Edited by VanDavies, 12 November 2009 - 02:24 PM.
[Resolved] Security Tool
#1
Posted 12 November 2009 - 07:48 AM
#2
Posted 13 November 2009 - 01:18 PM
Please try the following program:
Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).
Please try it in safe mode if it will not run in normal mode.
(ps...never follow a fix given to another user - every computer configuration is different)
If this program runs and you are able to now run other programs, please run DDS and GMER:
Please download DDS from either of these links
LINK 1
LINK 2
and save it to your desktop.
- Disable any script blocking protection
- Double click dds.pif to run the tool.
- When done, two DDS.txt's will open.
- Save both reports to your desktop.
Please include the contents of the following in your next reply:
DDS.txt
Attach.txt.
NEXT
Download GMER Rootkit Scanner from here or here.
- Extract the contents of the zipped file to desktop.
- Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
- If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
- In the right panel, you will see several boxes that have been checked. Uncheck the following ...
- Sections
- IAT/EAT
- Drives/Partition other than Systemdrive (typically C:\)
- Show All (don't miss this one)
- Then click the Scan button & wait for it to finish.
- Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
- Save it where you can easily find it, such as your desktop, and post it in your next reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015
#3
Posted 13 November 2009 - 01:40 PM
#4
Posted 13 November 2009 - 02:10 PM
#5
Posted 13 November 2009 - 02:22 PM
DDS (Ver_09-10-26.01) - NTFSx86 NETWORK
Run by Keymar at 20:14:15.22 on 13/11/2009
Internet Explorer: 7.0.6000.16916 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.44.1033.18.894.483 [GMT 0:00]
AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Norton Internet Security *disabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Keymar\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uSearch Page = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
uStart Page = hxxp://www.hotmail.com/
uSearch Bar = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.0\NppBho.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.0\UIBHO.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [pihekeyove] Rundll32.exe "c:\programdata\tuwezune\tuwezune.dll",s
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [69947237] c:\programdata\69947237\69947237.exe
uRun: [a0655570] rundll32.exe "c:\programdata\bebojori\bebojori.dll",b
uRun: [yomutujav] Rundll32.exe "c:\progra~2\jojejure\jojejure.dll",a
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TOSHIBA Volume Indicator] "c:\program files\toshiba\utilities\VolControl.exe"
mRun: [NDSTray.exe] NDSTray.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
mRun: [topi] c:\program files\toshiba\toshiba online product information\topi.exe -startup
mRun: [Toshiba Registration] c:\program files\toshiba\registration\ToshibaRegistration.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {C08CAF1D-C0A3-40D5-9970-06D067EAC017} - http://www.webtip.ch...acker_url.pl?EN
IE: {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - c:\microgaming\poker\ladbrokesmpp\MPPoker.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: {64269981-636F-4FAD-B04A-F32E57C2C26A} = 212.74.112.66,212.74.112.67
================= FIREFOX ===================
FF - ProfilePath - c:\users\keymar\appdata\roaming\mozilla\firefox\profiles\7orh28pe.default\
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlc\npvlc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
============= SERVICES / DRIVERS ===============
S1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\idsdefs\20071212.002\IDSvix86.sys [2007-12-12 180272]
S3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2006-10-24 37008]
=============== Created Last 30 ================
2009-11-13 17:38:23 0 d-----w- c:\programdata\yibuleko
2009-11-13 17:38:23 0 d-----w- c:\programdata\jojejure
2009-11-12 13:18:57 0 d-----w- c:\programdata\zedokupa
2009-11-12 13:18:57 0 d-----w- c:\programdata\yowajaka
2009-11-11 18:30:40 0 d-----w- c:\programdata\69947237
2009-11-11 18:30:30 0 d-----w- c:\programdata\zuhoboku
2009-11-11 18:30:30 0 d-----w- c:\programdata\metuyuli
2009-11-11 18:30:30 0 d-----w- c:\programdata\jehiyile
2009-11-11 18:30:30 0 d-----w- c:\programdata\bebojori
2009-11-10 22:52:10 2031104 ----a-w- c:\windows\system32\win32k.sys
2009-11-10 22:51:53 321536 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-10 12:24:09 1383424 ----a-w- c:\windows\system32\mshtml.tlb
2009-11-10 12:15:45 311296 ----a-w- c:\windows\system32\unregmp2.exe
2009-11-10 12:15:41 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-11-10 12:15:40 4096 ----a-w- c:\windows\system32\msdxm.ocx
2009-11-10 12:15:40 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-11-10 12:15:34 8147968 ----a-w- c:\windows\system32\wmploc.DLL
2009-11-09 10:23:25 0 d-----w- c:\programdata\pojevejo
2009-10-31 01:09:43 0 d-----w- c:\programdata\gehazoze
2009-10-29 18:45:05 0 d-----w- c:\programdata\dakabedu
2009-10-28 17:01:21 0 d-----w- c:\programdata\holusiti
2009-10-27 22:56:05 0 d-----w- c:\programdata\figimeje
2009-10-24 12:51:32 0 d-----w- c:\programdata\wonutego
2009-10-24 12:51:32 0 d-----w- c:\programdata\hawupula
2009-10-22 15:18:23 12 ----a-w- c:\windows\bthservsdp.dat
2009-10-18 13:12:52 0 d-----w- c:\programdata\wufajeda
2009-10-18 13:12:52 0 d-----w- c:\programdata\sakiweto
2009-10-17 15:43:16 216576 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-17 15:43:01 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-17 15:43:01 389120 ----a-w- c:\windows\system32\html.iec
2009-10-17 15:38:37 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-10-17 15:38:28 130048 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-17 15:35:37 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2009-10-17 15:20:35 0 d-----w- c:\programdata\kepuzuli
2009-10-17 15:20:35 0 d-----w- c:\programdata\jahasuri
==================== Find3M ====================
2009-08-29 03:41:42 1686528 ----a-w- c:\windows\system32\gameux.dll
2009-08-29 03:40:31 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-28 23:31:54 4247552 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-27 13:57:38 56320 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 13:57:36 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-27 13:56:05 72704 ----a-w- c:\windows\system32\admparse.dll
2009-08-27 11:24:10 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-27 09:51:45 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-08-17 22:33:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-06-22 12:18:59 51200 ----a-w- c:\windows\inf\infpub.dat
2009-06-22 12:18:58 86016 ----a-w- c:\windows\inf\infstrng.dat
2009-06-22 12:18:29 86016 ----a-w- c:\windows\inf\infstor.dat
2008-12-13 03:24:54 174 --sha-w- c:\program files\desktop.ini
2008-06-12 07:25:56 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2008-10-12 01:00:18 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-10-12 01:00:18 32768 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-10-12 01:00:18 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
============= FINISH: 20:16:06.62 ===============
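The report above is the kind of evidence a helper reads before answering "good enough for me to get a diagnosis": several uRun entries launch payloads from c:\programdata (some through rundll32), the file in each case shares its name with its parent directory, the value names look machine-generated, and three of those directories (bebojori, jojejure, 69947237) also appear in the "Created Last 30" section. The script below is an added example, not part of this thread or of the DDS tool: it parses DDS-style uRun:/mRun: and "Created Last 30" lines, scores each autorun with those heuristics and cross-references the flagged payload directories against recently created ones. The weights and the threshold of 2 are this example's own choices, and it assumes that the progra~2 short name DDS prints stands for ProgramData on this Vista system.

```python
"""Triage autorun entries from a DDS-style 'Pseudo HJT Report'.

Added example (not part of the forum thread or of the DDS tool). It reads the
uRun:/mRun: lines and the 'Created Last 30' lines that DDS prints, scores each
autorun with a few defender heuristics and cross-references the flagged
payload directories against directories created in the last 30 days.
The heuristics, weights and threshold are assumptions of this example.
"""
import re
from pathlib import PureWindowsPath

# Sample input constructed from the report posted above (abridged).
SAMPLE_LOG = r"""
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [pihekeyove] Rundll32.exe "c:\programdata\tuwezune\tuwezune.dll",s
uRun: [69947237] c:\programdata\69947237\69947237.exe
uRun: [a0655570] rundll32.exe "c:\programdata\bebojori\bebojori.dll",b
uRun: [yomutujav] Rundll32.exe "c:\progra~2\jojejure\jojejure.dll",a
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
=============== Created Last 30 ================
2009-11-13 17:38:23 0 d-----w- c:\programdata\jojejure
2009-11-11 18:30:40 0 d-----w- c:\programdata\69947237
2009-11-11 18:30:30 0 d-----w- c:\programdata\bebojori
2009-11-10 22:52:10 2031104 ----a-w- c:\windows\system32\win32k.sys
"""

RUN_RE = re.compile(r'^([um]Run):\s*\[([^\]]+)\]\s*(.*)$')
CREATED_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s+(\S+)\s+(.+)$')
# Value names made of 8+ lowercase letters or 8 hex digits, as seen in the report.
RANDOM_NAME_RE = re.compile(r'^(?:[a-z]{8,}|[0-9a-f]{8})$')


def normalize(path):
    """Lowercase a path and expand the 8.3 short name DDS shows for
    ProgramData on this Vista system (assumption: progra~2 == programdata)."""
    return path.lower().replace('\\progra~2\\', '\\programdata\\')


def first_path(command):
    """Split the leading file path off a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):                  # quoted path
        end = command.find('"', 1)
        return command[1:end], command[end + 1:]
    # Unquoted paths may contain spaces, so stop at the first extension.
    m = re.match(r'(.*?\.(?:exe|dll|com|scr|ocx))(?=[\s,]|$)', command, re.I)
    if m:
        return m.group(1), command[m.end():]
    head, _, tail = command.partition(' ')
    return head, tail


def payload_of(command):
    """Return (path that actually executes, loaded_via_rundll32)."""
    launcher, rest = first_path(command)
    if PureWindowsPath(launcher).name.lower() in ('rundll32.exe', 'rundll32'):
        return first_path(rest)[0], True
    return launcher, False


def assess(name, command):
    """Score one autorun; returns (payload, score, reasons)."""
    payload, via_rundll32 = payload_of(command)
    p = PureWindowsPath(payload)
    checks = [
        ('\\programdata\\' in normalize(payload), 2, 'payload lives under ProgramData'),
        (via_rundll32 and len(p.parts) > 1 and '\\windows\\' not in payload.lower(), 1,
         'DLL loaded via rundll32 from outside the Windows directory'),
        (bool(p.parent.name) and p.stem.lower() == p.parent.name.lower(), 1,
         'directory and file share one name'),
        (bool(RANDOM_NAME_RE.match(name)), 1, 'value name looks machine-generated'),
    ]
    score = sum(weight for hit, weight, _ in checks if hit)
    reasons = [text for hit, _, text in checks if hit]
    return payload, score, reasons


def recent_directories(lines):
    """Directories listed in the 'Created Last 30' section, normalised."""
    dirs = set()
    for line in lines:
        m = CREATED_RE.match(line)
        if m and m.group(1).startswith('d'):
            dirs.add(normalize(m.group(2)))
    return dirs


def triage(report_text, threshold=2):
    """Map each autorun scoring >= threshold to its evidence."""
    lines = report_text.splitlines()
    created = recent_directories(lines)
    findings = {}
    for line in lines:
        m = RUN_RE.match(line)
        if not m:
            continue
        hive, name, command = m.groups()
        payload, score, reasons = assess(name, command)
        if score >= threshold:
            parent = normalize(str(PureWindowsPath(payload).parent))
            findings[name] = {'hive': hive, 'payload': payload, 'score': score,
                              'reasons': reasons, 'recently_created': parent in created}
    return findings


if __name__ == '__main__':
    for name, f in triage(SAMPLE_LOG).items():
        flag = ' (directory created in the last 30 days)' if f['recently_created'] else ''
        print(f"[{name}] {f['payload']} score={f['score']}{flag}")
        for reason in f['reasons']:
            print('   -', reason)
```

Run against the sample, the four ProgramData autoruns score 4 or 5 while the vendor entries score at most 1 (Steam picks up the shared-name point alone), and three of the four flagged directories are confirmed as created within the last 30 days; tuwezune is not, which is itself useful context when deciding what to clean. The scoring is deliberately additive so that a single weak signal never flags an entry on its own.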
#6
Posted 13 November 2009 - 02:24 PM
#7
Posted 13 November 2009 - 02:38 PM
GMER 1.0.15.15220 - http://www.gmer.net
Rootkit scan 2009-11-13 20:35:17
Windows 6.0.6000
Running: gmer.exe; Driver: C:\Users\Keymar\AppData\Local\Temp\kxliafoc.sys
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000a3a62aa5d
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000a3a62aa5d (not active ControlSet)
---- EOF - GMER 1.0.15 ----
#8
Posted 13 November 2009 - 02:50 PM
#9
Posted 13 November 2009 - 03:08 PM
Good enough for me to get a diagnosis:
Please do the following:
(Run this in normal mode - only run it in safe mode if it will not run in normal mode.)
Download Combofix from either of the links below, and save it to your desktop.
Link 1
Link 2
**Note: It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
--------------------------------------------------------------------
Double click on ComboFix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the C:\ComboFix.txt for further review.
#10
Posted 13 November 2009 - 03:35 PM
#11
Posted 13 November 2009 - 03:48 PM
I downloaded ComboFix to my desktop and ran it anyway and it has come up with a blue screen saying:
The system cannot find message text for message number 0x8 in the message file for System.
Please wait.
ComboFix is preparing to run.
Access Denied. Administrator permissions are needed to use the selected options.
Use an administrator command prompt to complete these tasks.
The system cannot find message text for message number 0x8 in the message file for System.
Please note that I could not highlight/ copy the above and have instead typed it out.
#12
Posted 13 November 2009 - 04:00 PM
#13
Posted 13 November 2009 - 04:36 PM
Please do the following:
Note: for Vista, you need to right click the icons and choose to run as administrator
Download Inherit and save it to your desktop
Drag each of the exe files that you are unable to run into Inherit.exe (must be the exe - not the shortcut)
Then wait for it to say "OK"
If that doesn't help, delete the copy of ComboFix from your desktop.
Download a fresh copy from one of the previous links provided.
Rename it to combo.com before saving it. Save as file type - "All Files"
Run it in safe mode if it will not run in normal mode.
#14
Posted 13 November 2009 - 04:54 PM
#15
Posted 13 November 2009 - 04:56 PM