 |  |  |  |  |  |  |  |
Multiple Computer problems
 |
This is one of my older computers. I had it about for three years now. I get lots of pop ups and viruses. Most programs i can't even start up.
Here is the hjt log only shows up to 22 for some reason:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:33:32 PM, on 1/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Program Files\AT&T\Communication Manager\ATTCM.exe
C:\Program Files\AT&T\Communication Manager\bmctl.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\user\LOCALS~1\Temp\csrssc.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\AT&T\Communication Manager\bmop.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,
O2 - BHO: (no name) - {026DD580-84D3-4C0C-AB35-B0DAC5669154} - C:\WINDOWS\system32\urqQhFvt.dll
O2 - BHO: (no name) - {12699d45-3f0f-4c85-9d9b-10ce65a60c2f} - C:\WINDOWS\system32\hilivoze.dll (file missing)
O2 - BHO: C:\WINDOWS\system32\tyshb36rfjdf.dll - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\tyshb36rfjdf.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [bihomivabu] Rundll32.exe "C:\WINDOWS\system32\dunulaju.dll",s
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\user\Application Data\gadcom\gadcom.exe" 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\user\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [tezrtsjhfr84iusjfo84f] C:\DOCUME~1\user\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [VnrPack22] "C:\Program Files\VnrPack\VnrPack22.exe"
O4 - HKCU\..\Run: [GetModule35] C:\Program Files\GetModule\GetModule35.exe
O4 - HKCU\..\Run: [GetPack28] "C:\Program Files\GetPack\GetPack28.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [bihomivabu] Rundll32.exe "C:\WINDOWS\system32\dunulaju.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusremover2008.com
O15 - Trusted Zone: *.virusschlacht.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/.../GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1191099616095
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://messenger.zone.msn.com/EN-US/...jolauncher.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{5155EB13-C52B-4965-8EE3-C18B2E198951}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C7B25F9-A3B1-462D-B6F0-6C4C8B6B2C57}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{CB840167-8C0B-459E-9407-8A46C8A271F9}: NameServer = 209.183.54.151
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7CD77B1-4D33-47F9-BE3F-852B1695B32E}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - AppInit_DLLs: mzwcza.dll uwoowg.dll olqoee.dll xojlqy.dll fjqkdv.dll uspbhd.dll zodpnq.dll djrdvx.dll kqtbda.dll fahoeb.dll phzyog.dll uyzvki.dll aanlvn.dll dixzql.dll amdlbr.dll ynpgdu.dll vigbrk.dll yxhigj.dll olytwt.dll uvhwlu.dll kxczoi.dll yzxdtd.dll piugbj.dll fdanmf.dll cuvlfy.dll kbczhe.dll,C:\WINDOWS\system32\guzapamu.dll
O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll
O20 - Winlogon Notify: nnnnNDtQ - C:\WINDOWS\SYSTEM32\nnnnNDtQ.dll
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O22 - SharedTaskScheduler: FGYbf743iujndsfAfsdfd - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\tyshb36rfjdf.dll
--
End of file - 8096 bytes
Thanks for helping
Here is the hjt log only shows up to 22 for some reason:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:33:32 PM, on 1/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Program Files\AT&T\Communication Manager\ATTCM.exe
C:\Program Files\AT&T\Communication Manager\bmctl.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\user\LOCALS~1\Temp\csrssc.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\AT&T\Communication Manager\bmop.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,
O2 - BHO: (no name) - {026DD580-84D3-4C0C-AB35-B0DAC5669154} - C:\WINDOWS\system32\urqQhFvt.dll
O2 - BHO: (no name) - {12699d45-3f0f-4c85-9d9b-10ce65a60c2f} - C:\WINDOWS\system32\hilivoze.dll (file missing)
O2 - BHO: C:\WINDOWS\system32\tyshb36rfjdf.dll - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\tyshb36rfjdf.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [bihomivabu] Rundll32.exe "C:\WINDOWS\system32\dunulaju.dll",s
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\user\Application Data\gadcom\gadcom.exe" 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\user\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [tezrtsjhfr84iusjfo84f] C:\DOCUME~1\user\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [VnrPack22] "C:\Program Files\VnrPack\VnrPack22.exe"
O4 - HKCU\..\Run: [GetModule35] C:\Program Files\GetModule\GetModule35.exe
O4 - HKCU\..\Run: [GetPack28] "C:\Program Files\GetPack\GetPack28.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [bihomivabu] Rundll32.exe "C:\WINDOWS\system32\dunulaju.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusremover2008.com
O15 - Trusted Zone: *.virusschlacht.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/.../GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1191099616095
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://messenger.zone.msn.com/EN-US/...jolauncher.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{5155EB13-C52B-4965-8EE3-C18B2E198951}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C7B25F9-A3B1-462D-B6F0-6C4C8B6B2C57}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{CB840167-8C0B-459E-9407-8A46C8A271F9}: NameServer = 209.183.54.151
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7CD77B1-4D33-47F9-BE3F-852B1695B32E}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - AppInit_DLLs: mzwcza.dll uwoowg.dll olqoee.dll xojlqy.dll fjqkdv.dll uspbhd.dll zodpnq.dll djrdvx.dll kqtbda.dll fahoeb.dll phzyog.dll uyzvki.dll aanlvn.dll dixzql.dll amdlbr.dll ynpgdu.dll vigbrk.dll yxhigj.dll olytwt.dll uvhwlu.dll kxczoi.dll yzxdtd.dll piugbj.dll fdanmf.dll cuvlfy.dll kbczhe.dll,C:\WINDOWS\system32\guzapamu.dll
O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll
O20 - Winlogon Notify: nnnnNDtQ - C:\WINDOWS\SYSTEM32\nnnnNDtQ.dll
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O22 - SharedTaskScheduler: FGYbf743iujndsfAfsdfd - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\tyshb36rfjdf.dll
--
End of file - 8096 bytes
Thanks for helping
•
•
Join Date: Feb 2004
Posts: 9,988
Reputation: 
Solved Threads: 755
Hi and welcome to the Daniweb forums 
.
==========
Download Malwarebytes' Anti-Malware (http://www.majorgeeks.com/Malwarebyt...are_d5756.html) to your desktop.
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure to checkmark the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.
Make sure that you restart the computer.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
Post new HJT log.
.==========
Download Malwarebytes' Anti-Malware (http://www.majorgeeks.com/Malwarebyt...are_d5756.html) to your desktop.
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure to checkmark the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.
Make sure that you restart the computer.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
Post new HJT log.
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera AVAST anti-virus Comodo Firewall Spywareblaster
Opera AVAST anti-virus Comodo Firewall Spywareblaster
i have that program on my computer, but when i start it, it doesn't load up. I tried redownloading it from that site, but i cant access that site for some reason. I had my friend send me the exe file, but when i click run on the exe file it doesn't load up at all. This is very troublesome and thank you for going through the trouble to help me. So what do i do now 
here is another hjt log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:58:57 PM, on 1/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AT&T\Communication Manager\ATTCM.exe
C:\Program Files\AT&T\Communication Manager\bmctl.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Program Files\AT&T\Communication Manager\bmop.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,
O2 - BHO: (no name) - {12699d45-3f0f-4c85-9d9b-10ce65a60c2f} - C:\WINDOWS\system32\hilivoze.dll (file missing)
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\nnnnNDtQ.dll
O2 - BHO: (no name) - {C55FDCBA-5EA6-4D92-929B-11593CDCCFF0} - C:\WINDOWS\system32\urqQhFvt.dll
O2 - BHO: C:\WINDOWS\system32\tyshb36rfjdf.dll - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\tyshb36rfjdf.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [bihomivabu] Rundll32.exe "C:\WINDOWS\system32\dunulaju.dll",s
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\user\Application Data\gadcom\gadcom.exe" 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [bihomivabu] Rundll32.exe "C:\WINDOWS\system32\dunulaju.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusremover2008.com
O15 - Trusted Zone: *.virusschlacht.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/.../GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1191099616095
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://messenger.zone.msn.com/EN-US/...jolauncher.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{5155EB13-C52B-4965-8EE3-C18B2E198951}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C7B25F9-A3B1-462D-B6F0-6C4C8B6B2C57}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{CB840167-8C0B-459E-9407-8A46C8A271F9}: NameServer = 209.183.54.151
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7CD77B1-4D33-47F9-BE3F-852B1695B32E}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - AppInit_DLLs: mzwcza.dll uwoowg.dll olqoee.dll xojlqy.dll fjqkdv.dll uspbhd.dll zodpnq.dll djrdvx.dll kqtbda.dll fahoeb.dll phzyog.dll uyzvki.dll aanlvn.dll dixzql.dll amdlbr.dll ynpgdu.dll vigbrk.dll yxhigj.dll olytwt.dll uvhwlu.dll kxczoi.dll yzxdtd.dll piugbj.dll fdanmf.dll cuvlfy.dll kbczhe.dll,C:\WINDOWS\system32\guzapamu.dll
O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll
O20 - Winlogon Notify: nnnnNDtQ - C:\WINDOWS\SYSTEM32\nnnnNDtQ.dll
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O22 - SharedTaskScheduler: FGYbf743iujndsfAfsdfd - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\tyshb36rfjdf.dll
--
End of file - 7287 bytes
here is another hjt log:Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:58:57 PM, on 1/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AT&T\Communication Manager\ATTCM.exe
C:\Program Files\AT&T\Communication Manager\bmctl.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Program Files\AT&T\Communication Manager\bmop.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,
O2 - BHO: (no name) - {12699d45-3f0f-4c85-9d9b-10ce65a60c2f} - C:\WINDOWS\system32\hilivoze.dll (file missing)
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\nnnnNDtQ.dll
O2 - BHO: (no name) - {C55FDCBA-5EA6-4D92-929B-11593CDCCFF0} - C:\WINDOWS\system32\urqQhFvt.dll
O2 - BHO: C:\WINDOWS\system32\tyshb36rfjdf.dll - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\tyshb36rfjdf.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [bihomivabu] Rundll32.exe "C:\WINDOWS\system32\dunulaju.dll",s
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\user\Application Data\gadcom\gadcom.exe" 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [bihomivabu] Rundll32.exe "C:\WINDOWS\system32\dunulaju.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusremover2008.com
O15 - Trusted Zone: *.virusschlacht.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/.../GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1191099616095
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://messenger.zone.msn.com/EN-US/...jolauncher.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{5155EB13-C52B-4965-8EE3-C18B2E198951}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C7B25F9-A3B1-462D-B6F0-6C4C8B6B2C57}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{CB840167-8C0B-459E-9407-8A46C8A271F9}: NameServer = 209.183.54.151
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7CD77B1-4D33-47F9-BE3F-852B1695B32E}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - AppInit_DLLs: mzwcza.dll uwoowg.dll olqoee.dll xojlqy.dll fjqkdv.dll uspbhd.dll zodpnq.dll djrdvx.dll kqtbda.dll fahoeb.dll phzyog.dll uyzvki.dll aanlvn.dll dixzql.dll amdlbr.dll ynpgdu.dll vigbrk.dll yxhigj.dll olytwt.dll uvhwlu.dll kxczoi.dll yzxdtd.dll piugbj.dll fdanmf.dll cuvlfy.dll kbczhe.dll,C:\WINDOWS\system32\guzapamu.dll
O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll
O20 - Winlogon Notify: nnnnNDtQ - C:\WINDOWS\SYSTEM32\nnnnNDtQ.dll
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O22 - SharedTaskScheduler: FGYbf743iujndsfAfsdfd - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\tyshb36rfjdf.dll
--
End of file - 7287 bytes
•
•
Join Date: Jul 2008
Posts: 2,940
Reputation:
Solved Threads: 168
If I may comment here, I believe that your log shows no entries after O22 because you don't seem to have any XP services running.
