZwCreateSymbolicLinkObject SSDT 864B0720 ZwCreateThread SSDT 86541050 ZwDebugActiveProcess SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xA9D8B2C0] SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA9D8B820] SSDT 86432BE8 ZwDuplicateObject SSDT spok.sys ZwEnumerateKey [0xF7411CA2] SSDT spok.sys ZwEnumerateValueKey [0xF7412030] SSDT 864328F0 ZwFreeVirtualMemory SSDT 86D5C068 ZwImpersonateAnonymousToken SSDT 86C3F268 ZwImpersonateThread SSDT 86543050 ZwLoadDriver SSDT 864A8878 ZwMapViewOfSection SSDT 8654D050 ZwOpenEvent SSDT spok.sys ZwOpenKey [0xF73F30C0] SSDT 86432D88 ZwOpenProcess SSDT 86BDF0B8 ZwOpenProcessToken SSDT 86544050 ZwOpenSection SSDT 86432CB8 ZwOpenThread SSDT 86431DA0 ZwProtectVirtualMemory SSDT spok.sys ZwQueryKey [0xF7412108] SSDT spok.sys ZwQueryValueKey [0xF7411F88] SSDT 86EF6850 ZwResumeThread SSDT 86EF0C08 ZwSetContextThread SSDT 86432710 ZwSetInformationProcess SSDT 86542050 ZwSetSystemInformation SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA9D8BA70] SSDT 8654C050 ZwSuspendProcess SSDT 86C3C158 ZwSuspendThread SSDT 86BD80B8 ZwTerminateProcess SSDT 86C67E50 ZwTerminateThread SSDT 86CDD378 ZwUnmapViewOfSection SSDT 864329C0 ZwWriteVirtualMemory INT 0x63 ? 86CB0F00 INT 0x73 ? 86FD6BF8 INT 0x73 ? 86FD6BF8 INT 0x73 ? 86FD6BF8 INT 0x73 ? 86FD6BF8 INT 0x73 ? 86CB0F00 INT 0x73 ? 86CB0F00 INT 0x73 ? 86FD6BF8 INT 0x94 ? 86CB0F00 INT 0xA4 ? 86CB0F00 ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 2CD4 80504570 4 Bytes CALL 14D688A0 PAGE ntkrnlpa.exe!ObReferenceObjectByHandle + 44F 805BB8ED 7 Bytes JMP 86F63B40 ? spok.sys The system cannot find the file specified. ! ? SYMEFA.SYS The system cannot find the file specified. ! .text USBPORT.SYS!DllUnload F600E8AC 5 Bytes JMP 86CB04E0 ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F73F4040] spok.sys IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F73F413C] spok.sys IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F73F40BE] spok.sys IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F73F47FC] spok.sys IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F73F46D2] spok.sys ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 86F661F8 AttachedDevice \FileSystem\Ntfs \Ntfs MPRIFL.SYS (My Private Folder driver/FSPro Labs) Device \Driver\usbehci \Device\USBPDO-0 86CD1500 Device \Driver\usbuhci \Device\USBPDO-1 86D4F1F8 Device \Driver\usbuhci \Device\USBPDO-2 86D4F1F8 Device \Driver\usbuhci \Device\USBPDO-3 86D4F1F8 Device \Driver\usbuhci \Device\USBPDO-4 86D4F1F8 AttachedDevice \Driver\Tcpip \Device\Tcp nnrnstdi.SYS (NNRNSTDI helper driver/The Nielsen Company) Device \Driver\usbuhci \Device\USBPDO-5 86D4F1F8 Device \Driver\usbuhci \Device\USBPDO-6 86D4F1F8 Device \Driver\Ftdisk \Device\HarddiskVolume1 86F681F8 Device \Driver\usbehci \Device\USBPDO-7 86CD1500 Device \Driver\Ftdisk \Device\HarddiskVolume2 86F681F8 Device \Driver\Cdrom \Device\CdRom0 86C08500 Device \Driver\NetBT \Device\NetBT_Tcpip_{28C8854A-4440-4535-9B10-CE5FEF99D1FE} 8655E500 Device \Driver\NetBT \Device\NetBt_Wins_Export 8655E500 Device \Driver\NetBT \Device\NetbiosSmb 8655E500 AttachedDevice \Driver\Tcpip \Device\RawIp nnrnstdi.SYS (NNRNSTDI helper driver/The Nielsen Company) Device \Driver\usbuhci \Device\USBFDO-0 86D4F1F8 Device \Driver\usbuhci \Device\USBFDO-1 86D4F1F8 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 865531F8 Device \Driver\usbuhci \Device\USBFDO-2 86D4F1F8 Device 865531F8 Device \Driver\usbehci \Device\USBFDO-3 86CD1500 Device \Driver\usbuhci \Device\USBFDO-4 86D4F1F8 Device \Driver\Ftdisk \Device\FtControl 86F681F8 Device \Driver\usbuhci \Device\USBFDO-5 86D4F1F8 Device \Driver\usbuhci \Device\USBFDO-6 86D4F1F8 Device \Driver\usbehci \Device\USBFDO-7 86CD1500 Device 863E61F8 Device A7EEF297 AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation) Device \FileSystem\Cdfs \Cdfs 86401500 Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio) ---- Services - GMER 1.0.15 ---- Service system32\drivers\kungsfkvrndpsk.sys (* hidden * ) [SYSTEM] kungsfxjbqlxwn <-- ROOTKIT !!! Service system32\drivers\SKYNETxviwqjgq.sys (* hidden * ) [SYSTEM] SKYNETbdwptntr <-- ROOTKIT !!! ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfxjbqlxwn@start 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfxjbqlxwn@type 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfxjbqlxwn@group file system Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfxjbqlxwn@imagepath \systemroot\system32\drivers\kungsfkvrndpsk.sys Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfxjbqlxwn\main Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfxjbqlxwn\main@aid 10096 Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfxjbqlxwn\main@sid 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfxjbqlxwn\main@cmddelay 7200 Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfxjbqlxwn\main\delete Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfxjbqlxwn\main\injector Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfxjbqlxwn\main\injector@* kungsfwsp.dll Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfxjbqlxwn\main\tasks Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfxjbqlxwn\modules Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfxjbqlxwn\modules@kungsfrk.sys \systemroot\system32\drivers\kungsfkvrndpsk.sys Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfxjbqlxwn\modules@kungsfcmd.dll \systemroot\system32\kungsfarmpydlv.dll Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfxjbqlxwn\modules@kungsflog.dat \systemroot\system32\kungsfuvbrsvpj.dat Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfxjbqlxwn\modules@kungsfwsp.dll \systemroot\system32\kungsfnbmqhhlj.dll Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfxjbqlxwn\modules@kungsf.dat \systemroot\system32\kungsfwrtlnkou.dat Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETbdwptntr@start 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETbdwptntr@type 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETbdwptntr@group file system Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETbdwptntr@imagepath \systemroot\system32\drivers\SKYNETxviwqjgq.sys Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETbdwptntr\main Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETbdwptntr\main\injector Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETbdwptntr\modules Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETbdwptntr\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETxviwqjgq.sys Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETbdwptntr\modules@SKYNETcmd.dll \systemroot\system32\SKYNETxtiouodx.dll Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\ControlSet002\Services\kungsfxjbqlxwn@start 1 Reg HKLM\SYSTEM\ControlSet002\Services\kungsfxjbqlxwn@type 1 Reg HKLM\SYSTEM\ControlSet002\Services\kungsfxjbqlxwn@group file system Reg HKLM\SYSTEM\ControlSet002\Services\kungsfxjbqlxwn@imagepath \systemroot\system32\drivers\kungsfkvrndpsk.sys Reg HKLM\SYSTEM\ControlSet002\Services\kungsfxjbqlxwn\main Reg HKLM\SYSTEM\ControlSet002\Services\kungsfxjbqlxwn\main@aid 10096 Reg HKLM\SYSTEM\ControlSet002\Services\kungsfxjbqlxwn\main@sid 0 Reg HKLM\SYSTEM\ControlSet002\Services\kungsfxjbqlxwn\main@cmddelay 7200 Reg HKLM\SYSTEM\ControlSet002\Services\kungsfxjbqlxwn\main\delete Reg HKLM\SYSTEM\ControlSet002\Services\kungsfxjbqlxwn\main\injector Reg HKLM\SYSTEM\ControlSet002\Services\kungsfxjbqlxwn\main\injector@* kungsfwsp.dll Reg HKLM\SYSTEM\ControlSet002\Services\kungsfxjbqlxwn\main\tasks Reg HKLM\SYSTEM\ControlSet002\Services\kungsfxjbqlxwn\modules Reg HKLM\SYSTEM\ControlSet002\Services\kungsfxjbqlxwn\modules@kungsfrk.sys \systemroot\system32\drivers\kungsfkvrndpsk.sys Reg HKLM\SYSTEM\ControlSet002\Services\kungsfxjbqlxwn\modules@kungsfcmd.dll \systemroot\system32\kungsfarmpydlv.dll Reg HKLM\SYSTEM\ControlSet002\Services\kungsfxjbqlxwn\modules@kungsflog.dat \systemroot\system32\kungsfuvbrsvpj.dat Reg HKLM\SYSTEM\ControlSet002\Services\kungsfxjbqlxwn\modules@kungsfwsp.dll \systemroot\system32\kungsfnbmqhhlj.dll Reg HKLM\SYSTEM\ControlSet002\Services\kungsfxjbqlxwn\modules@kungsf.dat \systemroot\system32\kungsfwrtlnkou.dat Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETbdwptntr@start 1 Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETbdwptntr@type 1 Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETbdwptntr@group file system Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETbdwptntr@imagepath \systemroot\system32\drivers\SKYNETxviwqjgq.sys Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETbdwptntr\main Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETbdwptntr\main\injector Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETbdwptntr\modules Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETbdwptntr\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETxviwqjgq.sys Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETbdwptntr\modules@SKYNETcmd.dll \systemroot\system32\SKYNETxtiouodx.dll Reg HKLM\SOFTWARE\Classes\CLSID\{161B3614-FE54-4D30-8019-0D1E95DD4DB1}\ProgID@ Akzydiqq Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{497E4387-4D07-A6B3-4E45-A2088163E506} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{497E4387-4D07-A6B3-4E45-A2088163E506}@naiojgmabnolokncbdkabjolfgno 0x6A 0x61 0x62 0x6C ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{497E4387-4D07-A6B3-4E45-A2088163E506}@macpdhjbficnaokdjnleaadhcf 0x6A 0x61 0x62 0x6C ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{497E4387-4D07-A6B3-4E45-A2088163E506}@abedlckcohpbmiinnnoaocjeefpokfiloe 0x61 0x62 0x6C 0x6F ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{497E4387-4D07-A6B3-4E45-A2088163E506}@mahdadeebgllhgadjcapkcnlnf 0x64 0x62 0x63 0x70 ... ---- Files - GMER 1.0.15 ---- File C:\Documents and Settings\Roy Bristow\My Documents\My Lockbox 0 bytes File C:\Documents and Settings\Roy Bristow\My Documents\My Lockbox\New Folder 0 bytes ---- EOF - GMER 1.0.15 ---- Attached File(s) Attach.txt ( 12.54K ) Number of downloads: 163

jpshortstuff View Member Profile	Jul 1 2009, 12:36 PM Post #4
SuperHelper Group: Classroom Teacher Posts: 5,027 Joined: 28-April 07 From: UK Member No.: 69,799 Operating System: Windows XP (Professional), Windows Vista (Home Business), Windows 7 (Ultimate), Ubuntu Linux	Looks like you've got a nasty Rootkit (or two) on board. Let's see if we can drag it out. Please delete any existing copies of ComboFix that you might have. Please download ComboFix to your desktop from one of these locations. You must rename it before saving it. Save it to your desktop. Link 1 Link 2 Link 3 IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here Double click on Combo-Fix.exe & follow the prompts. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning for malware. When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply. Notes: 1. Do not mouse-click Combofix's window while it is running. That may cause it to stall. 2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions. 3. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser. 4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please advise. 5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine. This post has been edited by jpshortstuff: Jul 1 2009, 12:39 PM

jpshortstuff View Member Profile	Jul 1 2009, 02:09 PM Post #6
SuperHelper Group: Classroom Teacher Posts: 5,027 Joined: 28-April 07 From: UK Member No.: 69,799 Operating System: Windows XP (Professional), Windows Vista (Home Business), Windows 7 (Ultimate), Ubuntu Linux	Hi, Please click Start >> Control Panel >> Add/Remove Programs, and then find and Remove these old versions of Java: J2SE Runtime Environment 5.0 Update 6 Java™ 6 Update 5 Java™ 6 Update 7 (Leave update 14 as it is the latest) While you are there, I recommend you consider removing Limewire - its a great way to get yourself infected. Please disable Spybot TeaTimer via its System Tray icon. For more info, check here. 1. Please open Notepad Click Start , then Run Type notepad.exe in the Run Box. 2. Now copy/paste the entire content of the codebox below into the Notepad window: CODE FileLook:: c:\windows\system32\B735C90A02.sys c:\windows\system32\drivers\nnrnstdi.sys DirLook:: c:\documents and settings\Roy Bristow\Application Data\gsdljreq c:\documents and settings\NetworkService\Application Data\gsdljreq NetSvcs:: yogtgxzm RegNull:: [HKEY_USERS\S-1-5-21-1362977303-1881232705-3471229379-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{497E4387-4D07-A6B3-4E45-A2088163E506}] RegLockDel:: [HKEY_USERS\S-1-5-21-1362977303-1881232705-3471229379-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{497E4387-4D07-A6B3-4E45-A2088163E506}] [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{161B3614-FE54-4D30-8019-0D1E95DD4DB1}] 3. Save the above as CFScript.txt 4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again. 5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply: Combofix.txt. Next, let's check for any leftovers. Please go to Kaspersky website and perform an online antivirus scan. Read through the requirements and privacy statement and click on Accept button. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run. When the downloads have finished, click on Settings. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs Archives Mail databases Click on My Computer under Scan. Once the scan is complete, it will display the results. Click on View Scan Report. You will see a list of infected items there. Click on Save Report As.... Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Please post this log in your next reply. Let me know how things are running after all this.

