Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

DirectX problem and some other .dlls

Started by Orre , Nov 10 2008 12:42 PM

  • This topic is locked This topic is locked

#16
Orre
Posted 12 December 2008 - 09:12 AM

Orre

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
Okey, it took 10 hours, but it's finally done :)

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, December 12, 2008
Operating System: Microsoft Windows Vista Ultimate Edition, 64-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, December 11, 2008 16:38:22
Records in database: 1452655
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
G:\
H:\
I:\

Scan statistics:
Files scanned: 467488
Threat name: 5
Infected objects: 6
Suspicious objects: 0
Duration of the scan: 10:02:41


File name / Threat name / Threats count
C:\Program1\FlashMute\uninstall.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.ih 1
C:\Program1\VOIPlay\BsSndRpt.exe Infected: Trojan-Downloader.Win32.Banload.szf 1
C:\Users\Oscar\AppData\Roaming\Thunderbird\Profiles\nooz476p.default\Mail\Local Folders\Trash Infected: Trojan-Downloader.JS.Agent.cxx 1
C:\Users\Oscar\Desktop\OTMoveIt3.exe Infected: Backdoor.Win32.SubSeven.asu 1
C:\Windows.old.000\Users\Orre\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\4ea529eb-2620a8af Infected: Trojan.Win32.VB.hcw 1
C:\Windows.old.000\Users\Orre\java_plugin.exe Infected: Trojan.Win32.VB.hcw 1

The selected area was scanned.


And the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:11:12 PM, on 12/12/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\DAEMON Tools Lite\daemon.exe
C:\Program Files (x86)\anysee\anysee-E30Series\anysee_TR.exe
C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program1\Winamp\winampa.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
C:\Program Files (x86)\Skype\Plugin Manager\skypePM.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files\mIRC\mirc.exe
C:\Windows.old.000\Program Files (x86)\Vuze\Azureus.exe
C:\hijackthis\Thattherehijackingprogram.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files (x86)\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files (x86)\Windows Live\Messenger\wlchtc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files (x86)\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [anysee_TR] "C:\Program Files (x86)\anysee\anysee-E30Series\anysee_TR.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0ENQBO] C:\PROGRA~2\COMMON~1\Adobe\ADOBEV~2\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [StartTSL] C:\Windows\system32\StartTSL.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program1\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~2\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AirPort Base Station Agent] "C:\Program Files (x86)\AirPort\APAgent.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files (x86)\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Skicka till OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Ski&cka till OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files (x86)\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{00906282-69AF-48F6-89F9-8D5083826D3D}: NameServer = 192.168.0.102
O17 - HKLM\System\CS1\Services\Tcpip\..\{00906282-69AF-48F6-89F9-8D5083826D3D}: NameServer = 192.168.0.102
O17 - HKLM\System\CS2\Services\Tcpip\..\{00906282-69AF-48F6-89F9-8D5083826D3D}: NameServer = 192.168.0.102
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG8\avgpp.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe Version Cue CS4 - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - Unknown owner - C:\PROGRA~2\AVG\AVG8\avgemc.exe (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~2\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: FLEXnet Licensing Service 64 - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: Transparent Screen Lock PRO Service (TSL PRO Lock Server) - e-motional.com a division of Esm Software - C:\Windows\SysWOW64\TSLLkSrv.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 11278 bytes

:)
  • 0

Advertisements

#17
emeraldnzl
Posted 12 December 2008 - 01:40 PM

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts

Okey, it took 10 hours, but it's finally done


Well done that man.

Now

Kaspersky shows infection here:

C:\Users\Oscar\AppData\Roaming\Thunderbird\Profiles\nooz476p.default\Mail\Local Folders\Trash

I think this is a Thunderbird mail folder and you will need to delete the contents to remove the infection.

Next

Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :processes
explorer.exe

:files
C:\Program1\VOIPlay\BsSndRpt.exe
C:\Windows.old.000\Users\Orre\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\4ea529eb-2620a8af
C:\Windows.old.000\Users\Orre\java_plugin.exe
:commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Finally in this post

Download GMER from here:

http://www.gmer.net/files.php

Unzip it to the desktop.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised by a trained Security Analyst.

Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.

So when you return please post
  • OTMoveIt3 log
  • GMER Rootkit revealer report
  • 0

#18
Orre
Posted 12 December 2008 - 02:35 PM

Orre

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
Okey, for some reason, when i open OtMoveIt3.exe the only thing starting is a log in notepad... :)
  • 0

#19
emeraldnzl
Posted 12 December 2008 - 02:57 PM

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Hmm... lets try downloading it again.

Please download the OTMoveIt3 by OldTimer.

Save it to your desktop.
Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).

Then go on and follow the instructions at post 17.
  • 0

#20
Orre
Posted 12 December 2008 - 04:11 PM

Orre

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
When I'm starting GMER it says: System\CurrentControlSet\Services\gmer: The handle is invalid.
Then it starts up but i can only tick/untick Services, Registry, Files and C:\ and ADS

Edited by Orre, 12 December 2008 - 04:39 PM.

