Multiple Computer problems

This is one of my older computers. I have had it for about three years now. I get lots of pop-ups and viruses. Most programs I can't even start up. Here is the HJT log; it only shows up to 22 for some reason:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:33:32 PM, on 1/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Program Files\AT&T\Communication Manager\ATTCM.exe
C:\Program Files\AT&T\Communication Manager\bmctl.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\user\LOCALS~1\Temp\csrssc.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\AT&T\Communication Manager\bmop.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,
O2 - BHO: (no name) - {026DD580-84D3-4C0C-AB35-B0DAC5669154} - C:\WINDOWS\system32\urqQhFvt.dll
O2 - BHO: (no name) - {12699d45-3f0f-4c85-9d9b-10ce65a60c2f} - C:\WINDOWS\system32\hilivoze.dll (file missing)
O2 - BHO: C:\WINDOWS\system32\tyshb36rfjdf.dll - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\tyshb36rfjdf.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [bihomivabu] Rundll32.exe "C:\WINDOWS\system32\dunulaju.dll",s
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\user\Application Data\gadcom\gadcom.exe" 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\user\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [tezrtsjhfr84iusjfo84f] C:\DOCUME~1\user\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [VnrPack22] "C:\Program Files\VnrPack\VnrPack22.exe"
O4 - HKCU\..\Run: [GetModule35] C:\Program Files\GetModule\GetModule35.exe
O4 - HKCU\..\Run: [GetPack28] "C:\Program Files\GetPack\GetPack28.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [bihomivabu] Rundll32.exe "C:\WINDOWS\system32\dunulaju.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusremover2008.com
O15 - Trusted Zone: *.virusschlacht.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/.../GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1191099616095
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://messenger.zone.msn.com/EN-US/...jolauncher.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{5155EB13-C52B-4965-8EE3-C18B2E198951}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C7B25F9-A3B1-462D-B6F0-6C4C8B6B2C57}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{CB840167-8C0B-459E-9407-8A46C8A271F9}: NameServer = 209.183.54.151
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7CD77B1-4D33-47F9-BE3F-852B1695B32E}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - AppInit_DLLs: mzwcza.dll uwoowg.dll olqoee.dll xojlqy.dll fjqkdv.dll uspbhd.dll zodpnq.dll djrdvx.dll kqtbda.dll fahoeb.dll phzyog.dll uyzvki.dll aanlvn.dll dixzql.dll amdlbr.dll ynpgdu.dll vigbrk.dll yxhigj.dll olytwt.dll uvhwlu.dll kxczoi.dll yzxdtd.dll piugbj.dll fdanmf.dll cuvlfy.dll kbczhe.dll,C:\WINDOWS\system32\guzapamu.dll
O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll
O20 - Winlogon Notify: nnnnNDtQ - C:\WINDOWS\SYSTEM32\nnnnNDtQ.dll
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O22 - SharedTaskScheduler: FGYbf743iujndsfAfsdfd - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\tyshb36rfjdf.dll

--
End of file - 8096 bytes

Thanks for helping
Re: Multiple Computer problems

Hi and welcome to the Daniweb forums :).

==========

Download Malwarebytes' Anti-Malware (http://www.majorgeeks.com/Malwarebyt...are_d5756.html) to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure to checkmark the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Make sure that you restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

Post new HJT log.
Re: Multiple Computer problems

I have that program on my computer, but when I start it, it doesn't load up. I tried redownloading it from that site, but I can't access that site for some reason. I had my friend send me the exe file, but when I click run on the exe file it doesn't load up at all. This is very troublesome, and thank you for going through the trouble to help me. So what do I do now :( Here is another HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:58:57 PM, on 1/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AT&T\Communication Manager\ATTCM.exe
C:\Program Files\AT&T\Communication Manager\bmctl.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Program Files\AT&T\Communication Manager\bmop.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,
O2 - BHO: (no name) - {12699d45-3f0f-4c85-9d9b-10ce65a60c2f} - C:\WINDOWS\system32\hilivoze.dll (file missing)
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\nnnnNDtQ.dll
O2 - BHO: (no name) - {C55FDCBA-5EA6-4D92-929B-11593CDCCFF0} - C:\WINDOWS\system32\urqQhFvt.dll
O2 - BHO: C:\WINDOWS\system32\tyshb36rfjdf.dll - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\tyshb36rfjdf.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [bihomivabu] Rundll32.exe "C:\WINDOWS\system32\dunulaju.dll",s
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\user\Application Data\gadcom\gadcom.exe" 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [bihomivabu] Rundll32.exe "C:\WINDOWS\system32\dunulaju.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusremover2008.com
O15 - Trusted Zone: *.virusschlacht.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/.../GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1191099616095
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://messenger.zone.msn.com/EN-US/...jolauncher.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{5155EB13-C52B-4965-8EE3-C18B2E198951}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C7B25F9-A3B1-462D-B6F0-6C4C8B6B2C57}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{CB840167-8C0B-459E-9407-8A46C8A271F9}: NameServer = 209.183.54.151
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7CD77B1-4D33-47F9-BE3F-852B1695B32E}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - AppInit_DLLs: mzwcza.dll uwoowg.dll olqoee.dll xojlqy.dll fjqkdv.dll uspbhd.dll zodpnq.dll djrdvx.dll kqtbda.dll fahoeb.dll phzyog.dll uyzvki.dll aanlvn.dll dixzql.dll amdlbr.dll ynpgdu.dll vigbrk.dll yxhigj.dll olytwt.dll uvhwlu.dll kxczoi.dll yzxdtd.dll piugbj.dll fdanmf.dll cuvlfy.dll kbczhe.dll,C:\WINDOWS\system32\guzapamu.dll
O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll
O20 - Winlogon Notify: nnnnNDtQ - C:\WINDOWS\SYSTEM32\nnnnNDtQ.dll
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O22 - SharedTaskScheduler: FGYbf743iujndsfAfsdfd - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\tyshb36rfjdf.dll

--
End of file - 7287 bytes
Re: Multiple Computer problems

If I may comment here, I believe that your log shows no entries after O22 because you don't seem to have any XP services running. Several other things I note: your O4 entries, which are the auto-starting programs that start when the computer starts, show AVG7 antivirus, but it is not running on the machine, which certainly would explain this log showing multiple infections. The computer is grossly infected.

Your Trusted Zone section shows multiple BAD entries:
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusremover2008.com
O15 - Trusted Zone: *.virusschlacht.com

I see multiple Trojans, password stealers, hijackers. You might try SDFix and see if this works to remove some of them.

Download SDFix and save it to the desktop.

Double-click on the SDFix icon that should be residing on your desktop. If an Open File - Security Warning box opens, click on the Run button. A window will now open showing SDFix being extracted into the C:\SDFix folder. Once the installation program has finished extracting SDFix, it will open a Notepad with further instructions.

Next, please reboot your computer into Safe Mode by doing the following:
1. Restart your computer.
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear.
4. Select the first option, to run Windows in Safe Mode.
5. When you are at the logon prompt, log in as the same user that you had performed the previous steps as.

When your computer has started in safe mode, and you see the desktop, close all open Windows. Click on the Start button, click on the Run menu option, and type the following into the Open: field:

C:\SDFix\RunThis.bat

Then press the OK button.

The SDFix window will open containing some brief info and a disclaimer on the use of the tool. Please press the Y key on your keyboard and then press Enter. SDFix will now start scanning your computer for known infections. This process can take a while, so be prepared to just sit and wait until it is complete.

When the scanning process has finished you will see a new screen stating that you need to restart your computer in order to continue. At this point you should press any key on your computer's keyboard in order to restart the computer. After your computer reboots SDFix will automatically start and perform a last check. You will now be presented with a screen stating that SDFix has finished. At this point you should press any key on your computer's keyboard in order to continue to your desktop.

When you are back at your Windows desktop, the SDFix log will automatically be opened in Notepad. Please post back here with that log.
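A small triage script for HijackThis logs like the ones posted above, added here as an example; it is not from the thread and not part of HijackThis. It parses the `F2`/`Oxx` entry lines and flags the categories the reply singles out (Trusted Zone entries, autostarts) plus the UserInit, AppInit_DLLs, Winlogon Notify and SharedTaskScheduler entries; the rules are this example's own assumptions, and the sample entries are copied from the log above.

```python
"""Triage heuristics for HijackThis (HJT) v2 log entries.

Added example, not part of the thread or of HijackThis.  The rules in
check_entry() are assumptions of this example: they reflect what a helper
typically looks at first in an HJT log, not a definitive malware verdict.
"""
import re

# Constructed sample: a handful of entry lines copied from the log above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\user\LOCALS~1\Temp\csrssc.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O15 - Trusted Zone: *.virusremover2008.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1191099616095
O20 - AppInit_DLLs: mzwcza.dll uwoowg.dll olqoee.dll,C:\WINDOWS\system32\guzapamu.dll
O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll
O22 - SharedTaskScheduler: FGYbf743iujndsfAfsdfd - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\tyshb36rfjdf.dll
"""

# An HJT entry line starts with a section code such as R0, F2, O4, O15.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# Temp directories in 8.3 or long form, any case.
TEMP_RE = re.compile(r"\\(LOCALS~1\\Temp|Local Settings\\Temp)\\", re.I)


def parse_entries(text):
    """Return [(code, body), ...] for each entry line; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def check_entry(code, body):
    """Return a short reason if the entry deserves a closer look, else None."""
    if code == "O15":
        # IE Trusted Zone entries are rarely legitimate on a home machine.
        return "Trusted Zone entry"
    if code == "F2" and "UserInit=" in body:
        # UserInit should name userinit.exe only; anything appended after it
        # is launched at every logon.
        exes = [p for p in body.split("UserInit=", 1)[1].split(",") if p]
        if len(exes) > 1:
            return "extra UserInit executable(s): " + ", ".join(exes[1:])
    if code == "O4":
        if TEMP_RE.search(body):
            return "autostart from Temp directory"
        if "rundll32" in body.lower():
            return "Rundll32 autostart loading a DLL"
    if code == "O7" and "DisableRegedit=1" in body:
        return "registry editor disabled by policy"
    if code == "O20" and body.startswith("AppInit_DLLs:"):
        # Everything listed here is loaded into every process that uses user32.
        dlls = [d for d in re.split(r"[ ,]+", body.split(":", 1)[1].strip()) if d]
        if dlls:
            return f"{len(dlls)} AppInit_DLLs loaded into every process"
    if code == "O20" and body.startswith("Winlogon Notify:"):
        return "Winlogon Notify DLL (loads at logon)"
    if code == "O22":
        return "SharedTaskScheduler DLL (loads with Explorer)"
    return None


def triage(text):
    """Return [(code, reason, body), ...] for every flagged entry, in log order."""
    flagged = []
    for code, body in parse_entries(text):
        reason = check_entry(code, body)
        if reason:
            flagged.append((code, reason, body))
    return flagged


if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_LOG):
        print(f"{code:<4} {reason}\n     {body}")
```

Run it against a full log by reading the file instead of SAMPLE_LOG; entries it leaves alone (O16, the ctfmon autostart) are the normal ones in the posted log.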
Re: Multiple Computer problems

Sorry for the full reply, and thank you for helping me. Here is the report from SDFix:

SDFix: Version 1.240
Run by user on Thu 01/29/2009 at 09:12 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\user\Desktop\SDFix

Checking Services :

Rootkit Found :
C:\WINDOWS\system32\drivers\WINAF40.sys - Rootkit Pandex/Cutwail - Runtime.sys
C:\WINDOWS\system32\drivers\WINAF84.sys - Rootkit Pandex/Cutwail - Runtime.sys
C:\WINDOWS\system32\drivers\WINBG73.sys - Rootkit Pandex/Cutwail - Runtime.sys
C:\WINDOWS\system32\drivers\WINCH84.sys - Rootkit Pandex/Cutwail - Runtime.sys
C:\WINDOWS\system32\drivers\WINGL62.sys - Rootkit Pandex/Cutwail - Runtime.sys
C:\WINDOWS\system32\drivers\WINJO27.sys - Rootkit Pandex/Cutwail - Runtime.sys
C:\WINDOWS\system32\drivers\WINLQ27.sys - Rootkit Pandex/Cutwail - Runtime.sys
C:\WINDOWS\system32\drivers\WINOT84.sys - Rootkit Pandex/Cutwail - Runtime.sys
C:\WINDOWS\system32\drivers\WINUA16.sys - Rootkit Pandex/Cutwail - Runtime.sys
C:\WINDOWS\system32\drivers\WINVB62.sys - Rootkit Pandex/Cutwail - Runtime.sys
C:\WINDOWS\system32\drivers\WINWC05.sys - Rootkit Pandex/Cutwail - Runtime.sys
C:\WINDOWS\system32\drivers\WINWC16.sys - Rootkit Pandex/Cutwail - Runtime.sys
C:\WINDOWS\system32\drivers\WINXD16.sys - Rootkit Pandex/Cutwail - Runtime.sys
C:\WINDOWS\system32\drivers\WINXD84.sys - Rootkit Pandex/Cutwail - Runtime.sys

Name :
tdssserv
WINAF40
WINAF84
WINBG73
WINCH84
WINGL62
WINJO27
WINLQ27
WINOT84
WINUA16
WINVB62
WINWC05
WINWC16
WINXD16
WINXD84

Path :
\systemroot\system32\drivers\TDSSserv.sys
\??\C:\WINDOWS\System32\drivers\Winaf40.sys
\??\C:\WINDOWS\System32\drivers\Winaf84.sys
\??\C:\WINDOWS\System32\drivers\Winbg73.sys
\??\C:\WINDOWS\System32\drivers\Winch84.sys
\??\C:\WINDOWS\System32\drivers\Wingl62.sys
\??\C:\WINDOWS\System32\drivers\Winjo27.sys
\??\C:\WINDOWS\System32\drivers\Winlq27.sys
\??\C:\WINDOWS\System32\drivers\Winot84.sys
\??\C:\WINDOWS\System32\drivers\Winua16.sys
\??\C:\WINDOWS\System32\drivers\Winvb62.sys
\??\C:\WINDOWS\System32\drivers\Winwc05.sys
\??\C:\WINDOWS\System32\drivers\Winwc16.sys
\??\C:\WINDOWS\System32\drivers\Winxd16.sys
\??\C:\WINDOWS\System32\drivers\Winxd84.sys

tdssserv - Deleted
WINAF40 - Deleted
WINAF84 - Deleted
WINBG73 - Deleted
WINCH84 - Deleted
WINGL62 - Deleted
WINJO27 - Deleted
WINLQ27 - Deleted
WINOT84 - Deleted
WINUA16 - Deleted
WINVB62 - Deleted
WINWC05 - Deleted
WINWC16 - Deleted
WINXD16 - Deleted
WINXD84 - Deleted

Restoring Default Security Values
Restoring Default Hosts File
Restoring Default Schedule Service Path

Rebooting

Checking Files :

Trojan Files Found:
C:\WINDOWS\system32\nnnnNDtQ.dll - Deleted
C:\Documents and Settings\user\Application Data\gadcom\gadcom.exe - Deleted
C:\Documents and Settings\user\Application Data\SpeedRunner\config.cfg - Deleted
C:\Temp\1cb\syscheck.log - Deleted
C:\Program Files\GetModule\GetModule35.exe - Deleted
C:\Program Files\GetPack\dictame.gz - Deleted
C:\Program Files\GetPack\GetPack27.exe - Deleted
C:\Program Files\GetPack\GetPack28.exe - Deleted
C:\Program Files\GetPack\trgtame.gz - Deleted
C:\Program Files\iCheck\Uninstall.exe - Deleted
C:\Program Files\Mjcore\Mjcore.dll - Deleted
C:\Program Files\VnrPack\dicts.gz - Deleted
C:\Program Files\VnrPack\trgts.gz - Deleted
C:\Program Files\VnrPack\VnrPack22.exe - Deleted
C:\Program Files\Webtools\webtools.dll - Deleted
C:\DOCUME~1\user\LOCALS~1\Temp\gettpa135.exe - Deleted
C:\DOCUME~1\user\LOCALS~1\Temp\gettpa227.exe - Deleted
C:\DOCUME~1\user\LOCALS~1\Temp\gettpa228.exe - Deleted
C:\DOCUME~1\user\LOCALS~1\Temp\TMP43.tmp - Deleted
C:\DOCUME~1\user\LOCALS~1\Temp\Csrssc.exe - Deleted
C:\WINDOWS\system32\crypts.dll - Deleted
C:\WINDOWS\system32\WinCtrl32.dll - Deleted
C:\WINDOWS\system32\windows_update.exe - Deleted
C:\WINDOWS\system32\drivers\TDSSserv.sys - Deleted
C:\WINDOWS\system32\TDSSoiqn.dll - Deleted
C:\WINDOWS\system32\TDSShlxr.dll - Deleted
C:\WINDOWS\system32\TDSSrtqp.dll - Deleted
C:\WINDOWS\system32\TDSSxfum.dll - Deleted
C:\WINDOWS\system32\TDSSlxwp.dll - Deleted
C:\WINDOWS\system32\TDSSorvd.dat - Deleted
C:\WINDOWS\system32\TDSSrhyp.log - Deleted
C:\WINDOWS\system32\TDSSkkbi.log - Deleted
C:\WINDOWS\system32\drivers\WINAF40.sys - Deleted
C:\WINDOWS\system32\drivers\WINAF84.sys - Deleted
C:\WINDOWS\system32\drivers\WINBG73.sys - Deleted
C:\WINDOWS\system32\drivers\WINCH84.sys - Deleted
C:\WINDOWS\system32\drivers\WINGL62.sys - Deleted
C:\WINDOWS\system32\drivers\WINJO27.sys - Deleted
C:\WINDOWS\system32\drivers\WINLQ27.sys - Deleted
C:\WINDOWS\system32\drivers\WINOT84.sys - Deleted
C:\WINDOWS\system32\drivers\WINUA16.sys - Deleted
C:\WINDOWS\system32\drivers\WINVB62.sys - Deleted
C:\WINDOWS\system32\drivers\WINWC05.sys - Deleted
C:\WINDOWS\system32\drivers\WINWC16.sys - Deleted
C:\WINDOWS\system32\drivers\WINXD16.sys - Deleted
C:\WINDOWS\system32\drivers\WINXD84.sys - Deleted

Folder C:\Documents and Settings\user\Application Data\gadcom - Removed
Folder C:\Documents and Settings\user\Application Data\SpeedRunner - Removed
Folder C:\Program Files\GetModule - Removed
Folder C:\Program Files\GetPack - Removed
Folder C:\Program Files\iCheck - Removed
Folder C:\Program Files\InetGet2 - Removed
Folder C:\Program Files\Mjcore - Removed
Folder C:\Program Files\VnrPack - Removed
Folder C:\Program Files\Webtools - Removed
Folder C:\Temp\1cb - Removed

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-29 12:42:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\TDSSserv.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\TDSSserv.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSserv.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSpqlt.sys"
"group"="file system"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv]
"start"=dword:00000004
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSserv.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSpqlt.sys"
"group"="file system"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSpqlt.sys"
"group"="file system"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules]
"TDSSserv"="\systemroot\system32\drivers\TDSSpqlt.sys"
"TDSSl"="\systemroot\system32\TDSSoiqn.dll"
"tdssservers"="\systemroot\system32\TDSSorvd.dat"
"tdssmain"="\systemroot\system32\TDSShlxr.dll"
"tdsslog"="\systemroot\system32\TDSSrtqp.dll"
"tdssadw"="\systemroot\system32\TDSSxfum.dll"
"tdssinit"="\systemroot\system32\TDSSlxwp.dll"
"tdssurls"="\systemroot\system32\TDSSnmxh.log"
"tdsspanels"="\systemroot\system32\TDSSsihc.dll"
"tdsserrors"="\systemroot\system32\TDSSrhyp.log"
"TDSSproc"="\systemroot\system32\TDSSkkbi.log"

scanning hidden registry entries ...

scanning hidden files ...

C:\WINDOWS\system32\dunulaju.dll 69120 bytes executable
C:\WINDOWS\system32\drivers\TDSSpqlt.sys 60416 bytes executable
C:\WINDOWS\system32\guzapamu.dll 69120 bytes executable
C:\WINDOWS\system32\hilivoze.dll 69120 bytes executable
C:\WINDOWS\system32\gaheduwe 6456 bytes
C:\Documents and Settings\user\Desktop\SDFix\backups\tdssserv.reg 1268 bytes
C:\Documents and Settings\user\Local Settings\Temp\TDSS48e0.tmp 102400 bytes executable
C:\Documents and Settings\user\Local Settings\Temp\TDSS4a3f.tmp 617472 bytes executable

scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 8

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Disabled:Firefox"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"="C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe:*:Enabled:Veoh Client"
"C:\\Program Files\\Trillian\\trillian.exe"="C:\\Program Files\\Trillian\\trillian.exe:*:Enabled:Trillian"
"C:\\WINDOWS\\system32\\a.exe"="C:\\WINDOWS\\system32\\a.exe:*:Disabled:a"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Paltalk Messenger\\paltalk.exe"="C:\\Program Files\\Paltalk Messenger\\paltalk.exe:*:Disabled:PaltalkScene"
"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Enabled:Explorer"
"C:\\WINDOWS\\system32\\winlogon.exe"="C:\\WINDOWS\\system32\\winlogon.exe:*:Enabled:winlogon"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :

File Backups: - C:\DOCUME~1\user\Desktop\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sun 13 Apr 2008 4,639 A.SH. --- "C:\Program Files\Windows Media Player\mplayer2.exe"
Wed 18 Oct 2006 64,000 A.SH. --- "C:\Program Files\Windows Media Player\wmplayer.exe"
--- 69,120 A.SH. --- "C:\WINDOWS\system32\dunulaju.dll"
--- 69,120 A.SH. --- "C:\WINDOWS\system32\guzapamu.dll"
--- 69,120 A.SH. --- "C:\WINDOWS\system32\hilivoze.dll"
Mon 25 Feb 2008 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 10 Dec 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

Finished!
Re: Multiple Computer problems

Download ComboFix

Click on the Save button and then, when it asks you where to save it, make sure you save it directly to your Windows Desktop. Once the download is complete you will see the ComboFix icon on the desktop.

* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.

Double-click the ComboFix icon on the desktop to run the program. Windows will issue a prompt asking whether you wish to run the program; click Run. You will then see a Disclaimer screen asking you to agree to the disclaimer. Press the number 1 key to accept the disclaimer.

Now just sit back and allow the program to run. Please note that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

When ComboFix has finished running, you will see a screen stating that it is preparing the log report. This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the program's log file, or report, will be located at C:\ComboFix.txt.

When all is complete then please post back here with that log.
Re: Multiple Computer problems

I am having problems running combofix.exe. When I open up Task Manager I can see ComboFix in the background, but when I run ComboFix nothing pops up. Other exe files do the same. I tried running in safe mode and ran ComboFix, but the same thing happened.
Re: Multiple Computer problems (2 attachments)

Open Device Manager and on the View tab select the Show hidden devices option. Go down to Non-Plug and Play Drivers and see if there is one called TDSSserv and disable it.

==

Reboot and try again to run ComboFix if you found it.

==

If that does not work,

Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Re: Multiple Computer problems

Post removed as I didn't see Crunchie's instructions.
| Re: Multiple Computer problems Wow that really worked Thanks. okay here is the Combofix log: ComboFix 09-02-01.01 - user 2009-02-01 13:34:49.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1791.1439 [GMT -8:00] Running from: c:\documents and settings\user\Desktop\ComboFix.exe AV: AVG 7.5.549 *On-access scanning enabled* (Updated) * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\user\Application Data\GetModule c:\documents and settings\user\Application Data\GetModule\dicik.gz c:\documents and settings\user\Application Data\GetModule\kwdik.gz c:\documents and settings\user\Application Data\GetModule\ofadik.gz c:\documents and settings\user\Application Data\shca35j0ejdn c:\documents and settings\user\Local Settings\Temporary Internet Files\fbk.sts c:\windows\BM2feafb14.txt c:\windows\system32\aanlvn.dll c:\windows\system32\aecbcewa.dll c:\windows\system32\amdlbr.dll c:\windows\system32\anmkrpm.dll c:\windows\system32\anmkrpmp.dll c:\windows\system32\awtrRHYQ.dll c:\windows\system32\bxmdlspe.ini c:\windows\system32\cbXNFurp.dll c:\windows\system32\ccaideuk.dll c:\windows\system32\coecxsph.ini c:\windows\system32\crypts.dll c:\windows\system32\cuvlfy.dll c:\windows\system32\cvrapgul.ini c:\windows\system32\dbyefacd.ini c:\windows\system32\dcafeybd.dll c:\windows\system32\dixzql.dll c:\windows\system32\djrdvx.dll c:\windows\system32\drivers\seneka.sys c:\windows\system32\Drivers\TDSSpqlt.sys c:\windows\system32\dunulaju.dll c:\windows\system32\dwopoxfk.ini c:\windows\system32\efcCspOh.dll c:\windows\system32\eqyttkhj.ini c:\windows\system32\fahoeb.dll c:\windows\system32\fakeskyr.ini c:\windows\system32\favdxjtr.dll c:\windows\system32\fbgdikjj.ini c:\windows\system32\fdanmf.dll c:\windows\system32\fhtpnyim.ini c:\windows\system32\geBspmnl.dll c:\windows\system32\gusvynkf.dll c:\windows\system32\guzapamu.dll 
c:\windows\system32\gwgdbeef.ini c:\windows\system32\hilivoze.dll c:\windows\system32\hpsxceoc.dll c:\windows\system32\iehelper.dll c:\windows\system32\ihsocl.dll c:\windows\system32\ilkfcdix.ini c:\windows\system32\iqjyfdhj.dll c:\windows\system32\iukbpfik.dll c:\windows\system32\jjkidgbf.dll c:\windows\system32\jolvtpqf.dll c:\windows\system32\jvopeuho.dll c:\windows\system32\jyhyfawl.ini c:\windows\system32\kbczhe.dll c:\windows\system32\kehmhwve.dll c:\windows\system32\kfpuyjkq.dll c:\windows\system32\kfxopowd.dll c:\windows\system32\khfFXrQI.dll c:\windows\system32\kifpbkui.ini c:\windows\system32\klemfxud.ini c:\windows\system32\kqgqwolr.ini c:\windows\system32\kqtbda.dll c:\windows\system32\kxczoi.dll c:\windows\system32\kxotruvb.ini c:\windows\system32\L5 c:\windows\system32\ljJYQGvT.dll c:\windows\system32\lugparvc.dll c:\windows\system32\mcrh.tmp c:\windows\system32\mfmcsonf.ini c:\windows\system32\mgicmcoh.dll c:\windows\system32\mjmwelui.dll c:\windows\system32\nbwoxnbq.ini c:\windows\system32\obqdwosy.dll c:\windows\system32\olytwt.dll c:\windows\system32\pawpbxsw.dll c:\windows\system32\phzyog.dll c:\windows\system32\piugbj.dll c:\windows\system32\pkboofff.dll c:\windows\system32\pkxmqdua.ini c:\windows\system32\prunnet.exe c:\windows\system32\qbnxowbn.dll c:\windows\system32\qorsjxbn.dll c:\windows\system32\ratkqfir.dll c:\windows\system32\rpguwr.dll c:\windows\system32\rqRJAttQ.dll c:\windows\system32\rtjxdvaf.ini c:\windows\system32\ssjbarhc.ini c:\windows\system32\ssqQjIAp.dll c:\windows\system32\ssqRLeeE.dll c:\windows\system32\TDSShlxr.dll c:\windows\system32\TDSSoiqn.dll c:\windows\system32\TDSSorvd.dat c:\windows\system32\TDSSrtqp.dll c:\windows\system32\TDSSxfum.dll c:\windows\system32\tncdxxlh.dll c:\windows\system32\tnprfkdx.dll c:\windows\system32\tvFhQqru.ini c:\windows\system32\tvFhQqru.ini2 c:\windows\system32\twex.exe c:\windows\system32\tyshb36rfjdf.dll c:\windows\system32\udpvbuig.ini c:\windows\system32\uerdoilh.dll 
c:\windows\system32\urqQhFvt.dll c:\windows\system32\uvhwlu.dll c:\windows\system32\uyzvki.dll c:\windows\system32\vgpflmag.ini c:\windows\system32\vigbrk.dll c:\windows\system32\vpvvtyny.ini c:\windows\system32\vuugnyla.ini c:\windows\system32\wcapmact.dll c:\windows\system32\wsxbpwap.ini c:\windows\system32\xidcfkli.dll c:\windows\system32\xoyjwlvt.dll c:\windows\system32\xshfrpft.ini c:\windows\system32\xxyvusrR.dll c:\windows\system32\xxywUKdE.dll c:\windows\system32\yedmomaa.ini c:\windows\system32\yhenqlcx.dll c:\windows\system32\ynpgdu.dll c:\windows\system32\ypcstnlw.ini c:\windows\system32\yppppiru.dll c:\windows\system32\yxhigj.dll c:\windows\system32\yzxdtd.dll c:\windows\system32\zodpnq.dll c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat . . . . failed to delete c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat . . . . failed to delete ----- BITS: Possible infected sites ----- hxxp://77.74.48.101 . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_TDSSSERV.SYS -------\Service_TDSSserv.sys ((((((((((((((((((((((((( Files Created from 2009-01-01 to 2009-02-01 ))))))))))))))))))))))))))))))) . 2009-01-30 02:09 . 2009-02-01 11:51 2,190 --a------ c:\windows\system32\TDSSlxwp.dll 2009-01-29 22:42 . 2009-01-29 22:42 2,713 --ahs---- c:\windows\system32\lazogiya.exe 2009-01-29 09:02 . 2009-01-29 09:02 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll 2009-01-29 08:29 . 2009-01-29 08:29 <DIR> d-------- c:\windows\ERUNT 2009-01-29 08:26 . 2009-01-29 08:26 <DIR> d-------- c:\documents and settings\Administrator.UNKNOW-91070FE2 2009-01-24 20:45 . 2009-02-01 09:41 <DIR> d--hs---- c:\windows\system32\twain32 2009-01-24 20:45 . 2009-01-24 20:45 266,248 --a------ c:\windows\sysguard.exe 2009-01-18 06:16 . 
2009-01-18 06:16 <DIR> d-------- c:\documents and settings\user\Application Data\Sierra Wireless 2009-01-18 06:16 . 2009-01-18 06:16 <DIR> d-------- c:\documents and settings\user\Application Data\DBUpdater 2009-01-18 06:16 . 2009-01-18 06:16 <DIR> d-------- c:\documents and settings\user\Application Data\AT&T 2009-01-18 06:16 . 2008-11-20 21:59 27,072 --a------ c:\windows\system32\drivers\PCASp50.sys 2009-01-18 06:16 . 2008-08-22 10:05 26,760 -ra------ c:\windows\system32\drivers\swmsflt.sys 2009-01-18 06:11 . 2009-01-18 06:11 <DIR> d-------- c:\program files\Sierra Wireless Inc 2009-01-18 06:11 . 2009-01-18 06:11 <DIR> d-------- c:\program files\Common Files\Motorola Shared 2009-01-18 06:11 . 2009-01-18 06:11 <DIR> d-------- c:\program files\AT&T 2009-01-18 06:11 . 2009-01-18 06:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\AT&T 2009-01-18 06:10 . 2009-01-18 06:10 <DIR> d-------- c:\program files\Option 2009-01-18 06:09 . 2009-01-18 06:09 <DIR> d-------- c:\documents and settings\user\Application Data\Research In Motion 2009-01-18 06:09 . 2009-01-29 06:42 256 --a------ c:\windows\system32\pool.bin 2009-01-18 06:08 . 2007-01-18 10:24 26,496 -ra------ c:\windows\system32\drivers\RimSerial.sys 2009-01-18 06:07 . 2009-01-18 06:07 <DIR> d-------- c:\program files\Research In Motion 2009-01-18 06:07 . 2009-01-28 15:34 <DIR> d-------- c:\program files\Common Files\Research In Motion 2009-01-18 06:04 . 2009-01-18 06:04 <DIR> d--hs---- c:\windows\ftpcache 2009-01-10 08:20 . 2009-01-10 08:20 <DIR> d-------- c:\documents and settings\user\Application Data\TeamViewer . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 
2008-12-21 16:00 --------- d-----w c:\documents and settings\user\Application Data\AVG7 2008-12-20 22:55 --------- d-----w c:\program files\AllToAVI 2008-12-19 23:48 --------- d-----w c:\program files\PartyGaming 2008-12-13 01:11 69,632 ----a-w c:\windows\system32\drivers\zqgyhlq6pgg.sys 2007-12-10 11:46 47,360 ----a-w c:\documents and settings\user\Application Data\pcouffin.sys 2004-05-07 22:31 348,160 ----a-w c:\program files\mozilla firefox\components\MSVCR71.DLL 2006-11-07 19:58 139,264 ------w c:\program files\mozilla firefox\components\SABFF20.DLL 2008-10-20 15:13 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008102020081021\index.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-13 169984] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-10-04 219136] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "vidc.X264"= x264vfw.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] --a------ 2007-10-10 19:51 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater] --a------ 2008-12-20 07:57 2356088 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AT&T Communication Manager] --a------ 2008-12-01 14:23 33280 
c:\program files\AT&T\Communication Manager\ATTCM.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC] --a------ 2008-10-19 07:14 590848 c:\progra~1\Grisoft\AVG7\avgcc.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] --a------ 2008-04-13 16:12 15360 c:\windows\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] --------- 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr] --a------ 2007-10-18 10:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon] --a------ 2007-05-18 12:20 7700480 c:\windows\system32\nvcpl.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter] --a------ 2007-05-18 12:21 86016 c:\windows\system32\nvmctray.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] --a------ 2008-06-29 07:05 136600 c:\program files\Java\jre6\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh] --a------ 2008-08-28 09:18 3660848 c:\program files\Veoh Networks\Veoh\VeohClient.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! 
Pager] --a------ 2007-08-30 16:43 4670704 c:\program files\Yahoo!\Messenger\YahooMessenger.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] --a------ 2007-05-18 12:21 1622016 c:\windows\system32\nwiz.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "NMIndexingService"=3 (0x3) "Nero BackItUp Scheduler 3"=2 (0x2) "Avg7UpdSvc"=2 (0x2) "Avg7Alrt"=2 (0x2) "aawservice"=2 (0x2) "a2AntiMalware"=2 (0x2) "WLSetupSvc"=3 (0x3) "usnjsvc"=3 (0x3) "Schedule"=2 (0x2) "NVSvc"=2 (0x2) "ATTRcAppSvc"=3 (0x3) [HKEY_LOCAL_MACHINE\software\microsoft\security center] "UpdatesDisableNotify"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= "c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"= "c:\\Program Files\\Trillian\\trillian.exe"= "c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"= "c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"= "c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"= "c:\\Program Files\\uTorrent\\uTorrent.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015 "1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016 "500:UDP"= 500:UDP:@xpsp2res.dll,-22017 R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [2006-06-24 89749] R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [2006-06-24 9600] S1 SABKUTIL;SABKUTIL;\??\c:\program files\SuperAdBlocker.com\Super Ad 
Blocker\SABKUTIL.sys --> c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [?] S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2005-08-25 466880] S3 ASNDIS5;ASNDIS5 Protocol Driver;c:\windows\system32\ASNDIS5.sys [2008-04-02 16269] S3 genmcmnUSB;USB Scroll Mouse Driver;c:\windows\system32\drivers\gflmouhid.sys [2004-04-19 6656] S3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\drivers\NtApm.sys [2007-09-29 9344] S3 u2kg54;BUFFALO WLI-U2-KG54 Wireless LAN Adapter Service;c:\windows\system32\drivers\rt2500usb.sys [2008-04-02 104320] S3 USBAU;USB Audio Device Interface;c:\windows\system32\drivers\CM102.sys [2008-11-09 1312768] S3 XDva031;XDva031;\??\c:\windows\system32\XDva031.sys --> c:\windows\system32\XDva031.sys [?] S4 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [2008-11-20 113152] . - - - - ORPHANS REMOVED - - - - BHO-{12699d45-3f0f-4c85-9d9b-10ce65a60c2f} - c:\windows\system32\hilivoze.dll BHO-{4CE528E2-58C1-4256-9567-7DC19D3C4886} - c:\windows\system32\urqQhFvt.dll BHO-{D5BF49A2-94F1-42BD-F434-3604812C807D} - c:\windows\system32\tyshb36rfjdf.dll SharedTaskScheduler-{D5BF49A2-94F1-42BD-F434-3604812C807D} - c:\windows\system32\tyshb36rfjdf.dll MSConfigStartUp-2ef07 - c:\program files\rhedelzvdocyw\nfvsrsz.exe MSConfigStartUp-AACKWin - c:\progra~1\KSYSCO~1\smss.exe MSConfigStartUp-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe MSConfigStartUp-bihomivabu - c:\windows\system32\dunulaju.dll MSConfigStartUp-BlackBerryAutoUpdate - c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe MSConfigStartUp-Control Center - c:\program files\ASUS\WLAN Card Utilities\Center.exe MSConfigStartUp-GetModule35 - c:\program files\GetModule\GetModule35.exe MSConfigStartUp-GetPack28 - c:\program files\GetPack\GetPack28.exe MSConfigStartUp-Jnskdfmf9eldfd - 
c:\docume~1\user\LOCALS~1\Temp\csrssc.exe MSConfigStartUp-jsf8j34rgfght - c:\docume~1\user\LOCALS~1\Temp\winloggn.exe MSConfigStartUp-lphcc35j0ejdn - c:\windows\system32\lphcc35j0ejdn.exe MSConfigStartUp-NBKeyScan - c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe MSConfigStartUp-NeroFilterCheck - c:\program files\Common Files\Nero\Lib\NeroCheck.exe MSConfigStartUp-prunnet - c:\windows\system32\prunnet.exe MSConfigStartUp-runner1 - c:\windows\mrofinu1535.exe MSConfigStartUp-SpeedX - c:\progra~1\MyPortal\Speed-X\SpeedX.exe MSConfigStartUp-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe MSConfigStartUp-sysrest32 - c:\windows\system32\sysrest32.exe MSConfigStartUp-tezrtsjhfr84iusjfo84f - c:\docume~1\user\LOCALS~1\Temp\csrssc.exe MSConfigStartUp-VnrPack22 - c:\program files\VnrPack\VnrPack22.exe MSConfigStartUp-winlogon - c:\documents and settings\user\svchost.exe MSConfigStartUp-[system] - c:\windows\system32\drivers\services.exe MSConfigStartUp-Cm102Sound - cm102.cpl MSConfigStartUp-CTHelper - CTHELPER.EXE MSConfigStartUp-CTxfiHlp - CTXFIHLP.EXE . ------- Supplementary Scan ------- . 
LSP: bmnet.dll Trusted Zone: amaena.com Trusted Zone: avsystemcare.com Trusted Zone: onerateld.com Trusted Zone: safetydownload.com Trusted Zone: trustedantivirus.com Trusted Zone: virusremover2008.com Trusted Zone: virusschlacht.com TCP: {2351A425-A26B-40A4-ADBB-99450D8C5E4A} = 208.67.220.220,208.67.222.222 TCP: {5155EB13-C52B-4965-8EE3-C18B2E198951} = 208.67.220.220,208.67.222.222 TCP: {6C7B25F9-A3B1-462D-B6F0-6C4C8B6B2C57} = 208.67.220.220,208.67.222.222 TCP: {E7CD77B1-4D33-47F9-BE3F-852B1695B32E} = 208.67.220.220,208.67.222.222 FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\7805yqbd.default\ FF - component: c:\program files\Mozilla Firefox\components\SABFF20.DLL FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-02-01 13:48:10 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'lsass.exe'(728) c:\windows\system32\bmnet.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\wscntfy.exe c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe . ************************************************************************** . 
Completion time: 2009-02-01 13:50:21 - machine was rebooted ComboFix-quarantined-files.txt 2009-02-01 21:50:14 Pre-Run: 67,190,714,368 bytes free Post-Run: 67,343,056,896 bytes free 340 --- E O F --- 2008-12-12 11:02:28 |
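The helper's instruction to look for a hidden TDSSserv driver, and the ComboFix log posted above, both turn on the same handful of signals a responder reads out of a log like this: TDSS-prefixed drivers and DLLs, executables launched from the user's Temp directory, system process names (csrss, svchost, services) living outside system32 or spelled almost right, rogue anti-virus domains added to IE's Trusted Zone, the firewall switched off and Security Center warnings silenced. The script below is an added example, not part of the thread, of ComboFix or of HijackThis: it runs those checks over log lines. The rule names and the Finding record are my own; the sample lines are copied from the log above, one entry per line, with two benign lines (ctfmon.exe and a legitimate svchost.exe) added to show what is left alone.

```python
"""Triage helper for ComboFix / HijackThis-style log lines.

Added example for this thread (not ComboFix's or HijackThis's own code).
Rule names are mine; the sample lines are copied from the posted log.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "rule line")

# Canonical Windows system process names; on XP they all live in system32.
CANONICAL = {"csrss.exe", "svchost.exe", "services.exe",
             "winlogon.exe", "lsass.exe", "smss.exe"}
SYSTEM32 = r"c:\windows\system32"

# Line-level rules: (rule name, compiled pattern).
RULES = [
    # Files/services carrying the TDSS prefix (TDSSserv.sys, TDSSpqlt.sys).
    ("tdss_artifact", re.compile(r"TDSS\w+\.(sys|dll|dat)\b", re.I)),
    # ComboFix defangs URLs it lists under "BITS: Possible infected sites".
    ("defanged_url", re.compile(r"\bhxxps?://\S+", re.I)),
    # Windows Firewall switched off in the standard profile.
    ("firewall_disabled", re.compile(r'"EnableFirewall"\s*=\s*0\b')),
    # Security Center told not to warn about updates, AV or firewall.
    ("security_center_notify_off",
     re.compile(r'"(Updates|Firewall|AntiVirus)DisableNotify"\s*=\s*dword:0*1\b')),
    # Sites placed in IE's Trusted Zone run with relaxed security settings.
    ("trusted_zone_entry", re.compile(r"\bTrusted Zone:\s*\S+", re.I)),
    # Executables started from the user's Temp directory.
    ("executable_in_temp",
     re.compile(r"\\(LOCALS~1|Local Settings)\\Temp\\[^\\]+\.exe\b", re.I)),
]

# A path whose file name begins with a system process name; directory and
# file name are captured separately so each can be checked.
SYSTEM_PROCESS = re.compile(
    r'(?P<dir>[a-z]:\\[^"\[\]]*?)\\'
    r'(?P<name>(csrss|svchost|services|winlogon|lsass|smss)\w*\.exe)\b',
    re.I)


def masquerading_system_process(line):
    """Rule name for a look-alike (csrssc.exe) or a real system name outside
    system32 (c:\\documents and settings\\user\\svchost.exe), else None."""
    m = SYSTEM_PROCESS.search(line)
    if not m:
        return None
    name = m.group("name").lower()
    directory = m.group("dir").lower()
    if name in CANONICAL:
        return None if directory == SYSTEM32 else "system_process_wrong_dir"
    return "system_process_lookalike"


def triage(log_text):
    """Apply every rule to every non-empty line and collect the hits."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for rule, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(rule, line))
        rule = masquerading_system_process(line)
        if rule:
            findings.append(Finding(rule, line))
    return findings


def summarize(findings):
    """Count findings per rule so the shape of the infection is visible."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Sample input: entries copied from the ComboFix log in this thread, plus
# two benign lines (ctfmon.exe, a real svchost.exe) that must not be flagged.
SAMPLE_LOG = r"""
-------\Legacy_TDSSSERV.SYS
c:\windows\system32\Drivers\TDSSpqlt.sys
c:\windows\system32\TDSSlxwp.dll
----- BITS: Possible infected sites ----- hxxp://77.74.48.101
"EnableFirewall"= 0 (0x0)
"UpdatesDisableNotify"=dword:00000001
Trusted Zone: trustedantivirus.com
Trusted Zone: virusremover2008.com
MSConfigStartUp-Jnskdfmf9eldfd - c:\docume~1\user\LOCALS~1\Temp\csrssc.exe
MSConfigStartUp-winlogon - c:\documents and settings\user\svchost.exe
MSConfigStartUp-[system] - c:\windows\system32\drivers\services.exe
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
c:\windows\system32\svchost.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:28} {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run it on a saved C:\ComboFix.txt by passing the file's text to triage(). The look-alike rule is the one that catches what the helpers here spotted by eye: csrssc.exe in Temp is not csrss.exe, and a services.exe under drivers\ or an svchost.exe in a user profile is not the real one even though the name is exact. The rules are deliberately noisy (every Trusted Zone entry is reported, not just rogue domains), because on a machine like this the reviewer wants the full list and then decides.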
©2003 - 2009 DaniWeb® LLC