Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Bad Image, Server Busy, Pop-Ups, and more.... [Solved]


  • This topic is locked This topic is locked

#1
iowakingpin

iowakingpin

    Member

  • Member
  • PipPip
  • 13 posts
I am getting winlognn.exe-Bad Image, csrssc.exe-Bad Image (Please check against your instillation diskette), Server busy, and
Pop-ups from internet speed monitor. I have Ad-Aware installed and have ran a bunch of scans but I cant get rid of whatever is causing
these problems.

Any help would be greatly appreciated.
  • 0

Advertisements


#2
iowakingpin

iowakingpin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Here is my HJT log.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:19:01 PM, on 28/01/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\DOCUME~1\Mike\LOCALS~1\Temp\winlognn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Mike\Application Data\cogad\cogad.exe
C:\Documents and Settings\Mike\Application Data\Twain\Twain.exe
C:\Program Files\GetPack\GetPack28.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by CenturyTel
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {991c032e-60ef-42ca-b8e0-7e11646be16a} - C:\WINDOWS\system32\wvUoNHbY.dll (file missing)
O2 - BHO: HelloWorldBHO - {d88e1558-7c2d-407a-953a-c044f5607cea} - C:\Program Files\Mjcore\Mjcore.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\PPCToolbar.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [lrijh8s73jhbfgfd] C:\DOCUME~1\Mike\LOCALS~1\Temp\winlognn.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [GetModule35] C:\Program Files\GetModule\GetModule35.exe
O4 - HKCU\..\Run: [lrijh8s73jhbfgfd] C:\DOCUME~1\Mike\LOCALS~1\Temp\winlognn.exe
O4 - HKCU\..\Run: [tezrtsjhfr84iusjfo84f] C:\DOCUME~1\Mike\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [cogad] "C:\Documents and Settings\Mike\Application Data\cogad\cogad.exe" 61A847B5BBF72813338B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKCU\..\Run: [Twain] C:\Documents and Settings\Mike\Application Data\Twain\Twain.exe
O4 - HKCU\..\Run: [GetPack28] "C:\Program Files\GetPack\GetPack28.exe"
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\dvd\DVD Shrink\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\dvd\DVD Shrink\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://C:\Program Files\dvd\DVD Shrink\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\dvd\DVD Shrink\Free Download Manager\dllink.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - c:\program files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - c:\program files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra button: OddsMaker button - {81A821B9-34D0-41E7-AE23-84256B96C427} - http://www.oddsmaker.com (file missing)
O9 - Extra 'Tools' menuitem: OddsMaker Menu - {81A821B9-34D0-41E7-AE23-84256B96C427} - http://www.oddsmaker.com (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.google.ca
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {33331111-1111-1111-1111-611111193423} - http://www.www2.p0rt...m/files/777.cab
O16 - DPF: {33331111-1111-1111-1111-611111193429} - http://www.www2.p0rt...les/_ipsec_.cab
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {33331111-1131-1111-1111-611111193428} -
O16 - DPF: {33331111-1234-1111-1111-615111193427} - http://www.www2.p0rt...iles/epl7bd.cab
O16 - DPF: {43331111-1111-1111-1111-611111195622} - http://www.www2.p0rt...etup-875498.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1187124672328
O20 - AppInit_DLLs: xvfkxd.dll czrqvi.dll
O20 - Winlogon Notify: qomdcuvt - qoMdCuvt.dll (file missing)
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Network Monitor (network monitor) - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)

--
End of file - 10895 bytes
  • 0

#3
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
hello

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.
  • 0

#4
iowakingpin

iowakingpin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Here is my combofix log. Thank you so much for your help!