  • 0

#21
emeraldnzl
Posted 12 December 2008 - 04:19 PM

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts

Then it starts up but except for Show All i can only tick Services, Registry, Files and C:\


Okay, lets run what you can and post the results back here.
  • 0

#22
Orre
Posted 12 December 2008 - 04:40 PM

Orre

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
========== PROCESSES ==========
Unable to kill process: explorer.exe
========== FILES ==========
C:\Program1\VOIPlay\BsSndRpt.exe moved successfully.
C:\Windows.old.000\Users\Orre\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\4ea529eb-2620a8af moved successfully.
C:\Windows.old.000\Users\Orre\java_plugin.exe moved successfully.
========== COMMANDS ==========
File delete failed. C:\Users\Oscar\AppData\Local\Temp\hsperfdata_Oscar\2456 scheduled to be deleted on reboot.
File delete failed. C:\Users\Oscar\AppData\Local\Temp\e4jDD72.tmp_dir26967\exe4jlib.jar scheduled to be deleted on reboot.
File delete failed. C:\Users\Oscar\AppData\Local\Temp\etilqs_sUNeooRcYMLDBV0hZNca scheduled to be deleted on reboot.
File delete failed. C:\Users\Oscar\AppData\Local\Temp\fla9E3A.tmp scheduled to be deleted on reboot.
File delete failed. C:\Users\Oscar\AppData\Local\Temp\FXSAPIDebugLogFile.txt scheduled to be deleted on reboot.
File delete failed. C:\Users\Oscar\AppData\Local\Temp\swt-gdip-win32-3448.dll scheduled to be deleted on reboot.
File delete failed. C:\Users\Oscar\AppData\Local\Temp\swt-win32-3448.dll scheduled to be deleted on reboot.
File delete failed. C:\Users\Oscar\AppData\Local\Temp\~DF71AF.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
File delete failed. C:\Users\Oscar\AppData\Local\Mozilla\Firefox\Profiles\exeifs24.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Users\Oscar\AppData\Local\Mozilla\Firefox\Profiles\exeifs24.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Users\Oscar\AppData\Local\Mozilla\Firefox\Profiles\exeifs24.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Users\Oscar\AppData\Local\Mozilla\Firefox\Profiles\exeifs24.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Users\Oscar\AppData\Local\Mozilla\Firefox\Profiles\exeifs24.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Users\Oscar\AppData\Local\Mozilla\Firefox\Profiles\exeifs24.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12122008_220755


This is the GMER log:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-12-12 23:39:53
Windows 6.0.6001 Service Pack 1


---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files (x86)\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xDB 0xCB 0x9F 0x9B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x8D 0x75 0x8C 0x4C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x7E 0x2C 0x9A 0xEC ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x1C 0x14 0x01 0x11 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files (x86)\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xDB 0xCB 0x9F 0x9B ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x8D 0x75 0x8C 0x4C ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x7E 0x2C 0x9A 0xEC ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x1C 0x14 0x01 0x11 ...

---- EOF - GMER 1.0.14 ----
  • 0

#23
emeraldnzl
Posted 12 December 2008 - 04:51 PM

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
My feeling is that we have got most of what was on your computer.

Just wanted to see with the Gmer scan whether you had any hidden rootkit there. Unfortunately I can't be certain as I don't think it ran fully.

Lets use this tool:

Please download Runscanner to your desktop and run it.
  • When the first page comes up select Beginner Mode
  • On the next page select Save a binary .Run file (Recommended) then click Start full scan at the top.
  • At this time Runscanner.exe may request access to the Internet through your firewall please allow it to do so, it will then run for two or three minutes.
  • On completion it will ask for a location to save the file and a name. It will do this for both the .run file and the log file
  • Call the .run file after your forum name and save it to your desktop. You will see the .run file on your desktop. Upload that file here.

  • 0

#24
Orre
Posted 12 December 2008 - 06:50 PM

Orre

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
It's been "Analyzing loaded process and libraries" for about 1½ hours now and it's only at one bar in the loading thingey...
I'll let it run overnight and see if anything happens...
  • 0

#25
emeraldnzl
Posted 12 December 2008 - 06:56 PM

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Strange, it should only take a few minutes.

I think we have disabled your anti-virus etc. so I don't think it's that.

Could be some other conflict or maybe some corrupt files.

Lets leave it running meantime though and see if it can complete.

Catch you tomorrow.

Look forward to hearing how you got on. :)
  • 0

Advertisements

#26
Orre
Posted 13 December 2008 - 08:26 AM

Orre

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
It doesn't work, it's still at 1 bar. I've tried it several times and downloaded it again, but it's still at one bar. Task manager says however that it takes between 10 and 15 % of the cpu...
  • 0

#27
emeraldnzl
Posted 13 December 2008 - 01:27 PM

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Okay. It was another way to have a look at some things in your machines registry.

Not working though so we will leave it.

I am not sure now whether these persisting problems on your machine are because of residual malware still there or a result of corruption caused along the way.

We have got rid of a lot and I think files were corrupted before we got to it.

Hmm... lets see.

Perhaps the first thing might be to ask you how is your computer performing now?
  • 0

#28
Orre
Posted 13 December 2008 - 02:40 PM

Orre

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
well, i reinstalled directx, gpu drivers and firefox when i woke up about 6 hours ago which i always do when the files are deleted (might have been deleted overnight though).
I guess we'll see if anything happens later tonight (tonight for me that is). :)
  • 0

#29
emeraldnzl
Posted 13 December 2008 - 03:06 PM

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Have you got your Windows installation CD?
  • 0

#30
Orre
Posted 13 December 2008 - 03:18 PM

Orre

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
Yes, i do.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP