[Closed] eMachines


This topic is locked
12 replies to this topic

#1 jameskris (Authentic Member, 25 posts)

Posted 16 November 2009 - 08:25 PM

I am working on a friend's eMachines el1200-07w. Svchost.exe maxes out the CPU each time I start the computer, and when I try to kill the process it takes two or three times before I can continue. I have run Malwarebytes and have listed the log below. I know this is not much information, but it is the best I have at this time. If there are other diagnostics to run please feel free to let me know. Thanks! James

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 6.0.6001 Service Pack 1

11/15/2009 8:40:36 PM
mbam-log-2009-11-15 (20-40-36).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 241861
Time elapsed: 27 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Trevor White\AppData\Roaming\Desktopicon\eBayShortcuts.exe (Trojan.Agent) -> Quarantined and deleted successfully.



#2 Tomk (Beguilement Monitor, Classroom Admin, 20,150 posts)

Posted 20 November 2009 - 03:45 PM

Hi jameskris,

:welcome:

My name is Tomk. I would be glad to take a look at your log and help you with solving any malware problems. Logs can take a while to research, so please be patient and I'd be grateful if you would note the following:

  • I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

  • Download DDS and save it to your desktop from Here, here or here.
    • Disable any script blocking protection (How to Disable your Security Programs)
    • Double click DDS icon to run the tool (may take up to 3 minutes to run)
    • When done, DDS.txt will open.
    • After a few moments, attach.txt will open in a second window.
    • Save both reports to your desktop.
  • We Need to check for Rootkits with RootRepeal
    • Download RootRepeal from one of the following locations and save it to your desktop.
    • Open [image] on your desktop.
    • Click the [image] tab.
    • Click the [image] button.
    • In the Select Scan dialog, check [image]
    • Push Ok
    • Check the box for your main system drive (Usually C:), and press Ok.
    • Allow RootRepeal to run a scan of your system. This may take some time.
    • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt.
  • Copy/paste the log (that you've previously saved to your desktop) from RootRepeal onto your post.

  • Copy/paste the DDS.txt log (that you've previously saved to your desktop) onto your post.

  • Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.

Tomk
------------------------------------------------------------
Topics are closed after 5 days without response


#3 jameskris (Authentic Member, 25 posts)

Posted 25 November 2009 - 05:44 AM

Hello Tom. I appreciate your help. The DDS report is below:

DDS (Ver_09-06-26.01) - NTFSx86
Run by Trevor White at 20:18:41.88 on Tue 11/24/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.1790.885 [GMT -6:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\agrsmsvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\taskeng.exe
C:\Users\Trevor White\Desktop\dds.scr
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=1&o=vb32&d=1007&m=el1200-07w
mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=1&o=vb32&d=1007&m=el1200-07w
mDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=1&o=vb32&d=1007&m=el1200-07w
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.6\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton 360\osCheck.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [eRecoveryService]
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
StartupFolder: c:\users\trevor~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: playrequiem.com\www
Trusted Zone: pornhub.com\www

============= SERVICES / DRIVERS ===============

R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\ipsdefs\20090427.001\IDSvix86.sys [2009-4-29 272432]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-11 23888]
S3 DX4323;Dynex Wireless N USB Adapter Driver;c:\windows\system32\drivers\DX4323.sys [2009-10-27 483200]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-21 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-21 8320]
S3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2009-2-19 41008]
S3 WUSB54GSCv2.NTx86;Compact Wireless-G USB Network Adapter with SpeedBooster Service;c:\windows\system32\drivers\WUSB54GSCV2_X86.sys [2009-10-31 238072]
S4 ETService;Empowering Technology Service;c:\program files\emachines\emachines recovery management\service\ETService.exe [2007-10-10 24576]
S4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-17 149352]
S4 WOW;WOW;"c:\program files\mysql\mysql server 5.0\bin\mysqld-nt" --defaults-file="c:\program files\mysql\mysql server 5.0\my.ini" wow --> c:\program files\mysql\mysql server 5.0\bin\mysqld-nt [?]

=============== Created Last 30 ================

2009-11-09 21:47 <DIR> --d----- c:\users\trevor~1\appdata\roaming\Malwarebytes
2009-11-09 21:47 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-11-09 21:47 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-09 21:47 <DIR> --d----- c:\programdata\Malwarebytes
2009-11-09 21:47 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-11-09 21:47 <DIR> --d----- c:\progra~2\Malwarebytes
2009-11-09 21:21 <DIR> --d----- c:\windows\pss
2009-10-31 10:42 216,160,706 a------- c:\windows\MEMORY.DMP
2009-10-31 10:33 238,072 a------- c:\windows\system32\drivers\WUSB54GSCV2_X86.sys
2009-10-31 10:33 238,072 a------- c:\windows\system32\drivers\SET9D47.tmp
2009-10-29 15:00 1,122,664 a------- c:\windows\system32\WdfCoInstaller01007.dll
2009-10-29 15:00 87,328 a------- c:\windows\system32\bcmwlcoi.dll
2009-10-29 15:00 3,522,560 a------- c:\windows\system32\bcmihvsrv.dll
2009-10-29 15:00 3,182,592 a------- c:\windows\system32\bcmihvui.dll
2009-10-27 21:56 483,200 a------- c:\windows\system32\drivers\DX4323.sys
2009-10-27 21:02 <DIR> --d----- c:\program files\common files\Steam
2009-10-27 21:02 <DIR> --d----- c:\program files\Steam

==================== Find3M ====================

2009-11-09 21:07 119,296 a------- c:\windows\system32\zlib.dll
2009-10-31 10:34 86,016 a------- c:\windows\inf\infstor.dat
2009-10-31 10:34 51,200 a------- c:\windows\inf\infpub.dat
2009-10-31 10:34 86,016 a------- c:\windows\inf\infstrng.dat
2009-03-18 21:55 63,488 a------- c:\users\trevor white\xobglu16.dll
2009-03-18 21:55 34,768 a------- c:\users\trevor white\xobglu32.dll
2009-03-01 07:59 0 a------- c:\users\trevor~1\appdata\roaming\wklnhst.dat
2008-10-28 14:43 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-20 20:57 174 a--sh--- c:\program files\desktop.ini
2006-11-02 06:39 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 06:39 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 06:39 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 06:39 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 03:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 03:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 03:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 03:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 20:19:43.95 ===============

I have attached the attach log. I have tried to run RootRepeal several times, but it locks the computer up every time I run it. It does not matter if it is in safe mode or normal mode, it locks up. Thanks! James

Attached Files



#4 Tomk (Beguilement Monitor, Classroom Admin, 20,150 posts)

Posted 25 November 2009 - 11:50 AM

jameskris,

Please download gmer.zip from Gmer and save it to your desktop.

  • Right click on gmer.zip and select Extract All....
  • Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  • Click on the Browse button. Click on Desktop. Then click OK.
  • Click Next. It will start extracting.
  • Once done, check (tick) the Show extracted files box and click Finish.
  • Double click on gmer.exe to run it.
  • Select the Rootkit tab.
  • On the right hand side, check all the items to be scanned, but leave Show All box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click on the Scan button.
  • When the scan is finished, click Copy to save the scan log to the Windows clipboard.
  • Open Notepad or a similar text editor.
  • Paste the clipboard contents into the text editor.
  • Save the Gmer scan log and post it in your next reply.

Note: Do not run any programs while Gmer is running.

Tomk


#5 jameskris (Authentic Member, 25 posts)

Posted 29 November 2009 - 10:12 PM

Got the gmer scan run. The log is below. Thanks!
James

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-29 22:11:03
Windows 6.0.6001 Service Pack 1
Running: gmer.exe; Driver: C:\Users\TREVOR~1\AppData\Local\Temp\kxdorpow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

#6 Tomk (Beguilement Monitor, Classroom Admin, 20,150 posts)

Posted 29 November 2009 - 10:50 PM

jameskris,

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link --> http://forums.whatth...ams_t96260.html

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


[screenshot]



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Tomk


#7 jameskris (Authentic Member, 25 posts)

Posted 30 November 2009 - 09:15 PM

Ok. The combofix.txt is attached.

Attached Files



#8 Tomk (Beguilement Monitor, Classroom Admin, 20,150 posts)

Posted 30 November 2009 - 09:29 PM

jameskris, Please don't attach unless I specifically ask you to. It's easier for me when you post it and I'm lazy. :P Was there some reason you ran ComboFix in safe mode? Would it not run in normal mode? Is there a good reason that these are in the trusted zone? Trusted Zone: playrequiem.com\www Trusted Zone: pornhub.com\www

Tomk


#9 jameskris (Authentic Member, 25 posts)

Posted 01 December 2009 - 05:26 AM

Sorry about that TomK. I will remember to put the logs in the message next time. :thumbup: I have had to run all of the scans in safe mode. It doesn't matter how I kill services.exe it always comes back and fouls things up. I let combofix run for 5 hours yesterday in normal mode and it did not scan at all. As for the trusted websites I don't believe there is any reason besides this is my friends teenage son's computer. LOL. Nuff said there.

#10 Tomk (Beguilement Monitor, Classroom Admin, 20,150 posts)

Posted 01 December 2009 - 10:27 AM

jameskris,

You might want to print out the first part so you have the information in hand.

Click Start menu, and then click the Run icon.
In the small box that Opens, type the three letters: cmd then click the OK button.
In the command prompt window that just opened (a black background and white text), type the following commands, pressing the ENTER key on your keyboard after each line:
net stop cryptsvc
ren %systemroot%\system32\catroot2 oldcatroot2
net start cryptsvc
exit


Then please try this in normal mode:

COMBOFIX-Script

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "GrpConv"="grpconv.exe -o"
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\http://www.playrequiem.com]
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\http://www.pornhub.com]
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    [screenshot]
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Tomk

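The questions Tomk raises in #8 and scripts in #10 (the two Trusted Zone entries), together with the EnableLUA = 0 line visible in the DDS log of #3, as an added Python example that is not part of this thread, of DDS or of ComboFix: a small triage pass over DDS "Pseudo HJT Report" and "SERVICES / DRIVERS" lines that flags what a helper would ask about before scripting a fix, and emits the matching CFScript deletions in the Registry:: / [-key] syntax Tomk uses. The sample lines are copied from the posted DDS log; the ZoneMap registry path, the one-subkey-per-domain layout, and the Finding tag names are assumptions of this example.

```python
"""Triage the "Pseudo HJT Report" and "SERVICES / DRIVERS" lines of a DDS log.

Added example for this thread, not code from DDS, ComboFix or the posts above.
"""
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the DDS log in post #3.
SAMPLE_DDS = r"""
uStart Page = hxxp://www.yahoo.com/
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [eRecoveryService]
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
Trusted Zone: playrequiem.com\www
Trusted Zone: pornhub.com\www
R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\ipsdefs\20090427.001\IDSvix86.sys [2009-4-29 272432]
S4 WOW;WOW;"c:\program files\mysql\mysql server 5.0\bin\mysqld-nt" --defaults-file="c:\program files\mysql\mysql server 5.0\my.ini" wow --> c:\program files\mysql\mysql server 5.0\bin\mysqld-nt [?]
"""

# Per-user IE zone assignments live under this key (assumption for this example,
# not something the thread states).
ZONEMAP_DOMAINS = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
                   r"\Internet Settings\ZoneMap\Domains")

TRUSTED = re.compile(r"^Trusted Zone:\s*(?P<domain>[^\\\s]+)(?:\\(?P<host>\S+))?$")
POLICY = re.compile(r"^mPolicies-system:\s*(?P<name>\w+)\s*=\s*(?P<value>\d+)")
RUN = re.compile(r"^[um]Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<command>.*)$")
SERVICE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")


@dataclass(frozen=True)
class Finding:
    kind: str      # short tag a helper can filter on (names chosen for this example)
    detail: str    # domain, policy value name or service name
    line: str      # the DDS line that produced the finding


def triage_dds(text: str) -> list:
    """Return the findings a helper would ask about before scripting a fix."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := TRUSTED.match(line)):
            # Sites in the Trusted zone get IE's relaxed security settings;
            # each one needs either a reason or a deletion.
            findings.append(Finding("trusted_zone", m["domain"], line))
        elif (m := POLICY.match(line)):
            if m["name"] == "EnableLUA" and m["value"] == "0":
                # EnableLUA=0 turns UAC off: an admin's processes run fully elevated.
                findings.append(Finding("uac_disabled", "EnableLUA", line))
        elif (m := RUN.match(line)):
            if not m["command"].strip():
                # Run value with an empty command: an orphaned autostart,
                # usually left behind by an uninstall; harmless but worth removing.
                findings.append(Finding("empty_run_value", m["name"], line))
        elif (m := SERVICE.match(line)):
            if m["rest"].rstrip().endswith("[?]"):
                # DDS prints [?] where it could not stat the service binary, so
                # the file's date and size are unverified and need a manual look.
                findings.append(Finding("service_binary_unverified", m["name"], line))
    return findings


def cfscript_for_trusted_zone(findings) -> str:
    """Emit a ComboFix CFScript block deleting one ZoneMap subkey per Trusted Zone domain.

    Uses the Registry:: / [-key] syntax shown in post #10; one subkey per domain
    under ZoneMap\\Domains is assumed, matching the domain\\host form DDS reports.
    """
    domains = sorted({f.detail for f in findings if f.kind == "trusted_zone"})
    lines = ["Registry::"] + [f"[-{ZONEMAP_DOMAINS}\\{d}]" for d in domains]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    results = triage_dds(SAMPLE_DDS)
    for f in results:
        print(f"{f.kind:26} {f.detail:16} {f.line[:60]}")
    print(cfscript_for_trusted_zone(results))
```

Run as a script it prints the findings and the generated Registry:: block. The WOW service is reported while IDSvix86 is not, because only the WOW line ends in the [?] marker DDS uses for a binary it could not stat; the triage does not claim the service is malicious, it only tells the helper where to look.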

#11 jameskris (Authentic Member, 25 posts)

Posted 01 December 2009 - 09:24 PM

Ok. Cryptsvc would not stop in the command line, but I was able to stop it with the task manager and then put in the rest of the command lines you said. The log is below.

ComboFix 09-11-29.06 - Trevor White 12/01/2009 20:40.2.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.1790.1162 [GMT -6:00]
Running from: c:\users\Trevor White\Desktop\ComboFix.exe
Command switches used :: c:\users\Trevor White\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\wbem\Performance\WmiApRpl_new.ini

.
((((((((((((((((((((((((( Files Created from 2009-11-02 to 2009-12-02 )))))))))))))))))))))))))))))))
.

2009-12-02 02:50 . 2009-12-02 02:51 -------- d-----w- c:\users\Trevor White\AppData\Local\temp
2009-12-02 02:50 . 2009-12-02 02:50 -------- d-----w- c:\users\yfl\AppData\Local\temp
2009-12-02 02:50 . 2009-12-02 02:50 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-12-02 02:50 . 2009-12-02 02:50 -------- d-----w- c:\users\Mom and Rick\AppData\Local\temp
2009-12-02 02:50 . 2009-12-02 02:50 -------- d-----w- c:\users\Guest\AppData\Local\temp
2009-12-02 02:50 . 2009-12-02 02:50 -------- d-----w- c:\users\Guest.TrevorWhite-PC\AppData\Local\temp
2009-12-02 02:50 . 2009-12-02 02:50 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-12-02 02:38 . 2009-12-02 02:39 12288 d-----w- c:\windows\system32\catroot2
2009-11-17 01:48 . 2009-11-17 01:48 -------- d-----w- c:\users\Trevor White\AppData\Local\Adobe
2009-11-17 01:44 . 2009-11-17 01:44 -------- d-----w- c:\users\Trevor White\AppData\Local\Apple
2009-11-10 03:47 . 2009-11-10 03:47 -------- d-----w- c:\users\Trevor White\AppData\Roaming\Malwarebytes
2009-11-10 03:47 . 2009-04-06 21:32 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-10 03:47 . 2009-04-06 21:32 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-10 03:47 . 2009-11-16 02:08 4096 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-10 03:47 . 2009-11-10 03:47 -------- d-----w- c:\programdata\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-17 02:11 . 2009-03-28 20:41 4096 d-----w- c:\program files\Project64 1.6
2009-11-10 03:12 . 2009-10-28 03:02 8192 d-----w- c:\program files\Steam
2009-11-10 03:07 . 2009-03-22 21:40 119296 ----a-w- c:\windows\system32\zlib.dll
2009-10-31 16:33 . 2008-10-28 21:00 4096 d--h--w- c:\program files\InstallShield Installation Information
2009-10-29 20:59 . 2009-10-29 21:00 87328 ----a-w- c:\windows\system32\bcmwlcoi.dll
2009-10-29 20:59 . 2009-10-29 21:00 1122664 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll
2009-10-29 20:59 . 2009-10-29 21:00 3522560 ----a-w- c:\windows\system32\bcmihvsrv.dll
2009-10-29 20:59 . 2009-10-29 21:00 3182592 ----a-w- c:\windows\system32\bcmihvui.dll
2009-10-28 03:02 . 2009-10-28 03:02 -------- d-----w- c:\program files\Common Files\Steam
2009-10-19 12:07 . 2009-03-18 17:11 -------- d-----w- c:\users\Trevor White\AppData\Roaming\CyberLink
2009-10-13 21:06 . 2009-03-07 23:40 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-10-12 23:18 . 2009-10-12 23:18 -------- d-----w- c:\program files\MySQL
2009-10-12 22:32 . 2009-03-22 07:16 4096 d-----w- c:\users\Trevor White\AppData\Roaming\Any Video Converter
2009-10-12 22:28 . 2006-11-02 12:35 4096 d-----w- c:\program files\Microsoft Games
.

((((((((((((((((((((((((((((( SnapShot@2009-12-01_02.42.27 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-21 01:58 . 2009-11-30 11:26 51280 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-01-21 01:58 . 2009-12-02 02:11 51280 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:02 . 2009-12-02 02:13 72374 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-02-28 23:32 . 2009-12-02 02:13 10594 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1435818145-1775016462-1809947513-1000_UserData.bin
- 2009-02-28 23:32 . 2009-11-30 11:29 10594 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1435818145-1775016462-1809947513-1000_UserData.bin
- 2009-02-28 23:29 . 2009-11-30 23:02 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-02-28 23:29 . 2009-12-02 02:22 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-02-28 23:29 . 2009-12-02 02:22 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-02-28 23:29 . 2009-11-30 23:02 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-28 23:29 . 2009-12-02 02:22 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-02-28 23:29 . 2009-11-30 23:02 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-12-02 02:07 . 2009-12-02 02:07 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-12-01 02:08 . 2009-12-01 02:08 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-12-01 02:08 . 2009-12-01 02:08 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-12-02 02:07 . 2009-12-02 02:07 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2006-11-02 10:33 . 2009-12-01 03:14 595446 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-11-30 12:02 595446 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-11-30 12:02 101144 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:33 . 2009-12-01 03:14 101144 c:\windows\System32\perfc009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"WindowsWelcomeCenter"="oobefldr.dll" - c:\windows\System32\oobefldr.dll [2008-01-21 2153472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-25 988512]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-13 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-01 198160]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13580832]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 92704]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-05-20 6144000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv.exe" - c:\windows\System32\grpconv.exe [2006-11-02 16896]

c:\users\Trevor White\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1435818145-1775016462-1809947513-1000]
"EnableNotificationsRef"=dword:00000003

R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20090427.001\IDSvix86.sys [4/29/2009 11:59 AM 272432]
S3 COH_Mon;COH_Mon;c:\windows\System32\drivers\COH_Mon.sys [1/11/2008 9:32 PM 23888]
S3 DX4323;Dynex Wireless N USB Adapter Driver;c:\windows\System32\drivers\DX4323.sys [10/27/2009 9:56 PM 483200]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\System32\drivers\motccgp.sys [8/21/2008 10:49 PM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\System32\drivers\motccgpfl.sys [8/21/2008 10:49 PM 8320]
S3 SYMNDISV;SYMNDISV;c:\windows\System32\drivers\symndisv.sys [2/19/2009 11:31 AM 41008]
S3 WUSB54GSCv2.NTx86;Compact Wireless-G USB Network Adapter with SpeedBooster Service;c:\windows\System32\drivers\WUSB54GSCV2_X86.sys [10/31/2009 10:33 AM 238072]
S4 ETService;Empowering Technology Service;c:\program files\EMACHINES\eMachines Recovery Management\Service\ETService.exe [10/10/2007 1:22 AM 24576]
S4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2/17/2008 2:37 PM 149352]
S4 WOW;WOW;"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt" --defaults-file="c:\program files\MySQL\MySQL Server 5.0\my.ini" WOW --> c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=1&o=vb32&d=1007&m=el1200-07w
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: playrequiem.com\www
Trusted Zone: pornhub.com\www
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-01 20:51
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\users\TREVOR~1\AppData\Local\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\WOW]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" WOW"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2009-12-01 20:54
ComboFix-quarantined-files.txt 2009-12-02 02:54
ComboFix2.txt 2009-12-01 02:45

Pre-Run: 32,976,470,016 bytes free
Post-Run: 34,366,722,048 bytes free

- - End Of File - - EF051E5106927D48E95FC0080898D086

#12 Tomk (Beguilement Monitor, Classroom Admin, 20,150 posts)

Posted 01 December 2009 - 10:35 PM

jameskris,

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #3 - Delete Trusted zone by typing 3 and press Enter
Answer Yes to the question "Restore Trusted Zone ?" by typing Yes and press Enter


Then



Please go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

Tomk


#13 Tomk (Beguilement Monitor, Classroom Admin, 20,150 posts)

Posted 07 December 2009 - 12:19 PM

Due to inactivity this topic will be closed. If you need help please start a new thread.

Tomk