Several other things I note, your O4 entries, which are the auto starting programs that start when the computer starts shows AVG7 antivirus but it is not running on the machine which certainly would explain this log showing multiple infections. The computer is grossly infected.
Your Trusted Zone section shows multiple BAD entries:
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusremover2008.com
O15 - Trusted Zone: *.virusschlacht.com
I see multiple Trojans, password stealers, hijackers.
You might try SDFix and see if this works to remove some of them.
Download SDFix and save it to the desktop.
double-click on the SDFix icon that should be residing on your desktop. If a Open File - Security Warning box opens, click on the Run button.
A window will now open showing SDFix being extracted into the C:\SDFix folder. Once the installation program has finished extracting SDFix, it will open a Notepad with further instructions
# Next, please reboot your computer into Safe Mode by doing the following:
1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.
5. When you are at the logon prompt, log in as the same user that you had performed the previous steps as.
When your computer has started in safe mode, and you see the desktop, close all open Windows.
Click on the Start button, click on the Run menu option, and type the following into the Open: field:
C:\SDFix\RunThis.bat
Then press the OK button.
The SDFix window will open containing some brief info and a disclaimer on the use of the tool.
please press the Y key on your keyboard and then press enter.
SDFix will now start scanning your computer for known infections
This process can take a while so be prepared to just sit and wait until it is complete.
When the scanning process has finished you will see a new screen stating that you need to restart your computer in order to continue.
At this point you should press any key on your computer's keyboard in order to restart the computer.
After your computer reboots SDFix will automatically start and perform a last check.
You will now be presented with a screen stating that SDFix has finished.
At this point you should press any key on your computer's keyboard in order to continue to your desktop.
When you are back at your Windows desktop, the SDFix log will automatically be opened in notepad.
Please post back here with that log.
Several other things I note, your O4 entries, which are the auto starting programs that start when the computer starts shows AVG7 antivirus but it is not running on the machine which certainly would explain this log showing multiple infections. The computer is grossly infected.
Your Trusted Zone section shows multiple BAD entries:
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusremover2008.com
O15 - Trusted Zone: *.virusschlacht.com
I see multiple Trojans, password stealers, hijackers.
You might try SDFix and see if this works to remove some of them.
Download SDFix and save it to the desktop.
double-click on the SDFix icon that should be residing on your desktop. If a Open File - Security Warning box opens, click on the Run button.
A window will now open showing SDFix being extracted into the C:\SDFix folder. Once the installation program has finished extracting SDFix, it will open a Notepad with further instructions
# Next, please reboot your computer into Safe Mode by doing the following:
1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.
5. When you are at the logon prompt, log in as the same user that you had performed the previous steps as.
When your computer has started in safe mode, and you see the desktop, close all open Windows.
Click on the Start button, click on the Run menu option, and type the following into the Open: field:
C:\SDFix\RunThis.bat
Then press the OK button.
The SDFix window will open containing some brief info and a disclaimer on the use of the tool.
please press the Y key on your keyboard and then press enter.
SDFix will now start scanning your computer for known infections
This process can take a while so be prepared to just sit and wait until it is complete.
When the scanning process has finished you will see a new screen stating that you need to restart your computer in order to continue.
At this point you should press any key on your computer's keyboard in order to restart the computer.
After your computer reboots SDFix will automatically start and perform a last check.
You will now be presented with a screen stating that SDFix has finished.
At this point you should press any key on your computer's keyboard in order to continue to your desktop.
When you are back at your Windows desktop, the SDFix log will automatically be opened in notepad.
Please post back here with that log.
Sorry for the full reply and thank you for helping me. Here is the report from SDFIX:
SDFix: Version 1.240
Run by user on Thu 01/29/2009 at 09:12 AM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\user\Desktop\SDFix
Checking Services :
Rootkit Found :
C:\WINDOWS\system32\drivers\WINAF40.sys - Rootkit Pandex/Cutwail - Runtime.sys
C:\WINDOWS\system32\drivers\WINAF84.sys - Rootkit Pandex/Cutwail - Runtime.sys
C:\WINDOWS\system32\drivers\WINBG73.sys - Rootkit Pandex/Cutwail - Runtime.sys
C:\WINDOWS\system32\drivers\WINCH84.sys - Rootkit Pandex/Cutwail - Runtime.sys
C:\WINDOWS\system32\drivers\WINGL62.sys - Rootkit Pandex/Cutwail - Runtime.sys
C:\WINDOWS\system32\drivers\WINJO27.sys - Rootkit Pandex/Cutwail - Runtime.sys
C:\WINDOWS\system32\drivers\WINLQ27.sys - Rootkit Pandex/Cutwail - Runtime.sys
C:\WINDOWS\system32\drivers\WINOT84.sys - Rootkit Pandex/Cutwail - Runtime.sys
C:\WINDOWS\system32\drivers\WINUA16.sys - Rootkit Pandex/Cutwail - Runtime.sys
C:\WINDOWS\system32\drivers\WINVB62.sys - Rootkit Pandex/Cutwail - Runtime.sys
C:\WINDOWS\system32\drivers\WINWC05.sys - Rootkit Pandex/Cutwail - Runtime.sys
C:\WINDOWS\system32\drivers\WINWC16.sys - Rootkit Pandex/Cutwail - Runtime.sys
C:\WINDOWS\system32\drivers\WINXD16.sys - Rootkit Pandex/Cutwail - Runtime.sys
C:\WINDOWS\system32\drivers\WINXD84.sys - Rootkit Pandex/Cutwail - Runtime.sys
Name :
tdssserv
WINAF40
WINAF84
WINBG73
WINCH84
WINGL62
WINJO27
WINLQ27
WINOT84
WINUA16
WINVB62
WINWC05
WINWC16
WINXD16
WINXD84
Path :
\systemroot\system32\drivers\TDSSserv.sys
\??\C:\WINDOWS\System32\drivers\Winaf40.sys
\??\C:\WINDOWS\System32\drivers\Winaf84.sys
\??\C:\WINDOWS\System32\drivers\Winbg73.sys
\??\C:\WINDOWS\System32\drivers\Winch84.sys
\??\C:\WINDOWS\System32\drivers\Wingl62.sys
\??\C:\WINDOWS\System32\drivers\Winjo27.sys
\??\C:\WINDOWS\System32\drivers\Winlq27.sys
\??\C:\WINDOWS\System32\drivers\Winot84.sys
\??\C:\WINDOWS\System32\drivers\Winua16.sys
\??\C:\WINDOWS\System32\drivers\Winvb62.sys
\??\C:\WINDOWS\System32\drivers\Winwc05.sys
\??\C:\WINDOWS\System32\drivers\Winwc16.sys
\??\C:\WINDOWS\System32\drivers\Winxd16.sys
\??\C:\WINDOWS\System32\drivers\Winxd84.sys
tdssserv - Deleted
WINAF40 - Deleted
WINAF84 - Deleted
WINBG73 - Deleted
WINCH84 - Deleted
WINGL62 - Deleted
WINJO27 - Deleted
WINLQ27 - Deleted
WINOT84 - Deleted
WINUA16 - Deleted
WINVB62 - Deleted
WINWC05 - Deleted
WINWC16 - Deleted
WINXD16 - Deleted
WINXD84 - Deleted
Restoring Default Security Values
Restoring Default Hosts File
Restoring Default Schedule Service Path
Rebooting
Checking Files :
Trojan Files Found:
C:\WINDOWS\system32\nnnnNDtQ.dll - Deleted
C:\Documents and Settings\user\Application Data\gadcom\gadcom.exe - Deleted
C:\Documents and Settings\user\Application Data\SpeedRunner\config.cfg - Deleted
C:\Temp\1cb\syscheck.log - Deleted
C:\Program Files\GetModule\GetModule35.exe - Deleted
C:\Program Files\GetPack\dictame.gz - Deleted
C:\Program Files\GetPack\GetPack27.exe - Deleted
C:\Program Files\GetPack\GetPack28.exe - Deleted
C:\Program Files\GetPack\trgtame.gz - Deleted
C:\Program Files\iCheck\Uninstall.exe - Deleted
C:\Program Files\Mjcore\Mjcore.dll - Deleted
C:\Program Files\VnrPack\dicts.gz - Deleted
C:\Program Files\VnrPack\trgts.gz - Deleted
C:\Program Files\VnrPack\VnrPack22.exe - Deleted
C:\Program Files\Webtools\webtools.dll - Deleted
C:\DOCUME~1\user\LOCALS~1\Temp\gettpa135.exe - Deleted
C:\DOCUME~1\user\LOCALS~1\Temp\gettpa227.exe - Deleted
C:\DOCUME~1\user\LOCALS~1\Temp\gettpa228.exe - Deleted
C:\DOCUME~1\user\LOCALS~1\Temp\TMP43.tmp - Deleted
C:\DOCUME~1\user\LOCALS~1\Temp\Csrssc.exe - Deleted
C:\WINDOWS\system32\crypts.dll - Deleted
C:\WINDOWS\system32\WinCtrl32.dll - Deleted
C:\WINDOWS\system32\windows_update.exe - Deleted
C:\WINDOWS\system32\drivers\TDSSserv.sys - Deleted
C:\WINDOWS\system32\TDSSoiqn.dll - Deleted
C:\WINDOWS\system32\TDSShlxr.dll - Deleted
C:\WINDOWS\system32\TDSSrtqp.dll - Deleted
C:\WINDOWS\system32\TDSSxfum.dll - Deleted
C:\WINDOWS\system32\TDSSlxwp.dll - Deleted
C:\WINDOWS\system32\TDSSorvd.dat - Deleted
C:\WINDOWS\system32\TDSSrhyp.log - Deleted
C:\WINDOWS\system32\TDSSkkbi.log - Deleted
C:\WINDOWS\system32\drivers\WINAF40.sys - Deleted
C:\WINDOWS\system32\drivers\WINAF84.sys - Deleted
C:\WINDOWS\system32\drivers\WINBG73.sys - Deleted
C:\WINDOWS\system32\drivers\WINCH84.sys - Deleted
C:\WINDOWS\system32\drivers\WINGL62.sys - Deleted
C:\WINDOWS\system32\drivers\WINJO27.sys - Deleted
C:\WINDOWS\system32\drivers\WINLQ27.sys - Deleted
C:\WINDOWS\system32\drivers\WINOT84.sys - Deleted
C:\WINDOWS\system32\drivers\WINUA16.sys - Deleted
C:\WINDOWS\system32\drivers\WINVB62.sys - Deleted
C:\WINDOWS\system32\drivers\WINWC05.sys - Deleted
C:\WINDOWS\system32\drivers\WINWC16.sys - Deleted
C:\WINDOWS\system32\drivers\WINXD16.sys - Deleted
C:\WINDOWS\system32\drivers\WINXD84.sys - Deleted
Folder C:\Documents and Settings\user\Application Data\gadcom - Removed
Folder C:\Documents and Settings\user\Application Data\SpeedRunner - Removed
Folder C:\Program Files\GetModule - Removed
Folder C:\Program Files\GetPack - Removed
Folder C:\Program Files\iCheck - Removed
Folder C:\Program Files\InetGet2 - Removed
Folder C:\Program Files\Mjcore - Removed
Folder C:\Program Files\VnrPack - Removed
Folder C:\Program Files\Webtools - Removed
Folder C:\Temp\1cb - Removed
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-29 12:42:00
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\TDSSserv.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\TDSSserv.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSserv.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSpqlt.sys"
"group"="file system"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv]
"start"=dword:00000004
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSserv.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSpqlt.sys"
"group"="file system"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSpqlt.sys"
"group"="file system"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules]
"TDSSserv"="\systemroot\system32\drivers\TDSSpqlt.sys"
"TDSSl"="\systemroot\system32\TDSSoiqn.dll"
"tdssservers"="\systemroot\system32\TDSSorvd.dat"
"tdssmain"="\systemroot\system32\TDSShlxr.dll"
"tdsslog"="\systemroot\system32\TDSSrtqp.dll"
"tdssadw"="\systemroot\system32\TDSSxfum.dll"
"tdssinit"="\systemroot\system32\TDSSlxwp.dll"
"tdssurls"="\systemroot\system32\TDSSnmxh.log"
"tdsspanels"="\systemroot\system32\TDSSsihc.dll"
"tdsserrors"="\systemroot\system32\TDSSrhyp.log"
"TDSSproc"="\systemroot\system32\TDSSkkbi.log"
scanning hidden registry entries ...
scanning hidden files ...
C:\WINDOWS\system32\dunulaju.dll 69120 bytes executable
C:\WINDOWS\system32\drivers\TDSSpqlt.sys 60416 bytes executable
C:\WINDOWS\system32\guzapamu.dll 69120 bytes executable
C:\WINDOWS\system32\hilivoze.dll 69120 bytes executable
C:\WINDOWS\system32\gaheduwe 6456 bytes
C:\Documents and Settings\user\Desktop\SDFix\backups\tdssserv.reg 1268 bytes
C:\Documents and Settings\user\Local Settings\Temp\TDSS48e0.tmp 102400 bytes executable
C:\Documents and Settings\user\Local Settings\Temp\TDSS4a3f.tmp 617472 bytes executable
scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 8
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe
:enabled
xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:Enabledxpsp3res.dll,-20000"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe
isabled:Firefox"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"="C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe:Enabled:Veoh Client"
"C:\\Program Files\\Trillian\\trillian.exe"="C:\\Program Files\\Trillian\\trillian.exe:Enabled:Trillian"
"C:\\WINDOWS\\system32\\a.exe"="C:\\WINDOWS\\system32\\a.exeisabled:a"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:Enabled:avgcc.exe"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:Enabled:æTorrent"
"C:\\Program Files\\Paltalk Messenger\\paltalk.exe"="C:\\Program Files\\Paltalk Messenger\\paltalk.exeisabled
altalkScene"
"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:Enabled:Explorer"
"C:\\WINDOWS\\system32\\winlogon.exe"="C:\\WINDOWS\\system32\\winlogon.exe:Enabled:winlogon"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:enabledxpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:Enabledxpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:Enabled:Windows Live Messenger (Phone)"
Remaining Files :
File Backups: - C:\DOCUME~1\user\Desktop\SDFix\backups\backups.zip
Files with Hidden Attributes :
Sun 13 Apr 2008 4,639 A.SH. --- "C:\Program Files\Windows Media Player\mplayer2.exe"
Wed 18 Oct 2006 64,000 A.SH. --- "C:\Program Files\Windows Media Player\wmplayer.exe"
--- 69,120 A.SH. --- "C:\WINDOWS\system32\dunulaju.dll"
--- 69,120 A.SH. --- "C:\WINDOWS\system32\guzapamu.dll"
--- 69,120 A.SH. --- "C:\WINDOWS\system32\hilivoze.dll"
Mon 25 Feb 2008 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 10 Dec 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Finished!
