
[Closed] windows police pro


32 replies to this topic

#16 bigbadkitty

bigbadkitty

    Authentic Member

  • Authentic Member
  • PipPip
  • 20 posts

Posted 21 September 2009 - 09:41 AM

OK I got a warning popup that said gmer has found something caused by rootkit activity.


GMER 1.0.15.15087 - http://www.gmer.net
Rootkit scan 2009-09-21 10:40:24
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\HP_OWN~1.YOU\LOCALS~1\Temp\awgdypod.sys


---- System - GMER 1.0.15 ----

Code 82E99D18 ZwEnumerateKey
Code 82E9BAD0 ZwFlushInstructionCache
Code 82E99B66 ZwSaveKey
Code 82E99C3E ZwSaveKeyEx
Code 82E983EE IofCallDriver
Code 82D382A6 IofCompleteRequest

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\gasfkywnyxqnej.sys (*** hidden *** ) [SYSTEM] gasfkyiwiutvsd <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyiwiutvsd
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyiwiutvsd@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyiwiutvsd@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyiwiutvsd@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyiwiutvsd@imagepath \systemroot\system32\drivers\gasfkywnyxqnej.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyiwiutvsd\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyiwiutvsd\main@aid 10096
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyiwiutvsd\main@sid 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyiwiutvsd\main@cmddelay 14400
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyiwiutvsd\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyiwiutvsd\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyiwiutvsd\main\injector@* gasfkywsp8y.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyiwiutvsd\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyiwiutvsd\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyiwiutvsd\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkywnyxqnej.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyiwiutvsd\modules@gasfkycmd.dll \systemroot\system32\gasfkyhimpmhjy.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyiwiutvsd\modules@gasfkylog.dat \systemroot\system32\gasfkyugqvawuh.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyiwiutvsd\modules@gasfkywsp.dll \systemroot\system32\gasfkyqmuecuxs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyiwiutvsd\modules@gasfky.dat \systemroot\system32\gasfkyigvjnsve.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyiwiutvsd\modules@gasfkywsp8y.dll \systemroot\system32\gasfkyyreyorbg.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyiwiutvsd (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyiwiutvsd@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyiwiutvsd@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyiwiutvsd@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyiwiutvsd@imagepath \systemroot\system32\drivers\gasfkywnyxqnej.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyiwiutvsd\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyiwiutvsd\main@aid 10096
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyiwiutvsd\main@sid 0
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyiwiutvsd\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyiwiutvsd\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyiwiutvsd\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyiwiutvsd\main\injector@* gasfkywsp8y.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyiwiutvsd\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyiwiutvsd\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyiwiutvsd\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkywnyxqnej.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyiwiutvsd\modules@gasfkycmd.dll \systemroot\system32\gasfkyhimpmhjy.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyiwiutvsd\modules@gasfkylog.dat \systemroot\system32\gasfkyugqvawuh.dat
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyiwiutvsd\modules@gasfkywsp.dll \systemroot\system32\gasfkyqmuecuxs.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyiwiutvsd\modules@gasfky.dat \systemroot\system32\gasfkyigvjnsve.dat
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyiwiutvsd\modules@gasfkywsp8y.dll \systemroot\system32\gasfkyyreyorbg.dll

---- Files - GMER 1.0.15 ----

File C:\Program Files\Adobe\Adobe Illustrator CS4\Support Files\Contents\Windows\LMResources\de_DE\Actions 0 bytes
File C:\Program Files\Adobe\Adobe Illustrator CS4\Support Files\Contents\Windows\LMResources\de_DE\Brushes 0 bytes
File C:\Program Files\Adobe\Adobe Illustrator CS4\Support Files\Contents\Windows\LMResources\de_DE\Flash Panels 0 bytes
File C:\Program Files\Adobe\Adobe Illustrator CS4\Support Files\Contents\Windows\LMResources\de_DE\Graphic Styles 0 bytes
File C:\Program Files\Adobe\Adobe Illustrator CS4\Support Files\Contents\Windows\LMResources\de_DE\Keyboard Shortcuts 0 bytes
File C:\Program Files\Adobe\Adobe Illustrator CS4\Support Files\Contents\Windows\LMResources\de_DE\Save for Web Settings 0 bytes
File C:\Program Files\Adobe\Adobe Illustrator CS4\Support Files\Contents\Windows\LMResources\de_DE\Scripts 0 bytes
File C:\Program Files\Adobe\Adobe Illustrator CS4\Support Files\Contents\Windows\LMResources\de_DE\Swatches 0 bytes
File C:\Program Files\Adobe\Adobe Illustrator CS4\Support Files\Contents\Windows\LMResources\de_DE\Symbols 0 bytes
File C:\Program Files\Adobe\Adobe Illustrator CS4\Support Files\Contents\Windows\LMResources\de_DE\Workspaces 0 bytes

---- EOF - GMER 1.0.15 ----
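The log above is the key evidence in this thread: a service that GMER marks hidden, kernel code hooks, and registry keys under Services\gasfkyiwiutvsd naming the driver, DLL modules and an injector entry. As an added example (not part of the original post and not GMER's own code), a Python script that parses this log format and links the hidden service to its on-disk artifacts; the sample log is a constructed, trimmed excerpt in the same shape:

```python
"""Triage a GMER rootkit-scan log: link each hidden service to the registry
entries and module files GMER reported for it.  Added example, not GMER's
own code or anything posted in the thread."""
import re
from collections import defaultdict

# Constructed sample: a trimmed excerpt in the shape of the log posted above.
SAMPLE_GMER_LOG = r"""
---- System - GMER 1.0.15 ----

Code 82E99D18 ZwEnumerateKey
Code 82E99B66 ZwSaveKey

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\gasfkywnyxqnej.sys (*** hidden *** ) [SYSTEM] gasfkyiwiutvsd <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyiwiutvsd
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyiwiutvsd@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyiwiutvsd@imagepath \systemroot\system32\drivers\gasfkywnyxqnej.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyiwiutvsd\main\injector@* gasfkywsp8y.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyiwiutvsd\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkywnyxqnej.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyiwiutvsd\modules@gasfkycmd.dll \systemroot\system32\gasfkyhimpmhjy.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyiwiutvsd (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyiwiutvsd@imagepath \systemroot\system32\drivers\gasfkywnyxqnej.sys
"""

# "Service <image> (<flags>) [<start>] <name> ..."  e.g. "(*** hidden *** ) [SYSTEM]"
SERVICE_RE = re.compile(r"^Service\s+(?P<image>\S+)\s+\((?P<flags>[^)]*)\)\s+\[(?P<start>[^\]]*)\]\s+(?P<name>\S+)")
# "Code <address> <kernel function>": an inline hook in kernel code
CODE_RE = re.compile(r"^Code\s+(?P<addr>[0-9A-Fa-f]+)\s+(?P<func>\S+)")
# Service name and subkey below ...\Services\
SERVICE_KEY_RE = re.compile(r"\\Services\\(?P<name>[^\\]+)(?P<subkey>.*)$")


def parse_reg_line(line):
    """Split 'Reg <key>[@<value> [<data>]]' into parts; None if not a Services key."""
    body = line[len("Reg "):].replace(" (not active ControlSet)", "").strip()
    key, _, rest = body.partition("@")
    value, _, data = rest.partition(" ")
    m = SERVICE_KEY_RE.search(key)
    if not m:
        return None
    return {"service": m["name"], "subkey": m["subkey"].lower(),
            "value": value.lower(), "data": data.strip()}


def triage_gmer_log(text):
    """Return kernel hooks and, per hidden service, its driver, modules and injector."""
    hidden, reg, hooks = {}, defaultdict(list), {}
    for line in text.splitlines():
        if line.startswith("Code "):
            m = CODE_RE.match(line)
            if m:
                hooks[m["func"]] = m["addr"]
        elif line.startswith("Service "):
            m = SERVICE_RE.match(line)
            if m and "hidden" in m["flags"]:
                hidden[m["name"]] = {"driver": m["image"], "gmer_start": m["start"],
                                     "start_type": None, "image_paths": set(),
                                     "modules": {}, "injector": []}
        elif line.startswith("Reg "):
            entry = parse_reg_line(line)
            if entry:
                reg[entry["service"]].append(entry)
    for name, info in hidden.items():
        for e in reg.get(name, []):
            if e["subkey"] == "" and e["value"] == "imagepath":
                info["image_paths"].add(e["data"])
            elif e["subkey"] == "" and e["value"] == "start":
                info["start_type"] = int(e["data"])   # 1 = SERVICE_SYSTEM_START: loaded early in boot
            elif e["subkey"] == r"\modules" and e["value"]:
                info["modules"][e["value"]] = e["data"]  # logical module name -> real file
            elif e["subkey"] == r"\main\injector" and e["value"]:
                info["injector"].append(e["data"])       # DLL injected into processes
        info["image_paths"] = sorted(info["image_paths"])
        # Every file tied to the hidden service: what an analyst would collect or quarantine
        info["artifacts"] = sorted({info["driver"], *info["image_paths"], *info["modules"].values()})
    return {"kernel_hooks": hooks, "hidden_services": hidden}


if __name__ == "__main__":
    result = triage_gmer_log(SAMPLE_GMER_LOG)
    print("hooked kernel functions:", ", ".join(sorted(result["kernel_hooks"])))
    for name, info in result["hidden_services"].items():
        print(f"hidden service {name} (start type {info['start_type']}):")
        for path in info["artifacts"]:
            print("   ", path)
        print("    injector:", ", ".join(info["injector"]))
```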



#17 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 21 September 2009 - 09:44 AM

Please do the following:

Note: I cannot stress enough how important it is to disable your security programs before running ComboFix.


Download Combofix from either of the links below. You must rename it before saving it. Save it to your desktop.

Link 2
Link 3

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt back into this thread.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#18 bigbadkitty


Posted 21 September 2009 - 09:51 AM

remember, I am a moron...do you mean for me to go to control panel, then security center, and disable everything (firewall, automatic updates, and virus protection)? and turn off avast?

#19 CatByte


Posted 21 September 2009 - 10:09 AM

Yes please,



#20 bigbadkitty


Posted 21 September 2009 - 10:21 AM

I just got a disclaimer popup...telling me

the following websites are not in any way affiliated to ComboFix:

http://www.combofix.org/
http:/www.combofixdownload.com/

If you have purchased anything from them, I suggest you instruct your financiers to cancel the transaction

#21 CatByte


Posted 21 September 2009 - 10:42 AM

Please carry on...OK your way through till it scans



#22 bigbadkitty


Posted 21 September 2009 - 11:11 AM

I'm pretty sure this is it

ComboFix 09-09-20.04 - HP_Owner 09/21/2009 11:54:23.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.236 [GMT -5:00]
Running from: C:\Documents and Settings\HP_Owner.YOUR-F78BF48CE2\My Documents\Downloads\Combo-Fix.exe
AV: avast! antivirus 4.8.1335 [VPS 090920-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\ScreenSaver\Images\00F7D417.urr
C:\Program Files\FunWebProducts\Shared\34226704.dat
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\History\search3
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm.bak
C:\Program Files\MyWebSearch\bar\Settings\settings.dat
C:\Program Files\MyWebSearch\bar\Settings\settings.dat.bak
C:\Program Files\screensavers.com
C:\Program Files\screensavers.com\Installer\bin\iebyterange.xml
C:\Program Files\screensavers.com\Installer\bin\iebyterange.xml.backup
C:\Program Files\screensavers.com\Installer\bin\siuninst.exe
C:\Program Files\screensavers.com\Wallpaper\swpstart.exe
C:\Program Files\Uninstall Fun Web Products.dll
C:\Program Files\Windows Police Pro
C:\Program Files\Windows Police Pro\msvcm80.dll
C:\Program Files\Windows Police Pro\msvcp80.dll
C:\Program Files\Windows Police Pro\msvcr80.dll
C:\Program Files\Windows Police Pro\tmp\dbsinit.exe
C:\Program Files\Windows Police Pro\tmp\images\i1.gif
C:\Program Files\Windows Police Pro\tmp\images\i2.gif
C:\Program Files\Windows Police Pro\tmp\images\i3.gif
C:\Program Files\Windows Police Pro\tmp\images\j1.gif
C:\Program Files\Windows Police Pro\tmp\images\j2.gif
C:\Program Files\Windows Police Pro\tmp\images\j3.gif
C:\Program Files\Windows Police Pro\tmp\images\jj1.gif
C:\Program Files\Windows Police Pro\tmp\images\jj2.gif
C:\Program Files\Windows Police Pro\tmp\images\jj3.gif
C:\Program Files\Windows Police Pro\tmp\images\l1.gif
C:\Program Files\Windows Police Pro\tmp\images\l2.gif
C:\Program Files\Windows Police Pro\tmp\images\l3.gif
C:\Program Files\Windows Police Pro\tmp\images\pix.gif
C:\Program Files\Windows Police Pro\tmp\images\t1.gif
C:\Program Files\Windows Police Pro\tmp\images\t2.gif
C:\Program Files\Windows Police Pro\tmp\images\up1.gif
C:\Program Files\Windows Police Pro\tmp\images\up2.gif
C:\Program Files\Windows Police Pro\tmp\images\w1.gif
C:\Program Files\Windows Police Pro\tmp\images\w11.gif
C:\Program Files\Windows Police Pro\tmp\images\w2.gif
C:\Program Files\Windows Police Pro\tmp\images\w3.gif
C:\Program Files\Windows Police Pro\tmp\images\w3.jpg
C:\Program Files\Windows Police Pro\tmp\images\wt1.gif
C:\Program Files\Windows Police Pro\tmp\images\wt2.gif
C:\Program Files\Windows Police Pro\tmp\images\wt3.gif
C:\Program Files\Windows Police Pro\tmp\wispex.html
C:\RECYCLER\S-1-5-21-3097140657-671521930-546896526-1009
C:\RECYCLER\S-1-5-21-3097140657-671521930-546896526-500
C:\WINDOWS\dat.txt
C:\WINDOWS\Installer\105c11.msi
C:\WINDOWS\Installer\115a6ec6.msp
C:\WINDOWS\Installer\126b024.msp
C:\WINDOWS\Installer\149379d1.msp
C:\WINDOWS\Installer\14df5613.msp
C:\WINDOWS\Installer\163b657.msp
C:\WINDOWS\Installer\163b67c.msp
C:\WINDOWS\Installer\16f5cc34.msp
C:\WINDOWS\Installer\16f5cc4e.msp
C:\WINDOWS\Installer\1847d66.msi
C:\WINDOWS\Installer\18ac4.msi
C:\WINDOWS\Installer\1c39c765.msp
C:\WINDOWS\Installer\1e29906a.msp
C:\WINDOWS\Installer\1e299080.msp
C:\WINDOWS\Installer\1e299096.msp
C:\WINDOWS\Installer\20f4f0c5.msi
C:\WINDOWS\Installer\21063f6.msp
C:\WINDOWS\Installer\22c51b6d.msp
C:\WINDOWS\Installer\22c51b83.msp
C:\WINDOWS\Installer\22c51b99.msp
C:\WINDOWS\Installer\23e6dd6.msp
C:\WINDOWS\Installer\23e6e78.msp
C:\WINDOWS\Installer\27f11ef0.msp
C:\WINDOWS\Installer\27f11f06.msp
C:\WINDOWS\Installer\27f11f1c.msp
C:\WINDOWS\Installer\27f11f32.msp
C:\WINDOWS\Installer\27f11f48.msp
C:\WINDOWS\Installer\27f11f5e.msp
C:\WINDOWS\Installer\28b4759.msi
C:\WINDOWS\Installer\29fb401.msp
C:\WINDOWS\Installer\2f3f863.msp
C:\WINDOWS\Installer\2f3f876.msp
C:\WINDOWS\Installer\2f3f889.msp
C:\WINDOWS\Installer\2f3f890.msi
C:\WINDOWS\Installer\2f3f8a2.msp
C:\WINDOWS\Installer\2f3f8b5.msp
C:\WINDOWS\Installer\317a68.msp
C:\WINDOWS\Installer\35988821.msi
C:\WINDOWS\Installer\3b24e71.msp
C:\WINDOWS\Installer\3bb5e08.msp
C:\WINDOWS\Installer\3bb5e54.msp
C:\WINDOWS\Installer\3df5a57.msi
C:\WINDOWS\Installer\41f10c6.msp
C:\WINDOWS\Installer\41f10e8.msp
C:\WINDOWS\Installer\481303ea.msp
C:\WINDOWS\Installer\48130400.msp
C:\WINDOWS\Installer\499d18fc.msp
C:\WINDOWS\Installer\499d1914.msp
C:\WINDOWS\Installer\499d192a.msp
C:\WINDOWS\Installer\59250387.msi
C:\WINDOWS\Installer\5925039c.msp
C:\WINDOWS\Installer\592503b2.msp
C:\WINDOWS\Installer\5ad7a276.msp
C:\WINDOWS\Installer\5ad7a2a2.msp
C:\WINDOWS\Installer\5ad7a2b9.msp
C:\WINDOWS\Installer\5ad7a2cf.msp
C:\WINDOWS\Installer\605c9d0e.msp
C:\WINDOWS\Installer\605c9d24.msp
C:\WINDOWS\Installer\605c9d3a.msp
C:\WINDOWS\Installer\605c9d4f.msp
C:\WINDOWS\Installer\605c9d68.msp
C:\WINDOWS\Installer\6112d.msp
C:\WINDOWS\Installer\734fb5d.msp
C:\WINDOWS\Installer\734fb74.msp
C:\WINDOWS\Installer\74ced.msi
C:\WINDOWS\Installer\840a7ebc.msp
C:\WINDOWS\Installer\86384f5.msp
C:\WINDOWS\Installer\863852f.msp
C:\WINDOWS\Installer\8aa80b9.msp
C:\WINDOWS\Installer\9810113.msp
C:\WINDOWS\Installer\b406a.msi
C:\WINDOWS\Installer\b430c.msi
C:\WINDOWS\Installer\b4312.msi
C:\WINDOWS\Installer\b4534b.msp
C:\WINDOWS\Installer\b8c07a.msp
C:\WINDOWS\Installer\b8c08f.msp
C:\WINDOWS\Installer\b8c0b5.msp
C:\WINDOWS\Installer\c793639.msi
C:\WINDOWS\Installer\c793642.msp
C:\WINDOWS\Installer\db10bac.msp
C:\WINDOWS\Installer\db10bd2.msp
C:\WINDOWS\Installer\db10bf8.msp
C:\WINDOWS\Installer\e08afcb.msp
C:\WINDOWS\Installer\eb0e1207.msp
C:\WINDOWS\Installer\ff08f5.msi
C:\WINDOWS\privacy_danger
C:\WINDOWS\rs.txt
C:\WINDOWS\search_res.txt
C:\WINDOWS\svchast.exe
C:\WINDOWS\system32\bennuar.old
C:\WINDOWS\system32\drivers\gasfkywnyxqnej.sys
C:\WINDOWS\system32\gasfkyhimpmhjy.dll
C:\WINDOWS\system32\gasfkyigvjnsve.dat
C:\WINDOWS\system32\gasfkyqmuecuxs.dll
C:\WINDOWS\system32\gasfkyugqvawuh.dat
C:\WINDOWS\system32\gasfkyyreyorbg.dll
C:\WINDOWS\system32\images
C:\WINDOWS\system32\images\i1.gif
C:\WINDOWS\system32\images\i2.gif
C:\WINDOWS\system32\images\i3.gif
C:\WINDOWS\system32\images\j1.gif
C:\WINDOWS\system32\images\j2.gif
C:\WINDOWS\system32\images\j3.gif
C:\WINDOWS\system32\images\jj1.gif
C:\WINDOWS\system32\images\jj2.gif
C:\WINDOWS\system32\images\jj3.gif
C:\WINDOWS\system32\images\l1.gif
C:\WINDOWS\system32\images\l2.gif
C:\WINDOWS\system32\images\l3.gif
C:\WINDOWS\system32\images\pix.gif
C:\WINDOWS\system32\images\t1.gif
C:\WINDOWS\system32\images\t2.gif
C:\WINDOWS\system32\images\up1.gif
C:\WINDOWS\system32\images\up2.gif
C:\WINDOWS\system32\images\w1.gif
C:\WINDOWS\system32\images\w11.gif
C:\WINDOWS\system32\images\w2.gif
C:\WINDOWS\system32\images\w3.gif
C:\WINDOWS\system32\images\w3.jpg
C:\WINDOWS\system32\images\wt1.gif
C:\WINDOWS\system32\images\wt2.gif
C:\WINDOWS\system32\images\wt3.gif
C:\WINDOWS\system32\ps2.bat
C:\WINDOWS\system32\sonhelp.htm
C:\WINDOWS\system32\wispex.html
D:\Autorun.inf
.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AntipPolice_
-------\Service_AntipPolice_
-------\Service_gasfkyiwiutvsd

((((((((((((((((((((((((( Files Created from 2009-08-21 to 2009-09-21 )))))))))))))))))))))))))))))))
.

2009-09-08 18:39:12 . 2009-06-21 21:44:50 153088 ------w- C:\WINDOWS\system32\dllcache\triedit.dll
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2009-09-04 01:41:12 . 2009-03-01 16:29:04 0 d-----w- C:\Documents and Settings\HP_Owner.YOUR-F78BF48CE2\Application Data\AdobeUM
2009-08-20 02:47:59 . 2009-08-20 02:47:59 0 d-----w- C:\Documents and Settings\HP_Owner.YOUR-F78BF48CE2\Application Data\Template
2009-08-20 02:47:54 . 2009-08-20 02:47:54 0 ----a-w- C:\Documents and Settings\HP_Owner.YOUR-F78BF48CE2\Application Data\wklnhst.dat
2009-08-16 11:43:01 . 2005-05-06 06:35:29 0 d-----w- C:\Program Files\Java
2009-08-05 09:01:48 . 2004-08-04 12:00:00 204800 ----a-w- C:\WINDOWS\system32\mswebdvd.dll
2009-07-25 10:23:00 . 2009-02-20 02:00:07 411368 ----a-w- C:\WINDOWS\system32\deploytk.dll
2009-07-17 19:01:06 . 2004-08-04 12:00:00 58880 ----a-w- C:\WINDOWS\system32\atl.dll
2009-07-13 15:08:14 . 2004-08-04 11:00:00 286720 ----a-w- C:\WINDOWS\system32\wmpdxm.dll
2009-06-26 16:50:05 . 2004-08-04 11:00:00 666624 ----a-w- C:\WINDOWS\system32\wininet.dll
2009-06-26 16:50:04 . 2004-08-04 12:00:00 81920 -c--a-w- C:\WINDOWS\system32\ieencode.dll
2009-06-25 08:25:26 . 2004-08-04 12:00:00 56832 ----a-w- C:\WINDOWS\system32\secur32.dll
2009-06-25 08:25:26 . 2004-08-04 12:00:00 54272 ----a-w- C:\WINDOWS\system32\wdigest.dll
2009-06-25 08:25:26 . 2004-08-04 12:00:00 301568 ----a-w- C:\WINDOWS\system32\kerberos.dll
2009-06-25 08:25:26 . 2004-08-04 12:00:00 147456 ----a-w- C:\WINDOWS\system32\schannel.dll
2009-06-25 08:25:26 . 2004-08-04 12:00:00 136192 ----a-w- C:\WINDOWS\system32\msv1_0.dll
2009-06-25 08:25:26 . 2004-08-04 11:00:00 730112 ----a-w- C:\WINDOWS\system32\lsasrv.dll
2009-06-24 11:18:41 . 2004-08-04 18:00:00 92928 ----a-w- C:\WINDOWS\system32\drivers\ksecdd.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-14 00:12:28 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [X]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-01-23 17:31:34 126976]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 05:34:02 245760]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 20:54:32 253952]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 21:08:45 81000]
"AdobeCS4ServiceManager"="C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 12:58:34 611712]
"LXSUPMON"="C:\WINDOWS\system32\LXSUPMON.EXE" [2002-05-06 12:40:20 900096]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2009-07-25 10:23:12 149280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Auto Detect.lnk - C:\Program Files\iConcepts Music Express\MEAutoDetect.exe [2008-3-12 270336]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2/19/2009 10:15:30 PM 114768]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\drivers\aswFsBlk.sys [2/19/2009 10:15:30 PM 20560]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Google Search - C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
FF - ProfilePath - C:\Documents and Settings\HP_Owner.YOUR-F78BF48CE2\Application Data\Mozilla\Firefox\Profiles\ya32wjpq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=13&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: keyword.URL - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=NAUS&v=13&tid={CA7EA5FE-C8D3-DB42-E5CA-AA0956DCA6BD}&q=
FF - plugin: C:\Program Files\Common Files\ParallelGraphics\Cortona\npCortona.dll
FF - plugin: C:\Program Files\Mozilla Firefox\plugins\npCortona.dll
FF - plugin: C:\Program Files\Mozilla Firefox\plugins\npkimi.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-AutoTBar - c:\Program Files\HP\Digital Imaging\bin\AUTOTBAR.EXE

#23 bigbadkitty


Posted 21 September 2009 - 11:54 AM

I so appreciate everything you have done, this really helped! I don't know if there is more I need to do, I will check back periodically...thank you again! :notworthy: Lisa

#24 CatByte


Posted 21 September 2009 - 12:27 PM

Please do the following:

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so.

NEXT
It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner:
1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply



#25 bigbadkitty


Posted 21 September 2009 - 01:10 PM

OK doing malwarebytes now



#26 bigbadkitty


Posted 21 September 2009 - 01:35 PM

Malwarebytes' Anti-Malware 1.41
Database version: 2837
Windows 5.1.2600 Service Pack 3

9/21/2009 2:34:33 PM
mbam-log-2009-09-21 (14-34-33).txt

Scan type: Quick Scan
Objects scanned: 116439
Time elapsed: 18 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gasfkyiwiutvsd (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#27 bigbadkitty


Posted 21 September 2009 - 05:18 PM

holy cow, this kaspersky scan takes forever...

#28 CatByte


Posted 21 September 2009 - 05:50 PM

Yes, it can take quite a long time, it is very thorough.



#29 bigbadkitty


Posted 22 September 2009 - 04:13 AM

finally!!

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, September 22, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, September 22, 2009 02:08:46
Records in database: 2867570
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
G:\
H:\
I:\
J:\

Scan statistics:
Objects scanned: 79379
Threats found: 4
Infected objects found: 10
Suspicious objects found: 0
Scan duration: 02:54:07

File name / Threat / Threats count
C:\Program Files\Online Services\AOL90US\comps\toolbar\toolbr.EXE Infected: not-a-virus:AdWare.Win32.SearchIt.t 1
C:\Qoobox\Quarantine\C\Program Files\Uninstall Fun Web Products.dll.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.cu 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\gasfkyhimpmhjy.dll.vir Infected: Packed.Win32.TDSS.z 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\gasfkyqmuecuxs.dll.vir Infected: Packed.Win32.TDSS.z 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\gasfkyyreyorbg.dll.vir Infected: Packed.Win32.TDSS.z 1
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP242\A0022675.dll Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.cu 1
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP242\A0022697.dll Infected: Packed.Win32.TDSS.z 1
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP242\A0022698.dll Infected: Packed.Win32.TDSS.z 1
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP242\A0022699.dll Infected: Packed.Win32.TDSS.z 1
D:\I386\Apps\APP07885\src\HPSummer2005.exe Infected: not-a-virus:AdWare.Win32.MyWay.j 1

Selected area has been scanned.

#30 CatByte


Posted 22 September 2009 - 04:55 AM

Hi, Please post a fresh DDS and Attach.txt and also run the GMER program once more. Also, please describe how your computer is running now and if there are any outstanding issues. The items found by Kaspersky are in old restore points or already in quarantine, or not a concern, which we will be cleaning up shortly.

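CatByte's reading of the Kaspersky report above rests on where each flagged file lives: ComboFix's C:\Qoobox\Quarantine folder, an old System Restore point, or a "not-a-virus" adware entry that is a clean-up item rather than an active infection. As an added example (not part of the thread and not Kaspersky's code), a Python script that applies that same sorting to report lines; the sample is constructed in the report's shape, with one placeholder line so the "live" bucket is exercised too:

```python
"""Sort Kaspersky Online Scanner findings by where each file lives, so a
helper can separate live infections from leftovers in ComboFix's quarantine
folder or in old System Restore points.  Added example, not Kaspersky's code
or anything posted in the thread."""
import re

# Constructed sample in the shape of the report above; the PLACEHOLDER line is
# made up so that the "live" category is exercised.
SAMPLE_REPORT = r"""
File name / Threat / Threats count
C:\Program Files\Online Services\AOL90US\comps\toolbar\toolbr.EXE Infected: not-a-virus:AdWare.Win32.SearchIt.t 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\gasfkyhimpmhjy.dll.vir Infected: Packed.Win32.TDSS.z 1
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP242\A0022697.dll Infected: Packed.Win32.TDSS.z 1
D:\I386\Apps\APP07885\src\HPSummer2005.exe Infected: not-a-virus:AdWare.Win32.MyWay.j 1
C:\PLACEHOLDER\sample.exe Infected: Example.Threat.PLACEHOLDER 1
Selected area has been scanned.
"""

# "<path> Infected: <threat name> <count>"; the path may contain spaces
FINDING_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$")


def classify(path, threat):
    """Return the triage bucket for one finding."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantine"     # already neutralised by ComboFix; goes when Qoobox is removed
    if "\\system volume information\\_restore" in p:
        return "restore_point"  # inert unless that restore point is used; flushed with old points
    if threat.lower().startswith("not-a-virus:"):
        return "unwanted"       # adware/toolbar: a clean-up item, not an active infection
    return "live"               # on disk outside quarantine: needs action


def triage_report(text):
    """Group every 'Infected:' line of a report into triage buckets."""
    buckets = {"live": [], "unwanted": [], "quarantine": [], "restore_point": []}
    for line in text.splitlines():
        m = FINDING_RE.match(line.strip())
        if m:
            bucket = classify(m["path"], m["threat"])
            buckets[bucket].append((m["path"], m["threat"], int(m["count"])))
    return buckets


def summary(buckets):
    """Counts per bucket, plus whether anything outside quarantine still needs attention."""
    counts = {name: len(items) for name, items in buckets.items()}
    counts["needs_action"] = counts["live"] > 0
    return counts


if __name__ == "__main__":
    b = triage_report(SAMPLE_REPORT)
    for name, items in b.items():
        print(f"{name}: {len(items)}")
        for path, threat, _ in items:
            print(f"    {threat:45} {path}")
    print(summary(b))
```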
