[Resolved] Security Tool


  • This topic is locked
57 replies to this topic

#1 VanDavies

VanDavies

    Authentic Member

  • Authentic Member
  • 36 posts

Posted 12 November 2009 - 07:48 AM

Hi I noticed that you are helping TC, I am having a very similar problem; the only differences seemingly being that I am running on Vista, and my desktop is constantly black instead of blue. I've followed your steps up to where you told TC to go to the file and move it to desktop- unfortunately, I can't locate the file on mine. Also, after about 20 minutes of my laptop being on, the screen all goes blue saying there is a problem then computer shuts itself off.

Just to confirm:
No .exe files are able to run- Security Tool stops them
I've downloaded the 6 files you told TC to download- none of them worked

Please can you help me?

EDIT (20:23PM 12/11/09): I'm really resisting the urge to bump this topic, if anyone else could possibly help me, I'd be extremely grateful. Thanks in advance.

Edited by VanDavies, 12 November 2009 - 02:24 PM.


#2 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 13 November 2009 - 01:18 PM

Hi,

Please try the following program:

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


Please try it in safe mode if it will not run in normal mode


(ps...never follow a fix given to another user - every computer configuration is different)


If this program runs and you are able to now run other programs,

please run DDS and GMER:

Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.pif to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.

NEXT


Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in your next reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#3 VanDavies

VanDavies

    Authentic Member

  • Authentic Member
  • 36 posts

Posted 13 November 2009 - 01:40 PM

OK about to restart in Safe Mode- thank you for getting back to me and also thank you for the heads up about not following advice given to other people :) I'll post back in a minute after I've started in safe mode.

#4 VanDavies

VanDavies

    Authentic Member

  • Authentic Member
  • 36 posts

Posted 13 November 2009 - 02:10 PM

OK I'm still in safe mode- I ran exehelper fine. This is from "exehelperlog" saved on my desktop:

exeHelper by Raktor
exeHelper by Raktor
Build 20091021
Run at 20:06:26 on 11/13/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Deleting file C:\Users\Keymar\Desktop\Security Tool.lnk
Deleting file C:\Users\Keymar\Start Menu\Programs\Security Tool.lnk
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

#5 VanDavies

VanDavies

    Authentic Member

  • Authentic Member
  • 36 posts

Posted 13 November 2009 - 02:22 PM

Ok, here is DDS:


DDS (Ver_09-10-26.01) - NTFSx86 NETWORK
Run by Keymar at 20:14:15.22 on 13/11/2009
Internet Explorer: 7.0.6000.16916 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.44.1033.18.894.483 [GMT 0:00]

AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Norton Internet Security *disabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Keymar\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
uStart Page = hxxp://www.hotmail.com/
uSearch Bar = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.0\NppBho.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.0\UIBHO.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [pihekeyove] Rundll32.exe "c:\programdata\tuwezune\tuwezune.dll",s
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [69947237] c:\programdata\69947237\69947237.exe
uRun: [a0655570] rundll32.exe "c:\programdata\bebojori\bebojori.dll",b
uRun: [yomutujav] Rundll32.exe "c:\progra~2\jojejure\jojejure.dll",a
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TOSHIBA Volume Indicator] "c:\program files\toshiba\utilities\VolControl.exe"
mRun: [NDSTray.exe] NDSTray.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
mRun: [topi] c:\program files\toshiba\toshiba online product information\topi.exe -startup
mRun: [Toshiba Registration] c:\program files\toshiba\registration\ToshibaRegistration.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {C08CAF1D-C0A3-40D5-9970-06D067EAC017} - http://www.webtip.ch...acker_url.pl?EN
IE: {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - c:\microgaming\poker\ladbrokesmpp\MPPoker.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: {64269981-636F-4FAD-B04A-F32E57C2C26A} = 212.74.112.66,212.74.112.67

================= FIREFOX ===================

FF - ProfilePath - c:\users\keymar\appdata\roaming\mozilla\firefox\profiles\7orh28pe.default\
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlc\npvlc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

S1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\idsdefs\20071212.002\IDSvix86.sys [2007-12-12 180272]
S3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2006-10-24 37008]

=============== Created Last 30 ================

2009-11-13 17:38:23 0 d-----w- c:\programdata\yibuleko
2009-11-13 17:38:23 0 d-----w- c:\programdata\jojejure
2009-11-12 13:18:57 0 d-----w- c:\programdata\zedokupa
2009-11-12 13:18:57 0 d-----w- c:\programdata\yowajaka
2009-11-11 18:30:40 0 d-----w- c:\programdata\69947237
2009-11-11 18:30:30 0 d-----w- c:\programdata\zuhoboku
2009-11-11 18:30:30 0 d-----w- c:\programdata\metuyuli
2009-11-11 18:30:30 0 d-----w- c:\programdata\jehiyile
2009-11-11 18:30:30 0 d-----w- c:\programdata\bebojori
2009-11-10 22:52:10 2031104 ----a-w- c:\windows\system32\win32k.sys
2009-11-10 22:51:53 321536 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-10 12:24:09 1383424 ----a-w- c:\windows\system32\mshtml.tlb
2009-11-10 12:15:45 311296 ----a-w- c:\windows\system32\unregmp2.exe
2009-11-10 12:15:41 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-11-10 12:15:40 4096 ----a-w- c:\windows\system32\msdxm.ocx
2009-11-10 12:15:40 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-11-10 12:15:34 8147968 ----a-w- c:\windows\system32\wmploc.DLL
2009-11-09 10:23:25 0 d-----w- c:\programdata\pojevejo
2009-10-31 01:09:43 0 d-----w- c:\programdata\gehazoze
2009-10-29 18:45:05 0 d-----w- c:\programdata\dakabedu
2009-10-28 17:01:21 0 d-----w- c:\programdata\holusiti
2009-10-27 22:56:05 0 d-----w- c:\programdata\figimeje
2009-10-24 12:51:32 0 d-----w- c:\programdata\wonutego
2009-10-24 12:51:32 0 d-----w- c:\programdata\hawupula
2009-10-22 15:18:23 12 ----a-w- c:\windows\bthservsdp.dat
2009-10-18 13:12:52 0 d-----w- c:\programdata\wufajeda
2009-10-18 13:12:52 0 d-----w- c:\programdata\sakiweto
2009-10-17 15:43:16 216576 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-17 15:43:01 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-17 15:43:01 389120 ----a-w- c:\windows\system32\html.iec
2009-10-17 15:38:37 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-10-17 15:38:28 130048 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-17 15:35:37 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2009-10-17 15:20:35 0 d-----w- c:\programdata\kepuzuli
2009-10-17 15:20:35 0 d-----w- c:\programdata\jahasuri

==================== Find3M ====================

2009-08-29 03:41:42 1686528 ----a-w- c:\windows\system32\gameux.dll
2009-08-29 03:40:31 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-28 23:31:54 4247552 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-27 13:57:38 56320 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 13:57:36 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-27 13:56:05 72704 ----a-w- c:\windows\system32\admparse.dll
2009-08-27 11:24:10 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-27 09:51:45 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-08-17 22:33:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-06-22 12:18:59 51200 ----a-w- c:\windows\inf\infpub.dat
2009-06-22 12:18:58 86016 ----a-w- c:\windows\inf\infstrng.dat
2009-06-22 12:18:29 86016 ----a-w- c:\windows\inf\infstor.dat
2008-12-13 03:24:54 174 --sha-w- c:\program files\desktop.ini
2008-06-12 07:25:56 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2008-10-12 01:00:18 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-10-12 01:00:18 32768 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-10-12 01:00:18 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 20:16:06.62 ===============
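As an added illustration (my own code, not a What the Tech tool and not part of VanDavies' post), the following Python script applies the kind of cross-check a helper does when reading a DDS log like the one above: it pairs each Run-key entry in the Pseudo HJT Report with the Created Last 30 section and flags autoruns whose target sits in a freshly created c:\programdata folder with a random-looking eight-character name. The sample input is constructed from a few lines of the posted log, and the random-name heuristic is my assumption rather than anything DDS itself reports.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a handful of lines modelled on the DDS log posted above.
SAMPLE_DDS = r"""============== Pseudo HJT Report ===============
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [pihekeyove] Rundll32.exe "c:\programdata\tuwezune\tuwezune.dll",s
uRun: [69947237] c:\programdata\69947237\69947237.exe
uRun: [a0655570] rundll32.exe "c:\programdata\bebojori\bebojori.dll",b
uRun: [yomutujav] Rundll32.exe "c:\progra~2\jojejure\jojejure.dll",a
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
=============== Created Last 30 ================
2009-11-13 17:38:23 0 d-----w- c:\programdata\jojejure
2009-11-11 18:30:40 0 d-----w- c:\programdata\69947237
2009-11-11 18:30:30 0 d-----w- c:\programdata\bebojori
2009-11-10 22:52:10 2031104 ----a-w- c:\windows\system32\win32k.sys
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
RUN_RE = re.compile(r"^([um])Run: \[([^\]]*)\] (.*)$")
# First drive-letter path in the command, up to a common executable extension.
PATH_RE = re.compile(r'"?([a-z]:\\.+?\.(?:exe|dll|com|scr|bat|cmd))\b', re.IGNORECASE)
CREATED_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \d+ (\S+) (.+)$")
# Heuristic (my assumption, not a DDS rule): the dropper in this thread used
# eight lowercase letters or eight digits for its c:\programdata folders.
RANDOM_NAME_RE = re.compile(r"^(?:[a-z]{8}|\d{8})$")


@dataclass
class Finding:
    hive: str           # "u" = per-user Run key, "m" = machine Run key
    name: str           # value name shown in [brackets]
    target: str | None  # first path found in the command, if any
    recent_dir: bool    # parent folder appears in "Created Last 30"
    random_name: bool   # parent folder name matches RANDOM_NAME_RE

    @property
    def severity(self) -> str:
        if self.recent_dir and self.random_name:
            return "high"
        if self.recent_dir or self.random_name:
            return "review"
        return "info"


def split_sections(text: str) -> dict[str, list[str]]:
    """Group non-blank log lines under the '=== title ===' banner above them."""
    sections: dict[str, list[str]] = {}
    current = "header"
    for raw in text.splitlines():
        line = raw.strip()
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections.setdefault(current, [])
        elif line:
            sections.setdefault(current, []).append(line)
    return sections


def recent_programdata_dirs(lines: list[str]) -> set[str]:
    """Leaf names of directories created under c:\\programdata in the last 30 days."""
    leafs: set[str] = set()
    for line in lines:
        m = CREATED_RE.match(line)
        if m and m.group(1).startswith("d"):
            path = m.group(2).lower()
            if path.startswith("c:\\programdata\\"):
                leafs.add(path.rsplit("\\", 1)[-1])
    return leafs


def parent_leaf(path: str) -> str:
    """Folder holding the file; leaf-name matching tolerates 8.3 paths like c:\\progra~2."""
    parts = path.lower().split("\\")
    return parts[-2] if len(parts) >= 2 else ""


def triage(text: str) -> dict[str, Finding]:
    """Map each Run-key value name to a Finding carrying its review severity."""
    sections = split_sections(text)
    recent = recent_programdata_dirs(sections.get("Created Last 30", []))
    findings: dict[str, Finding] = {}
    for line in sections.get("Pseudo HJT Report", []):
        m = RUN_RE.match(line)
        if not m:
            continue
        hive, name, command = m.groups()
        pm = PATH_RE.search(command)
        target = pm.group(1) if pm else None
        leaf = parent_leaf(target) if target else ""
        findings[name] = Finding(hive, name, target, leaf in recent,
                                 bool(RANDOM_NAME_RE.match(leaf)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS).values():
        print(f"{f.severity:6} {f.hive}Run [{f.name}] -> {f.target}")
```

On this sample the three entries pointing into c:\programdata\69947237, bebojori and jojejure come out as high (recently created folder plus random name), tuwezune as review (random name only), and the Sidebar and Java entries as info.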

#6 VanDavies

VanDavies

    Authentic Member

  • Authentic Member
  • 36 posts

Posted 13 November 2009 - 02:24 PM

And this Attach:



#7 VanDavies

VanDavies

    Authentic Member

  • Authentic Member
  • 36 posts

Posted 13 November 2009 - 02:38 PM

And this is the gmer:

GMER 1.0.15.15220 - http://www.gmer.net
Rootkit scan 2009-11-13 20:35:17
Windows 6.0.6000
Running: gmer.exe; Driver: C:\Users\Keymar\AppData\Local\Temp\kxliafoc.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000a3a62aa5d
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000a3a62aa5d (not active ControlSet)

---- EOF - GMER 1.0.15 ----

#8 VanDavies

VanDavies

    Authentic Member

  • Authentic Member
  • 36 posts

Posted 13 November 2009 - 02:50 PM

By the way, all of the above was done in "safe mode with network support"- should I have done it in normal mode?

#9 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 13 November 2009 - 03:08 PM

Hi,

Good enough for me to get a diagnosis:

Please do the following:

(run this in Normal mode- only run it in safe mode if it will not run in normal mode:)



Download Combofix from either of the links below, and save it to your desktop.
Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.



#10 VanDavies

VanDavies

    Authentic Member

  • Authentic Member
  • 36 posts

Posted 13 November 2009 - 03:35 PM

OK, Mozilla and Internet Explorer won't run in normal mode- it said "waiting" so might have run in the end but I left it for about 5 minutes. I'll do what you requested in Safe Mode with Network.


#11 VanDavies

VanDavies

    Authentic Member

  • Authentic Member
  • 36 posts

Posted 13 November 2009 - 03:48 PM

OK, I'm not sure how to disable my anti-virus and anti-spyware while in Safe Mode.

I downloaded ComboFix to my desktop and ran it anyway and it has come up with a blue screen saying:

The system cannot find message text for message number 0x8 in the message file for System.

Please wait.
ComboFix is preparing to run.
Access Denied. Administrator permissions are needed to use the selected options.
Use an administrator command prompt to complete these tasks.
The system cannot find message text for message number 0x8 in the message file for System.



Please note that I could not highlight/ copy the above and have instead typed it out.

#12 VanDavies

VanDavies

    Authentic Member

  • Authentic Member
  • 36 posts

Posted 13 November 2009 - 04:00 PM

I've managed to get Mozilla working in normal mode, tried running ComboFix but Security Tool keeps on blocking it (it is still blocking .exe files).

#13 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 13 November 2009 - 04:36 PM

Hi,

Please do the following:

Note: for Vista, you need to right click the icons and choose to run as administrator

Download Inherit and save it to your desk top
Drag each of the exe files that you are unable to run into Inherit.exe (must be the exe - not the shortcut)
Then wait for it to say "OK"


If that doesn't help, delete the copy of ComboFix from your desktop.

Download a fresh copy from one of the previous links provided.

Rename it to combo.com before saving it. Save as file type - "All Files"


Run it in safe mode if it will not run in normal mode.



#14 VanDavies

VanDavies

    Authentic Member

  • Authentic Member
  • 36 posts

Posted 13 November 2009 - 04:54 PM

Thanks again for the response. Tried all of the above in safe mode, it came up with the same message when I try to run ComboFix as it did before:

The system cannot find message text for message number 0x8 in the message file for System.

Please wait.
ComboFix is preparing to run.
Access Denied. Administrator permissions are needed to use the selected options.
Use an administrator command prompt to complete these tasks.
The system cannot find message text for message number 0x8 in the message file for System.

#15 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 13 November 2009 - 04:56 PM

Did you drag the combo.com into Inherit?