SDFix: Version 1.240
Run by user on Thu 01/29/2009 at 09:12 AM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\user\Desktop\SDFix
Checking Services :
Rootkit Found :
C:\WINDOWS\system32\drivers\WINAF40.sys - Rootkit Pandex/Cutwail - Runtime.sys
C:\WINDOWS\system32\drivers\WINAF84.sys - Rootkit Pandex/Cutwail - Runtime.sys
C:\WINDOWS\system32\drivers\WINBG73.sys - Rootkit Pandex/Cutwail - Runtime.sys
C:\WINDOWS\system32\drivers\WINCH84.sys - Rootkit Pandex/Cutwail - Runtime.sys
C:\WINDOWS\system32\drivers\WINGL62.sys - Rootkit Pandex/Cutwail - Runtime.sys
C:\WINDOWS\system32\drivers\WINJO27.sys - Rootkit Pandex/Cutwail - Runtime.sys
C:\WINDOWS\system32\drivers\WINLQ27.sys - Rootkit Pandex/Cutwail - Runtime.sys
C:\WINDOWS\system32\drivers\WINOT84.sys - Rootkit Pandex/Cutwail - Runtime.sys
C:\WINDOWS\system32\drivers\WINUA16.sys - Rootkit Pandex/Cutwail - Runtime.sys
C:\WINDOWS\system32\drivers\WINVB62.sys - Rootkit Pandex/Cutwail - Runtime.sys
C:\WINDOWS\system32\drivers\WINWC05.sys - Rootkit Pandex/Cutwail - Runtime.sys
C:\WINDOWS\system32\drivers\WINWC16.sys - Rootkit Pandex/Cutwail - Runtime.sys
C:\WINDOWS\system32\drivers\WINXD16.sys - Rootkit Pandex/Cutwail - Runtime.sys
C:\WINDOWS\system32\drivers\WINXD84.sys - Rootkit Pandex/Cutwail - Runtime.sys
Name :
tdssserv
WINAF40
WINAF84
WINBG73
WINCH84
WINGL62
WINJO27
WINLQ27
WINOT84
WINUA16
WINVB62
WINWC05
WINWC16
WINXD16
WINXD84
Path :
\systemroot\system32\drivers\TDSSserv.sys
\??\C:\WINDOWS\System32\drivers\Winaf40.sys
\??\C:\WINDOWS\System32\drivers\Winaf84.sys
\??\C:\WINDOWS\System32\drivers\Winbg73.sys
\??\C:\WINDOWS\System32\drivers\Winch84.sys
\??\C:\WINDOWS\System32\drivers\Wingl62.sys
\??\C:\WINDOWS\System32\drivers\Winjo27.sys
\??\C:\WINDOWS\System32\drivers\Winlq27.sys
\??\C:\WINDOWS\System32\drivers\Winot84.sys
\??\C:\WINDOWS\System32\drivers\Winua16.sys
\??\C:\WINDOWS\System32\drivers\Winvb62.sys
\??\C:\WINDOWS\System32\drivers\Winwc05.sys
\??\C:\WINDOWS\System32\drivers\Winwc16.sys
\??\C:\WINDOWS\System32\drivers\Winxd16.sys
\??\C:\WINDOWS\System32\drivers\Winxd84.sys
tdssserv - Deleted
WINAF40 - Deleted
WINAF84 - Deleted
WINBG73 - Deleted
WINCH84 - Deleted
WINGL62 - Deleted
WINJO27 - Deleted
WINLQ27 - Deleted
WINOT84 - Deleted
WINUA16 - Deleted
WINVB62 - Deleted
WINWC05 - Deleted
WINWC16 - Deleted
WINXD16 - Deleted
WINXD84 - Deleted
Restoring Default Security Values
Restoring Default Hosts File
Restoring Default Schedule Service Path
Rebooting
Checking Files :
Trojan Files Found:
C:\WINDOWS\system32\nnnnNDtQ.dll - Deleted
C:\Documents and Settings\user\Application Data\gadcom\gadcom.exe - Deleted
C:\Documents and Settings\user\Application Data\SpeedRunner\config.cfg - Deleted
C:\Temp\1cb\syscheck.log - Deleted
C:\Program Files\GetModule\GetModule35.exe - Deleted
C:\Program Files\GetPack\dictame.gz - Deleted
C:\Program Files\GetPack\GetPack27.exe - Deleted
C:\Program Files\GetPack\GetPack28.exe - Deleted
C:\Program Files\GetPack\trgtame.gz - Deleted
C:\Program Files\iCheck\Uninstall.exe - Deleted
C:\Program Files\Mjcore\Mjcore.dll - Deleted
C:\Program Files\VnrPack\dicts.gz - Deleted
C:\Program Files\VnrPack\trgts.gz - Deleted
C:\Program Files\VnrPack\VnrPack22.exe - Deleted
C:\Program Files\Webtools\webtools.dll - Deleted
C:\DOCUME~1\user\LOCALS~1\Temp\gettpa135.exe - Deleted
C:\DOCUME~1\user\LOCALS~1\Temp\gettpa227.exe - Deleted
C:\DOCUME~1\user\LOCALS~1\Temp\gettpa228.exe - Deleted
C:\DOCUME~1\user\LOCALS~1\Temp\TMP43.tmp - Deleted
C:\DOCUME~1\user\LOCALS~1\Temp\Csrssc.exe - Deleted
C:\WINDOWS\system32\crypts.dll - Deleted
C:\WINDOWS\system32\WinCtrl32.dll - Deleted
C:\WINDOWS\system32\windows_update.exe - Deleted
C:\WINDOWS\system32\drivers\TDSSserv.sys - Deleted
C:\WINDOWS\system32\TDSSoiqn.dll - Deleted
C:\WINDOWS\system32\TDSShlxr.dll - Deleted
C:\WINDOWS\system32\TDSSrtqp.dll - Deleted
C:\WINDOWS\system32\TDSSxfum.dll - Deleted
C:\WINDOWS\system32\TDSSlxwp.dll - Deleted
C:\WINDOWS\system32\TDSSorvd.dat - Deleted
C:\WINDOWS\system32\TDSSrhyp.log - Deleted
C:\WINDOWS\system32\TDSSkkbi.log - Deleted
C:\WINDOWS\system32\drivers\WINAF40.sys - Deleted
C:\WINDOWS\system32\drivers\WINAF84.sys - Deleted
C:\WINDOWS\system32\drivers\WINBG73.sys - Deleted
C:\WINDOWS\system32\drivers\WINCH84.sys - Deleted
C:\WINDOWS\system32\drivers\WINGL62.sys - Deleted
C:\WINDOWS\system32\drivers\WINJO27.sys - Deleted
C:\WINDOWS\system32\drivers\WINLQ27.sys - Deleted
C:\WINDOWS\system32\drivers\WINOT84.sys - Deleted
C:\WINDOWS\system32\drivers\WINUA16.sys - Deleted
C:\WINDOWS\system32\drivers\WINVB62.sys - Deleted
C:\WINDOWS\system32\drivers\WINWC05.sys - Deleted
C:\WINDOWS\system32\drivers\WINWC16.sys - Deleted
C:\WINDOWS\system32\drivers\WINXD16.sys - Deleted
C:\WINDOWS\system32\drivers\WINXD84.sys - Deleted
Folder C:\Documents and Settings\user\Application Data\gadcom - Removed
Folder C:\Documents and Settings\user\Application Data\SpeedRunner - Removed
Folder C:\Program Files\GetModule - Removed
Folder C:\Program Files\GetPack - Removed
Folder C:\Program Files\iCheck - Removed
Folder C:\Program Files\InetGet2 - Removed
Folder C:\Program Files\Mjcore - Removed
Folder C:\Program Files\VnrPack - Removed
Folder C:\Program Files\Webtools - Removed
Folder C:\Temp\1cb - Removed
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-29 12:42:00
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\TDSSserv.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\TDSSserv.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSserv.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSpqlt.sys"
"group"="file system"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv]
"start"=dword:00000004
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSserv.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSpqlt.sys"
"group"="file system"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSpqlt.sys"
"group"="file system"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules]
"TDSSserv"="\systemroot\system32\drivers\TDSSpqlt.sys"
"TDSSl"="\systemroot\system32\TDSSoiqn.dll"
"tdssservers"="\systemroot\system32\TDSSorvd.dat"
"tdssmain"="\systemroot\system32\TDSShlxr.dll"
"tdsslog"="\systemroot\system32\TDSSrtqp.dll"
"tdssadw"="\systemroot\system32\TDSSxfum.dll"
"tdssinit"="\systemroot\system32\TDSSlxwp.dll"
"tdssurls"="\systemroot\system32\TDSSnmxh.log"
"tdsspanels"="\systemroot\system32\TDSSsihc.dll"
"tdsserrors"="\systemroot\system32\TDSSrhyp.log"
"TDSSproc"="\systemroot\system32\TDSSkkbi.log"
scanning hidden registry entries ...
scanning hidden files ...
C:\WINDOWS\system32\dunulaju.dll 69120 bytes executable
C:\WINDOWS\system32\drivers\TDSSpqlt.sys 60416 bytes executable
C:\WINDOWS\system32\guzapamu.dll 69120 bytes executable
C:\WINDOWS\system32\hilivoze.dll 69120 bytes executable
C:\WINDOWS\system32\gaheduwe 6456 bytes
C:\Documents and Settings\user\Desktop\SDFix\backups\tdssserv.reg 1268 bytes
C:\Documents and Settings\user\Local Settings\Temp\TDSS48e0.tmp 102400 bytes executable
C:\Documents and Settings\user\Local Settings\Temp\TDSS4a3f.tmp 617472 bytes executable
scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 8
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe
:enabledxpsp2res.dll,-22019""%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe
:Enabledxpsp3res.dll,-20000""C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe
isabled:Firefox""C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe
:Enabled:Yahoo! Messenger""C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe
:Enabled:Yahoo! FT Server""C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"="C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe
:Enabled:Veoh Client""C:\\Program Files\\Trillian\\trillian.exe"="C:\\Program Files\\Trillian\\trillian.exe
:Enabled:Trillian""C:\\WINDOWS\\system32\\a.exe"="C:\\WINDOWS\\system32\\a.exe
isabled:a""C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe
:Enabled:avginet.exe""C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe
:Enabled:avgamsvr.exe""C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe
:Enabled:avgcc.exe""C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe
:Enabled:Windows Live Messenger""C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe
:Enabled:Windows Live Messenger (Phone)""C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe
:Enabled:æTorrent""C:\\Program Files\\Paltalk Messenger\\paltalk.exe"="C:\\Program Files\\Paltalk Messenger\\paltalk.exe
isabledaltalkScene""C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe
:Enabled:Explorer""C:\\WINDOWS\\system32\\winlogon.exe"="C:\\WINDOWS\\system32\\winlogon.exe
:Enabled:winlogon"[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe
:enabledxpsp2res.dll,-22019""%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe
:Enabledxpsp3res.dll,-20000""C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe
:Enabled:Windows Live Messenger""C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe
:Enabled:Windows Live Messenger (Phone)"Remaining Files :
File Backups: - C:\DOCUME~1\user\Desktop\SDFix\backups\backups.zip
Files with Hidden Attributes :
Sun 13 Apr 2008 4,639 A.SH. --- "C:\Program Files\Windows Media Player\mplayer2.exe"
Wed 18 Oct 2006 64,000 A.SH. --- "C:\Program Files\Windows Media Player\wmplayer.exe"
--- 69,120 A.SH. --- "C:\WINDOWS\system32\dunulaju.dll"
--- 69,120 A.SH. --- "C:\WINDOWS\system32\guzapamu.dll"
--- 69,120 A.SH. --- "C:\WINDOWS\system32\hilivoze.dll"
Mon 25 Feb 2008 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 10 Dec 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Finished!
