[Resolved] Backdoor trojan detected plz Help


This topic is locked
15 replies to this topic

#1 lisafunkypants (Authentic Member, 206 posts)

Posted 21 October 2009 - 03:54 PM

I recently did a scan with iobit and it found Backdoor Trojan.
Symantec says this collects info, takes screen shots and records key strokes. I have been on my bank account, phone account, e-mails etc.
iobit said it had deleted it but I don't trust a free scan to completely remove a trojan.
I also had a problem some time back with something called Zwangi. It all seemed like it had been taken off my comp until one day, when looking through the blocked/allowed list on Norton, there it was, happily being allowed. Is it still deep in my system? I've blocked it anyway.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:50:37, on 21/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wdfmgr.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\Apps\Powercinema\PCMService.exe
C:\apps\ABoard\ABoard.exe
C:\apps\ABoard\AOSD.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\IObit\IObit Security 360\IS360tray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe
C:\WINDOWS\STK02N\STK02NM.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee Security Scan\1.0.150\McUICnt.exe
C:\Program Files\IObit\IObit Security 360\is360.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\livemessenger.com
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kibagames...derman_Dress_Up
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe
O4 - HKLM\..\Run: [EmailChecker] C:\APPS\EmailChecker\ech.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKLM\..\Run: [IObit Security 360] C:\Program Files\IObit\IObit Security 360\IS360tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
O4 - HKLM\..\Run: [Corel File Shell Monitor] C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'SYSTEM')
O4 - S-1-5-18 Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'Default user')
O4 - .DEFAULT Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: McAfee Security Scan.lnk = ?
O4 - Global Startup: STK02N 2.3 PNP Monitor.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.3.7.16.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.co...sreqlab_nvd.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.ad...Plus/1.6/gp.cab
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 13930 bytes



#2 SweetTech (MalwareTeam Emeritus, 3,368 posts)

Posted 21 October 2009 - 08:52 PM

Hello lisafunkypants! Welcome to WhatTheTech.

Please be advised, as I am still in training, all my replies to you will be checked for accuracy by one of our experts to ensure that I am giving you the best possible advice.
This may cause a delay, but I will do my best to keep it as short as possible.

I am checking over your log; I will post back shortly with instructions.

Proud Graduate of the WTT Classroom


#3 SweetTech (MalwareTeam Emeritus, 3,368 posts)

Posted 22 October 2009 - 09:07 AM

My name is SweetTech. I would be glad to take a look at your log and help you with solving any malware problems. The logs from our tools can take a while to research, so please be patient and I'd be grateful if you would note the following:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
Please do not delete anything unless instructed to.

____________________________________________________
STEP 1.
One or more of the identified infections is a backdoor trojan and password stealer.

This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institutions to apprise them of your situation.


I highly suggest you take a look at the two links provided below:
1. How Do I Handle Possible Identity Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?
____________________________________________________
STEP 2.
Please download DDS by sUBs from one of the following links and save it to your desktop.
  • Disable any script blocking protection (How to Disable your Security Programs)
  • Double click DDS icon to run the tool (may take up to 3 minutes to run)
  • When done, DDS.txt will open.
  • After a few moments, attach.txt will open in a second window.
  • Save both reports to your desktop.
---------------------------------------------------
  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.
____________________________________________________
STEP 3.
Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.
____________________________________________________

Please make sure you include the following items in your next post:
1. The logs that were produced after running DDS.
2. The log that was produced after running GMER.
3. An update on how your computer is currently running.

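The caution above about GMER false positives, illustrated with an added example that is not code from this thread or from GMER itself: it parses the two entry forms GMER prints that appear in this thread (SSDT hooks and "User code sections" inline hooks), looks up the module each user-mode hook jumps into against a small allowlist of known legitimate hookers, and leaves everything else as a review item rather than a verdict. The allowlist contents and the final unknown-module sample line are assumptions constructed for the example; the other sample lines are copied from the GMER output posted later in this thread.

```python
"""Triage helper for GMER rootkit-scan output (added example, not GMER's code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Kernel-mode SSDT entry, e.g. "SSDT 86517A40 ZwConnectPort".
SSDT_RE = re.compile(r"^SSDT\s+(?P<addr>[0-9A-Fa-f]+)\s+(?P<func>\w+)\s*$")

# User-mode inline hook of the JMP form, e.g.
# ".text C:\...\msnmsgr.exe[1256] kernel32.dll!LoadResource 7C80A055 7 Bytes JMP 28001E20 C:\...\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)"
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[\w.\-]+)!(?P<api>\w+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes\s+"
    r"JMP\s+(?P<target>[0-9A-Fa-f]+)\s+(?P<target_path>.+?)"
    r"(?:\s+\((?P<vendor>[^)]*)\))?\s*$"
)

# Allowlist of modules known to hook APIs legitimately.  Assumption made for
# this example; an analyst would maintain it from vendor documentation.
KNOWN_HOOKERS: Dict[str, str] = {
    "msgpluslive.dll": "Messenger Plus! Live add-on",
}


@dataclass
class Finding:
    kind: str                     # "ssdt", "inline" or "unparsed"
    where: str                    # hooked function, e.g. "kernel32.dll!LoadResource"
    process: Optional[str]        # process the hook lives in (inline hooks only)
    target_module: Optional[str]  # lower-cased file name the hook jumps into
    verdict: str                  # "known-benign", "review" or "unparsed"
    note: str


def parse_line(line: str) -> Optional[Finding]:
    """Classify one GMER log line; returns None for headers and blank lines."""
    line = line.strip()
    m = SSDT_RE.match(line)
    if m:
        # GMER shows no owning driver on these entries, and security suites
        # commonly hook the SSDT, so on their own they are only a review item.
        return Finding("ssdt", m["func"], None, None, "review",
                       "SSDT hook with no attributed driver; do not act unless advised")
    m = HOOK_RE.match(line)
    if m:
        module_file = m["target_path"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        where = f"{m['module']}!{m['api']}"
        if module_file in KNOWN_HOOKERS:
            return Finding("inline", where, m["process"], module_file, "known-benign",
                           f"hook by {KNOWN_HOOKERS[module_file]}; expected, likely false positive")
        return Finding("inline", where, m["process"], module_file, "review",
                       f"hook into {module_file} (vendor: {m['vendor'] or 'none shown'})")
    if line.startswith((".text", "SSDT")):
        # Other GMER entry forms (e.g. byte-patch listings) are not handled here.
        return Finding("unparsed", line, None, None, "unparsed", "entry form not handled")
    return None


def triage(text: str) -> List[Finding]:
    """Run parse_line over a whole GMER log and keep only real entries."""
    return [f for f in (parse_line(l) for l in text.splitlines()) if f is not None]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per verdict so the reviewer sees what still needs a look."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.verdict] = counts.get(f.verdict, 0) + 1
    return counts


# Sample input: the first lines are copied from the GMER log in this thread;
# the last .text line is constructed for the example (placeholder module name).
SAMPLE_GMER = r"""
---- System - GMER 1.0.15 ----

SSDT 86517A40 ZwConnectPort
SSDT 8647F2F0 ZwOpenProcess
SSDT 8654C100 ZwOpenThread

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1256] kernel32.dll!LoadResource 7C80A055 7 Bytes JMP 28001E20 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1256] kernel32.dll!FindResourceExW 7C80AD28 7 Bytes JMP 28001C60 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\WINDOWS\Explorer.EXE[1480] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10001000 C:\WINDOWS\system32\UNKNOWN_SAMPLE.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_GMER):
        print(f"{f.verdict:13} {f.kind:8} {f.where:32} {f.note}")
    print(summarize(triage(SAMPLE_GMER)))
```

Only the last line ends up in the "review" bucket with a module name; the three SSDT entries land there too because GMER attributed them to no driver, which is exactly the case the caution above says to leave alone until a helper has looked.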


#4 lisafunkypants (Authentic Member, 206 posts)

Posted 22 October 2009 - 02:52 PM

Thanks for the reply:
DDS (Ver_09-10-13.01) - NTFSx86
Run by bailey at 21:23:29.03 on 22/10/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.239 [GMT 1:00]

AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\Apps\Powercinema\PCMService.exe
C:\apps\ABoard\ABoard.exe
C:\apps\ABoard\AOSD.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\IObit\IObit Security 360\IS360tray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\STK02N\STK02NM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\IObit\IObit Security 360\is360.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Documents and Settings\bailey.048919120306\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.kibagames.com/Game/Boys/Spiderman_Dress_Up
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CNisExtBho Class: {9ecb9560-04f9-4bbc-943d-298ddf1699e1} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
BHO: WOT Helper: {c920e44a-7f78-4e64-bdd7-a57026e7feb7} - c:\program files\wot\WOT.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Internet Security: {0b53eac3-8d69-4b9e-9b19-a37c9a5676a7} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
TB: WOT: {71576546-354d-41c9-aae8-31f2ec22bf0d} - c:\program files\wot\WOT.dll
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Ulead AutoDetector v2] c:\program files\common files\ulead systems\autodetector\monitor.exe
mRun: [PCMService] "c:\apps\powercinema\PCMService.exe"
mRun: [ACTIVBOARD] c:\apps\aboard\ABoard.exe
mRun: [EmailChecker] c:\apps\emailchecker\ech.exe
mRun: [Symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe /Consumer
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
mRun: [IObit Security 360] c:\program files\iobit\iobit security 360\IS360tray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: d:\docume~1\bailey~1.048\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: d:\docume~1\bailey~1.048\startm~1\programs\startup\spywar~1.lnk - c:\program files\spywareguard\sgmain.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\stk02n~1.lnk - c:\windows\stk02n\STK02NM.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {53F6FCCD-9E22-4d71-86EA-6E43136192AB}
IE: {925DAB62-F9AC-4221-806A-057BFB1014AA}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - c:\program files\wot\WOT.dll
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll

================= FIREFOX ===================

FF - ProfilePath - d:\docume~1\bailey~1.048\applic~1\mozilla\firefox\profiles\tvsl80k7.default\
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: d:\documents and settings\bailey.048919120306\application data\mozilla\firefox\profiles\tvsl80k7.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-8-20 54752]
R2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2009-10-17 309008]
S3 DCamUSBSTK02N;Standard Camera;c:\windows\system32\drivers\STK02NW2.sys [2009-8-27 101520]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 getPlusHelper;getPlus® Helper;c:\windows\system32\svchost.exe -k getPlusHelper [2004-8-10 14336]

=============== Created Last 30 ================

2009-10-22 21:14 <DIR> --d-h--- c:\windows\PIF
2009-10-20 19:49 <DIR> --d----- c:\program files\iPod
2009-10-20 19:48 <DIR> --d----- c:\program files\iTunes
2009-10-17 17:17 <DIR> --d----- c:\program files\common files\Macrovision Shared
2009-10-17 16:08 2,516 a--sh--- d:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2009-10-17 16:08 88 ---shr-- d:\docume~1\alluse~1\applic~1\E5EC4FC83E.sys
2009-10-17 16:03 <DIR> --d----- d:\docume~1\alluse~1\applic~1\Corel
2009-10-17 16:01 <DIR> --d----- c:\program files\Corel
2009-10-17 15:55 <DIR> --d----- d:\docume~1\bailey~1.048\applic~1\Malwarebytes
2009-10-17 10:51 1,497,088 ----h--- c:\windows\system32\wodfamop.dll
2009-10-10 16:18 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-10-07 19:35 <DIR> --d----- d:\docume~1\bailey~1.048\applic~1\OD2
2009-10-06 10:56 0 a------- c:\windows\angelinaballerina.ini
2009-10-06 10:54 <DIR> --d----- c:\program files\GSP
2009-09-30 09:45 <DIR> --d----- d:\docume~1\bailey~1.048\applic~1\CometNetwork
2009-09-27 16:27 7,552 a------- c:\windows\system32\drivers\SONYPVU1.SYS
2009-09-27 16:27 7,552 a------- c:\windows\system32\dllcache\sonypvu1.sys
2009-09-27 15:47 <DIR> --d----- c:\program files\FrostWire
2009-09-27 14:02 <DIR> --d----- c:\program files\CometBird
2009-09-27 14:00 <DIR> --d----- C:\Downloads
2009-09-27 13:59 <DIR> --d----- c:\program files\BitComet
2009-09-27 13:12 <DIR> --d----- c:\program files\DVDVideoSoft
2009-09-27 13:12 <DIR> --d----- c:\program files\common files\DVDVideoSoft
2009-09-27 13:05 59,576 a---h--- c:\windows\system32\mlfcache.dat
2009-09-25 20:51 4,096 a------- c:\windows\d3dx.dat

==================== Find3M ====================

2009-09-11 15:18 136,192 a------- c:\windows\system32\msv1_0.dll
2009-09-11 15:18 136,192 -------- c:\windows\system32\dllcache\msv1_0.dll
2009-09-06 19:21 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-09-04 22:03 58,880 a------- c:\windows\system32\msasn1.dll
2009-09-04 22:03 58,880 -------- c:\windows\system32\dllcache\msasn1.dll
2009-08-28 19:42 2,065,696 a------- c:\windows\system32\usbaaplrc.dll
2009-08-28 19:42 40,448 a------- c:\windows\system32\drivers\usbaapl.sys
2009-08-28 11:28 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-28 11:28 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-08-27 06:18 634,648 -------- c:\windows\system32\dllcache\iexplore.exe
2009-08-27 06:18 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2009-08-26 09:00 247,326 a------- c:\windows\system32\strmdll.dll
2009-08-26 09:00 247,326 -------- c:\windows\system32\dllcache\strmdll.dll
2009-08-19 17:53 73,728 a------- c:\windows\ALCFDRTM.EXE
2009-08-19 10:24 503,808 a------- c:\windows\Tranquil - Waterfalls.scr
2009-08-19 10:23 606,848 a------- c:\windows\flashax.exe
2009-08-19 10:23 12,288 a------- c:\windows\impborl.dll
2009-08-18 20:34 411,368 a------- c:\windows\system32\deploytk.dll
2009-08-13 16:16 512,000 -------- c:\windows\system32\dllcache\jscript.dll
2009-08-05 10:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 10:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 20:44 2,189,184 -------- c:\windows\system32\ntoskrnl.exe
2009-08-04 20:44 2,189,184 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-08-04 16:13 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-08-04 15:20 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-08-04 15:20 2,066,048 -------- c:\windows\system32\ntkrnlpa.exe
2009-08-04 15:20 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-07-29 05:37 119,808 a------- c:\windows\system32\t2embed.dll
2009-07-29 05:37 81,920 a------- c:\windows\system32\fontsub.dll
2009-07-29 05:37 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-07-29 05:37 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-07-26 16:44 48,448 a------- c:\windows\system32\sirenacm.dll

============= FINISH: 21:23:42.09 ===============


GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-10-22 21:46:54
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: D:\DOCUME~1\BAILEY~1.048\LOCALS~1\Temp\pxdyrkod.sys


---- System - GMER 1.0.15 ----

SSDT 86517A40 ZwConnectPort
SSDT 8647F2F0 ZwOpenProcess
SSDT 8654C100 ZwOpenThread

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1256] kernel32.dll!LoadResource 7C80A055 7 Bytes JMP 28001E20 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1256] kernel32.dll!FindResourceExW 7C80AD28 7 Bytes JMP 28001C60 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1256] kernel32.dll!FindResourceW 7C80BC6E 7 Bytes JMP 28001BE0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1256] kernel32.dll!SizeofResource 7C80BD09 7 Bytes JMP 28001EE0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1256] kernel32.dll!FindResourceA 7C80BF29 7 Bytes JMP 28001CF0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1256] kernel32.dll!LockResource 7C80CD37 5 Bytes JMP 28001F50 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1256] kernel32.dll!CreateEventA 7C8308B5 5 Bytes JMP 28001840 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1256] kernel32.dll!FindResourceExA 7C835FA8 7 Bytes JMP 28001D80 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1256] ADVAPI32.dll!CryptDeriveKey 77DE9FFD 7 Bytes JMP 28001000 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1256] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 28001060 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1256] USER32.dll!GetWindowLongW 7E4188A6 7 Bytes JMP 28006B00 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1256] USER32.dll!PeekMessageW 7E41929B 5 Bytes JMP 280046C0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1256] USER32.dll!SetWindowPlacement 7E41DE46 5 Bytes JMP 28005EA0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1256] USER32.dll!CreateDialogParamW 7E41EA3B 5 Bytes JMP 28006120 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1256] USER32.dll!LoadImageW 7E427B97 5 Bytes JMP 28006770 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1256] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 28003CF0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1256] USER32.dll!SetWindowRgn 7E42E528 7 Bytes JMP 28005FE0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1256] USER32.dll!LoadIconW 7E42E8BC 5 Bytes JMP 28006960 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1256] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 28006310 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1256] USER32.dll!TrackPopupMenuEx 7E46CF62 5 Bytes JMP 28004FA0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1256] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2800BB90 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1256] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2800B770 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1256] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2800B550 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1256] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2800B3B0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1256] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2800B950 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1256] SHELL32.dll!Shell_NotifyIconW 7CA2A5BF 5 Bytes JMP 28003440 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1256] ole32.dll!CoInitializeEx 774FEF7B 5 Bytes JMP 28002260 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1256] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 28002600 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1256] ole32.dll!CoRegisterClassObject 77517E90 5 Bytes JMP 28002360 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1256] WININET.dll!InternetCloseHandle 3D944261 5 Bytes JMP 2800A560 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1256] WININET.dll!HttpOpenRequestA 3D94AA7B 5 Bytes JMP 2800A220 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1256] WININET.dll!InternetReadFile 3D9513D4 5 Bytes JMP 2800A3B0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1256] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 2800A490 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\WINDOWS\Explorer.EXE[3172] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 02230001
.text C:\WINDOWS\Explorer.EXE[3172] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\Explorer.EXE[3172] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\Explorer.EXE[3172] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\Explorer.EXE[3172] ADVAPI32.dll!CreateProcessWithLogonW 77E15FFD 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[3172] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E16001 2 Bytes [05, 5F]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

---- EOF - GMER 1.0.15 ----




Hi, the comp's a bit slow, but I am trying not to use it too much, to be honest, not until all my security is checked and I've changed my passwords. My account is totally unusable and my daughter's has no desktop picture now, like mine; we use my son's account, which is still OK.

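The GMER "User code sections" above list, per process, each inline hook GMER found and, where it could, the module the jump target belongs to. The following triage helper is an added example, not part of this thread or of GMER: it parses lines in exactly that format, groups hooks per process by the attributed module, and lists the unattributed ones (sensitive process-creation, network and crypto APIs first) so a reviewer knows which entries to identify the owner of before anything else. The `SENSITIVE_APIS` set is my own choice, and the sample lines are copied from the log above; an unattributed hook only means GMER could not name the owner, and security suites place the same kind of hooks.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Regex for one line of GMER's "User code sections" output, in the shape seen
# in the log above: ".text <process>[<pid>] <module>!<func>[ + <off>] <addr>
# <n> Bytes <JMP xxxxxxxx|CALL xxxxxxxx|[bytes]> [<target module> (<description>)]"
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<func>\S+?)(?:\s\+\s(?P<offset>[0-9A-F]+))?\s+"
    r"(?P<addr>[0-9A-F]{8})\s+(?P<nbytes>\d+)\s+Bytes\s+"
    r"(?P<patch>JMP\s+[0-9A-F]{8}|CALL\s+[0-9A-F]{8}|\[[^\]]*\])"
    r"(?:\s+(?P<target>.+?)\s+\((?P<desc>[^)]*)\))?\s*$"
)

# Assumed list of APIs on process-creation, network and crypto paths that
# spyware and keyloggers commonly intercept; hooks on these are looked at first.
SENSITIVE_APIS = {
    "CreateProcessW", "CreateProcessA", "CreateProcessAsUserW",
    "CreateProcessWithLogonW", "send", "recv", "WSASend", "WSARecv",
    "CryptDecrypt", "CryptDeriveKey", "InternetReadFile", "HttpSendRequestA",
}


@dataclass
class Hook:
    process: str           # full path of the hooked process
    pid: int
    api: str               # e.g. "kernel32.dll!CreateProcessW"
    offset: int            # byte offset into the function (0 = entry point)
    addr: int              # address GMER found patched
    patch: str             # what sits there: "JMP 5F0D0F5A", "[FF, 25, 1E]", ...
    target: Optional[str]  # module GMER attributed the hook to, None if unknown
    desc: Optional[str]    # GMER's "(product/vendor)" text for that module

    @property
    def sensitive(self) -> bool:
        return self.api.split("!", 1)[1] in SENSITIVE_APIS


def parse_hook(line: str) -> Optional[Hook]:
    """Parse one log line; return None for lines that are not hook entries."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    return Hook(
        process=m["process"],
        pid=int(m["pid"]),
        api=f"{m['module']}!{m['func']}",
        offset=int(m["offset"], 16) if m["offset"] else 0,
        addr=int(m["addr"], 16),
        patch=" ".join(m["patch"].split()),
        target=m["target"],
        desc=m["desc"],
    )


def parse_hooks(log: str) -> List[Hook]:
    return [h for h in (parse_hook(l) for l in log.splitlines()) if h]


def triage(hooks: List[Hook]) -> Dict[str, Dict[str, List[str]]]:
    """Group hooks per process by the module GMER attributed them to.

    Hooks with no attribution land under "<unattributed>": GMER could not tie
    the jump target to a loaded module, so the reviewer has to find the owner
    (a security suite, an add-on or an injected DLL) before deciding anything.
    """
    report: Dict[str, Dict[str, List[str]]] = {}
    for h in hooks:
        proc = f"{h.process}[{h.pid}]"
        owner = f"{h.target} ({h.desc})" if h.target else "<unattributed>"
        report.setdefault(proc, {}).setdefault(owner, []).append(h.api)
    return report


def review_first(hooks: List[Hook]) -> List[str]:
    """Unattributed hooks, sensitive APIs first, as 'process[pid] api patch'."""
    unattributed = [h for h in hooks if h.target is None]
    unattributed.sort(key=lambda h: (not h.sensitive, h.process, h.api))
    return [f"{h.process}[{h.pid}] {h.api} {h.patch}" for h in unattributed]


# Sample lines copied from the GMER log above (a subset of its entries).
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1256] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 28001060 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1256] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2800B770 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\WINDOWS\Explorer.EXE[3172] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 02230001
.text C:\WINDOWS\Explorer.EXE[3172] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\Explorer.EXE[3172] ADVAPI32.dll!CreateProcessWithLogonW 77E15FFD 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[3172] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E16001 2 Bytes [05, 5F]
"""

if __name__ == "__main__":
    hooks = parse_hooks(SAMPLE_LOG)
    for proc, owners in triage(hooks).items():
        print(proc)
        for owner, apis in owners.items():
            print(f"  {owner}: {', '.join(apis)}")
    print("review first:", *review_first(hooks), sep="\n  ")
```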



#5 SweetTech

    MalwareTeam Emeritus

Posted 22 October 2009 - 10:25 PM

STEP 1.
While reviewing your logs I noticed that you currently have Peer to Peer program(s) installed on your computer.

You currently have the following P2P programs installed:
  • LimeWire 5.2.13
  • FrostWire 4.18.3
Most of the infections that we see today are through P2P file sharing. By uninstalling the programs that I mentioned above you will be doing yourself a favor. It's impossible to trust the source of what is being downloaded from them and a file may or may not be what it appears to be.

Should you decide to keep these programs installed on your computer PLEASE do not use these programs while we are getting your P.C. cleaned up.

How to Uninstall the P2P Programs:

For Windows XP Users
  • Click Start
  • Go to Control Panel
  • Go to Add/Remove Programs
  • Find and click Remove for the following (if present):
    FrostWire 4.18.3
    LimeWire 5.2.13
PLEASE NOTE: When you're uninstalling the P2P program(s), some questions are worded in various ways to try to deceive you and keep you from uninstalling their program.
____________________________________________________
STEP 2.
Download CKScanner from <<here>>
Important - Save it to your desktop.
Double-Click CKScanner.exe and click Search For Files.
After a very short time, when the cursor hourglass disappears, click Save List To File.
A message box will verify the file saved.
Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
____________________________________________________
STEP 3.

We need to remove a program. To do this please do the following:
For Windows XP Users
  • Click Start
  • Go to Control Panel
  • Go to Add/Remove Programs
  • Find and click Remove for the following (if present):
    Zwangi 1.0 build 110
___________________________________________________
STEP 4.
Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the ComboFix log in your next reply and describe how your computer is running now.

____________________________________________________
Please make sure you include the following items in your next post:
1. The log that was produced after running CKScanner.
2. Let me know if you were successful in removing: Zwangi 1.0 build 110
3. The log that was produced after running ComboFix.
4. How is your computer currently running?



#6 lisafunkypants

    Authentic Member

Posted 23 October 2009 - 05:02 AM

1: CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.RP.11
----- EOF -----

2: Zwangi isn't showing on Add/Remove to delete it

3: ComboFix 09-10-22.01 - bailey 23/10/2009 11:44.4.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.208 [GMT 1:00]
Running from: d:\documents and settings\bailey.048919120306\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((( Files Created from 2009-09-23 to 2009-10-23 )))))))))))))))))))))))))))))))
.

2009-10-22 20:14 . 2009-10-22 20:14 -------- d--h--w- c:\windows\PIF
2009-10-20 18:49 . 2009-10-20 18:49 -------- d-----w- c:\program files\iPod
2009-10-20 18:48 . 2009-10-20 18:50 -------- d-----w- c:\program files\iTunes
2009-10-17 16:23 . 2009-10-17 16:23 -------- d-----w- c:\program files\Adobe Media Player
2009-10-17 16:21 . 2009-10-17 16:21 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-10-17 16:17 . 2009-10-17 16:17 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-10-17 15:22 . 2009-10-17 15:36 -------- d-----w- d:\documents and settings\bailey.048919120306\Application Data\Download Manager
2009-10-17 15:11 . 2009-10-17 15:39 -------- d-----w- d:\documents and settings\bailey.048919120306\Local Settings\Application Data\Corel
2009-10-17 15:03 . 2009-10-22 00:33 -------- d-----w- d:\documents and settings\All Users\Application Data\Corel
2009-10-17 15:01 . 2009-10-22 00:33 -------- d-----w- c:\program files\Corel
2009-10-17 15:01 . 2009-10-17 15:01 -------- d-----w- d:\documents and settings\bailey.048919120306\Application Data\InstallShield
2009-10-17 14:55 . 2009-10-17 14:55 -------- d-----w- d:\documents and settings\bailey.048919120306\Application Data\Malwarebytes
2009-10-17 09:51 . 2009-10-17 11:32 1497088 ---h--w- c:\windows\system32\wodfamop.dll
2009-10-15 17:57 . 2009-10-15 17:57 -------- d-----w- d:\documents and settings\NetworkService.NT AUTHORITY.016\Local Settings\Application Data\Apple
2009-10-10 15:45 . 2009-10-10 15:45 -------- d-----w- c:\program files\NOS
2009-10-10 15:18 . 2009-10-10 15:18 -------- d-----w- c:\windows\system32\wbem\Repository
2009-10-10 14:07 . 2009-10-11 19:26 -------- d-----w- d:\documents and settings\All Users\Application Data\NOS
2009-10-07 18:35 . 2009-10-07 18:35 -------- d-----w- d:\documents and settings\bailey.048919120306\Application Data\OD2
2009-10-06 09:54 . 2009-10-06 09:54 -------- d-----w- c:\program files\GSP
2009-09-30 08:45 . 2009-09-30 08:45 -------- d-----w- d:\documents and settings\bailey.048919120306\Local Settings\Application Data\CometNetwork
2009-09-30 08:45 . 2009-09-30 08:45 -------- d-----w- d:\documents and settings\bailey.048919120306\Application Data\CometNetwork
2009-09-29 09:49 . 2009-09-29 09:49 -------- d-----w- d:\documents and settings\leah.048919120306.000\Application Data\AdobeUM
2009-09-27 15:27 . 2001-08-17 12:56 7552 ----a-w- c:\windows\system32\drivers\SONYPVU1.SYS
2009-09-27 15:27 . 2001-08-17 12:56 7552 ----a-w- c:\windows\system32\dllcache\sonypvu1.sys
2009-09-27 14:48 . 2009-09-27 14:52 -------- d-----w- d:\documents and settings\leah.048919120306.000\Application Data\FrostWire
2009-09-27 13:02 . 2009-09-27 13:02 -------- d-----w- d:\documents and settings\leah.048919120306.000\Local Settings\Application Data\CometNetwork
2009-09-27 13:02 . 2009-09-27 13:02 -------- d-----w- d:\documents and settings\leah.048919120306.000\Application Data\CometNetwork
2009-09-27 13:02 . 2009-10-22 00:31 -------- d-----w- c:\program files\CometBird
2009-09-27 13:00 . 2009-09-27 13:00 -------- d-----w- C:\Downloads
2009-09-27 12:59 . 2009-10-22 00:30 -------- d-----w- c:\program files\BitComet
2009-09-27 12:12 . 2009-09-27 12:12 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2009-09-27 12:12 . 2009-09-27 12:12 -------- d-----w- c:\program files\DVDVideoSoft
2009-09-27 12:05 . 2009-09-27 12:05 59576 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-25 19:51 . 2009-09-25 19:51 4096 ----a-w- c:\windows\d3dx.dat
2009-09-25 17:43 . 2009-09-25 17:43 -------- d-----w- d:\documents and settings\bailey.048919120306\Application Data\PlayFirst

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-23 10:43 . 2009-08-19 02:40 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-10-22 00:37 . 2009-08-29 14:49 -------- d-----w- c:\program files\SpywareGuard
2009-10-22 00:36 . 2009-09-18 13:07 -------- d-----w- c:\program files\Shockwave.com
2009-10-22 00:35 . 2009-09-19 14:43 -------- d-----w- c:\program files\McAfee Security Scan
2009-10-21 17:41 . 2009-09-15 20:59 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-20 21:59 . 2009-08-21 01:03 -------- d-----w- d:\documents and settings\leah.048919120306.000\Application Data\Apple Computer
2009-10-20 18:49 . 2009-08-21 01:00 -------- d-----w- c:\program files\Common Files\Apple
2009-10-17 22:05 . 2009-08-20 21:04 71528 ----a-w- d:\documents and settings\leah.048919120306.000\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-17 16:41 . 2009-08-19 08:06 71528 ----a-w- d:\documents and settings\bailey.048919120306\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-17 16:25 . 2009-08-19 02:40 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-17 15:10 . 2009-10-17 15:08 88 --sh--r- d:\documents and settings\All Users\Application Data\E5EC4FC83E.sys
2009-10-17 15:10 . 2009-10-17 15:08 2516 --sha-w- d:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-10-15 16:03 . 2009-08-19 02:40 -------- d-----w- c:\program files\Norton Internet Security
2009-10-07 18:35 . 2009-08-30 19:24 -------- d-----w- d:\documents and settings\bailey.048919120306\Application Data\Apple Computer
2009-10-07 14:56 . 2009-10-03 23:23 180 ----a-w- d:\documents and settings\leah.048919120306.000\Application Data\wklnhst.dat
2009-10-06 09:54 . 2009-08-19 02:40 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-03 16:41 . 2008-08-07 17:38 -------- d---a-w- d:\documents and settings\All Users\Application Data\TEMP
2009-09-27 12:42 . 2009-08-20 22:58 -------- d-----w- d:\documents and settings\leah.048919120306.000\Application Data\LimeWire
2009-09-25 17:43 . 2008-08-06 12:24 -------- d-----w- d:\documents and settings\All Users\Application Data\PlayFirst
2009-09-20 19:34 . 2009-09-20 19:34 -------- d-----w- c:\program files\Google
2009-09-20 12:05 . 2009-09-20 12:04 -------- d-----w- d:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-20 12:03 . 2009-09-20 12:02 -------- d-----w- c:\program files\QuickTime
2009-09-20 00:11 . 2009-09-20 00:11 -------- d-----w- d:\documents and settings\All Users\Application Data\McAfee
2009-09-19 14:43 . 2009-09-19 14:43 -------- d-----w- d:\documents and settings\All Users\Application Data\McAfee Security Scan
2009-09-18 14:10 . 2009-09-18 14:10 -------- d-----w- d:\documents and settings\All Users\Application Data\GameHouse
2009-09-16 23:33 . 2009-09-16 23:33 -------- d-----w- d:\documents and settings\bailey.048919120306\Application Data\AdobeUM
2009-09-11 14:18 . 2004-08-10 15:38 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 10:32 . 2009-09-11 10:32 -------- d-----w- d:\documents and settings\leah.048919120306.000\Application Data\IObit
2009-09-10 02:08 . 2009-08-20 21:20 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-04 21:03 . 2004-08-10 15:37 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-30 18:01 . 2009-08-19 10:07 -------- d-----w- c:\program files\SpywareBlaster
2009-08-29 20:32 . 2009-08-29 20:32 -------- d-----w- c:\program files\ERUNT
2009-08-29 19:57 . 2009-08-29 19:57 -------- d-----w- c:\program files\WOT
2009-08-29 07:36 . 2004-08-10 15:38 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-10 15:37 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2004-08-10 15:37 17408 ------w- c:\windows\system32\corpol.dll
2009-08-28 20:24 . 2009-08-19 02:40 -------- d-----w- c:\program files\Java
2009-08-28 18:42 . 2009-09-20 12:00 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-28 18:42 . 2009-09-20 12:00 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-28 13:57 . 2009-08-28 13:35 -------- d-----w- d:\documents and settings\bailey.048919120306\Application Data\LimeWire
2009-08-27 18:44 . 2009-08-27 18:44 -------- d-----w- d:\documents and settings\leah.048919120306.000\Application Data\ArcSoft
2009-08-27 18:40 . 2009-08-27 18:40 -------- d-----w- c:\program files\Common Files\ArcSoft
2009-08-27 18:40 . 2009-08-27 18:40 -------- d-----w- c:\program files\ArcSoft
2009-08-27 18:37 . 2009-08-27 18:37 -------- d-----w- d:\documents and settings\leah.048919120306.000\Application Data\InstallShield
2009-08-27 18:23 . 2009-08-27 18:23 -------- d-----w- c:\program files\Common Files\PCCamera
2009-08-27 18:23 . 2009-08-27 18:23 -------- d-----w- c:\program files\ORITE
2009-08-27 18:22 . 2009-08-19 02:40 -------- d-----w- c:\program files\Common Files\InstallShield
2009-08-27 18:03 . 2009-08-27 18:03 -------- d-----w- d:\documents and settings\leah.048919120306.000\Application Data\Blitware
2009-08-27 10:38 . 2009-08-27 10:38 -------- d-----w- d:\documents and settings\bailey.048919120306\Application Data\IObit
2009-08-26 10:27 . 2009-08-26 10:27 -------- d-----w- c:\program files\ESET
2009-08-26 08:00 . 2004-08-10 15:38 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-25 22:59 . 2009-08-25 22:59 -------- d-----w- d:\documents and settings\leah.048919120306.000\Application Data\Ulead Systems
2009-08-19 16:53 . 2009-08-19 16:53 73728 ----a-w- c:\windows\ALCFDRTM.EXE
2009-08-19 09:24 . 2009-08-19 09:24 503808 ----a-w- c:\windows\Tranquil - Waterfalls.scr
2009-08-19 09:23 . 2009-08-19 09:23 606848 ----a-w- c:\windows\flashax.exe
2009-08-19 09:23 . 2009-08-19 09:23 12288 ----a-w- c:\windows\impborl.dll
2009-08-18 19:34 . 2009-08-18 19:34 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-18 10:14 . 2009-08-18 10:14 0 ----a-w- d:\documents and settings\Lisa's Internett x\Application Data\wklnhst.dat
2009-08-11 19:31 . 2009-04-28 13:05 111472 ----a-w- d:\documents and settings\Lisa's Internett x\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-09 17:34 . 2008-02-09 16:15 111472 -c--a-w- d:\documents and settings\Renshai Warrior.048919120306.001\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 21:48 . 2009-08-20 21:19 54752 ----a-w- c:\windows\system32\drivers\fssfltr_tdi.sys
2009-08-05 09:01 . 2004-08-10 15:38 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 19:44 . 2004-08-10 15:38 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-03 21:59 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-08-03 12:36 . 2009-08-19 10:09 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 12:36 . 2009-08-19 10:09 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-29 04:37 . 2004-08-10 15:38 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-29 04:37 . 2004-08-10 15:37 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-26 15:44 . 2009-07-26 15:44 48448 ----a-w- c:\windows\system32\sirenacm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-01-17 58728]
"Ulead AutoDetector v2"="c:\program files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2004-11-26 90112]
"PCMService"="c:\apps\Powercinema\PCMService.exe" [2005-05-11 127118]
"ACTIVBOARD"="c:\apps\ABoard\ABoard.exe" [2003-05-02 24576]
"EmailChecker"="c:\apps\EmailChecker\ech.exe" [2003-07-02 40960]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2009-08-18 100056]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-07-08 1657376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-14 13877248]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-07-14 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-18 149280]
"IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2009-09-28 1241872]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" - c:\windows\system32\Hdaudpropshortcut.exe [2004-03-17 61952]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SoundMan.exe [2004-09-10 77824]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2004-09-15 2557952]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

d:\documents and settings\bailey.048919120306\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

d:\documents and settings\lisa.SN048919120306\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2006-1-30 225280]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
STK02N 2.3 PNP Monitor.lnk - c:\windows\STK02N\STK02NM.exe [2009-8-27 163840]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%ProgramFiles%\\AOL 9.0\\aol.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\logo_ubi.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\pandora.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\APPS\\skype\\phone\\Skype.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"d:\\Documents and Settings\\leah.048919120306.000\\My Documents\\Downloads\\IMG00098714911567251832-JPG.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18202:TCP"= 18202:TCP:BitComet 18202 TCP
"18202:UDP"= 18202:UDP:BitComet 18202 UDP
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [20/08/2009 22:19 54752]
R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [17/10/2009 21:23 309008]
S3 DCamUSBSTK02N;Standard Camera;c:\windows\system32\drivers\STK02NW2.sys [27/08/2009 19:37 101520]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [05/08/2009 22:48 704864]
S3 getPlusHelper;getPlus® Helper;c:\windows\System32\svchost.exe -k getPlusHelper [10/08/2004 16:38 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2009-10-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-10-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3965977090-3551812889-490671574-1007Core.job
- d:\documents and settings\leah.048919120306.000\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-27 14:25]

2009-10-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3965977090-3551812889-490671574-1007UA.job
- d:\documents and settings\leah.048919120306.000\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-27 14:25]

2009-09-04 c:\windows\Tasks\Norton AntiVirus - Scan my computer - bailey.job
- c:\progra~1\NORTON~1\NORTON~1\NAVW32.EXE [2004-10-28 11:54]

2009-10-23 c:\windows\Tasks\Setup my PC.job
- c:\apps\SMP\PCSETUP.EXE [2005-05-11 08:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.kibagames.com/Game/Boys/Spiderman_Dress_Up
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
FF - ProfilePath - d:\documents and settings\bailey.048919120306\Application Data\Mozilla\Firefox\Profiles\tvsl80k7.default\
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: d:\documents and settings\bailey.048919120306\Application Data\Mozilla\Firefox\Profiles\tvsl80k7.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-23 11:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(588)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(3232)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2009-10-23 11:53
ComboFix-quarantined-files.txt 2009-10-23 10:53

Pre-Run: 10,902,634,496 bytes free
Post-Run: 10,880,679,936 bytes free

- - End Of File - - 2CDCD3B425A4D2D9D6034787B610F944


4: Comp OK, bit slow; keep getting iTunes agreement popping up (very annoying).
Have been getting a pop-up message about "blank" path with a security message after; will note down full details when it next does it.
I now have no icons at the bottom of the page near the clock.
What is BitComet? It downloaded itself a while back; thought I'd deleted it. It looks deceivingly like Firefox.

Edited by lisafunkypants, 23 October 2009 - 05:07 AM.


#7 SweetTech
    MalwareTeam Emeritus
  • Authentic Member
  • 3,368 posts

Posted 23 October 2009 - 10:12 PM

STEP 1.

Comp OK, bit slow; keep getting iTunes agreement popping up (very annoying).

How often would you say that the iTunes agreement is popping up? What exactly are you doing when you are prompted to accept the iTunes agreement? What are you selecting when the iTunes agreement is popping up?

Have been getting a pop-up message about "blank" path with a security message after; will note down full details when it next does it.

It would be helpful if you could note the message you receive the next time that the pop-up message appears in regard to the about "blank" path. Is your anti-virus program displaying the security message that you are receiving?

I now have no icons at the bottom of the page near the clock.

Try to do the following:

Right-click a blank area on the Taskbar (near where the clock should be) and select Properties.
Under Notification area, click Customize.
Alternatively, right-click a blank area of the Notification Area and select Customize Notifications.

Under Customize Notifications, right-click the down arrow next to the ones you'd like to show and select the "Always Show" option.
Click OK twice.

What is BitComet? It downloaded itself a while back; thought I'd deleted it. It looks deceivingly like Firefox.

I think that you may be referring to CometBird instead of BitComet. CometBird is a program that is developed using the source code of Mozilla Firefox, and it also follows the source code license of Mozilla. CometBird uses the same source code as Firefox; they are exactly the same except for some of the logo pictures and a few add-ons that have been carefully selected.
____________________________________________________
STEP 2.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run, type Notepad, and click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

KillAll::
File:: 
d:\Documents and Settings\leah.048919120306.000\My Documents\Downloads\IMG00098714911567251832-JPG.EXE
Folder::
c:\program files\BitComet
d:\documents and settings\leah.048919120306.000\Application Data\Blitware
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"d:\Documents and Settings\leah.048919120306.000\My Documents\Downloads\IMG00098714911567251832-JPG.EXE"=-
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Zwangi 1.0 build 110]

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop.


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screen-shot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
____________________________________________________
STEP 3.
  • Please open up MalwareBytes' Anti-Malware.
  • Click on the Update tab at the top. Please click on the "Check for Updates" button.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
____________________________________________________
Please make sure you include the following items in your next post:
1. Answers to the questions under Step 1
2. The log that was produced after running ComboFix with the script.
3. The log that was produced after running MalwareBytes' Anti-Malware.

Proud Graduate of the WTT Classroom
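Before a CFScript like the one in STEP 2 is dragged onto ComboFix, it is worth checking exactly what it asks ComboFix to delete. The Python below is an added example, not code from the post and not part of ComboFix itself: it parses the directive sections a CFScript is built from (KillAll::, File::, Folder::, Registry::, with Registry:: using REGEDIT4-style syntax where `[-KEY]` deletes a key and `"name"=-` deletes a value) and returns a plain list of the resulting actions plus warnings about formatting mistakes such as a stray quote. The sample script is constructed for this example with a placeholder user name; the directive names beyond the four used in the thread are assumptions about ComboFix's grammar and are passed through without interpretation.

```python
"""Review a ComboFix CFScript before it is run.

Added example, not code from the forum post and not ComboFix's own tooling.
It lists the actions a script asks for so a helper can confirm what will be
deleted before the user drags the file onto ComboFix.exe.
"""
import re

# Directives that may open a section.  The first four appear in the thread;
# the rest are assumed to be accepted by ComboFix and are passed through as-is.
KNOWN_SECTIONS = {
    "KillAll", "File", "Folder", "Registry",
    "Driver", "DDS", "FileLook", "DirLook", "RegLock", "ClearJavaCache",
}

# REGEDIT4-style value line inside Registry::, e.g.  "name"=-   or  @=-
VALUE_LINE = re.compile(r'^("(?:[^"]*)"|@)\s*=\s*(.*)$')

# Constructed sample modelled on the script in the thread (placeholder user
# name).  The stray trailing quote on the File:: line is deliberate so the
# validator has something to catch.
SAMPLE_SCRIPT = r'''KillAll::
File::
d:\Documents and Settings\user\My Documents\Downloads\IMG0001-JPG.EXE"
Folder::
c:\program files\BitComet
d:\documents and settings\user\Application Data\Blitware
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"d:\Documents and Settings\user\My Documents\Downloads\IMG0001-JPG.EXE"=-
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Zwangi 1.0 build 110]
'''


def parse_cfscript(text):
    """Return (actions, warnings) for a CFScript.

    actions  -- list of (kind, target) tuples in script order
    warnings -- list of strings describing lines a reviewer should fix
    """
    actions, warnings = [], []
    section = None      # directive currently open
    current_key = None  # registry key that following value lines belong to
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        header = re.fullmatch(r"(\w+)::", line)
        if header:
            section = header.group(1)
            current_key = None
            if section not in KNOWN_SECTIONS:
                warnings.append(f"line {lineno}: unknown directive {section}::")
            elif section == "KillAll":
                actions.append(("kill-processes", "all non-essential processes"))
            continue
        if section is None:
            warnings.append(f"line {lineno}: entry before any directive: {line!r}")
            continue
        if line.count('"') % 2:
            warnings.append(f"line {lineno}: unbalanced quote in {line!r}")
        if section == "File":
            actions.append(("delete-file", line.strip('"')))
        elif section == "Folder":
            actions.append(("delete-folder", line.strip('"')))
        elif section == "Registry":
            if line.startswith("[-") and line.endswith("]"):
                actions.append(("delete-key", line[2:-1]))  # [-KEY] deletes the key
                current_key = None
            elif line.startswith("[") and line.endswith("]"):
                current_key = line[1:-1]                     # [KEY] opens a key
            else:
                m = VALUE_LINE.match(line)
                if current_key is None or not m:
                    warnings.append(f"line {lineno}: registry line not understood: {line!r}")
                    continue
                name = "(Default)" if m.group(1) == "@" else m.group(1).strip('"')
                target = current_key + "\\" + name
                if m.group(2) == "-":
                    actions.append(("delete-value", target))  # "name"=- deletes the value
                else:
                    actions.append(("set-value", target + " = " + m.group(2)))
        else:
            actions.append((section.lower(), line))  # recognised but not interpreted
    return actions, warnings


def summarize(text):
    """Human-readable review lines: warnings first, then one line per action."""
    actions, warnings = parse_cfscript(text)
    lines = ["WARNING: " + w for w in warnings]
    lines += [f"{kind:<15} {target}" for kind, target in actions]
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_SCRIPT)))
```

Run it against the script saved as CFScript.txt (`parse_cfscript(open("CFScript.txt").read())`) and read the action list back to the user: every `delete-file`, `delete-folder` and `delete-key` line is something ComboFix will remove, and any `WARNING` line should be fixed in Notepad before the file is dragged onto ComboFix.exe.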


#8 lisafunkypants
    Authentic Member
  • 206 posts

Posted 24 October 2009 - 06:29 PM

iTunes agreement: This tends to pop up at any time; I have not noticed any particular time it does it. We are just browsing the web, maybe Google Images, or even on e-mail.

The "blank" path message hasn't popped up as yet to give more details, but it is not my security program which gives a message afterwards that I am aware of. It is a cream-coloured rectangular box with a red circle and a white cross inside it at the top left-hand side, if any help.


Also noticed last night, tried to play my Sims game but the comp really crackled, a black screen appeared and then my monitor went into standby, and I couldn't get back onto the Windows screen or turn the PC off; had to turn off without shutting down. Do you think I may have a hardware problem with the graphics card?



ComboFix 09-10-24.01 - bailey 24/10/2009 23:32.5.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.527 [GMT 1:00]
Running from: d:\documents and settings\bailey.048919120306\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\bailey.048919120306\Desktop\CFScript.txt
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

FILE ::
"d:\documents and settings\leah.048919120306.000\My Documents\Downloads\IMG00098714911567251832-JPG.EXE"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\BitComet
c:\program files\BitComet\BitComet.xml
c:\program files\BitComet\Downloads.xml
c:\program files\BitComet\Downloads.xml.bak
c:\program files\BitComet\rules\dhtnodes.dat
c:\program files\BitComet\torrents\image.html.xml
c:\program files\BitComet\torrents\never leave ya!.xml
d:\documents and settings\leah.048919120306.000\Application Data\Blitware
d:\documents and settings\leah.048919120306.000\Application Data\Blitware\DriverRobot\downloads\active_downloads.dat
d:\documents and settings\leah.048919120306.000\Application Data\Blitware\DriverRobot\downloads\downloads.dat
d:\documents and settings\leah.048919120306.000\Application Data\Blitware\DriverRobot\downloads\install_log.dat
d:\documents and settings\leah.048919120306.000\My Documents\Downloads\IMG00098714911567251832-JPG.EXE

.
((((((((((((((((((((((((( Files Created from 2009-09-24 to 2009-10-24 )))))))))))))))))))))))))))))))
.

2009-10-24 22:54 . 2009-10-24 22:54 0 ----a-w- c:\program files\SNDMonPrivTest.dat
2009-10-23 19:54 . 2009-10-23 19:54 -------- d-----w- d:\documents and settings\bailey.048919120306\Application Data\SystemRequirementsLab
2009-10-22 20:14 . 2009-10-22 20:14 -------- d--h--w- c:\windows\PIF
2009-10-20 18:49 . 2009-10-20 18:49 -------- d-----w- c:\program files\iPod
2009-10-20 18:48 . 2009-10-20 18:50 -------- d-----w- c:\program files\iTunes
2009-10-17 16:23 . 2009-10-17 16:23 -------- d-----w- c:\program files\Adobe Media Player
2009-10-17 16:21 . 2009-10-17 16:21 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-10-17 16:17 . 2009-10-17 16:17 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-10-17 15:22 . 2009-10-17 15:36 -------- d-----w- d:\documents and settings\bailey.048919120306\Application Data\Download Manager
2009-10-17 15:11 . 2009-10-17 15:39 -------- d-----w- d:\documents and settings\bailey.048919120306\Local Settings\Application Data\Corel
2009-10-17 15:03 . 2009-10-22 00:33 -------- d-----w- d:\documents and settings\All Users\Application Data\Corel
2009-10-17 15:01 . 2009-10-22 00:33 -------- d-----w- c:\program files\Corel
2009-10-17 15:01 . 2009-10-17 15:01 -------- d-----w- d:\documents and settings\bailey.048919120306\Application Data\InstallShield
2009-10-17 14:55 . 2009-10-17 14:55 -------- d-----w- d:\documents and settings\bailey.048919120306\Application Data\Malwarebytes
2009-10-17 09:51 . 2009-10-17 11:32 1497088 ---h--w- c:\windows\system32\wodfamop.dll
2009-10-15 17:57 . 2009-10-15 17:57 -------- d-----w- d:\documents and settings\NetworkService.NT AUTHORITY.016\Local Settings\Application Data\Apple
2009-10-10 15:45 . 2009-10-10 15:45 -------- d-----w- c:\program files\NOS
2009-10-10 15:18 . 2009-10-10 15:18 -------- d-----w- c:\windows\system32\wbem\Repository
2009-10-10 14:07 . 2009-10-23 22:13 -------- d-----w- d:\documents and settings\All Users\Application Data\NOS
2009-10-07 18:35 . 2009-10-07 18:35 -------- d-----w- d:\documents and settings\bailey.048919120306\Application Data\OD2
2009-10-06 09:54 . 2009-10-06 09:54 -------- d-----w- c:\program files\GSP
2009-09-30 08:45 . 2009-09-30 08:45 -------- d-----w- d:\documents and settings\bailey.048919120306\Local Settings\Application Data\CometNetwork
2009-09-30 08:45 . 2009-09-30 08:45 -------- d-----w- d:\documents and settings\bailey.048919120306\Application Data\CometNetwork
2009-09-29 09:49 . 2009-09-29 09:49 -------- d-----w- d:\documents and settings\leah.048919120306.000\Application Data\AdobeUM
2009-09-27 17:20 . 2009-09-27 17:20 2173544 ----a-w- c:\windows\system32\nvcplui.exe
2009-09-27 17:20 . 2009-09-27 17:20 81920 ----a-w- c:\windows\system32\nvwddi.dll
2009-09-27 17:19 . 2009-09-27 17:19 3166208 ----a-w- c:\windows\system32\nvwss.dll
2009-09-27 17:19 . 2009-09-27 17:19 4026368 ----a-w- c:\windows\system32\nvvitvs.dll
2009-09-27 17:19 . 2009-09-27 17:19 3547136 ----a-w- c:\windows\system32\nvgames.dll
2009-09-27 17:19 . 2009-09-27 17:19 188416 ----a-w- c:\windows\system32\nvmccss.dll
2009-09-27 17:19 . 2009-09-27 17:19 1286144 ----a-w- c:\windows\system32\nvmobls.dll
2009-09-27 17:19 . 2009-09-27 17:19 86016 ----a-w- c:\windows\system32\nvmctray.dll
2009-09-27 17:19 . 2009-09-27 17:19 4935680 ----a-w- c:\windows\system32\nvdisps.dll
2009-09-27 17:19 . 2009-09-27 17:19 172100 ----a-w- c:\windows\system32\nvsvc32.exe
2009-09-27 17:19 . 2009-09-27 17:19 143360 ----a-w- c:\windows\system32\nvcolor.exe
2009-09-27 17:19 . 2009-09-27 17:19 13918208 ----a-w- c:\windows\system32\nvcpl.dll
2009-09-27 17:19 . 2009-09-27 17:19 229376 ----a-w- c:\windows\system32\nvmccs.dll
2009-09-27 15:27 . 2001-08-17 12:56 7552 ----a-w- c:\windows\system32\drivers\SONYPVU1.SYS
2009-09-27 15:27 . 2001-08-17 12:56 7552 ----a-w- c:\windows\system32\dllcache\sonypvu1.sys
2009-09-27 14:48 . 2009-09-27 14:52 -------- d-----w- d:\documents and settings\leah.048919120306.000\Application Data\FrostWire
2009-09-27 13:02 . 2009-09-27 13:02 -------- d-----w- d:\documents and settings\leah.048919120306.000\Local Settings\Application Data\CometNetwork
2009-09-27 13:02 . 2009-09-27 13:02 -------- d-----w- d:\documents and settings\leah.048919120306.000\Application Data\CometNetwork
2009-09-27 13:02 . 2009-10-22 00:31 -------- d-----w- c:\program files\CometBird
2009-09-27 13:00 . 2009-09-27 13:00 -------- d-----w- C:\Downloads
2009-09-27 12:12 . 2009-09-27 12:12 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2009-09-27 12:12 . 2009-09-27 12:12 -------- d-----w- c:\program files\DVDVideoSoft
2009-09-27 12:05 . 2009-09-27 12:05 59576 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-25 19:51 . 2009-09-25 19:51 4096 ----a-w- c:\windows\d3dx.dat
2009-09-25 17:43 . 2009-09-25 17:43 -------- d-----w- d:\documents and settings\bailey.048919120306\Application Data\PlayFirst

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-23 10:43 . 2009-08-19 02:40 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-10-22 00:37 . 2009-08-29 14:49 -------- d-----w- c:\program files\SpywareGuard
2009-10-22 00:36 . 2009-09-18 13:07 -------- d-----w- c:\program files\Shockwave.com
2009-10-22 00:35 . 2009-09-19 14:43 -------- d-----w- c:\program files\McAfee Security Scan
2009-10-21 17:41 . 2009-09-15 20:59 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-20 21:59 . 2009-08-21 01:03 -------- d-----w- d:\documents and settings\leah.048919120306.000\Application Data\Apple Computer
2009-10-20 18:49 . 2009-08-21 01:00 -------- d-----w- c:\program files\Common Files\Apple
2009-10-17 22:05 . 2009-08-20 21:04 71528 ----a-w- d:\documents and settings\leah.048919120306.000\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-17 16:41 . 2009-08-19 08:06 71528 ----a-w- d:\documents and settings\bailey.048919120306\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-17 16:25 . 2009-08-19 02:40 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-17 15:10 . 2009-10-17 15:08 88 --sh--r- d:\documents and settings\All Users\Application Data\E5EC4FC83E.sys
2009-10-17 15:10 . 2009-10-17 15:08 2516 --sha-w- d:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-10-15 16:03 . 2009-08-19 02:40 -------- d-----w- c:\program files\Norton Internet Security
2009-10-07 18:35 . 2009-08-30 19:24 -------- d-----w- d:\documents and settings\bailey.048919120306\Application Data\Apple Computer
2009-10-07 14:56 . 2009-10-03 23:23 180 ----a-w- d:\documents and settings\leah.048919120306.000\Application Data\wklnhst.dat
2009-10-06 09:54 . 2009-08-19 02:40 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-03 16:41 . 2008-08-07 17:38 -------- d---a-w- d:\documents and settings\All Users\Application Data\TEMP
2009-09-27 15:12 . 2009-08-18 21:05 2194024 ----a-w- c:\windows\system32\nvcuvid.dll
2009-09-27 15:12 . 2009-08-18 21:05 1714792 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-09-27 15:12 . 2009-08-18 21:05 888832 ----a-w- c:\windows\system32\nvapi.dll
2009-09-27 15:12 . 2009-08-18 21:05 2007040 ----a-w- c:\windows\system32\nvcuda.dll
2009-09-27 15:12 . 2009-08-18 21:05 1604482 ----a-w- c:\windows\system32\nvdata.bin
2009-09-27 15:12 . 2005-10-17 19:22 490088 ----a-w- c:\windows\system32\nvudisp.exe
2009-09-27 15:12 . 1979-12-31 23:00 7655872 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-09-27 15:12 . 1979-12-31 23:00 5900416 ----a-w- c:\windows\system32\nv4_disp.dll
2009-09-27 15:12 . 1979-12-31 23:00 170600 ----a-w- c:\windows\system32\nvcodins.dll
2009-09-27 15:12 . 1979-12-31 23:00 170600 ----a-w- c:\windows\system32\nvcod.dll
2009-09-27 15:12 . 1979-12-31 23:00 10756096 ----a-w- c:\windows\system32\nvoglnt.dll
2009-09-27 12:42 . 2009-08-20 22:58 -------- d-----w- d:\documents and settings\leah.048919120306.000\Application Data\LimeWire
2009-09-25 17:43 . 2008-08-06 12:24 -------- d-----w- d:\documents and settings\All Users\Application Data\PlayFirst
2009-09-24 08:24 . 2005-10-17 19:22 490088 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-09-20 19:34 . 2009-09-20 19:34 -------- d-----w- c:\program files\Google
2009-09-20 12:05 . 2009-09-20 12:04 -------- d-----w- d:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-20 12:03 . 2009-09-20 12:02 -------- d-----w- c:\program files\QuickTime
2009-09-20 00:11 . 2009-09-20 00:11 -------- d-----w- d:\documents and settings\All Users\Application Data\McAfee
2009-09-19 14:43 . 2009-09-19 14:43 -------- d-----w- d:\documents and settings\All Users\Application Data\McAfee Security Scan
2009-09-18 14:10 . 2009-09-18 14:10 -------- d-----w- d:\documents and settings\All Users\Application Data\GameHouse
2009-09-16 23:33 . 2009-09-16 23:33 -------- d-----w- d:\documents and settings\bailey.048919120306\Application Data\AdobeUM
2009-09-11 14:18 . 2004-08-10 15:38 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 10:32 . 2009-09-11 10:32 -------- d-----w- d:\documents and settings\leah.048919120306.000\Application Data\IObit
2009-09-10 02:08 . 2009-08-20 21:20 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-04 21:03 . 2004-08-10 15:37 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-30 18:01 . 2009-08-19 10:07 -------- d-----w- c:\program files\SpywareBlaster
2009-08-29 20:32 . 2009-08-29 20:32 -------- d-----w- c:\program files\ERUNT
2009-08-29 19:57 . 2009-08-29 19:57 -------- d-----w- c:\program files\WOT
2009-08-29 07:36 . 2004-08-10 15:38 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-10 15:37 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2004-08-10 15:37 17408 ------w- c:\windows\system32\corpol.dll
2009-08-28 20:24 . 2009-08-19 02:40 -------- d-----w- c:\program files\Java
2009-08-28 18:42 . 2009-09-20 12:00 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-28 18:42 . 2009-09-20 12:00 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-28 13:57 . 2009-08-28 13:35 -------- d-----w- d:\documents and settings\bailey.048919120306\Application Data\LimeWire
2009-08-27 18:44 . 2009-08-27 18:44 -------- d-----w- d:\documents and settings\leah.048919120306.000\Application Data\ArcSoft
2009-08-27 18:40 . 2009-08-27 18:40 -------- d-----w- c:\program files\Common Files\ArcSoft
2009-08-27 18:40 . 2009-08-27 18:40 -------- d-----w- c:\program files\ArcSoft
2009-08-27 18:37 . 2009-08-27 18:37 -------- d-----w- d:\documents and settings\leah.048919120306.000\Application Data\InstallShield
2009-08-27 18:23 . 2009-08-27 18:23 -------- d-----w- c:\program files\Common Files\PCCamera
2009-08-27 18:23 . 2009-08-27 18:23 -------- d-----w- c:\program files\ORITE
2009-08-27 18:22 . 2009-08-19 02:40 -------- d-----w- c:\program files\Common Files\InstallShield
2009-08-27 10:38 . 2009-08-27 10:38 -------- d-----w- d:\documents and settings\bailey.048919120306\Application Data\IObit
2009-08-26 10:27 . 2009-08-26 10:27 -------- d-----w- c:\program files\ESET
2009-08-26 08:00 . 2004-08-10 15:38 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-25 22:59 . 2009-08-25 22:59 -------- d-----w- d:\documents and settings\leah.048919120306.000\Application Data\Ulead Systems
2009-08-19 16:53 . 2009-08-19 16:53 73728 ----a-w- c:\windows\ALCFDRTM.EXE
2009-08-19 09:24 . 2009-08-19 09:24 503808 ----a-w- c:\windows\Tranquil - Waterfalls.scr
2009-08-19 09:23 . 2009-08-19 09:23 606848 ----a-w- c:\windows\flashax.exe
2009-08-19 09:23 . 2009-08-19 09:23 12288 ----a-w- c:\windows\impborl.dll
2009-08-18 19:34 . 2009-08-18 19:34 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-18 10:14 . 2009-08-18 10:14 0 ----a-w- d:\documents and settings\Lisa's Internett x\Application Data\wklnhst.dat
2009-08-11 19:31 . 2009-04-28 13:05 111472 ----a-w- d:\documents and settings\Lisa's Internett x\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-09 17:34 . 2008-02-09 16:15 111472 -c--a-w- d:\documents and settings\Renshai Warrior.048919120306.001\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 21:48 . 2009-08-20 21:19 54752 ----a-w- c:\windows\system32\drivers\fssfltr_tdi.sys
2009-08-05 09:01 . 2004-08-10 15:38 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 19:44 . 2004-08-10 15:38 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-03 21:59 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-08-03 12:36 . 2009-08-19 10:09 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 12:36 . 2009-08-19 10:09 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-29 04:37 . 2004-08-10 15:38 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-29 04:37 . 2004-08-10 15:37 81920 ----a-w- c:\windows\system32\fontsub.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-10-23_10.51.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-24 22:41 . 2009-10-24 22:41 16384 c:\windows\temp\Perflib_Perfdata_44c.dat
+ 2009-10-23 22:13 . 2009-10-23 22:13 88589 c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2009-10-23 19:57 . 2009-07-14 18:54 151552 c:\windows\system32\ReinstallBackups\0004\DriverFiles\nvcod.dll
+ 2009-10-23 19:57 . 2009-07-14 18:54 868352 c:\windows\system32\ReinstallBackups\0004\DriverFiles\nvapi.dll
+ 2009-07-18 03:12 . 2009-07-18 03:12 257440 c:\windows\system32\Macromed\Flash\FlashUtil10c.exe
+ 2009-10-24 11:43 . 2009-10-24 11:43 180224 c:\windows\ERDNT\AutoBackup\24-10-2009\Users\00000002\UsrClass.dat
+ 2009-10-24 11:44 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\24-10-2009\ERDNT.EXE
+ 2009-10-23 19:57 . 2009-07-14 18:54 1597690 c:\windows\system32\ReinstallBackups\0004\DriverFiles\nvdata.bin
+ 2009-10-23 19:57 . 2009-07-14 18:54 2189856 c:\windows\system32\ReinstallBackups\0004\DriverFiles\nvcuvid.dll
+ 2009-10-23 19:57 . 2009-07-14 18:54 1706528 c:\windows\system32\ReinstallBackups\0004\DriverFiles\nvcuvenc.dll
+ 2009-10-23 19:57 . 2009-07-14 18:54 2002944 c:\windows\system32\ReinstallBackups\0004\DriverFiles\nvcuda.dll
+ 2009-10-23 19:57 . 2009-07-14 18:54 7741664 c:\windows\system32\ReinstallBackups\0004\DriverFiles\nv4_mini.sys
+ 2009-10-23 19:57 . 2009-07-14 18:54 5842816 c:\windows\system32\ReinstallBackups\0004\DriverFiles\nv4_disp.dll
+ 1979-12-31 23:00 . 2009-09-27 15:12 7655872 c:\windows\system32\dllcache\nv4_mini.sys
+ 2009-10-24 11:43 . 2009-10-24 11:43 3993600 c:\windows\ERDNT\AutoBackup\24-10-2009\Users\00000001\ntuser.dat
+ 2009-10-23 19:57 . 2009-07-14 18:54 10457088 c:\windows\system32\ReinstallBackups\0004\DriverFiles\nvoglnt.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-01-17 58728]
"Ulead AutoDetector v2"="c:\program files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2004-11-26 90112]
"PCMService"="c:\apps\Powercinema\PCMService.exe" [2005-05-11 127118]
"ACTIVBOARD"="c:\apps\ABoard\ABoard.exe" [2003-05-02 24576]
"EmailChecker"="c:\apps\EmailChecker\ech.exe" [2003-07-02 40960]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2009-08-18 100056]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-18 149280]
"IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2009-09-28 1241872]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-09-23 1657448]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-27 13918208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-09-27 86016]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" - c:\windows\system32\Hdaudpropshortcut.exe [2004-03-17 61952]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SoundMan.exe [2004-09-10 77824]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2004-09-15 2557952]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

d:\documents and settings\bailey.048919120306\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

d:\documents and settings\lisa.SN048919120306\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2006-1-30 225280]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
STK02N 2.3 PNP Monitor.lnk - c:\windows\STK02N\STK02NM.exe [2009-8-27 163840]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%ProgramFiles%\\AOL 9.0\\aol.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\logo_ubi.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\pandora.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\APPS\\skype\\phone\\Skype.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18202:TCP"= 18202:TCP:BitComet 18202 TCP
"18202:UDP"= 18202:UDP:BitComet 18202 UDP
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [20/08/2009 22:19 54752]
R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [17/10/2009 21:23 309008]
S3 DCamUSBSTK02N;Standard Camera;c:\windows\system32\drivers\STK02NW2.sys [27/08/2009 19:37 101520]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [05/08/2009 22:48 704864]
S3 getPlusHelper;getPlus® Helper;c:\windows\System32\svchost.exe -k getPlusHelper [10/08/2004 16:38 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2009-10-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-10-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3965977090-3551812889-490671574-1007Core.job
- d:\documents and settings\leah.048919120306.000\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-27 14:25]

2009-10-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3965977090-3551812889-490671574-1007UA.job
- d:\documents and settings\leah.048919120306.000\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-27 14:25]

2009-09-04 c:\windows\Tasks\Norton AntiVirus - Scan my computer - bailey.job
- c:\progra~1\NORTON~1\NORTON~1\NAVW32.EXE [2004-10-28 11:54]

2009-10-24 c:\windows\Tasks\Setup my PC.job
- c:\apps\SMP\PCSETUP.EXE [2005-05-11 08:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.kibagames.com/Game/Boys/Spiderman_Dress_Up
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
FF - ProfilePath - d:\documents and settings\bailey.048919120306\Application Data\Mozilla\Firefox\Profiles\tvsl80k7.default\
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: d:\documents and settings\bailey.048919120306\Application Data\Mozilla\Firefox\Profiles\tvsl80k7.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-24 23:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(576)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(3100)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\apps\Powercinema\Kernel\TV\CLCapSvc.exe
c:\program files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
c:\program files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\system32\wdfmgr.exe
c:\apps\Powercinema\Kernel\TV\CLSched.exe
c:\windows\system32\wscntfy.exe
c:\combofix\CF1014.exe
c:\apps\ABoard\AOSD.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\SpywareGuard\sgbhp.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Messenger\msmsgs.exe
c:\combofix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-24 23:56 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-24 22:56
ComboFix2.txt 2009-10-23 10:56

Pre-Run: 10,629,087,232 bytes free
Post-Run: 10,591,604,736 bytes free

- - End Of File - - CC65CD69415340AD6119ACE4BC0BAA1F




Malwarebytes' Anti-Malware 1.41
Database version: 3027
Windows 5.1.2600 Service Pack 3

25/10/2009 01:28:36
mbam-log-2009-10-25 (01-28-36).txt

Scan type: Quick Scan
Objects scanned: 434501
Time elapsed: 1 hour(s), 13 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#9 SweetTech

    MalwareTeam Emeritus
  • Authentic Member
  • 3,368 posts

Posted 25 October 2009 - 11:52 AM

STEP 1.

iTunes agreement: This tends to pop up at any time; I have not noticed any particular time it does it, we are just browsing the web, maybe Google images or even on e-mail.

Is iTunes a program that you use, and have you ever accepted the iTunes agreement?

The "blank" path message hasn't popped up as yet to give more details, but it is not my security program which gives a message afterwards that I am aware of; it is a cream coloured rectangular box with a red circle and a white cross inside it at the top left hand side, if any help.

If it pops up again please make sure you write down any details that you can.

Also noticed last night tried to play my Sims game but the comp really crackled, a black screen appeared and then my monitor went into standby and I couldn't get back onto the Windows screen or turn the PC off; had to turn off without shutting down. Do you think I may have a hardware problem with the graphics card?

I'd like to revisit this issue after we have gotten your computer all cleaned up.
____________________________________________________
STEP 2.
I need you to run the following scan: Eset Online Scanner

*Note
It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.



  • Place a check mark in the box YES, I accept the Terms Of Use
  • Click the Start button.
  • Now click the Install button.
  • Click Start. The scanner engine will initialize and update.
  • Do Not place a check mark in the box beside Remove found threats.
  • Click the Scan button. The scan will now run, please be patient.
  • When the scan finishes click the Details tab.
  • Copy and paste the contents of C:\Program Files\EsetOnlineScanner\log.txt into your next reply.
____________________________________________________
STEP 3.
Please re-run DDS by sUBs.
Make sure to pay attention to the directions below:
  • Disable any script blocking protection (How to Disable your Security Programs)
  • Double click DDS icon to run the tool (may take up to 3 minutes to run)
  • When done, DDS.txt will open.
  • After a few moments, attach.txt will open in a second window.
  • Save both reports to your desktop.
---------------------------------------------------
  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.
____________________________________________________
Please make sure you include the following items in your next post:
1. Answers to my questions for you in Step 1.
2. The log that was produced after running the ESET Online Scanner.
3. The logs that were produced after you ran DDS.
4. An update on how your computer is currently running?

Proud Graduate of the WTT Classroom


#10 lisafunkypants

    Authentic Member
  • 206 posts

Posted 25 October 2009 - 06:39 PM

Hi we do use iTunes and we have accepted the agreement.

ESETSmartInstaller@High as downloader log:
all ok
# version=6
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6050
# api_version=3.0.2
# EOSSerial=b0ec79aaf033084da520ac121ff4ae84
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-10-26 12:28:32
# local_time=2009-10-26 12:28:32 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=3586 21 100 89 3774152343750
# scanned=140685
# found=2
# cleaned=0
# scan_time=3481
C:\Qoobox\Quarantine\d\Documents and Settings\leah.048919120306.000\My Documents\Downloads\IMG00098714911567251832-JPG.EXE.vir IRC/SdBot trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP49\A0024311.com IRC/SdBot trojan 00000000000000000000000000000000 I

DDS (Ver_09-10-13.01) - NTFSx86
Run by bailey at 0:34:44.25 on 26/10/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.486 [GMT 0:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wdfmgr.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\Apps\Powercinema\PCMService.exe
C:\apps\ABoard\ABoard.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\apps\ABoard\AOSD.exe
C:\Program Files\IObit\IObit Security 360\IS360tray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\STK02N\STK02NM.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\IObit\IObit Security 360\is360.exe
C:\Program Files\IObit\IObit Security 360\IS360tray.exe
C:\Program Files\IObit\IObit Security 360\is360.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Documents and Settings\bailey.048919120306\Desktop\dds.pif
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.kibagames.com/Game/Boys/Spiderman_Dress_Up
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CNisExtBho Class: {9ecb9560-04f9-4bbc-943d-298ddf1699e1} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
BHO: WOT Helper: {c920e44a-7f78-4e64-bdd7-a57026e7feb7} - c:\program files\wot\WOT.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Internet Security: {0b53eac3-8d69-4b9e-9b19-a37c9a5676a7} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
TB: WOT: {71576546-354d-41c9-aae8-31f2ec22bf0d} - c:\program files\wot\WOT.dll
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Ulead AutoDetector v2] c:\program files\common files\ulead systems\autodetector\monitor.exe
mRun: [PCMService] "c:\apps\powercinema\PCMService.exe"
mRun: [ACTIVBOARD] c:\apps\aboard\ABoard.exe
mRun: [EmailChecker] c:\apps\emailchecker\ech.exe
mRun: [Symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe /Consumer
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
mRun: [IObit Security 360] c:\program files\iobit\iobit security 360\IS360tray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: d:\docume~1\bailey~1.048\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: d:\docume~1\bailey~1.048\startm~1\programs\startup\spywar~1.lnk - c:\program files\spywareguard\sgmain.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\stk02n~1.lnk - c:\windows\stk02n\STK02NM.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {53F6FCCD-9E22-4d71-86EA-6E43136192AB}
IE: {925DAB62-F9AC-4221-806A-057BFB1014AA}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - c:\program files\wot\WOT.dll

================= FIREFOX ===================

FF - ProfilePath - d:\docume~1\bailey~1.048\applic~1\mozilla\firefox\profiles\tvsl80k7.default\
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: d:\documents and settings\bailey.048919120306\application data\mozilla\firefox\profiles\tvsl80k7.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-8-20 54752]
R2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2009-10-17 309008]
S3 DCamUSBSTK02N;Standard Camera;c:\windows\system32\drivers\STK02NW2.sys [2009-8-27 101520]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 getPlusHelper;getPlus® Helper;c:\windows\system32\svchost.exe -k getPlusHelper [2004-8-10 14336]

=============== Created Last 30 ================

2009-10-23 10:42 236,544 a------- c:\windows\PEV.exe
2009-10-23 10:42 161,792 a------- c:\windows\SWREG.exe
2009-10-23 10:42 98,816 a------- c:\windows\sed.exe
2009-10-22 20:14 <DIR> --d-h--- c:\windows\PIF
2009-10-20 18:49 <DIR> --d----- c:\program files\iPod
2009-10-20 18:48 <DIR> --d----- c:\program files\iTunes
2009-10-17 16:17 <DIR> --d----- c:\program files\common files\Macrovision Shared
2009-10-17 15:08 2,516 a--sh--- d:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2009-10-17 15:08 88 ---shr-- d:\docume~1\alluse~1\applic~1\E5EC4FC83E.sys
2009-10-17 15:03 <DIR> --d----- d:\docume~1\alluse~1\applic~1\Corel
2009-10-17 15:01 <DIR> --d----- c:\program files\Corel
2009-10-17 14:55 <DIR> --d----- d:\docume~1\bailey~1.048\applic~1\Malwarebytes
2009-10-17 09:51 1,497,088 ----h--- c:\windows\system32\wodfamop.dll
2009-10-10 15:18 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-10-07 18:35 <DIR> --d----- d:\docume~1\bailey~1.048\applic~1\OD2
2009-10-06 09:56 0 a------- c:\windows\angelinaballerina.ini
2009-10-06 09:54 <DIR> --d----- c:\program files\GSP
2009-09-30 08:45 <DIR> --d----- d:\docume~1\bailey~1.048\applic~1\CometNetwork
2009-09-27 17:20 2,173,544 a------- c:\windows\system32\nvcplui.exe
2009-09-27 17:20 420,456 a------- c:\windows\system32\nvcpl.cpl
2009-09-27 17:20 81,920 a------- c:\windows\system32\nvwddi.dll
2009-09-27 15:27 7,552 a------- c:\windows\system32\drivers\SONYPVU1.SYS
2009-09-27 15:27 7,552 a------- c:\windows\system32\dllcache\sonypvu1.sys
2009-09-27 13:02 <DIR> --d----- c:\program files\CometBird
2009-09-27 13:00 <DIR> --d----- C:\Downloads
2009-09-27 12:12 <DIR> --d----- c:\program files\DVDVideoSoft
2009-09-27 12:12 <DIR> --d----- c:\program files\common files\DVDVideoSoft
2009-09-27 12:05 59,576 a---h--- c:\windows\system32\mlfcache.dat

==================== Find3M ====================

2009-09-27 17:19 3,166,208 a------- c:\windows\system32\nvwss.dll
2009-09-27 17:19 4,026,368 a------- c:\windows\system32\nvvitvs.dll
2009-09-27 17:19 3,547,136 a------- c:\windows\system32\nvgames.dll
2009-09-27 17:19 1,286,144 a------- c:\windows\system32\nvmobls.dll
2009-09-27 17:19 188,416 a------- c:\windows\system32\nvmccss.dll
2009-09-27 17:19 13,918,208 a------- c:\windows\system32\nvcpl.dll
2009-09-27 17:19 4,935,680 a------- c:\windows\system32\nvdisps.dll
2009-09-27 17:19 172,100 a------- c:\windows\system32\nvsvc32.exe
2009-09-27 17:19 143,360 a------- c:\windows\system32\nvcolor.exe
2009-09-27 17:19 86,016 a------- c:\windows\system32\nvmctray.dll
2009-09-27 17:19 229,376 a------- c:\windows\system32\nvmccs.dll
2009-09-27 15:12 10,756,096 a------- c:\windows\system32\nvoglnt.dll
2009-09-27 15:12 7,655,872 a------- c:\windows\system32\drivers\nv4_mini.sys
2009-09-27 15:12 7,655,872 a------- c:\windows\system32\dllcache\nv4_mini.sys
2009-09-27 15:12 5,900,416 a------- c:\windows\system32\nv4_disp.dll
2009-09-27 15:12 2,194,024 a------- c:\windows\system32\nvcuvid.dll
2009-09-27 15:12 2,007,040 a------- c:\windows\system32\nvcuda.dll
2009-09-27 15:12 1,714,792 a------- c:\windows\system32\nvcuvenc.dll
2009-09-27 15:12 1,604,482 a------- c:\windows\system32\nvdata.bin
2009-09-27 15:12 888,832 a------- c:\windows\system32\nvapi.dll
2009-09-27 15:12 490,088 a------- c:\windows\system32\nvudisp.exe
2009-09-27 15:12 170,600 a------- c:\windows\system32\nvcodins.dll
2009-09-27 15:12 170,600 a------- c:\windows\system32\nvcod.dll
2009-09-25 19:51 4,096 a------- c:\windows\d3dx.dat
2009-09-24 08:24 490,088 a------- c:\windows\system32\NVUNINST.EXE
2009-09-11 14:18 136,192 a------- c:\windows\system32\msv1_0.dll
2009-09-11 14:18 136,192 -------- c:\windows\system32\dllcache\msv1_0.dll
2009-09-10 13:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 13:53 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-06 18:21 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-09-04 21:03 58,880 a------- c:\windows\system32\msasn1.dll
2009-09-04 21:03 58,880 -------- c:\windows\system32\dllcache\msasn1.dll
2009-08-28 18:42 2,065,696 a------- c:\windows\system32\usbaaplrc.dll
2009-08-28 18:42 40,448 a------- c:\windows\system32\drivers\usbaapl.sys
2009-08-28 10:28 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-28 10:28 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-08-27 05:18 634,648 -------- c:\windows\system32\dllcache\iexplore.exe
2009-08-27 05:18 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2009-08-26 08:00 247,326 a------- c:\windows\system32\strmdll.dll
2009-08-26 08:00 247,326 -------- c:\windows\system32\dllcache\strmdll.dll
2009-08-19 16:53 73,728 a------- c:\windows\ALCFDRTM.EXE
2009-08-19 09:24 503,808 a------- c:\windows\Tranquil - Waterfalls.scr
2009-08-19 09:23 606,848 a------- c:\windows\flashax.exe
2009-08-19 09:23 12,288 a------- c:\windows\impborl.dll
2009-08-18 19:34 411,368 a------- c:\windows\system32\deploytk.dll
2009-08-13 15:16 512,000 -------- c:\windows\system32\dllcache\jscript.dll
2009-08-05 09:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 09:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 19:44 2,189,184 -------- c:\windows\system32\ntoskrnl.exe
2009-08-04 19:44 2,189,184 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-08-04 15:13 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-08-04 14:20 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-08-04 14:20 2,066,048 -------- c:\windows\system32\ntkrnlpa.exe
2009-08-04 14:20 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-07-29 04:37 119,808 a------- c:\windows\system32\t2embed.dll
2009-07-29 04:37 81,920 a------- c:\windows\system32\fontsub.dll
2009-07-29 04:37 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-07-29 04:37 81,920 -------- c:\windows\system32\dllcache\fontsub.dll

============= FINISH: 0:35:30.64 ===============

Attached Files


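The reply above pastes two machine-readable reports: the ESET Online Scanner log.txt (a "# key=value" header followed by one finding per line) and the DDS "Created Last 30" listing (date, time, size or <DIR>, an eight-character attribute string, path). The following is an added example, not code from the thread, from ESET or from the DDS tool; it parses excerpts of both logs as posted above and shows two triage points a helper makes from them: ESET reported found=2 but cleaned=0 because "Remove found threats" was left unchecked as instructed, and both detections sit in ComboFix's quarantine (C:\Qoobox\Quarantine) and a System Restore snapshot (System Volume Information\_restore), not in a live location. The DDS half pulls out recently created hidden non-directory files for a second look. The function names, the location labels and the assumption that the original log.txt was tab-separated before the forum collapsed it to spaces are mine.

```python
import re
from dataclasses import dataclass

# Excerpt of the ESET Online Scanner log.txt posted above. The original log.txt
# separates finding columns with tabs (assumption); the forum collapsed them to
# spaces, so the parser tolerates either.
ESET_LOG = r"""
ESETSmartInstaller@High as downloader log:
all ok
# version=6
# remove_checked=false
# scanned=140685
# found=2
# cleaned=0
# scan_time=3481
C:\Qoobox\Quarantine\d\Documents and Settings\leah.048919120306.000\My Documents\Downloads\IMG00098714911567251832-JPG.EXE.vir IRC/SdBot trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP49\A0024311.com IRC/SdBot trojan 00000000000000000000000000000000 I
"""

# Excerpt of the "Created Last 30" section of the DDS log in the same reply.
DDS_CREATED = r"""
2009-10-23 10:42 236,544 a------- c:\windows\PEV.exe
2009-10-22 20:14 <DIR> --d-h--- c:\windows\PIF
2009-10-17 15:08 2,516 a--sh--- d:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2009-10-17 15:08 88 ---shr-- d:\docume~1\alluse~1\applic~1\E5EC4FC83E.sys
2009-10-17 09:51 1,497,088 ----h--- c:\windows\system32\wodfamop.dll
2009-09-27 12:05 59,576 a---h--- c:\windows\system32\mlfcache.dat
"""

HEADER_RE = re.compile(r"^#\s*([^=]+)=(.*)$")
# A finding line ends with a 32-hex-digit field and a one-letter status.
FINDING_RE = re.compile(r"^(?P<rest>.+?)\s+(?P<hash>[0-9A-Fa-f]{32})\s+(?P<status>[A-Z])$")
DDS_ENTRY_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+(?P<size><DIR>|[\d,]+)\s+"
    r"(?P<attrs>[adshr-]{8})\s+(?P<path>.+)$"
)


def classify_location(path):
    """Quarantined copies and System Restore snapshots are not active infections (labels are mine)."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "combofix_quarantine"
    if "\\system volume information\\_restore" in p:
        return "system_restore"
    return "live"


def parse_eset_log(text):
    """Return {'header': {key: value}, 'findings': [dict, ...]} from ESET log.txt text."""
    header, findings = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            header[m.group(1).strip()] = m.group(2).strip()
            continue
        m = FINDING_RE.match(line)
        if not m:
            continue  # banner lines such as "all ok"
        tokens = m.group("rest").split()
        # Threat names carry no backslash, so the path ends at the last token that has one.
        with_bs = [i for i, tok in enumerate(tokens) if "\\" in tok]
        cut = with_bs[-1] + 1 if with_bs else len(tokens)
        path, threat = " ".join(tokens[:cut]), " ".join(tokens[cut:])
        findings.append({"path": path, "threat": threat, "hash": m.group("hash"),
                         "status": m.group("status"), "location": classify_location(path)})
    return {"header": header, "findings": findings}


def active_findings(report):
    """Findings outside quarantine and System Restore: the ones that still need action."""
    return [f for f in report["findings"] if f["location"] == "live"]


@dataclass
class DdsEntry:
    date: str
    time: str
    size: int   # -1 for directories
    attrs: str  # DDS flag string: a=archive, d=directory, s=system, h=hidden, r=read-only
    path: str

    @property
    def is_dir(self):
        return "d" in self.attrs

    @property
    def hidden(self):
        return "h" in self.attrs


def parse_dds_entries(text):
    """Parse DDS 'Created Last 30' / 'Find3M' style lines into DdsEntry records."""
    entries = []
    for line in text.splitlines():
        m = DDS_ENTRY_RE.match(line.strip())
        if not m:
            continue
        size = -1 if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append(DdsEntry(m["date"], m["time"], size, m["attrs"], m["path"]))
    return entries


def hidden_files(entries):
    """Recently created hidden non-directory files: worth a second look, not proof of malware."""
    return [e.path for e in entries if e.hidden and not e.is_dir]
```

Running `parse_eset_log(ESET_LOG)` on the excerpt gives found=2, cleaned=0 and an empty `active_findings` list, which is the reading a helper applies before deciding whether anything still needs removal; `hidden_files(parse_dds_entries(DDS_CREATED))` returns the four hidden files and skips the hidden PIF directory.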


#11 SweetTech

    MalwareTeam Emeritus
  • Authentic Member
  • 3,368 posts

Posted 25 October 2009 - 09:00 PM

STEP 1.

Open Notepad

Click Start > Run, type notepad into the run box, and click OK.
Click Format and make certain that Word Wrap is NOT checked.

Copy the text inside of the code box, Press Ctrl+C (or right click on the highlighted section and choose 'copy')

Now paste the copied text into the open notepad. Press CTRL+V (or right click and choose 'paste')

Note: There must be NO blank lines in front of the pasted text, but ensure that there is a blank line at the end of the text, otherwise the registry merge will not work.

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Zwangi]

Now go to File > and click Save As,
From the drop down menu at the top of the box choose Desktop as the location to save this file.
Go down to the File Name box and type in fixme.reg as the file name, then choose All Files as the save as file type.
Then click the save button.
Once you have clicked the save button, close Notepad.

You should now see a file on your desktop that looks like this:

Posted Image

Locate the fixme.reg icon on your desktop and double click it, an information box will pop up asking if you want to merge the information in the file into the registry, click YES.

Once the file has run, the information will have merged with your registry so you can delete fixme.reg from your desktop as you won't be needing it anymore.
____________________________________________________
STEP 2.
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 16. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the "Download" button to the right.
  • Select the Windows platform from the drop-down menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Now go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH checked: Applications and Applets, Trace and Log Files
  • Click OK on Delete Temporary Files Window

    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.
____________________________________________________
STEP 4.
Please re-run DDS by sUBs.
Make sure to pay attention to the directions below:
  • Disable any script blocking protection (How to Disable your Security Programs)
  • Double click DDS icon to run the tool (may take up to 3 minutes to run)
  • When done, DDS.txt will open.
  • After a few moments, attach.txt will open in a second window.
  • Save both reports to your desktop.
---------------------------------------------------
  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by doing the following:
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post
____________________________________________________
Please make sure you include the following items in your next post:
1. The logs that were produced after running DDS.
2. An update on how your computer is currently running.



#12 lisafunkypants

    Authentic Member
  • 206 posts

Posted 26 October 2009 - 07:39 AM

DDS (Ver_09-10-13.01) - NTFSx86
Run by bailey at 13:30:34.85 on 26/10/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.338 [GMT 0:00]

AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wdfmgr.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\Apps\Powercinema\PCMService.exe
C:\apps\ABoard\ABoard.exe
C:\Program Files\IObit\IObit Security 360\IS360tray.exe
C:\apps\ABoard\AOSD.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\STK02N\STK02NM.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\IObit\IObit Security 360\is360.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
D:\Documents and Settings\bailey.048919120306\Desktop\dds.pif
C:\Program Files\Messenger\msmsgs.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.kibagames.com/Game/Boys/Spiderman_Dress_Up
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CNisExtBho Class: {9ecb9560-04f9-4bbc-943d-298ddf1699e1} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
BHO: WOT Helper: {c920e44a-7f78-4e64-bdd7-a57026e7feb7} - c:\program files\wot\WOT.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Internet Security: {0b53eac3-8d69-4b9e-9b19-a37c9a5676a7} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
TB: WOT: {71576546-354d-41c9-aae8-31f2ec22bf0d} - c:\program files\wot\WOT.dll
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Ulead AutoDetector v2] c:\program files\common files\ulead systems\autodetector\monitor.exe
mRun: [PCMService] "c:\apps\powercinema\PCMService.exe"
mRun: [ACTIVBOARD] c:\apps\aboard\ABoard.exe
mRun: [EmailChecker] c:\apps\emailchecker\ech.exe
mRun: [Symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe /Consumer
mRun: [IObit Security 360] c:\program files\iobit\iobit security 360\IS360tray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: d:\docume~1\bailey~1.048\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: d:\docume~1\bailey~1.048\startm~1\programs\startup\spywar~1.lnk - c:\program files\spywareguard\sgmain.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\stk02n~1.lnk - c:\windows\stk02n\STK02NM.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {53F6FCCD-9E22-4d71-86EA-6E43136192AB}
IE: {925DAB62-F9AC-4221-806A-057BFB1014AA}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - c:\program files\wot\WOT.dll

================= FIREFOX ===================

FF - ProfilePath - d:\docume~1\bailey~1.048\applic~1\mozilla\firefox\profiles\tvsl80k7.default\
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: d:\documents and settings\bailey.048919120306\application data\mozilla\firefox\profiles\tvsl80k7.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-8-20 54752]
R2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2009-10-17 309008]
S3 DCamUSBSTK02N;Standard Camera;c:\windows\system32\drivers\STK02NW2.sys [2009-8-27 101520]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 getPlusHelper;getPlus® Helper;c:\windows\system32\svchost.exe -k getPlusHelper [2004-8-10 14336]

=============== Created Last 30 ================

2009-10-26 13:17 73,728 a------- c:\windows\system32\javacpl.cpl
2009-10-23 10:42 236,544 a------- c:\windows\PEV.exe
2009-10-23 10:42 161,792 a------- c:\windows\SWREG.exe
2009-10-23 10:42 98,816 a------- c:\windows\sed.exe
2009-10-22 20:14 <DIR> --d-h--- c:\windows\PIF
2009-10-20 18:49 <DIR> --d----- c:\program files\iPod
2009-10-20 18:48 <DIR> --d----- c:\program files\iTunes
2009-10-17 16:17 <DIR> --d----- c:\program files\common files\Macrovision Shared
2009-10-17 15:08 2,516 a--sh--- d:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2009-10-17 15:08 88 ---shr-- d:\docume~1\alluse~1\applic~1\E5EC4FC83E.sys
2009-10-17 15:03 <DIR> --d----- d:\docume~1\alluse~1\applic~1\Corel
2009-10-17 15:01 <DIR> --d----- c:\program files\Corel
2009-10-17 14:55 <DIR> --d----- d:\docume~1\bailey~1.048\applic~1\Malwarebytes
2009-10-17 09:51 1,497,088 ----h--- c:\windows\system32\wodfamop.dll
2009-10-10 15:18 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-10-07 18:35 <DIR> --d----- d:\docume~1\bailey~1.048\applic~1\OD2
2009-10-06 09:56 0 a------- c:\windows\angelinaballerina.ini
2009-10-06 09:54 <DIR> --d----- c:\program files\GSP
2009-09-30 08:45 <DIR> --d----- d:\docume~1\bailey~1.048\applic~1\CometNetwork
2009-09-27 17:20 2,173,544 a------- c:\windows\system32\nvcplui.exe
2009-09-27 17:20 420,456 a------- c:\windows\system32\nvcpl.cpl
2009-09-27 17:20 81,920 a------- c:\windows\system32\nvwddi.dll
2009-09-27 15:27 7,552 a------- c:\windows\system32\drivers\SONYPVU1.SYS
2009-09-27 15:27 7,552 a------- c:\windows\system32\dllcache\sonypvu1.sys
2009-09-27 13:02 <DIR> --d----- c:\program files\CometBird
2009-09-27 13:00 <DIR> --d----- C:\Downloads
2009-09-27 12:12 <DIR> --d----- c:\program files\DVDVideoSoft
2009-09-27 12:12 <DIR> --d----- c:\program files\common files\DVDVideoSoft
2009-09-27 12:05 59,576 a---h--- c:\windows\system32\mlfcache.dat

==================== Find3M ====================

2009-10-26 13:17 411,368 a------- c:\windows\system32\deploytk.dll
2009-09-27 17:19 3,166,208 a------- c:\windows\system32\nvwss.dll
2009-09-27 17:19 4,026,368 a------- c:\windows\system32\nvvitvs.dll
2009-09-27 17:19 3,547,136 a------- c:\windows\system32\nvgames.dll
2009-09-27 17:19 1,286,144 a------- c:\windows\system32\nvmobls.dll
2009-09-27 17:19 188,416 a------- c:\windows\system32\nvmccss.dll
2009-09-27 17:19 13,918,208 a------- c:\windows\system32\nvcpl.dll
2009-09-27 17:19 4,935,680 a------- c:\windows\system32\nvdisps.dll
2009-09-27 17:19 172,100 a------- c:\windows\system32\nvsvc32.exe
2009-09-27 17:19 143,360 a------- c:\windows\system32\nvcolor.exe
2009-09-27 17:19 86,016 a------- c:\windows\system32\nvmctray.dll
2009-09-27 17:19 229,376 a------- c:\windows\system32\nvmccs.dll
2009-09-27 15:12 10,756,096 a------- c:\windows\system32\nvoglnt.dll
2009-09-27 15:12 7,655,872 a------- c:\windows\system32\drivers\nv4_mini.sys
2009-09-27 15:12 7,655,872 a------- c:\windows\system32\dllcache\nv4_mini.sys
2009-09-27 15:12 5,900,416 a------- c:\windows\system32\nv4_disp.dll
2009-09-27 15:12 2,194,024 a------- c:\windows\system32\nvcuvid.dll
2009-09-27 15:12 2,007,040 a-------
c:\windows\system32\nvcuda.dll 2009-09-27 15:12 1,714,792 a------- c:\windows\system32\nvcuvenc.dll 2009-09-27 15:12 1,604,482 a------- c:\windows\system32\nvdata.bin 2009-09-27 15:12 888,832 a------- c:\windows\system32\nvapi.dll 2009-09-27 15:12 490,088 a------- c:\windows\system32\nvudisp.exe 2009-09-27 15:12 170,600 a------- c:\windows\system32\nvcodins.dll 2009-09-27 15:12 170,600 a------- c:\windows\system32\nvcod.dll 2009-09-25 19:51 4,096 a------- c:\windows\d3dx.dat 2009-09-24 08:24 490,088 a------- c:\windows\system32\NVUNINST.EXE 2009-09-11 14:18 136,192 a------- c:\windows\system32\msv1_0.dll 2009-09-11 14:18 136,192 -------- c:\windows\system32\dllcache\msv1_0.dll 2009-09-10 13:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys 2009-09-10 13:53 19,160 a------- c:\windows\system32\drivers\mbam.sys 2009-09-06 18:21 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat 2009-09-04 21:03 58,880 a------- c:\windows\system32\msasn1.dll 2009-09-04 21:03 58,880 -------- c:\windows\system32\dllcache\msasn1.dll 2009-08-28 18:42 2,065,696 a------- c:\windows\system32\usbaaplrc.dll 2009-08-28 18:42 40,448 a------- c:\windows\system32\drivers\usbaapl.sys 2009-08-28 10:28 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe 2009-08-28 10:28 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe 2009-08-27 05:18 634,648 -------- c:\windows\system32\dllcache\iexplore.exe 2009-08-27 05:18 161,792 -------- c:\windows\system32\dllcache\ieakui.dll 2009-08-26 08:00 247,326 a------- c:\windows\system32\strmdll.dll 2009-08-26 08:00 247,326 -------- c:\windows\system32\dllcache\strmdll.dll 2009-08-19 16:53 73,728 a------- c:\windows\ALCFDRTM.EXE 2009-08-19 09:24 503,808 a------- c:\windows\Tranquil - Waterfalls.scr 2009-08-19 09:23 606,848 a------- c:\windows\flashax.exe 2009-08-19 09:23 12,288 a------- c:\windows\impborl.dll 2009-08-13 15:16 512,000 -------- c:\windows\system32\dllcache\jscript.dll 2009-08-05 09:01 204,800 a------- 
c:\windows\system32\mswebdvd.dll 2009-08-05 09:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll 2009-08-04 19:44 2,189,184 -------- c:\windows\system32\ntoskrnl.exe 2009-08-04 19:44 2,189,184 -------- c:\windows\system32\dllcache\ntoskrnl.exe 2009-08-04 15:13 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe 2009-08-04 14:20 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe 2009-08-04 14:20 2,066,048 -------- c:\windows\system32\ntkrnlpa.exe 2009-08-04 14:20 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe 2009-07-29 04:37 119,808 a------- c:\windows\system32\t2embed.dll 2009-07-29 04:37 81,920 a------- c:\windows\system32\fontsub.dll 2009-07-29 04:37 119,808 -------- c:\windows\system32\dllcache\t2embed.dll 2009-07-29 04:37 81,920 -------- c:\windows\system32\dllcache\fontsub.dll ============= FINISH: 13:30:58.32 =============== Attached File  Attach4.txt   13.58KB   292 downloads Comps being ok, havent had the blank message as yet, i noticed after eset scan that there were 2 IRC/SDBot Trojan which i believe are the backdoor trojans, has eset quarantined these. I turned off anti-virus auto-protect but I noticed Norton security is still enabled would it interfere with dds? would you like me to turn the whole thing off? if i havent been posting the attach.txt properly i can only apologize, think i did it right this time ;)

#13 SweetTech

MalwareTeam Emeritus, Authentic Member, 3,368 posts

Posted 27 October 2009 - 03:18 PM

STEP 1.

Comp's being OK, haven't had the blank message as yet. I noticed after the ESET scan that there were 2 IRC/SDBot Trojans, which I believe are the backdoor trojans; has ESET quarantined these?

Yes, these things have been quarantined. We will take care of these few things very shortly.

I turned off anti-virus auto-protect but I noticed Norton Security is still enabled. Would it interfere with DDS? Would you like me to turn the whole thing off?

Nope, that shouldn't interfere with DDS.

With that said please proceed with the following:

STEP 2.

Also noticed last night I tried to play my Sims game but the comp really crackled, a black screen appeared and then my monitor went into standby, and I couldn't get back onto the Windows screen or turn the PC off; had to turn it off without shutting down. Do you think I may have a hardware problem with the graphics card?

I said earlier that I was going to come back to this issue after we have gotten you all cleaned up. I feel that at this stage your machine looks to be clean of malware, so the problems you are experiencing are not likely to be malware related. I think the best and fastest solution for you is to post in our General Hardware section of the WTT forums. When posting there please make sure that you include a link to this thread. They specialize in handling problems like this, so you are certain to get expert assistance and a speedy resolution is very likely.

But before I send you off to the Tech Team we need to clean up a few things.
____________________________________________________

STEP 3.
Time for some housekeeping
From your Desktop please delete the following things:
  • Any notepad/logs that we created
  • fixme.reg
  • DDS.scr
  • GMER.zip from wherever you downloaded the file to.
  • GMER.exe from where you extracted it.
  • You may also remove ESET Online Scan via your Add/Remove Programs.
Then:

The following will implement some cleanup procedures as well as reset System Restore points:
Click Start > Run and copy/paste the following text into the Run box and click OK:

ComboFix /Uninstall

____________________________________________________
All Clean Speech

=======> Make sure you've re-enabled any Security Programs that we may have disabled during the malware removal process. <=======


Update Adobe Reader
Earlier versions of Adobe Reader have known security flaws, so it is recommended that you update your copy:
  • Go to Start > Control Panel > Add/Remove Programs
  • Remove ALL instances of Adobe Reader
  • Re-boot your computer as required.
  • Once ALL versions of Adobe Reader have been uninstalled, visit: <<here>> and download the latest version of Adobe Reader
OR, after uninstalling Adobe Reader, you could try installing Foxit Reader from >here<
Foxit Reader has fewer add-ons and therefore loads more quickly.

Below I have included a number of recommendations for how to protect your computer against malware infections.
  • It is good security practice to change the passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them
    then consider a password keeper, to keep all your passwords safe.
  • Keep Windows updated by regularly checking their website at: http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest available security updates installed.
  • SpywareBlaster protects against bad ActiveX controls; it immunizes your PC against them.
  • SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program ( eg : TeaTimer, Windows Defender ) or there will be a conflict.
  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed ActiveX controls" and "Download unsigned ActiveX controls") to "Prompt", and "Initialize and script ActiveX controls not marked as safe" to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE
  • Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from Here
    • If you choose to use Firefox, I highly recommend this add-on to keep your PC even more secure.
      • NoScript - for blocking ads and other potential website attacks
  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
    Think Prevention.
    PC Safety and Security--What Do I Need?.
**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

Thank you for your patience, and performing all of the procedures requested.

Please respond to this thread one last time so that I know you've completed the steps listed above. If you have any questions or require any other assistance please let me know

Proud Graduate of the WTT Classroom
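The "Make Internet Explorer more secure" steps in the post above change three ActiveX settings in the Internet zone. Internet Explorer stores zone settings as DWORD values under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3, where value 1001 is "Download signed ActiveX controls", 1004 is "Download unsigned ActiveX controls", 1201 is "Initialize and script ActiveX controls not marked as safe", and the data is 0 for Enable, 1 for Prompt and 3 for Disable. The Python below is an added example, not code from the original post or from any tool it names: it parses the text of a `reg export` of that key (after decoding, since `reg export` writes UTF-16) and reports which of the three settings still differ from the recommended state, then emits a .reg fragment with the recommended values. The WEAK_EXPORT text is constructed for the example and is not taken from the poster's machine.

```python
"""Audit of Internet Explorer's Internet-zone ActiveX settings.
Added example, not from the original thread.  WEAK_EXPORT is constructed."""
from __future__ import annotations

import re

ENABLE, PROMPT, DISABLE = 0, 1, 3   # IE zone action codes
ACTION_NAME = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

ZONE3_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
             r"\Internet Settings\Zones\3")

# value name -> (setting as shown in the Custom level dialog, recommended action)
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", PROMPT),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
}

# Constructed .reg text in the layout `reg export` produces (decoded from
# UTF-16).  Zone 4 is included to show that other zones are ignored.
WEAK_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000000
"1201"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"DisplayName"="Restricted sites"
"1001"=dword:00000003
"1004"=dword:00000003
"1201"=dword:00000003
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')


def parse_reg_dwords(reg_text: str, key: str) -> dict[str, int]:
    """Return {value_name: int} for the DWORD values under `key` only."""
    values: dict[str, int] = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)          # entering a new [key] section
            continue
        if current is None or current.lower() != key.lower():
            continue                      # values belong to some other key
        m = _DWORD_RE.match(line)
        if m:
            values[m.group(1)] = int(m.group(2), 16)
    return values


def audit_zone3(reg_text: str) -> dict[str, tuple[str, int | None, int]]:
    """Map each non-compliant value name to (description, actual, recommended).

    `actual` is None when the value is absent from the export."""
    actual = parse_reg_dwords(reg_text, ZONE3_KEY)
    findings = {}
    for name, (desc, want) in RECOMMENDED.items():
        have = actual.get(name)
        if have != want:
            findings[name] = (desc, have, want)
    return findings


def hardened_reg(zone_key: str = ZONE3_KEY) -> str:
    """Emit .reg text that sets the three values to the recommended actions."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{zone_key}]"]
    for name, (_, want) in RECOMMENDED.items():
        lines.append(f'"{name}"=dword:{want:08x}')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for name, (desc, have, want) in audit_zone3(WEAK_EXPORT).items():
        shown = ACTION_NAME.get(have, "not set")
        print(f"{name} {desc}: is {shown}, should be {ACTION_NAME[want]}")
    print(hardened_reg())
```

On a real machine the audit input comes from `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" zone3.reg` decoded as UTF-16; the audit reads only the Zones\3 section, so an export of the whole Zones key is also fine. Applying the generated .reg file changes the three settings without walking through the Inetcpl.cpl dialog, which is useful when checking several accounts on one PC.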

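The MVPS HOSTS recommendation in the post above works by mapping known ad and malware hostnames to 127.0.0.1 so the request never leaves the PC. The Python below is an added example, not code from the original post or from the MVPS project: it parses HOSTS-format text and answers whether a given name would be blocked, which makes the caveat a practitioner should know visible: HOSTS matching is an exact, case-insensitive hostname match with no wildcards, so an entry for ads.example.test does nothing for www.ads.example.test. The SAMPLE_HOSTS content is constructed; the names in it are placeholders, not real MVPS entries. The check also treats 0.0.0.0 as a block address, since some block lists use it instead of loopback, and the usual "127.0.0.1 localhost" line is left out of the sample so that every loopback entry in it is a block.

```python
"""HOSTS-file blocking model.  Added example, not from the original thread
or the MVPS project.  SAMPLE_HOSTS is constructed for this example."""
from __future__ import annotations

BLOCK_ADDRESSES = {"127.0.0.1", "0.0.0.0"}

# Constructed sample in HOSTS format: an address, then one or more names,
# "#" starts a comment.  192.0.2.10 is from the documentation range.
SAMPLE_HOSTS = """\
# Constructed sample, not the real MVPS HOSTS file
127.0.0.1  ads.example.test  tracker.example.test   # two names on one line
   127.0.0.1\tmalware-cdn.example.test
0.0.0.0    sinkholed.example.test
# 127.0.0.1  commented-out.example.test
192.0.2.10  pinned.example.test
"""


def parse_hosts(text: str) -> dict[str, str]:
    """Return {hostname: address} for every active entry.

    Names are lower-cased (DNS names are case-insensitive) and a trailing
    dot is dropped.  The first entry for a name wins in this model."""
    table: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        fields = line.split()                  # any run of spaces/tabs
        if len(fields) < 2:
            continue                           # malformed line, ignore it
        address, names = fields[0], fields[1:]
        for name in names:
            table.setdefault(name.lower().rstrip("."), address)
    return table


def resolve(table: dict[str, str], hostname: str) -> str | None:
    """Address the HOSTS file gives for this exact name, or None."""
    return table.get(hostname.lower().rstrip("."))


def is_blocked(table: dict[str, str], hostname: str) -> bool:
    """True when the name is pinned to loopback or 0.0.0.0."""
    return resolve(table, hostname) in BLOCK_ADDRESSES


def uncovered(table: dict[str, str], hostnames: list[str]) -> list[str]:
    """Names the HOSTS file does not mention at all; these go to real DNS."""
    return [h for h in hostnames if resolve(table, h) is None]


if __name__ == "__main__":
    t = parse_hosts(SAMPLE_HOSTS)
    for name in ["ads.example.test", "www.ads.example.test", "TRACKER.example.test"]:
        print(f"{name:26} blocked={is_blocked(t, name)}")
```

Running it shows ads.example.test and TRACKER.example.test blocked and www.ads.example.test not blocked. The practical consequence for the advice in the post is that a HOSTS file only stops the exact names on the list, so it complements, rather than replaces, the real-time protection and browser hardening recommended alongside it.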

#14 lisafunkypants

Authentic Member, 206 posts

Posted 28 October 2009 - 08:37 AM

Hi, thanks for all your help. The comp is not running as it has in the past and I have most of the recommended sites advised already on the PC; I think I may have to go to the hardware tech guys as it's most likely I have other issues than software/spyware etc. I think I may have deleted Acrobat Reader; can you advise me where to download that from? Once again thank you for your time, it is very much appreciated. :thumbup:

#15 SweetTech

MalwareTeam Emeritus, Authentic Member, 3,368 posts

Posted 29 October 2009 - 01:04 PM

Hi, thanks for all your help. The comp is not running as it has in the past and I have most of the recommended sites advised already on the PC; I think I may have to go to the hardware tech guys as it's most likely I have other issues than software/spyware etc.

As I previously mentioned your best bet is to post a new thread in the General Hardware section of the forums. You should post there if you are still experiencing issues with your monitor going blank while playing Sims.

In regards to your computer being slow I recommend that you post a new thread in the Microsoft Windows forum. Make sure once again to provide them with a link to this thread.

===> NOTE: If you decide to post in both the General Hardware forum and the Microsoft Windows forum make sure you include a link to each of the threads, meaning in the General Hardware thread include a link to your thread that you posted in the Microsoft Windows forum and then in your thread in the Microsoft Windows forum include a link to your thread in the General Hardware forum.

I think I may have deleted Acrobat Reader; can you advise me where to download that from?

Once ALL versions of Adobe Reader have been uninstalled, visit: <<here>> and download the latest version of Adobe Reader.
OR, after uninstalling Adobe Reader, you could try installing Foxit Reader from >here<
Foxit Reader has fewer add-ons and therefore loads more quickly.

Proud Graduate of the WTT Classroom