IRC BOT, HELP i need to remove it



#1
zerox505
New Member
3 posts
Hi, I currently use Rogers Hi-Speed Internet, and I received the following message from them today:

Dear Mr xxxxxxxxxxxxxx

Rogers is concerned about your personal security. We're writing you today to advise you that one or more of the computers in your home connected to the Rogers Internet service appears to be infected with an "IRC Bot/Virus".

A computer infected with an "IRC Bot/Virus" poses a security threat for both you and other customers connected to the Rogers Yahoo! Hi-Speed Internet service. This type of virus can run behind the scenes on your computer and send out large amounts of SPAM, attack Internet Websites, infect other computers and even access personal files on your computer which could lead to identity theft.

For both your security and others using our Internet service, it is critical that you remove this virus within the next 48 hours. If you are unable to do so, your Internet connection will be temporarily disabled to protect your computer and others connected to the service.



Rogers customer support told me to use a logfile and see if there are any programs that need to be fixed, so here it is. I'm going to check my brother's computer (he uses Windows 7); I'll post his logfile as well soon. The time is ticking, HELP ME YOU GUYS :D

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:03:08 PM, on 1/18/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Rogers Online Protection\Rogers Online Protection\Fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Rogers Online Protection\Rogers Online Protection\AVG\Identity Protection\agent\Bin\AVGIDSAgent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Rogers Online Protection\Rogers Online Protection\RpsSecurityAwareR.exe
C:\Program Files\Rogers Online Protection\Rogers Servicepoint Agent\ServicepointService.exe
C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
C:\Program Files\Rogers Backup Manager\VaultClientSRV.exe
C:\Program Files\Rogers Backup Manager\VaultClientUpgrade.exe
C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Rogers Online Protection\Rogers Online Protection\rps.exe
C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\ShaPlus Bandwidth Meter\ShaPlus Bandwidth Meter.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Rogers Online Protection\Rogers Servicepoint Agent\RogersServicepointAgent.exe
C:\Program Files\Rogers Online Protection\Rogers Servicepoint Agent\RogersServicepointAgentComHandler.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Rogers Online Protection\Rogers Online Protection\AVG\Identity Protection\agent\Bin\AVGIDSMonitor.exe
C:\Documents and Settings\chuppiah\My Documents\Downloads\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MI1933~1\Office14\URLREDIR.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [Mixersel] C:\Program Files\Realtek\InstallShield\mixersel.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ShaPlus Bandwidth Meter] "C:\Program Files\ShaPlus Bandwidth Meter\ShaPlus Bandwidth Meter" /s
O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB001" /M "Stylus CX4600"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [RogersServicepointAgent.exe] "C:\Program Files\Rogers Online Protection\Rogers Servicepoint Agent\RogersServicepointAgent.exe" /AUTORUN
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk10\PDEngine.exe
O23 - Service: Rogers Online Protection (Radialpoint Security Services) - Rogers - C:\Program Files\Rogers Online Protection\Rogers Online Protection\RpsSecurityAwareR.exe
O23 - Service: RadialpointIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\Rogers Online Protection\Rogers Online Protection\AVG\Identity Protection\agent\Bin\AVGIDSAgent.exe
O23 - Service: Rogers Online Protection Firewall (RP_FWS) - Rogers - C:\Program Files\Rogers Online Protection\Rogers Online Protection\Fws.exe
O23 - Service: ServicepointService - Radialpoint Inc. - C:\Program Files\Rogers Online Protection\Rogers Servicepoint Agent\ServicepointService.exe
O23 - Service: Rogers Backup Manager Service (VaultClientSRV) - Radialpoint SafeCare Inc. - C:\Program Files\Rogers Backup Manager\VaultClientSRV.exe
O23 - Service: Rogers Backup Manager Upgrade Service (VaultClientUpgrade) - Radialpoint SafeCare Inc. - C:\Program Files\Rogers Backup Manager\VaultClientUpgrade.exe

--
End of file - 7480 bytes

Edited by zerox505, 18 January 2011 - 06:26 PM.

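As an added example that is not part of this thread (neither the helper's tools nor HijackThis itself), here is a small Python parser for the HijackThis log format posted above. It pulls the section code, item name and file target out of R0/R1, O2, O4 and O23 lines and raises two review prompts a practitioner would otherwise check by eye: a BHO registered with "(no file)" (an orphaned entry, which is what the "(no name)" O2 line in the posted log is) and a Run value that is a bare file name rather than a full path. The sample lines, the regexes and the two review rules are assumptions made for this example; the sample entries mirror the posted log and are ordinary items, and a flagged line is a prompt to verify the file, not a verdict.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the HijackThis v2 log format. The line shapes mirror the
# log posted above; the entries are ordinary Windows XP items, not findings.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe
"""

@dataclass
class Entry:
    section: str            # HijackThis section code: "R0", "O2", "O4", "O23", ...
    name: str               # BHO name, Run value name, service name or registry value
    target: Optional[str]   # file path (or URL for R0/R1 lines); None when not parsed
    raw: str                # the original log line
    notes: List[str] = field(default_factory=list)   # review prompts added by review()

# Regexes are assumptions derived from the line shapes in the posted log.
LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>\S+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
SVC_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$")
# Program part of a command line: the quoted program, or, for an unquoted path,
# everything up to the first executable-looking extension.
EXE_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.*?\.(?:exe|com|scr|bat|dll|cpl))(?:\s|$)',
                    re.IGNORECASE)

def executable_of(cmd: str) -> str:
    """Return the program part of a Run value, without its arguments."""
    m = EXE_RE.match(cmd.strip())
    if m is None:
        return cmd.strip()
    return m.group("q") or m.group("u")

def parse_line(line: str) -> Optional[Entry]:
    """Turn one HijackThis line into an Entry; None for header/process lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec.startswith("R"):                      # R0/R1: "<registry value> = <url>"
        key, _, url = body.partition(" = ")
        return Entry(sec, key, url or None, line)
    if sec == "O2":
        b = BHO_RE.match(body)
        if b:
            return Entry(sec, b.group("name"), b.group("path"), line)
    if sec == "O4":
        r = RUN_RE.match(body)
        if r:
            return Entry(sec, r.group("name"), executable_of(r.group("cmd")), line)
    if sec == "O23":
        s = SVC_RE.match(body)
        if s:
            return Entry(sec, s.group("name"), s.group("path"), line)
    return Entry(sec, body, None, line)          # other sections: kept unparsed

def parse_log(text: str) -> List[Entry]:
    """Parse a whole log; non-entry lines (header, running processes) are skipped."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]

def review(entries: List[Entry]) -> List[Entry]:
    """Attach review prompts and return only the entries that received one."""
    flagged = []
    for e in entries:
        if e.section == "O2" and e.target and e.target.lower() == "(no file)":
            e.notes.append("BHO CLSID is still registered but its DLL is gone (orphaned entry)")
        if e.section == "O4" and e.target and "\\" not in e.target:
            e.notes.append("bare file name in a Run value: Windows resolves it through the "
                           "search path, so confirm which file actually loads")
        if e.notes:
            flagged.append(e)
    return flagged

if __name__ == "__main__":
    for e in review(parse_log(SAMPLE_LOG)):
        print(f"{e.section:<4} {e.name:<20} {e.target}")
        for note in e.notes:
            print(f"     - {note}")
```

Run stand-alone it prints the two flagged sample entries; to use it on a real log, read the saved HijackThis text file and pass its contents to parse_log. Lines from other sections (O3, O9, O18, O22) are kept with their body unparsed so nothing in the log is silently dropped.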


#2
fenzodahl512
Malware Removal
9,863 posts
Download DDS by sUBs and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your Desktop and post them in your next reply


We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Close any and all open programs, as this process may crash your computer.
  • Double click the downloaded GMER file on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see a warning window. If you do, click No.
  • Click on Scan and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Save and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.


#3
zerox505
New Member (Topic Starter)
3 posts
OK sir, here you go.

Attach.txt log file


DDS (Ver_10-12-12.02)

Microsoft Windows 7 Ultimate
Boot Device: \Device\HarddiskVolume1
Install Date: 06/01/2011 1:00:59 AM
System Uptime: 19/01/2011 1:25:17 PM (2 hours ago)

Motherboard: ASUSTek Computer INC. | | NARRA2
Processor: AMD Athlon™ 64 X2 Dual Core Processor 3800+ | Socket AM2 | 2000/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 289 GiB total, 252.116 GiB free.
D: is FIXED (NTFS) - 9 GiB total, 1.004 GiB free.
E: is CDROM ()
G: is Removable
H: is Removable
I: is Removable
J: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 06/01/2011 12:47:26 AM - Windows Update
RP2: 06/01/2011 8:07:22 PM - Windows Update
RP3: 06/01/2011 11:22:17 PM - Windows Update
RP4: 07/01/2011 6:23:08 AM - Windows Update
RP5: 07/01/2011 5:19:41 PM - Windows Update
RP6: 12/01/2011 6:56:26 AM - Windows Update
RP7: 12/01/2011 7:30:10 AM - Windows Update
RP8: 15/01/2011 8:05:48 AM - Windows Update
RP9: 18/01/2011 3:29:58 PM - Windows Update

==== Installed Programs ======================

32 Bit HP CIO Components Installer
Activation Assistant for the 2007 Microsoft Office suites
Adobe Flash Player 9 ActiveX
Adobe Reader 8
AIO_Scan
AppCore
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AV
Bonjour
BufferChm
ccCommon
Copy
CustomerResearchQFolder
Destinations
DeviceManagementQFolder
DocProc
DocProcQFolder
Enhanced Multimedia Keyboard Solution
eSupportQFolder
FrostWire 4.21.3
Google Chrome
Hardware Diagnostic Tools
HP Customer Experience Enhancements
HP Customer Feedback
HP Customer Participation Program 8.0
HP Easy Setup - Frontend
HP Imaging Device Functions 8.0
HP OCR Software 8.0
HP On-Screen Cap/Num/Scroll Lock Indicator
HP Photosmart All-In-One Software 8.0
HP Photosmart Essential
HP Photosmart Essential 2.0
HP Photosmart Essential2.5
HP Picasso Media Center Add-In
HP Solution Center 8.0
HP Total Care Advisor
HP Update
HPProductAssistant
HPSSupply
iTunes
Java Auto Updater
Java™ 6 Update 23
LightScribe 1.4.142.1
LiveUpdate 3.2 (Symantec Corporation)
MarketResearch
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
MSRedist
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
muvee autoProducer 6.0
My HP Games
Norton AntiVirus
Norton Confidential Browser Component
Norton Confidential Web Protection Component
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Protection Center
NVIDIA Drivers
PS_AIO_ProductContext
PS_AIO_Software
PS_AIO_Software_min
PSSWCORE
Python 2.4.3
QuickTime
RealPlayer
Realtek High Definition Audio Driver
Rhapsody
Rhapsody Player Engine
Roxio Activation Module
Roxio Creator Audio
Roxio Creator Basic v9
Roxio Creator Copy
Roxio Creator Data
Roxio Creator EasyArchive
Roxio Creator Tools
Roxio Express Labeler 3
Roxio MyDVD Basic v9
Scan
Snapfish Media Detector
Soft Data Fax Modem with SmartCP
SolutionCenter
SPBBC 32bit
Status
SUPERAntiSpyware
Symantec Real Time Storage Protection Component
SymNet
Toolbox
TrayApp
UnloadSupport
WebReg
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Yahoo! Toolbar
Yahoo! Toolbar for Internet Explorer

==== Event Viewer Messages From Past Week ========

19/01/2011 3:32:52 PM, Error: bowser [8003] - The master browser has received a server announcement from the computer IBM-KPDIFL0DX2Y that believes that it is the master browser for the domain on transport NetBT_Tcpip_{B1B514D8-278E-44EE-8F4C-0B. The master browser is stopping or an election is being forced.
19/01/2011 1:27:43 PM, Error: Microsoft-Windows-HAL [12] - The platform firmware has corrupted memory across the previous system power transition. Please check for updated firmware for your system.
18/01/2011 9:45:01 PM, Error: bowser [8003] - The master browser has received a server announcement from the computer BALDWIN-1860034 that believes that it is the master browser for the domain on transport NetBT_Tcpip_{B1B514D8-278E-44EE-8F4C-0B. The master browser is stopping or an election is being forced.
17/01/2011 6:55:42 AM, Error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
16/01/2011 10:58:31 PM, Error: Service Control Manager [7024] - The Symantec Settings Manager service terminated with service-specific error %%-1.
12/01/2011 5:34:25 PM, Error: Service Control Manager [7023] -

==== End Of File ===========================



DDS.txt log file


DDS (Ver_10-12-12.02) - NTFSx86
Run by Janahan at 15:39:07.96 on 19/01/2011
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.2.1033.18.1919.1187 [GMT -5:00]

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Program Files\Snapfish Media Detector\SnapfishMediaDetector.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\svchost.exe -k imgsvc
c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\hp\kbd\kbd.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Users\Janahan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Janahan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\system32\taskhost.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Users\Janahan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Janahan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Janahan\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=73&bd=Pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=73&bd=Pavilion&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=73&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.5\NppBho.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.5\UIBHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SnapfishMediaDetector] c:\program files\snapfish media detector\SnapfishMediaDetector.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\users\janahan\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\snapfi~1.lnk - c:\program files\snapfish media detector\SnapfishMediaDetector.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-5-18 1174664]
R3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2009-7-13 266752]
R3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;c:\windows\system32\drivers\WUSB54GCv3.sys [2010-12-12 645120]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 IDSvix86;Symantec Intrusion Prevention Driver;c:\programdata\symantec\definitions\symcdata\idsdefs\20070108.003\IDSvix86.sys [2007-5-18 212280]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-1-7 1343400]

=============== Created Last 30 ================

2011-01-19 19:29:11 -------- d-----w- c:\users\janahan\appdata\roaming\SUPERAntiSpyware.com
2011-01-19 19:29:11 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com
2011-01-19 19:29:04 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-01-19 18:45:35 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-01-19 18:45:35 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2011-01-18 20:30:21 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{78d91432-756f-4ef6-be42-36923766b157}\mpengine.dll
2011-01-12 11:57:01 739840 ----a-w- c:\windows\system32\d2d1.dll
2011-01-12 11:57:01 1170944 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-12 11:57:01 1074176 ----a-w- c:\windows\system32\DWrite.dll
2011-01-12 11:57:00 801792 ----a-w- c:\windows\system32\FntCache.dll
2011-01-12 11:57:00 728448 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-01-12 11:57:00 442880 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-12 11:57:00 3181568 ----a-w- c:\windows\system32\mf.dll
2011-01-10 03:27:11 -------- d-----w- c:\progra~2\WEBREG
2011-01-08 17:41:47 -------- d-----w- c:\users\janahan\appdata\local\Diagnostics
2011-01-08 17:41:11 -------- d-----w- c:\windows\pss
2011-01-07 22:20:09 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\backup\mpengine.dll
2011-01-07 11:16:33 -------- d-----w- c:\windows\system32\Wat
2011-01-07 04:32:06 257024 ----a-w- c:\windows\system32\msv1_0.dll
2011-01-07 04:30:52 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2011-01-07 04:30:51 49472 ----a-w- c:\windows\system32\netfxperf.dll
2011-01-07 04:30:51 297808 ----a-w- c:\windows\system32\mscoree.dll
2011-01-07 04:30:51 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2011-01-07 04:30:51 1130824 ----a-w- c:\windows\system32\dfshim.dll
2011-01-07 04:23:17 190976 ----a-w- c:\windows\system32\drivers\ks.sys
2011-01-07 01:17:27 4247040 ----a-w- c:\program files\windows nt\accessories\wordpad.exe
2011-01-07 01:17:27 1413632 ----a-w- c:\windows\system32\ole32.dll
2011-01-07 01:17:26 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-01-07 01:17:15 194488 ----a-w- c:\windows\system32\drivers\fvevol.sys
2011-01-07 01:17:13 316928 ----a-w- c:\windows\system32\spoolsv.exe
2011-01-07 01:15:59 954752 ----a-w- c:\windows\system32\mfc40.dll
2011-01-06 06:48:37 -------- d-----w- c:\windows\Panther
2011-01-06 06:33:28 -------- d--h--w- C:\$WINDOWS.~Q
2011-01-06 06:23:12 -------- d--h--w- C:\$INPLACE.~TR
2011-01-06 05:59:57 -------- d-sh--w- C:\Recovery
2011-01-06 05:35:00 -------- d-----w- c:\windows\system32\wbem\Performance
2011-01-06 05:34:16 172032 ----a-w- c:\windows\system32\wintrust.dll
2011-01-06 05:34:16 132608 ----a-w- c:\windows\system32\cabview.dll
2011-01-06 03:52:56 -------- d-----w- c:\windows\system32\RTCOM
2011-01-06 00:29:00 -------- d-----w- C:\6b45479726da58ba82cf98d7
2011-01-02 19:17:15 -------- d-----w- c:\users\janahan\appdata\roaming\FrostWire
2011-01-02 19:00:18 -------- d-----w- c:\program files\FrostWire
2011-01-02 18:38:16 -------- d-----w- c:\users\janahan\appdata\local\Apple Computer
2011-01-02 18:37:34 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2011-01-02 18:37:34 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2011-01-02 18:36:08 -------- d-----w- c:\program files\iPod
2011-01-02 18:36:06 -------- d-----w- c:\program files\iTunes
2011-01-02 18:36:06 -------- d-----w- c:\progra~2\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2011-01-02 18:34:46 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2011-01-02 18:34:45 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2011-01-02 18:34:43 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2011-01-02 18:34:41 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2011-01-02 18:34:30 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2011-01-02 18:34:29 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2011-01-02 18:34:18 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
2011-01-02 18:33:01 -------- d-----w- c:\users\janahan\appdata\local\Apple
2011-01-02 18:28:10 -------- d-----w- c:\program files\Bonjour
2010-12-25 14:31:01 -------- d-----w- C:\glassfishv3
2010-12-23 14:45:55 -------- d-----w- c:\users\janahan\.jagex_cache_32

==================== Find3M ====================

2010-12-18 14:00:33 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-29 22:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-04 05:52:17 978944 ----a-w- c:\windows\system32\wininet.dll
2010-11-04 05:48:36 44544 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-04 04:41:26 386048 ----a-w- c:\windows\system32\html.iec
2010-11-04 04:08:54 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-11-02 04:41:36 283648 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2010-11-02 04:41:36 135168 ----a-w- c:\windows\system32\XpsRasterService.dll
2010-11-02 04:41:12 351232 ----a-w- c:\windows\system32\wmicmiplugin.dll
2010-11-02 04:40:36 496128 ----a-w- c:\windows\system32\taskschd.dll
2010-11-02 04:40:36 305152 ----a-w- c:\windows\system32\taskcomp.dll
2010-11-02 04:39:32 749056 ----a-w- c:\windows\system32\schedsvc.dll
2010-11-02 04:35:34 218624 ----a-w- c:\windows\system32\d3d10_1core.dll
2010-11-02 04:35:34 161792 ----a-w- c:\windows\system32\d3d10_1.dll
2010-11-02 04:34:44 192000 ----a-w- c:\windows\system32\taskeng.exe
2010-11-02 04:34:33 179712 ----a-w- c:\windows\system32\schtasks.exe
2010-11-02 04:23:44 107520 ----a-w- c:\windows\system32\cdd.dll
2010-10-27 04:32:36 2048 ----a-w- c:\windows\system32\tzres.dll

============= FINISH: 15:40:07.46 ===============

#4
zerox505
New Member (Topic Starter)
3 posts
GMER keeps on crashing my windows 7, can you suggest any alternatives?

#5
fenzodahl512
Malware Removal
9,863 posts
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (e.g. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.




Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix.

It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".


After that, double-click and run Combo-Fix. Let it finish its job and post the log here.

If ComboFix asks you to install the Recovery Console, please do so. It will be in your best interest.

Note: DON'T do anything with your computer while ComboFix is running. Let ComboFix finish its job.