ComboFix 09-01-21.04 - Mike 2009-01-29 10:34:51.1 - NTFSx86
Running from: c:\documents and settings\Mike\Desktop\ComboFix.exe
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\LocalService\Application Data\NetMon
c:\documents and settings\LocalService\Application Data\NetMon\domains.txt
c:\documents and settings\LocalService\Application Data\NetMon\log.txt
c:\documents and settings\Mike\Application Data\GetModule
c:\documents and settings\Mike\Application Data\GetModule\dicik.gz
c:\documents and settings\Mike\Application Data\GetModule\kwdik.gz
c:\documents and settings\Mike\Application Data\GetModule\ofadik.gz
c:\documents and settings\Mike\Application Data\twain\Twain.exe
c:\documents and settings\Mike\Local Settings\Temporary Internet Files\bestwiner.stt
c:\documents and settings\Mike\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\GetModule
c:\program files\GetModule\GetModule35.exe
c:\program files\GetPack
c:\program files\GetPack\dictame.gz
c:\program files\GetPack\GetPack28.exe
c:\program files\GetPack\trgtame.gz
c:\program files\iCheck
c:\program files\iCheck\Uninstall.exe
c:\program files\Mjcore
c:\program files\Need2Find
c:\program files\Need2Find\bar\History\search
c:\program files\Need2Find\bar\Settings\settings.dat
c:\program files\Need2Find\bar\Settings\settings.htm
c:\program files\security toolbar
c:\program files\security toolbar\Uninstall.bat
c:\program files\VnrPack
c:\program files\VnrPack\dicts.gz
c:\program files\VnrPack\trgts.gz
c:\program files\VnrPack\VnrPack22.exe
c:\windows\cdmxtras
c:\windows\Fonts\acrsecB.fon
c:\windows\Fonts\acrsecI.fon
c:\windows\IE4 Error Log.txt
c:\windows\smdat32a.sys
c:\windows\smdat32m.sys
c:\windows\system32\asbmebqc.dll
c:\windows\system32\bszip.dll
c:\windows\system32\byXQKeEW.dll
c:\windows\system32\cfwjnova.dll
c:\windows\system32\cqbembsa.ini
c:\windows\system32\czrqvi.dll
c:\windows\system32\dfrgsrv.exe
c:\windows\system32\digeste.dll
c:\windows\system32\dkcshrku.dll
c:\windows\system32\iifeeEvw.dll
c:\windows\system32\khfDTlKC.dll
c:\windows\system32\mcrh.tmp
c:\windows\system32\nscrydiq.dll
c:\windows\system32\psjfolpw.ini
c:\windows\system32\ukrhsckd.ini
c:\windows\system32\uvgdiawl.dll
c:\windows\system32\vbsys2.dll
c:\windows\system32\wpv181232845748.cpx
c:\windows\system32\wpv631232809217.cpx
c:\windows\system32\wpv911232809217.cpx
c:\windows\system32\xxyxWOFu.dll
c:\windows\system32\YbHNoUvw.ini
c:\windows\system32\YbHNoUvw.ini2
c:\windows\Tasks\yyzfrioj.job
c:\windows\Temp\tmp3.tmp
c:\windows\wiaserviv.log

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_network_monitor
-------\Service_network monitor


((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-29 )))))))))))))))))))))))))))))))
.

2009-01-28 14:18 . 2009-01-28 14:18 <DIR> d-------- c:\program files\Trend Micro
2009-01-28 14:17 . 2009-01-28 14:17 812,344 --a------ c:\program files\HJTInstall.exe
2009-01-27 12:34 . 2009-01-27 21:02 <DIR> d--hs---- c:\windows\WFBfdXNlcg
2009-01-26 07:49 . 2009-01-26 07:49 50,688 --a------ c:\program files\ATF-Cleaner.exe
2009-01-26 07:02 . 2009-01-29 10:40 <DIR> d-------- c:\documents and settings\Mike\Application Data\Twain
2009-01-26 06:58 . 2009-01-26 06:58 <DIR> d-------- c:\program files\WebShow
2009-01-25 17:17 . 2009-01-29 10:59 93,420 --a------ c:\windows\system32\drivers\454b11d.sys
2009-01-25 16:23 . 2009-01-25 14:28 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-01-25 15:39 . 2009-01-29 10:59 93,420 --a------ c:\windows\system32\drivers\94b22313.sys
2009-01-25 14:29 . 2009-01-25 14:27 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-01-25 14:18 . 2009-01-25 14:19 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-01-25 14:17 . 2009-01-25 14:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-25 13:37 . 2009-01-25 13:37 34,543,112 --a------ c:\program files\Ad-AwareAE.exe
2009-01-24 21:12 . 2009-01-25 17:15 <DIR> d-------- c:\documents and settings\Mike\Application Data\cogad
2009-01-07 14:01 . 2009-01-07 14:34 <DIR> d-------- c:\documents and settings\Mike\Application Data\gtk-2.0
2009-01-07 13:19 . 2009-01-07 13:19 <DIR> d-------- c:\documents and settings\Mike\Application Data\Inkscape
2009-01-07 13:06 . 2009-01-07 13:14 <DIR> d-------- c:\program files\Inkscape
2009-01-07 11:28 . 2009-01-07 11:28 35,074,836 --a------ c:\program files\Inkscape-0.46.win32.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-27 19:21 --------- d-----w c:\program files\Common Files\Poker Now
2009-01-25 20:17 --------- d-----w c:\program files\Lavasoft
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
"cogad"="c:\documents and settings\Mike\Application Data\cogad\cogad.exe" [2009-01-25 56832]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VSOCheckTask"="c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" [2005-09-22 143360]
"VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2005-03-18 196608]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-22 303104]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 212992]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_07\bin\jusched.exe" [2006-05-03 36975]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-07-10 270648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-25 507224]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 c:\windows\BCMSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-03 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2005-10-26 811008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2002-12-17 11:28 684032 c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-03 23:56 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2003-01-13 11:53 114688 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2003-01-13 12:07 155648 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\mcafeeantivirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\FlexiBASIC 6.6\\Program\\App.exe"=
"c:\\Program Files\\FlexiBASIC 6.6\\Program\\App2.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-01-25 64160]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-25 942416]
S3 NaiFiltr;NaiFiltr;c:\windows\system32\DRIVERS\NaiFiltr.sys [2002-09-20 23888]