•
•
Join Date: Jul 2008
Posts: 2,940
Reputation:
Solved Threads: 168
Download ComboFix
Click on the Save button and then when it asks you where to save it, make sure you save it directly to your Windows Desktop.
Once the download is complete you will see the Combofix on the desktop.
* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.
Doubleclick the combofix icon on the desktop to run the program.
Windows will issue a prompt asking whether you wish to run the program, click Run
You will then see a Disclaimer screen asking you to agree to the disclaimer. Press the number 1 key to accept the disclaimer.
Now just sit back and allow the program to run
Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.
When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.
When all is complete then please post back here with that log.
Click on the Save button and then when it asks you where to save it, make sure you save it directly to your Windows Desktop.
Once the download is complete you will see the Combofix on the desktop.
* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.
Doubleclick the combofix icon on the desktop to run the program.
Windows will issue a prompt asking whether you wish to run the program, click Run
You will then see a Disclaimer screen asking you to agree to the disclaimer. Press the number 1 key to accept the disclaimer.
Now just sit back and allow the program to run
Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.
When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.
When all is complete then please post back here with that log.
I am having problems running combofix.exe, When i open up task manager i can see combofix in the back ground but when i run combofix nothing pops up. Other exe files do the same. I tried running in safe mode and ran combofix but the same thing happened.
•
•
Join Date: Feb 2004
Posts: 9,988
Reputation:
Solved Threads: 755
Open Device Manager and on the VIEW Tab, select the Show hidden devices option.
Go down to non plug and play drivers and see if there is one called TDSSserv and disable it.
==
Reboot and try again to run combofix if you found it.
==
If that does not work,
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Go down to non plug and play drivers and see if there is one called TDSSserv and disable it.
==
Reboot and try again to run combofix if you found it.
==
If that does not work,
- Click START then RUN
- Now type Combofix /u in the runbox and click OK. Note the space between the X and the /, it needs to be there.
- You must rename combofix BEFORE saving it to your pc.
- You must download it to and run it from your Desktop
- Physically disconnect from the internet.
- Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
- Double click combofix.exe & follow the prompts.
- When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
- Re-enable all the programs that were disabled during the running of ComboFix..
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Last edited by crunchie; Jan 30th, 2009 at 10:02 pm.
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera AVAST anti-virus Comodo Firewall Spywareblaster
Opera AVAST anti-virus Comodo Firewall Spywareblaster
•
•
Join Date: Jul 2008
Posts: 2,940
Reputation:
Solved Threads: 168
Post removed as I didn't see Crunchie's instructions.
Last edited by jholland1964; Jan 30th, 2009 at 10:00 pm.
Wow that really worked Thanks. okay here is the Combofix log:
ComboFix 09-02-01.01 - user 2009-02-01 13:34:49.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1791.1439 [GMT -8:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
AV: AVG 7.5.549 *On-access scanning enabled* (Updated)
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\user\Application Data\GetModule
c:\documents and settings\user\Application Data\GetModule\dicik.gz
c:\documents and settings\user\Application Data\GetModule\kwdik.gz
c:\documents and settings\user\Application Data\GetModule\ofadik.gz
c:\documents and settings\user\Application Data\shca35j0ejdn
c:\documents and settings\user\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\BM2feafb14.txt
c:\windows\system32\aanlvn.dll
c:\windows\system32\aecbcewa.dll
c:\windows\system32\amdlbr.dll
c:\windows\system32\anmkrpm.dll
c:\windows\system32\anmkrpmp.dll
c:\windows\system32\awtrRHYQ.dll
c:\windows\system32\bxmdlspe.ini
c:\windows\system32\cbXNFurp.dll
c:\windows\system32\ccaideuk.dll
c:\windows\system32\coecxsph.ini
c:\windows\system32\crypts.dll
c:\windows\system32\cuvlfy.dll
c:\windows\system32\cvrapgul.ini
c:\windows\system32\dbyefacd.ini
c:\windows\system32\dcafeybd.dll
c:\windows\system32\dixzql.dll
c:\windows\system32\djrdvx.dll
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\Drivers\TDSSpqlt.sys
c:\windows\system32\dunulaju.dll
c:\windows\system32\dwopoxfk.ini
c:\windows\system32\efcCspOh.dll
c:\windows\system32\eqyttkhj.ini
c:\windows\system32\fahoeb.dll
c:\windows\system32\fakeskyr.ini
c:\windows\system32\favdxjtr.dll
c:\windows\system32\fbgdikjj.ini
c:\windows\system32\fdanmf.dll
c:\windows\system32\fhtpnyim.ini
c:\windows\system32\geBspmnl.dll
c:\windows\system32\gusvynkf.dll
c:\windows\system32\guzapamu.dll
c:\windows\system32\gwgdbeef.ini
c:\windows\system32\hilivoze.dll
c:\windows\system32\hpsxceoc.dll
c:\windows\system32\iehelper.dll
c:\windows\system32\ihsocl.dll
c:\windows\system32\ilkfcdix.ini
c:\windows\system32\iqjyfdhj.dll
c:\windows\system32\iukbpfik.dll
c:\windows\system32\jjkidgbf.dll
c:\windows\system32\jolvtpqf.dll
c:\windows\system32\jvopeuho.dll
c:\windows\system32\jyhyfawl.ini
c:\windows\system32\kbczhe.dll
c:\windows\system32\kehmhwve.dll
c:\windows\system32\kfpuyjkq.dll
c:\windows\system32\kfxopowd.dll
c:\windows\system32\khfFXrQI.dll
c:\windows\system32\kifpbkui.ini
c:\windows\system32\klemfxud.ini
c:\windows\system32\kqgqwolr.ini
c:\windows\system32\kqtbda.dll
c:\windows\system32\kxczoi.dll
c:\windows\system32\kxotruvb.ini
c:\windows\system32\L5
c:\windows\system32\ljJYQGvT.dll
c:\windows\system32\lugparvc.dll
c:\windows\system32\mcrh.tmp
c:\windows\system32\mfmcsonf.ini
c:\windows\system32\mgicmcoh.dll
c:\windows\system32\mjmwelui.dll
c:\windows\system32\nbwoxnbq.ini
c:\windows\system32\obqdwosy.dll
c:\windows\system32\olytwt.dll
c:\windows\system32\pawpbxsw.dll
c:\windows\system32\phzyog.dll
c:\windows\system32\piugbj.dll
c:\windows\system32\pkboofff.dll
c:\windows\system32\pkxmqdua.ini
c:\windows\system32\prunnet.exe
c:\windows\system32\qbnxowbn.dll
c:\windows\system32\qorsjxbn.dll
c:\windows\system32\ratkqfir.dll
c:\windows\system32\rpguwr.dll
c:\windows\system32\rqRJAttQ.dll
c:\windows\system32\rtjxdvaf.ini
c:\windows\system32\ssjbarhc.ini
c:\windows\system32\ssqQjIAp.dll
c:\windows\system32\ssqRLeeE.dll
c:\windows\system32\TDSShlxr.dll
c:\windows\system32\TDSSoiqn.dll
c:\windows\system32\TDSSorvd.dat
c:\windows\system32\TDSSrtqp.dll
c:\windows\system32\TDSSxfum.dll
c:\windows\system32\tncdxxlh.dll
c:\windows\system32\tnprfkdx.dll
c:\windows\system32\tvFhQqru.ini
c:\windows\system32\tvFhQqru.ini2
c:\windows\system32\twex.exe
c:\windows\system32\tyshb36rfjdf.dll
c:\windows\system32\udpvbuig.ini
c:\windows\system32\uerdoilh.dll
c:\windows\system32\urqQhFvt.dll
c:\windows\system32\uvhwlu.dll
c:\windows\system32\uyzvki.dll
c:\windows\system32\vgpflmag.ini
c:\windows\system32\vigbrk.dll
c:\windows\system32\vpvvtyny.ini
c:\windows\system32\vuugnyla.ini
c:\windows\system32\wcapmact.dll
c:\windows\system32\wsxbpwap.ini
c:\windows\system32\xidcfkli.dll
c:\windows\system32\xoyjwlvt.dll
c:\windows\system32\xshfrpft.ini
c:\windows\system32\xxyvusrR.dll
c:\windows\system32\xxywUKdE.dll
c:\windows\system32\yedmomaa.ini
c:\windows\system32\yhenqlcx.dll
c:\windows\system32\ynpgdu.dll
c:\windows\system32\ypcstnlw.ini
c:\windows\system32\yppppiru.dll
c:\windows\system32\yxhigj.dll
c:\windows\system32\yzxdtd.dll
c:\windows\system32\zodpnq.dll
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat . . . . failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat . . . . failed to delete
----- BITS: Possible infected sites -----
hxxp://77.74.48.101
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys
((((((((((((((((((((((((( Files Created from 2009-01-01 to 2009-02-01 )))))))))))))))))))))))))))))))
.
2009-01-30 02:09 . 2009-02-01 11:51 2,190 --a------ c:\windows\system32\TDSSlxwp.dll
2009-01-29 22:42 . 2009-01-29 22:42 2,713 --ahs---- c:\windows\system32\lazogiya.exe
2009-01-29 09:02 . 2009-01-29 09:02 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-01-29 08:29 . 2009-01-29 08:29 <DIR> d-------- c:\windows\ERUNT
2009-01-29 08:26 . 2009-01-29 08:26 <DIR> d-------- c:\documents and settings\Administrator.UNKNOW-91070FE2
2009-01-24 20:45 . 2009-02-01 09:41 <DIR> d--hs---- c:\windows\system32\twain32
2009-01-24 20:45 . 2009-01-24 20:45 266,248 --a------ c:\windows\sysguard.exe
2009-01-18 06:16 . 2009-01-18 06:16 <DIR> d-------- c:\documents and settings\user\Application Data\Sierra Wireless
2009-01-18 06:16 . 2009-01-18 06:16 <DIR> d-------- c:\documents and settings\user\Application Data\DBUpdater
2009-01-18 06:16 . 2009-01-18 06:16 <DIR> d-------- c:\documents and settings\user\Application Data\AT&T
2009-01-18 06:16 . 2008-11-20 21:59 27,072 --a------ c:\windows\system32\drivers\PCASp50.sys
2009-01-18 06:16 . 2008-08-22 10:05 26,760 -ra------ c:\windows\system32\drivers\swmsflt.sys
2009-01-18 06:11 . 2009-01-18 06:11 <DIR> d-------- c:\program files\Sierra Wireless Inc
2009-01-18 06:11 . 2009-01-18 06:11 <DIR> d-------- c:\program files\Common Files\Motorola Shared
2009-01-18 06:11 . 2009-01-18 06:11 <DIR> d-------- c:\program files\AT&T
2009-01-18 06:11 . 2009-01-18 06:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\AT&T
2009-01-18 06:10 . 2009-01-18 06:10 <DIR> d-------- c:\program files\Option
2009-01-18 06:09 . 2009-01-18 06:09 <DIR> d-------- c:\documents and settings\user\Application Data\Research In Motion
2009-01-18 06:09 . 2009-01-29 06:42 256 --a------ c:\windows\system32\pool.bin
2009-01-18 06:08 . 2007-01-18 10:24 26,496 -ra------ c:\windows\system32\drivers\RimSerial.sys
2009-01-18 06:07 . 2009-01-18 06:07 <DIR> d-------- c:\program files\Research In Motion
2009-01-18 06:07 . 2009-01-28 15:34 <DIR> d-------- c:\program files\Common Files\Research In Motion
2009-01-18 06:04 . 2009-01-18 06:04 <DIR> d--hs---- c:\windows\ftpcache
2009-01-10 08:20 . 2009-01-10 08:20 <DIR> d-------- c:\documents and settings\user\Application Data\TeamViewer
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-21 16:00 --------- d-----w c:\documents and settings\user\Application Data\AVG7
2008-12-20 22:55 --------- d-----w c:\program files\AllToAVI
2008-12-19 23:48 --------- d-----w c:\program files\PartyGaming
2008-12-13 01:11 69,632 ----a-w c:\windows\system32\drivers\zqgyhlq6pgg.sys
2007-12-10 11:46 47,360 ----a-w c:\documents and settings\user\Application Data\pcouffin.sys
2004-05-07 22:31 348,160 ----a-w c:\program files\mozilla firefox\components\MSVCR71.DLL
2006-11-07 19:58 139,264 ------w c:\program files\mozilla firefox\components\SABFF20.DLL
2008-10-20 15:13 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008102020081021\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-13 169984]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-10-04 219136]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.X264"= x264vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2008-12-20 07:57 2356088 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AT&T Communication Manager]
--a------ 2008-12-01 14:23 33280 c:\program files\AT&T\Communication Manager\ATTCM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2008-10-19 07:14 590848 c:\progra~1\Grisoft\AVG7\avgcc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 16:12 15360 c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-10-18 10:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-05-18 12:20 7700480 c:\windows\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-05-18 12:21 86016 c:\windows\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-29 07:05 136600 c:\program files\Java\jre6\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-08-28 09:18 3660848 c:\program files\Veoh Networks\Veoh\VeohClient.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 16:43 4670704 c:\program files\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-05-18 12:21 1622016 c:\windows\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)
"Nero BackItUp Scheduler 3"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"aawservice"=2 (0x2)
"a2AntiMalware"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"Schedule"=2 (0x2)
"NVSvc"=2 (0x2)
"ATTRcAppSvc"=3 (0x3)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCPxpsp2res.dll,-22015
"1701:UDP"= 1701:UDPxpsp2res.dll,-22016
"500:UDP"= 500:UDPxpsp2res.dll,-22017
R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [2006-06-24 89749]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [2006-06-24 9600]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys --> c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [?]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2005-08-25 466880]
S3 ASNDIS5;ASNDIS5 Protocol Driver;c:\windows\system32\ASNDIS5.sys [2008-04-02 16269]
S3 genmcmnUSB;USB Scroll Mouse Driver;c:\windows\system32\drivers\gflmouhid.sys [2004-04-19 6656]
S3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\drivers\NtApm.sys [2007-09-29 9344]
S3 u2kg54;BUFFALO WLI-U2-KG54 Wireless LAN Adapter Service;c:\windows\system32\drivers\rt2500usb.sys [2008-04-02 104320]
S3 USBAU;USB Audio Device Interface;c:\windows\system32\drivers\CM102.sys [2008-11-09 1312768]
S3 XDva031;XDva031;\??\c:\windows\system32\XDva031.sys --> c:\windows\system32\XDva031.sys [?]
S4 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [2008-11-20 113152]
.
- - - - ORPHANS REMOVED - - - -
BHO-{12699d45-3f0f-4c85-9d9b-10ce65a60c2f} - c:\windows\system32\hilivoze.dll
BHO-{4CE528E2-58C1-4256-9567-7DC19D3C4886} - c:\windows\system32\urqQhFvt.dll
BHO-{D5BF49A2-94F1-42BD-F434-3604812C807D} - c:\windows\system32\tyshb36rfjdf.dll
SharedTaskScheduler-{D5BF49A2-94F1-42BD-F434-3604812C807D} - c:\windows\system32\tyshb36rfjdf.dll
MSConfigStartUp-2ef07 - c:\program files\rhedelzvdocyw\nfvsrsz.exe
MSConfigStartUp-AACKWin - c:\progra~1\KSYSCO~1\smss.exe
MSConfigStartUp-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe
MSConfigStartUp-bihomivabu - c:\windows\system32\dunulaju.dll
MSConfigStartUp-BlackBerryAutoUpdate - c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
MSConfigStartUp-Control Center - c:\program files\ASUS\WLAN Card Utilities\Center.exe
MSConfigStartUp-GetModule35 - c:\program files\GetModule\GetModule35.exe
MSConfigStartUp-GetPack28 - c:\program files\GetPack\GetPack28.exe
MSConfigStartUp-Jnskdfmf9eldfd - c:\docume~1\user\LOCALS~1\Temp\csrssc.exe
MSConfigStartUp-jsf8j34rgfght - c:\docume~1\user\LOCALS~1\Temp\winloggn.exe
MSConfigStartUp-lphcc35j0ejdn - c:\windows\system32\lphcc35j0ejdn.exe
MSConfigStartUp-NBKeyScan - c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
MSConfigStartUp-NeroFilterCheck - c:\program files\Common Files\Nero\Lib\NeroCheck.exe
MSConfigStartUp-prunnet - c:\windows\system32\prunnet.exe
MSConfigStartUp-runner1 - c:\windows\mrofinu1535.exe
MSConfigStartUp-SpeedX - c:\progra~1\MyPortal\Speed-X\SpeedX.exe
MSConfigStartUp-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe
MSConfigStartUp-sysrest32 - c:\windows\system32\sysrest32.exe
MSConfigStartUp-tezrtsjhfr84iusjfo84f - c:\docume~1\user\LOCALS~1\Temp\csrssc.exe
MSConfigStartUp-VnrPack22 - c:\program files\VnrPack\VnrPack22.exe
MSConfigStartUp-winlogon - c:\documents and settings\user\svchost.exe
MSConfigStartUp-[system] - c:\windows\system32\drivers\services.exe
MSConfigStartUp-Cm102Sound - cm102.cpl
MSConfigStartUp-CTHelper - CTHELPER.EXE
MSConfigStartUp-CTxfiHlp - CTXFIHLP.EXE
.
------- Supplementary Scan -------
.
LSP: bmnet.dll
Trusted Zone: amaena.com
Trusted Zone: avsystemcare.com
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: trustedantivirus.com
Trusted Zone: virusremover2008.com
Trusted Zone: virusschlacht.com
TCP: {2351A425-A26B-40A4-ADBB-99450D8C5E4A} = 208.67.220.220,208.67.222.222
TCP: {5155EB13-C52B-4965-8EE3-C18B2E198951} = 208.67.220.220,208.67.222.222
TCP: {6C7B25F9-A3B1-462D-B6F0-6C4C8B6B2C57} = 208.67.220.220,208.67.222.222
TCP: {E7CD77B1-4D33-47F9-BE3F-852B1695B32E} = 208.67.220.220,208.67.222.222
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\7805yqbd.default\
FF - component: c:\program files\Mozilla Firefox\components\SABFF20.DLL
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-01 13:48:10
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(728)
c:\windows\system32\bmnet.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wscntfy.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-02-01 13:50:21 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-01 21:50:14
Pre-Run: 67,190,714,368 bytes free
Post-Run: 67,343,056,896 bytes free
340 --- E O F --- 2008-12-12 11:02:28
ComboFix 09-02-01.01 - user 2009-02-01 13:34:49.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1791.1439 [GMT -8:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
AV: AVG 7.5.549 *On-access scanning enabled* (Updated)
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\user\Application Data\GetModule
c:\documents and settings\user\Application Data\GetModule\dicik.gz
c:\documents and settings\user\Application Data\GetModule\kwdik.gz
c:\documents and settings\user\Application Data\GetModule\ofadik.gz
c:\documents and settings\user\Application Data\shca35j0ejdn
c:\documents and settings\user\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\BM2feafb14.txt
c:\windows\system32\aanlvn.dll
c:\windows\system32\aecbcewa.dll
c:\windows\system32\amdlbr.dll
c:\windows\system32\anmkrpm.dll
c:\windows\system32\anmkrpmp.dll
c:\windows\system32\awtrRHYQ.dll
c:\windows\system32\bxmdlspe.ini
c:\windows\system32\cbXNFurp.dll
c:\windows\system32\ccaideuk.dll
c:\windows\system32\coecxsph.ini
c:\windows\system32\crypts.dll
c:\windows\system32\cuvlfy.dll
c:\windows\system32\cvrapgul.ini
c:\windows\system32\dbyefacd.ini
c:\windows\system32\dcafeybd.dll
c:\windows\system32\dixzql.dll
c:\windows\system32\djrdvx.dll
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\Drivers\TDSSpqlt.sys
c:\windows\system32\dunulaju.dll
c:\windows\system32\dwopoxfk.ini
c:\windows\system32\efcCspOh.dll
c:\windows\system32\eqyttkhj.ini
c:\windows\system32\fahoeb.dll
c:\windows\system32\fakeskyr.ini
c:\windows\system32\favdxjtr.dll
c:\windows\system32\fbgdikjj.ini
c:\windows\system32\fdanmf.dll
c:\windows\system32\fhtpnyim.ini
c:\windows\system32\geBspmnl.dll
c:\windows\system32\gusvynkf.dll
c:\windows\system32\guzapamu.dll
c:\windows\system32\gwgdbeef.ini
c:\windows\system32\hilivoze.dll
c:\windows\system32\hpsxceoc.dll
c:\windows\system32\iehelper.dll
c:\windows\system32\ihsocl.dll
c:\windows\system32\ilkfcdix.ini
c:\windows\system32\iqjyfdhj.dll
c:\windows\system32\iukbpfik.dll
c:\windows\system32\jjkidgbf.dll
c:\windows\system32\jolvtpqf.dll
c:\windows\system32\jvopeuho.dll
c:\windows\system32\jyhyfawl.ini
c:\windows\system32\kbczhe.dll
c:\windows\system32\kehmhwve.dll
c:\windows\system32\kfpuyjkq.dll
c:\windows\system32\kfxopowd.dll
c:\windows\system32\khfFXrQI.dll
c:\windows\system32\kifpbkui.ini
c:\windows\system32\klemfxud.ini
c:\windows\system32\kqgqwolr.ini
c:\windows\system32\kqtbda.dll
c:\windows\system32\kxczoi.dll
c:\windows\system32\kxotruvb.ini
c:\windows\system32\L5
c:\windows\system32\ljJYQGvT.dll
c:\windows\system32\lugparvc.dll
c:\windows\system32\mcrh.tmp
c:\windows\system32\mfmcsonf.ini
c:\windows\system32\mgicmcoh.dll
c:\windows\system32\mjmwelui.dll
c:\windows\system32\nbwoxnbq.ini
c:\windows\system32\obqdwosy.dll
c:\windows\system32\olytwt.dll
c:\windows\system32\pawpbxsw.dll
c:\windows\system32\phzyog.dll
c:\windows\system32\piugbj.dll
c:\windows\system32\pkboofff.dll
c:\windows\system32\pkxmqdua.ini
c:\windows\system32\prunnet.exe
c:\windows\system32\qbnxowbn.dll
c:\windows\system32\qorsjxbn.dll
c:\windows\system32\ratkqfir.dll
c:\windows\system32\rpguwr.dll
c:\windows\system32\rqRJAttQ.dll
c:\windows\system32\rtjxdvaf.ini
c:\windows\system32\ssjbarhc.ini
c:\windows\system32\ssqQjIAp.dll
c:\windows\system32\ssqRLeeE.dll
c:\windows\system32\TDSShlxr.dll
c:\windows\system32\TDSSoiqn.dll
c:\windows\system32\TDSSorvd.dat
c:\windows\system32\TDSSrtqp.dll
c:\windows\system32\TDSSxfum.dll
c:\windows\system32\tncdxxlh.dll
c:\windows\system32\tnprfkdx.dll
c:\windows\system32\tvFhQqru.ini
c:\windows\system32\tvFhQqru.ini2
c:\windows\system32\twex.exe
c:\windows\system32\tyshb36rfjdf.dll
c:\windows\system32\udpvbuig.ini
c:\windows\system32\uerdoilh.dll
c:\windows\system32\urqQhFvt.dll
c:\windows\system32\uvhwlu.dll
c:\windows\system32\uyzvki.dll
c:\windows\system32\vgpflmag.ini
c:\windows\system32\vigbrk.dll
c:\windows\system32\vpvvtyny.ini
c:\windows\system32\vuugnyla.ini
c:\windows\system32\wcapmact.dll
c:\windows\system32\wsxbpwap.ini
c:\windows\system32\xidcfkli.dll
c:\windows\system32\xoyjwlvt.dll
c:\windows\system32\xshfrpft.ini
c:\windows\system32\xxyvusrR.dll
c:\windows\system32\xxywUKdE.dll
c:\windows\system32\yedmomaa.ini
c:\windows\system32\yhenqlcx.dll
c:\windows\system32\ynpgdu.dll
c:\windows\system32\ypcstnlw.ini
c:\windows\system32\yppppiru.dll
c:\windows\system32\yxhigj.dll
c:\windows\system32\yzxdtd.dll
c:\windows\system32\zodpnq.dll
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat . . . . failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat . . . . failed to delete
----- BITS: Possible infected sites -----
hxxp://77.74.48.101
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys
((((((((((((((((((((((((( Files Created from 2009-01-01 to 2009-02-01 )))))))))))))))))))))))))))))))
.
2009-01-30 02:09 . 2009-02-01 11:51 2,190 --a------ c:\windows\system32\TDSSlxwp.dll
2009-01-29 22:42 . 2009-01-29 22:42 2,713 --ahs---- c:\windows\system32\lazogiya.exe
2009-01-29 09:02 . 2009-01-29 09:02 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-01-29 08:29 . 2009-01-29 08:29 <DIR> d-------- c:\windows\ERUNT
2009-01-29 08:26 . 2009-01-29 08:26 <DIR> d-------- c:\documents and settings\Administrator.UNKNOW-91070FE2
2009-01-24 20:45 . 2009-02-01 09:41 <DIR> d--hs---- c:\windows\system32\twain32
2009-01-24 20:45 . 2009-01-24 20:45 266,248 --a------ c:\windows\sysguard.exe
2009-01-18 06:16 . 2009-01-18 06:16 <DIR> d-------- c:\documents and settings\user\Application Data\Sierra Wireless
2009-01-18 06:16 . 2009-01-18 06:16 <DIR> d-------- c:\documents and settings\user\Application Data\DBUpdater
2009-01-18 06:16 . 2009-01-18 06:16 <DIR> d-------- c:\documents and settings\user\Application Data\AT&T
2009-01-18 06:16 . 2008-11-20 21:59 27,072 --a------ c:\windows\system32\drivers\PCASp50.sys
2009-01-18 06:16 . 2008-08-22 10:05 26,760 -ra------ c:\windows\system32\drivers\swmsflt.sys
2009-01-18 06:11 . 2009-01-18 06:11 <DIR> d-------- c:\program files\Sierra Wireless Inc
2009-01-18 06:11 . 2009-01-18 06:11 <DIR> d-------- c:\program files\Common Files\Motorola Shared
2009-01-18 06:11 . 2009-01-18 06:11 <DIR> d-------- c:\program files\AT&T
2009-01-18 06:11 . 2009-01-18 06:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\AT&T
2009-01-18 06:10 . 2009-01-18 06:10 <DIR> d-------- c:\program files\Option
2009-01-18 06:09 . 2009-01-18 06:09 <DIR> d-------- c:\documents and settings\user\Application Data\Research In Motion
2009-01-18 06:09 . 2009-01-29 06:42 256 --a------ c:\windows\system32\pool.bin
2009-01-18 06:08 . 2007-01-18 10:24 26,496 -ra------ c:\windows\system32\drivers\RimSerial.sys
2009-01-18 06:07 . 2009-01-18 06:07 <DIR> d-------- c:\program files\Research In Motion
2009-01-18 06:07 . 2009-01-28 15:34 <DIR> d-------- c:\program files\Common Files\Research In Motion
2009-01-18 06:04 . 2009-01-18 06:04 <DIR> d--hs---- c:\windows\ftpcache
2009-01-10 08:20 . 2009-01-10 08:20 <DIR> d-------- c:\documents and settings\user\Application Data\TeamViewer
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-21 16:00 --------- d-----w c:\documents and settings\user\Application Data\AVG7
2008-12-20 22:55 --------- d-----w c:\program files\AllToAVI
2008-12-19 23:48 --------- d-----w c:\program files\PartyGaming
2008-12-13 01:11 69,632 ----a-w c:\windows\system32\drivers\zqgyhlq6pgg.sys
2007-12-10 11:46 47,360 ----a-w c:\documents and settings\user\Application Data\pcouffin.sys
2004-05-07 22:31 348,160 ----a-w c:\program files\mozilla firefox\components\MSVCR71.DLL
2006-11-07 19:58 139,264 ------w c:\program files\mozilla firefox\components\SABFF20.DLL
2008-10-20 15:13 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008102020081021\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-13 169984]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-10-04 219136]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.X264"= x264vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2008-12-20 07:57 2356088 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AT&T Communication Manager]
--a------ 2008-12-01 14:23 33280 c:\program files\AT&T\Communication Manager\ATTCM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2008-10-19 07:14 590848 c:\progra~1\Grisoft\AVG7\avgcc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 16:12 15360 c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-10-18 10:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-05-18 12:20 7700480 c:\windows\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-05-18 12:21 86016 c:\windows\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-29 07:05 136600 c:\program files\Java\jre6\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-08-28 09:18 3660848 c:\program files\Veoh Networks\Veoh\VeohClient.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 16:43 4670704 c:\program files\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-05-18 12:21 1622016 c:\windows\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)
"Nero BackItUp Scheduler 3"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"aawservice"=2 (0x2)
"a2AntiMalware"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"Schedule"=2 (0x2)
"NVSvc"=2 (0x2)
"ATTRcAppSvc"=3 (0x3)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP
xpsp2res.dll,-22015"1701:UDP"= 1701:UDP
xpsp2res.dll,-22016"500:UDP"= 500:UDP
xpsp2res.dll,-22017R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [2006-06-24 89749]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [2006-06-24 9600]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys --> c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [?]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2005-08-25 466880]
S3 ASNDIS5;ASNDIS5 Protocol Driver;c:\windows\system32\ASNDIS5.sys [2008-04-02 16269]
S3 genmcmnUSB;USB Scroll Mouse Driver;c:\windows\system32\drivers\gflmouhid.sys [2004-04-19 6656]
S3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\drivers\NtApm.sys [2007-09-29 9344]
S3 u2kg54;BUFFALO WLI-U2-KG54 Wireless LAN Adapter Service;c:\windows\system32\drivers\rt2500usb.sys [2008-04-02 104320]
S3 USBAU;USB Audio Device Interface;c:\windows\system32\drivers\CM102.sys [2008-11-09 1312768]
S3 XDva031;XDva031;\??\c:\windows\system32\XDva031.sys --> c:\windows\system32\XDva031.sys [?]
S4 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [2008-11-20 113152]
.
- - - - ORPHANS REMOVED - - - -
BHO-{12699d45-3f0f-4c85-9d9b-10ce65a60c2f} - c:\windows\system32\hilivoze.dll
BHO-{4CE528E2-58C1-4256-9567-7DC19D3C4886} - c:\windows\system32\urqQhFvt.dll
BHO-{D5BF49A2-94F1-42BD-F434-3604812C807D} - c:\windows\system32\tyshb36rfjdf.dll
SharedTaskScheduler-{D5BF49A2-94F1-42BD-F434-3604812C807D} - c:\windows\system32\tyshb36rfjdf.dll
MSConfigStartUp-2ef07 - c:\program files\rhedelzvdocyw\nfvsrsz.exe
MSConfigStartUp-AACKWin - c:\progra~1\KSYSCO~1\smss.exe
MSConfigStartUp-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe
MSConfigStartUp-bihomivabu - c:\windows\system32\dunulaju.dll
MSConfigStartUp-BlackBerryAutoUpdate - c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
MSConfigStartUp-Control Center - c:\program files\ASUS\WLAN Card Utilities\Center.exe
MSConfigStartUp-GetModule35 - c:\program files\GetModule\GetModule35.exe
MSConfigStartUp-GetPack28 - c:\program files\GetPack\GetPack28.exe
MSConfigStartUp-Jnskdfmf9eldfd - c:\docume~1\user\LOCALS~1\Temp\csrssc.exe
MSConfigStartUp-jsf8j34rgfght - c:\docume~1\user\LOCALS~1\Temp\winloggn.exe
MSConfigStartUp-lphcc35j0ejdn - c:\windows\system32\lphcc35j0ejdn.exe
MSConfigStartUp-NBKeyScan - c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
MSConfigStartUp-NeroFilterCheck - c:\program files\Common Files\Nero\Lib\NeroCheck.exe
MSConfigStartUp-prunnet - c:\windows\system32\prunnet.exe
MSConfigStartUp-runner1 - c:\windows\mrofinu1535.exe
MSConfigStartUp-SpeedX - c:\progra~1\MyPortal\Speed-X\SpeedX.exe
MSConfigStartUp-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe
MSConfigStartUp-sysrest32 - c:\windows\system32\sysrest32.exe
MSConfigStartUp-tezrtsjhfr84iusjfo84f - c:\docume~1\user\LOCALS~1\Temp\csrssc.exe
MSConfigStartUp-VnrPack22 - c:\program files\VnrPack\VnrPack22.exe
MSConfigStartUp-winlogon - c:\documents and settings\user\svchost.exe
MSConfigStartUp-[system] - c:\windows\system32\drivers\services.exe
MSConfigStartUp-Cm102Sound - cm102.cpl
MSConfigStartUp-CTHelper - CTHELPER.EXE
MSConfigStartUp-CTxfiHlp - CTXFIHLP.EXE
.
------- Supplementary Scan -------
.
LSP: bmnet.dll
Trusted Zone: amaena.com
Trusted Zone: avsystemcare.com
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: trustedantivirus.com
Trusted Zone: virusremover2008.com
Trusted Zone: virusschlacht.com
TCP: {2351A425-A26B-40A4-ADBB-99450D8C5E4A} = 208.67.220.220,208.67.222.222
TCP: {5155EB13-C52B-4965-8EE3-C18B2E198951} = 208.67.220.220,208.67.222.222
TCP: {6C7B25F9-A3B1-462D-B6F0-6C4C8B6B2C57} = 208.67.220.220,208.67.222.222
TCP: {E7CD77B1-4D33-47F9-BE3F-852B1695B32E} = 208.67.220.220,208.67.222.222
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\7805yqbd.default\
FF - component: c:\program files\Mozilla Firefox\components\SABFF20.DLL
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-01 13:48:10
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(728)
c:\windows\system32\bmnet.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wscntfy.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-02-01 13:50:21 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-01 21:50:14
Pre-Run: 67,190,714,368 bytes free
Post-Run: 67,343,056,896 bytes free
340 --- E O F --- 2008-12-12 11:02:28
|
Similar Threads
- formatting problems (Windows NT / 2000 / XP)
- Windows xp sp2 installation problems (Windows NT / 2000 / XP)
- one OSX on more than one computer? (OS X)
- Various log-in problems (Web Browsers)
- Outlook Express Problems Changing my E-mails (Windows NT / 2000 / XP)
- Hijack This log, I'm sure i have alot of problems (Viruses, Spyware and other Nasties)
- Problems Installing Window PRO; have ME now on computer (Windows NT / 2000 / XP)
- Computer freezes like crazy... (Windows NT / 2000 / XP)
Other Threads in the Viruses, Spyware and other Nasties Forum
- Previous Thread: Hijackthis - what to delete?
- Next Thread: Either big virus or small problem
| Thread Tools | Search this Thread |
You need to join our community in order to build your list of favorite forums. You can visit the forum index for a listing of all forums.
Related Forum Features
Latest Viruses, Spyware and other Nasties Posts
adware anti-malware anti-virussitesaccessissue antivirus apple attack avg backtoschoolspeech bar blackhat botnet botnets censorship china commercial commercials conficker connect control crosssitescripting cyber cybercrime cyberwarfare ddos domains e-mafia education email europe exam exploit fake fancheckvirus gaming gtaiv gumblar halloween herss.exe hijack hosting internet iphone kaspersky legal mail malware mcafee mega-d messagelabs microsoft mobile msn nazi news obama onlinethreats paedophile parents patch phishing police policeprovirusmba-mblockedinternetaccess president pro problem redirect reliability report research risk rogueantivirus samhain sans school search security seopoisoning sites software spam spyware spywareexternalwindows7adminstratortrojans sqlinjection symantec system teen translate trojan unabletoaccessanti-virussites unwanted update usa virus viruses vista war windows worm yahoo zeroday