royb View Member Profile	Jul 1 2009, 02:47 PM Post #7
New Member Group: Authentic Member Posts: 18 Joined: 29-June 09 Member No.: 86,469 Operating System: XP SP3	Before I go further - I removed J2SE, Java 6 Update 5, Java 6 update 7 and Limewire. I do not have Spybot listed in Add/Remove. Found a Spybot folder in C:\ but cannot delete it. Please advise. Thanks

jpshortstuff View Member Profile	Jul 1 2009, 02:51 PM Post #8
SuperHelper Group: Classroom Teacher Posts: 5,027 Joined: 28-April 07 From: UK Member No.: 69,799 Operating System: Windows XP (Professional), Windows Vista (Home Business), Windows 7 (Ultimate), Ubuntu Linux	Hi, You don't need to delete Spybot, just disable it. Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected. On the left hand side, click on Tools, then click on the Resident Icon in the list. Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box. Click on the "System Startup" icon in the List Uncheck the "TeaTimer" box and "OK" any prompts. If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted. Exit Spybot S&D when done. (When we are done, you can re-enable Teatimer using the same steps but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.]

royb View Member Profile	Jul 1 2009, 02:56 PM Post #9
New Member Group: Authentic Member Posts: 18 Joined: 29-June 09 Member No.: 86,469 Operating System: XP SP3	I wasn't clear. Spybot is no longer a program on my computer. Left over is a folder with TeaTimer.exe in it but you cannot launch it or delete it. Thanks

royb View Member Profile	Jul 1 2009, 02:57 PM Post #10
New Member Group: Authentic Member Posts: 18 Joined: 29-June 09 Member No.: 86,469 Operating System: XP SP3	I wasn't clear. Spybot is no longer a program on my computer. Left over is a folder with TeaTimer.exe in it but you cannot launch it or delete it. Thanks

jpshortstuff View Member Profile	Jul 1 2009, 02:59 PM Post #11
SuperHelper Group: Classroom Teacher Posts: 5,027 Joined: 28-April 07 From: UK Member No.: 69,799 Operating System: Windows XP (Professional), Windows Vista (Home Business), Windows 7 (Ultimate), Ubuntu Linux	Ah, I understand. In which case, you don't have to worry about it, we will remove it later if you still can't delete it.

jpshortstuff View Member Profile	Jul 2 2009, 04:33 AM Post #13
SuperHelper Group: Classroom Teacher Posts: 5,027 Joined: 28-April 07 From: UK Member No.: 69,799 Operating System: Windows XP (Professional), Windows Vista (Home Business), Windows 7 (Ultimate), Ubuntu Linux	Hi, I've got another CFScript for you to run, do the same as before: CODE File:: c:\windows\system32\B735C90A02.sys Folder:: c:\documents and settings\NetworkService\Application Data\gsdljreq c:\documents and settings\Roy Bristow\Application Data\gsdljreq Registry:: [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SpybotSD TeaTimer"=- Your logs are looking good. Are you having any more problems? What happens if you try and delete that Spybot folder now? Please give the error message if it still doesn't work.

jpshortstuff View Member Profile	Jul 3 2009, 02:32 AM Post #15
SuperHelper Group: Classroom Teacher Posts: 5,027 Joined: 28-April 07 From: UK Member No.: 69,799 Operating System: Windows XP (Professional), Windows Vista (Home Business), Windows 7 (Ultimate), Ubuntu Linux	Hi, Something keeps coming back. Please delete your existing copy of ComboFix, and download a new one (there have been some updates recently that may be pertinent to what we are trying to remove). Then, run the new ComboFix with this CFScript: CODE Driver:: yogtgxzm NetSvc:: yogtgxzm Let me know how things are running after that, and please show me the new ComboFix log.

« Next Oldest · Infections Removal · Next Newest »

3 Pages

1 2 3 >

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Topic Title	Replies	Topic Starter	Views	Last Action
Infections Removal [Resolved] spyware/ fake antivirus 12	29	83valentine	302	Today, 11:38 AM Last post by: ken545
Infections Removal [Resolved] laptop running slow	14	juibre	166	Today, 11:37 AM Last post by: ken545
Infections Removal [Resolved] Trojan Detected 12	20	toyotomi	362	Today, 11:16 AM Last post by: CatByte
Infections Removal 9 trojans, a worm, and corrupt antivirus! Help! 123	31	StormyHaze	235	Today, 10:23 AM Last post by: chamber