--- Other Services/Drivers In Memory ---

*Deregistered* - AFD
*Deregistered* - ALG
*Deregistered* - Apple Mobile Device
*Deregistered* - Arp1394
*Deregistered* - AudioSrv
*Deregistered* - audstub
*Deregistered* - Beep
*Deregistered* - Browser
*Deregistered* - Cdfs
*Deregistered* - cdudf_xp
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dmio
*Deregistered* - dmload
*Deregistered* - dmserver
*Deregistered* - Dnscache
*Deregistered* - dvd_2K
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - Fastfat
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - Hardlock
*Deregistered* - Haspnt
*Deregistered* - helpsvc
*Deregistered* - HTTP
*Deregistered* - ImapiService
*Deregistered* - IntelIde
*Deregistered* - IpNat
*Deregistered* - iPod Service
*Deregistered* - IPSec
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - Lavasoft Ad-Aware Service
*Deregistered* - Lbd
*Deregistered* - LmHosts
*Deregistered* - McDetect.exe
*Deregistered* - McShield
*Deregistered* - McTskshd.exe
*Deregistered* - MCVSRte
*Deregistered* - MDM
*Deregistered* - mnmdd
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NaiFiltr
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - NwlnkIpx
*Deregistered* - NwlnkNb
*Deregistered* - NwlnkSpx
*Deregistered* - OMCI
*Deregistered* - Par1284
*Deregistered* - PartMgr
*Deregistered* - ParVdm
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - Sentinel
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - UdfReadr_xp
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC
.
Contents of the 'Scheduled Tasks' folder

2009-01-25 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-25 14:27]
.
- - - - ORPHANS REMOVED - - - -

BHO-{991c032e-60ef-42ca-b8e0-7e11646be16a} - c:\windows\system32\wvUoNHbY.dll
HKCU-Run-GetModule35 - c:\program files\GetModule\GetModule35.exe
HKCU-Run-GetPack28 - c:\program files\GetPack\GetPack28.exe
Notify-qomdcuvt - qoMdCuvt.dll
MSConfigStartUp-Bart Station - c:\program files\PeoplePC\ISP6230\BIN\PPCOLink.exe
MSConfigStartUp-Propel Accelerator - c:\progra~1\PEOPLE~1\PropelAC.exe


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mWindow Title = Microsoft Internet Explorer provided by CenturyTel
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: Download all with Free Download Manager - file://c:\program files\dvd\DVD Shrink\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\dvd\DVD Shrink\Free Download Manager\dlselected.htm
IE: Download web site with Free Download Manager - file://c:\program files\dvd\DVD Shrink\Free Download Manager\dlpage.htm
IE: Download with Free Download Manager - file://c:\program files\dvd\DVD Shrink\Free Download Manager\dllink.htm
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: {{81A821B9-34D0-41E7-AE23-84256B96C427} - http://www.oddsmaker.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {33331111-1111-1111-1111-615111193427}
DPF: {33331111-1131-1111-1111-611111193428}
DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-29 10:54:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\454b11d]
"ImagePath"="\SystemRoot\System32\drivers\454b11d.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\94b22313]
"ImagePath"="\SystemRoot\System32\drivers\94b22313.sys"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\McAfee.com\Agent\Mcdetect.exe
c:\progra~1\McAfee.com\Agent\McTskshd.exe
c:\progra~1\McAfee.com\VSO\mcvsrte.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\McAfee.com\VSO\McShield.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\WgaTray.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\McAfee.com\VSO\McVSEscn.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-01-29 11:11:42 - machine was rebooted [Mike]
ComboFix-quarantined-files.txt 2009-01-29 17:11:31

Pre-Run: 28,344,655,872 bytes free
Post-Run: 28,478,787,584 bytes free

346 --- E O F --- 2009-01-14 18:37:42
  • 0

#5
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
hello

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.


Open notepad and copy/paste the text in the quotebox below into it:

http://www.geekstogo...re-t226851.html

Collect::
c:\windows\system32\drivers\454b11d.sys
c:\windows\system32\drivers\94b22313.sys

folder::
c:\windows\WFBfdXNlcg
c:\documents and settings\Mike\Application Data\Twain
c:\program files\WebShow

Driver::
454b11d
94b22313

KillAll::
Suspect::


Save this as CFScript.txt


Posted Image

Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

  • 0

#6
iowakingpin

iowakingpin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
I have followed all the steps, started up in safe mode, and ran RunThis.bat

A blue screen comes up titled SDFix. It states:

Starting Repairs
Checking Running Processes and Services



I let it sit on this screen for about 5 hours and it didnt do anything. Any suggestions?


Thank again
  • 0

#7
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
do the next step
  • 0

#8
iowakingpin

iowakingpin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum.



Im not sure what the next step is. This is the step that I am at. The cleanup process begins, but never prompts me to press any key to
reboot. Do I restart the PC myself and run the fixtool?

Thanks
  • 0

#9
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
restart your pc and do the combofix step
  • 0

#10
iowakingpin

iowakingpin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Here is my latest ComboFix log after dragging CFScript.txt into it. I had to change the date on my PC to 1-29-2009 (today is 2-1-2009) because
it said that Combofix had expired.




ComboFix 09-01-21.04 - Mike 2009-01-29 14:35:14.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.254.69 [GMT -6:00]
Running from: c:\documents and settings\Mike\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mike\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Mike\Application Data\GetModule
c:\documents and settings\Mike\Application Data\GetModule\dicik.gz
c:\documents and settings\Mike\Application Data\GetModule\kwdik.gz
c:\documents and settings\Mike\Application Data\GetModule\ofadik.gz
c:\documents and settings\Mike\Application Data\Twain
c:\documents and settings\Mike\Application Data\Twain\Twain.exe
c:\documents and settings\Mike\Local Settings\Temporary Internet Files\bestwiner.stt
c:\documents and settings\Mike\Local Settings\Temporary Internet Files\CPV.stt
c:\documents and settings\Mike\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\GetModule
c:\program files\GetModule\GetModule36.exe
c:\program files\iCheck
c:\program files\iCheck\Uninstall.exe
c:\program files\Mjcore
c:\program files\Mjcore\Mjcore.dll
c:\program files\VnrPack
c:\program files\VnrPack\dicts.gz
c:\program files\VnrPack\trgts.gz
c:\program files\VnrPack\VnrPack23.exe
c:\program files\WebShow
c:\program files\WebShow\WebShow.dll
c:\windows\system32\drivers\454b11d.sys
c:\windows\system32\drivers\94b22313.sys
c:\windows\WFBfdXNlcg

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_454b11d
-------\Service_94b22313


((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-29 )))))))))))))))))))))))))))))))
.

2009-01-31 15:19 . 2009-01-31 15:29 <DIR> d-------- C:\SDFix
2009-01-29 14:28 . 2009-01-29 14:28 <DIR> d-------- c:\windows\ERUNT
2009-01-28 14:18 . 2009-01-28 14:18 <DIR> d-------- c:\program files\Trend Micro
2009-01-28 14:17 . 2009-01-28 14:17 812,344 --a------ c:\program files\HJTInstall.exe
2009-01-26 07:49 . 2009-01-26 07:49 50,688 --a------ c:\program files\ATF-Cleaner.exe
2009-01-25 16:23 . 2009-01-25 14:28 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-01-25 14:29 . 2009-01-25 14:27 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-01-25 14:18 . 2009-01-25 14:19 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-01-25 14:17 . 2009-01-25 14:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-25 13:37 . 2009-01-25 13:37 34,543,112 --a------ c:\program files\Ad-AwareAE.exe
2009-01-24 21:12 . 2009-01-25 17:15 <DIR> d-------- c:\documents and settings\Mike\Application Data\cogad
2009-01-07 14:01 . 2009-01-07 14:34 <DIR> d-------- c:\documents and settings\Mike\Application Data\gtk-2.0
2009-01-07 13:19 . 2009-01-07 13:19 <DIR> d-------- c:\documents and settings\Mike\Application Data\Inkscape
2009-01-07 13:06 . 2009-01-07 13:14 <DIR> d-------- c:\program files\Inkscape
2009-01-07 11:28 . 2009-01-07 11:28 35,074,836 --a------ c:\program files\Inkscape-0.46.win32.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-27 19:21 --------- d-----w c:\program files\Common Files\Poker Now
2009-01-25 20:17 --------- d-----w c:\program files\Lavasoft
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((( snapshot@2009-01-29_11.09.10.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-07 21:27:04 163,328 ----a-w c:\windows\ERUNT\SDFIX\ERDNT.EXE
+ 2009-01-31 21:29:40 3,547,136 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2009-01-31 21:29:41 212,992 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-08-07 21:27:04 163,328 ----a-w c:\windows\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2009-01-29 20:29:08 3,547,136 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2009-01-29 20:29:08 212,992 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2004-08-04 05:56:48 214,528 -c--a-w c:\windows\system32\dllcache\wbemcomn.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
"cogad"="c:\documents and settings\Mike\Application Data\cogad\cogad.exe" [2009-01-25 56832]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VSOCheckTask"="c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" [2005-09-22 143360]
"VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2005-03-18 196608]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-22 303104]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 212992]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_07\bin\jusched.exe" [2006-05-03 36975]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-07-10 270648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-25 507224]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 c:\windows\BCMSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-03 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2005-10-26 811008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2002-12-17 11:28 684032 c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-03 23:56 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2003-01-13 11:53 114688 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2003-01-13 12:07 155648 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\mcafeeantivirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\FlexiBASIC 6.6\\Program\\App.exe"=
"c:\\Program Files\\FlexiBASIC 6.6\\Program\\App2.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-01-25 64160]
R3 NaiFiltr;NaiFiltr;c:\windows\system32\drivers\NaiFiltr.sys [2005-06-08 23888]

--- Other Services/Drivers In Memory ---

*Deregistered* - Apple Mobile Device
*Deregistered* - AudioSrv
*Deregistered* - Browser
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dmserver
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - helpsvc
*Deregistered* - ImapiService
*Deregistered* - iPod Service
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - Lavasoft Ad-Aware Service
*Deregistered* - LmHosts
*Deregistered* - McDetect.exe
*Deregistered* - McShield
*Deregistered* - McTskshd.exe
*Deregistered* - MCVSRte
*Deregistered* - MDM
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - PolicyAgent
*Deregistered* - ProtectedStorage
*Deregistered* - RasMan
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - srservice
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - TapiSrv
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - W32Time
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC
.
Contents of the 'Scheduled Tasks' folder

2009-01-25 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-25 14:27]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-VnrPack23 - c:\program files\VnrPack\VnrPack23.exe
HKCU-Run-GetModule36 - c:\program files\GetModule\GetModule36.exe


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mWindow Title = Microsoft Internet Explorer provided by CenturyTel
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: Download all with Free Download Manager - file://c:\program files\dvd\DVD Shrink\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\dvd\DVD Shrink\Free Download Manager\dlselected.htm
IE: Download web site with Free Download Manager - file://c:\program files\dvd\DVD Shrink\Free Download Manager\dlpage.htm
IE: Download with Free Download Manager - file://c:\program files\dvd\DVD Shrink\Free Download Manager\dllink.htm
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: {{81A821B9-34D0-41E7-AE23-84256B96C427} - http://www.oddsmaker.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {33331111-1111-1111-1111-615111193427}
DPF: {33331111-1131-1111-1111-611111193428}
DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-29 14:49:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\AAWService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\McAfee.com\Agent\Mcdetect.exe
c:\progra~1\McAfee.com\Agent\McTskshd.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\WgaTray.exe
c:\progra~1\McAfee.com\VSO\McVSEscn.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-01-29 14:56:51 - machine was rebooted [Mike]
ComboFix-quarantined-files.txt 2009-01-29 20:56:31
ComboFix2.txt 2009-01-29 17:11:47

Pre-Run: 28,313,628,672 bytes free
Post-Run: 28,304,678,912 bytes free

238 --- E O F --- 2009-01-14 18:37:42
  • 0

Advertisements


#11
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
hello

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOKIT" entries unless advised by a trained Security Analyst

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is Unchecked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.
  • 0

#12
iowakingpin

iowakingpin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
You are a lifesaver, there is no way I could have even come close to doing this without you.





GMER.txt





GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-30 14:56:44
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF92D187E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF92D1C10]

INT 0x06 \??\C:\WINDOWS\System32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) F013416D
INT 0x0E \??\C:\WINDOWS\System32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) F0133FC2

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\system32\WgaTray.exe[188] ws2_32.dll!connect 71AB406A 5 Bytes JMP 10005C5B c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
.text C:\WINDOWS\Explorer.EXE[972] ws2_32.dll!connect 71AB406A 5 Bytes JMP 10005C5B c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
.text c:\program files\mcafee.com\agent\mcagent.exe[1256] WS2_32.dll!connect 71AB406A 5 Bytes JMP 013C5C5B c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
.text C:\WINDOWS\BCMSMMSG.exe[1604] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10005C5B c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
.text C:\Program Files\iTunes\iTunesHelper.exe[2120] WS2_32.dll!connect 71AB406A 5 Bytes JMP 09225C5B c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
.text ...

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs NaiFiltr.sys
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat NaiFiltr.sys

---- EOF - GMER 1.0.14 ----
  • 0

#13
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
nearly done

Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.




Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.






Go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

  • 0

#14
iowakingpin

iowakingpin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Here are the two logs. Im not sure if you are aware of one of the problems im having. I cant see any images on the internet. All I see
are image boxes with the colored square, circle and triangle in them.


Malwarebytes' Anti-Malware 1.33
Database version: 1721
Windows 5.1.2600 Service Pack 2

31/01/2009 1:04:55 PM
mbam-log-2009-01-31 (13-04-55).txt

Scan type: Quick Scan
Objects scanned: 58273
Time elapsed: 7 minute(s), 56 second(s)

Memory Processes Infected: 5
Memory Modules Infected: 2
Registry Keys Infected: 23
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 5
Files Infected: 13

Memory Processes Infected:
C:\Documents and Settings\Mike\Application Data\cogad\cogad.exe (Trojan.Agent) -> Unloaded process successfully.
C:\Documents and Settings\Mike\Application Data\Twain\Twain.exe (Adware.Agent) -> Unloaded process successfully.
C:\Documents and Settings\Mike\Application Data\SpeedRunner\SpeedRunner.exe (Adware.SurfAccuracy) -> Unloaded process successfully.
C:\Documents and Settings\Mike\Application Data\Microsoft\Windows\xdcwkf.exe (Trojan.Vundo) -> Unloaded process successfully.
C:\Program Files\VnrPack\VnrPack23.exe (Adware.ISM) -> Unloaded process successfully.

Memory Modules Infected:
C:\Program Files\WebShow\WebShow.dll (Trojan.BHO) -> Delete on reboot.
C:\Program Files\Mjcore\Mjcore.dll (Trojan.BHO) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{63334394-3da3-4b29-a041-03535909d361} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e4a04a1-a24d-45ae-aca4-949778400813} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{15421b84-3488-49a7-ad18-cbf84a3efaf6} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{15421b84-3488-49a7-ad18-cbf84a3efaf6} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15421b84-3488-49a7-ad18-cbf84a3efaf6} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{e0f01490-dcf3-4357-95aa-169a8c2b2190} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{17e44256-51e0-4d46-a0c8-44e80ab4ba5b} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d88e1558-7c2d-407a-953a-c044f5607cea} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d88e1558-7c2d-407a-953a-c044f5607cea} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d88e1558-7c2d-407a-953a-c044f5607cea} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bho_cpv.workhorse (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bho_cpv.workhorse.1 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bho_myjavacore.mjcore (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bho_myjavacore.mjcore.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{80ef304a-b1c4-425c-8535-95ab6f1eefb8} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{33331111-1111-1111-1111-615111193427} (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{33331111-1131-1111-1111-611111193428} (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{64311111-1111-1121-1111-111191113457} (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\icheck (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\speedrunner (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\BHO_MyJavaCore.DLL (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\VnrPack (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SpeedRunner (Adware.SurfAccuracy) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cogad (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\twain (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\speedrunner (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sfkg6wip (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vnrpack23 (Adware.ISM) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\iCheck (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\VnrPack (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Mjcore (Trojan.BHO) -> Delete on reboot.
C:\Documents and Settings\Mike\Application Data\cogad (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\speedrunner (Adware.SurfAccuracy) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Mike\Application Data\cogad\cogad.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\Twain\Twain.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\SpeedRunner\SpeedRunner.exe (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\Microsoft\Windows\xdcwkf.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\VnrPack\VnrPack23.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\WebShow\WebShow.dll (Trojan.BHO) -> Delete on reboot.
C:\Program Files\Mjcore\Mjcore.dll (Trojan.BHO) -> Delete on reboot.
C:\Program Files\iCheck\Uninstall.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\VnrPack\dicts.gz (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\VnrPack\trgts.gz (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\cogad\cogad.exe3el (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\speedrunner\config.cfg (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\speedrunner\SRUninstall.exe (Adware.SurfAccuracy) -> Quarantined and deleted successfully.











--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, February 1, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, February 03, 2009 23:33:38
Records in database: 1741683
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 59675
Threat name: 13
Infected objects: 22
Suspicious objects: 0
Duration of the scan: 02:04:07


File name / Threat name / Threats count
C:\Documents and Settings\Mike\Shared\beautiful day saving abel (hot remix).mp3 Infected: Trojan-Downloader.WMA.GetCodec.r 1
C:\Documents and Settings\Mike\Shared\jimmy buffett blame it on rum.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Documents and Settings\Mike\Shared\something in your mouth nickle.mp3 Infected: Trojan-Downloader.WMA.GetCodec.r 1
C:\Qoobox\Quarantine\C\Program Files\GetPack\GetPack28.exe.vir Infected: not-a-virus:AdWare.Win32.Agent.kea 1
C:\Qoobox\Quarantine\C\Program Files\Mjcore\Mjcore.dll.vir Infected: Trojan.Win32.BHO.kdf 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\asbmebqc.dll.vir Infected: Trojan.Win32.Monder.asrf 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\byXQKeEW.dll.vir Infected: Trojan.Win32.Agent.bknt 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\dfrgsrv.exe.vir Infected: Trojan-Downloader.Win32.Zlob.lz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\digeste.dll.vir Infected: Trojan.Win32.Pakes.muy 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\dkcshrku.dll.vir Infected: Trojan.Win32.Monder.asrf 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\454b11d.sys.vir Infected: Rootkit.Win32.Agent.gtd 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\94b22313.sys.vir Infected: Rootkit.Win32.Agent.gtd 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_454b11d_.sys.zip Infected: Rootkit.Win32.Agent.gtd 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_94b22313_.sys.zip Infected: Rootkit.Win32.Agent.gtd 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\iifeeEvw.dll.vir Infected: Trojan.Win32.Monder.aswk 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\khfDTlKC.dll.vir Infected: Trojan.Win32.Monder.aswk 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\vbsys2.dll.vir Infected: Trojan-Clicker.Win32.Agent.ac 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\xxyxWOFu.dll.vir Infected: Trojan.Win32.Monder.aswk 1
C:\Qoobox\Quarantine\[4][email protected] Infected: Rootkit.Win32.Agent.gtd 2
C:\WINDOWS\system32\mshlpa.exe Infected: Trojan-Downloader.Win32.Mediket.br 1
C:\WINDOWS\system32\mstmp.html Infected: Trojan-Downloader.JS.Agent.afa 1

The selected area was scanned.
  • 0

#15
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
let me know if it is still happening later

Please download OTMoveIt3 by OldTimer
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Processes
    explorer.exe
    
    :Services
    
    :Reg
    
    :Files
    C:\Documents and Settings\Mike\Shared\beautiful day saving abel (hot remix).mp3
    C:\Documents and Settings\Mike\Shared\jimmy buffett blame it on rum.mp3
    C:\Documents and Settings\Mike\Shared\something in your mouth nickle.mp3
    C:\WINDOWS\system32\mshlpa.exe
    C:\WINDOWS\system32\mstmp.html
    
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



Also post a new HJT Log
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP