
Please please help



#16 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)

That is fine:

Since you appear to have a file infector on board, we need to make this fast.
Do not use your computer if it is not absolutely necessary.

Please remove one of the two antivirus programs that you have running:
PCguard or AVG.
This has to be done first as it will interfere with our efforts.

Please uninstall Spybot for now until we are done.
===================================
Run OTList2.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :OTLI
    PRC - C:\WINDOWS\services.exe ()
    DRV - (ethyiwuf [System | Stopped]) -- C:\WINDOWS\system32\drivers\ethyiwuf.sys ()
    O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - Reg Error: Key error. File not found
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - Reg Error: Key error. File not found
    O2 - BHO: (no name) - {A3C55EC7-0E53-40CA-87D0-90B91AFD5B99} - Reg Error: Key error. File not found
    O2 - BHO: (no name) - {E03911BD-43E2-48CC-BAAF-5A207018CCC1} - Reg Error: Key error. File not found
    O4 - HKLM..\Run: [Framework Windows] frmwrk32.exe File not found
    O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
    O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
    O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe
    O4 - HKCU\..\Run: [comidle] "C:\Documents and Settings\Martin\Application Data\comidle\comidle.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
    O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Martin\reader_s.exe
    O4 - HKCU\..\Run: [services] C:\WINDOWS\services.exe
    O4 - HKLM\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe
    O4 - HKCU\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe
    O4 - HKUS\S-1-5-18\..\Run: [comidle] "C:\Documents and Settings\Martin\Application Data\comidle\comidle.exe" 61A847B5BBF728103B9D3B466188719AB689201522886B092CBD44BD8689220221DD3257 (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [services] C:\WINDOWS\services.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [zztprhfo.exe] C:\WINDOWS\zztprhfo.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\Martin\reader_s.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [ntqgfzhj.exe] C:\WINDOWS\ntqgfzhj.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [zzjqxfof.exe] C:\WINDOWS\zzjqxfof.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [bndfyciv.exe] C:\WINDOWS\bndfyciv.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [zzjvvzxb.exe] C:\WINDOWS\zzjvvzxb.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [phnxbqlm.exe] C:\WINDOWS\phnxbqlm.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [tjbrzfzt.exe] C:\WINDOWS\tjbrzfzt.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [phnxyzaq.exe] C:\WINDOWS\phnxyzaq.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [dbxpmurp.exe] C:\WINDOWS\dbxpmurp.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [zzjpcdeq.exe] C:\WINDOWS\zzjpcdeq.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [nttngskv.exe] C:\WINDOWS\nttngskv.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [tjbscbwb.exe] C:\WINDOWS\tjbscbwb.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [fprzmjlv.exe] C:\WINDOWS\fprzmjlv.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [zzjpmbay.exe] C:\WINDOWS\zzjpmbay.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [lfzxtdhc.exe] C:\WINDOWS\lfzxtdhc.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe (User 'Default user')
    O8 - Extra context menu item: &Search - ?p=ZJfox000
    O20 - Winlogon Notify: ddcBRhhI - C:\WINDOWS\
    O20 - Winlogon Notify: nnnlmnnk - nnnlmnnk.dll (file missing)
    
    :Files
    C:\WINDOWS\services.exe
    C:\WINDOWS\System32\reader_s.exe
    C:\WINDOWS\System32\frmwrk32.exe
    C:\Documents and Settings\Martin\Application Data\comidle
    C:\WINDOWS\ntqgfzhj.exe 
    C:\WINDOWS\zzjqxfof.exe
    C:\WINDOWS\bndfyciv.exe 
    C:\WINDOWS\zzjvvzxb.exe 
    C:\WINDOWS\phnxbqlm.exe 
    C:\WINDOWS\tjbrzfzt.exe 
    C:\WINDOWS\phnxyzaq.exe 
    C:\WINDOWS\dbxpmurp.exe 
    C:\WINDOWS\zzjpcdeq.exe
    C:\WINDOWS\nttngskv.exe
    C:\WINDOWS\tjbscbwb.exe 
    C:\WINDOWS\fprzmjlv.exe 
    C:\WINDOWS\zzjpmbay.exe 
    C:\WINDOWS\lfzxtdhc.exe
    c:\windows\system32\vokowena.dll
    C:\WINDOWS\vxvwwayv.exe
    C:\WINDOWS\System32\win32hlp.cnf
    C:\WINDOWS\System32\1000.exe
    C:\WINDOWS\System32\998.exe
    C:\WINDOWS\services.ex_
    C:\WINDOWS\System32\9.tm_
    C:\Documents and Settings\Martin\Local Settings\Application Data\.#
    C:\WINDOWS\System32\elupekaw.ini
    C:\WINDOWS\System32\prunnet.ex_
    C:\WINDOWS\Tasks\kyskskci.job
    
    
    
    :Commands
    [emptytemp]
    [resethosts]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • It will produce a log for you on reboot, please post that log in your next reply.
===============
Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon; they may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
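The fix script in the post above lists autostart entries in OTListIt's O4 shorthand, where "HKLM\..\Run" stands for HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and "HKUS\S-1-5-18" is the SYSTEM account's hive under HKEY_USERS. What follows is an added example, not part of this thread and not code from OTListIt, ComboFix or Geeks to Go: it expands each O4 line to the full registry key and value name the fix will remove, pulls out the executable, and tags the traits a responder would triage on. The sample lines are copied from the script above; the trait rules (eight-letter names with at most one vowel, core binary names outside System32, executables inside a user profile, Run entries registered for the SYSTEM SID) and the list of core binary names are my own heuristics, not anything the tool computes.

```python
"""Expand the O4 (autostart) lines of an OTListIt fix script into the registry
key and value they name, and tag the traits a responder triages on."""
import re

# Constructed sample: O4 lines copied verbatim from the fix script above.
O4_SAMPLE = r"""
O4 - HKLM..\Run: [Framework Windows] frmwrk32.exe File not found
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKCU\..\Run: [comidle] "C:\Documents and Settings\Martin\Application Data\comidle\comidle.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKLM\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe
O4 - HKUS\S-1-5-18\..\Run: [zztprhfo.exe] C:\WINDOWS\zztprhfo.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\Martin\reader_s.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe (User 'Default user')
"""

# OTListIt abbreviates <hive>\Software\Microsoft\Windows\CurrentVersion\Run
# to "<hive>\..\Run"; the (User '...') suffix appears on HKUS entries only.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\?\.\.\\"
    r"(?P<sub>Run|Policies\\Explorer\\Run): \[(?P<name>[^\]]+)\] "
    r"(?P<cmd>.+?)(?: \(User '(?P<user>[^']+)'\))?$"
)
EXE_RE = re.compile(r'"([^"]+)"|(.+?\.exe)', re.IGNORECASE)
ROOTS = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
# Assumption for the heuristic: these names belong in %SystemRoot%\System32.
CORE_BINARIES = {"services.exe", "lsass.exe", "winlogon.exe", "csrss.exe", "svchost.exe"}
SYSTEM_SID = "S-1-5-18"


def registry_key(hive, sub):
    """'HKUS\\S-1-5-18' + 'Run' -> the full key the fix script deletes from."""
    if hive.startswith("HKUS\\"):
        root = "HKEY_USERS\\" + hive.split("\\", 1)[1]
    else:
        root = ROOTS[hive]
    return root + "\\Software\\Microsoft\\Windows\\CurrentVersion\\" + sub


def looks_random(base):
    """Eight lowercase letters with at most one vowel, like the names in the
    script above; 'services.exe' and 'explorer.exe' do not qualify."""
    stem = base[:-4] if base.endswith(".exe") else base
    return len(stem) == 8 and stem.isalpha() and sum(c in "aeiou" for c in stem) <= 1


def traits(hive, exe):
    """Heuristic tags; a tag means 'look closer', not 'malicious'."""
    low = exe.lower()
    folder, _, base = low.rpartition("\\")
    tags = []
    if looks_random(base):
        tags.append("random-looking eight-letter name")
    if base in CORE_BINARIES and not folder.endswith("\\system32"):
        tags.append("core system binary name outside System32")
    if "\\documents and settings\\" in low:
        tags.append("runs from a user profile")
    if hive == "HKUS\\" + SYSTEM_SID:
        tags.append("autostart registered for the SYSTEM account")
    return tags


def expand(text):
    """Parse every O4 line into a dict with the full key, value and traits."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        exe_match = EXE_RE.match(m["cmd"])
        exe = (exe_match.group(1) or exe_match.group(2)) if exe_match else m["cmd"]
        entries.append({
            "key": registry_key(m["hive"], m["sub"]),
            "value": m["name"],
            "exe": exe,
            "user": m["user"],
            "traits": traits(m["hive"], exe),
        })
    return entries


if __name__ == "__main__":
    for e in expand(O4_SAMPLE):
        print(f"{e['key']}  [{e['value']}] -> {e['exe']}")
        for t in e["traits"]:
            print("    !", t)
```

Two things the expansion makes visible that the shorthand hides: the same "services" value is planted in the Run key and in the Policies\Explorer\Run key of HKLM, HKCU, the SYSTEM hive and .DEFAULT, so removing one copy leaves the others to restart it, and the SYSTEM hive entries point at files in a user profile, which no legitimate installer does.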



#17 teeniebop (Member, Topic Starter, 17 posts)

Hi

I tried pasting the first code into the OTList2.exe, but when I click Run Fix a message appears saying that my computer is restarting, and a timer comes up, and sure enough after 30 seconds or so it restarts itself. This happens every time I try to do this. Is this meant to happen? It has also happened before this a few times. Also, when I run the ComboFix a message appears from something called a Bleeping Computer and my computer beeps twice. It asked me if I wanted to proceed, but I wasn't sure what this was, so I clicked No and closed it.

Edited by teeniebop, 05 March 2009 - 03:02 PM.


#18 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)

No problem, please go ahead with ComboFix.

You have to click Yes and install the Recovery Console after that.
Please read my instructions carefully.

#19 teeniebop (Member, Topic Starter, 17 posts)

OK, here's the log.


ComboFix 09-03-04.01 - Martin 2009-03-06 0:35:45.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1612 [GMT 0:00]
Running from: c:\documents and settings\Martin\Desktop\ComboFix.exe
AV: PCguard Anti-Virus *On-access scanning disabled* (Updated)
FW: PCguard Firewall *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Martin\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\Martin\reader_s.exe
c:\documents and settings\Martin\Start Menu\Programs\Download programs.url
c:\documents and settings\Martin\Start Menu\Programs\Games.url
c:\program files\Helper
c:\windows\IE4 Error Log.txt
c:\windows\system32\1000.exe
c:\windows\system32\9.tmp
c:\windows\system32\998.exe
c:\windows\system32\bb1.dat
c:\windows\system32\cmds.txt
c:\windows\system32\cookie1.dat
c:\windows\system32\cs.dat
c:\windows\system32\drivers\ntndis.sys
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekatdxklerd.sys
c:\windows\system32\elupekaw.ini
c:\windows\system32\GAE3E.tmp.exe
c:\windows\system32\init32.exe
c:\windows\system32\kybayyri.ini
c:\windows\system32\ps1.dat
c:\windows\system32\pXHQBJlm.ini
c:\windows\system32\pXHQBJlm.ini2
c:\windows\system32\rc.dat
c:\windows\system32\reader_s.exe
c:\windows\system32\senekahkltoqxr.dll
c:\windows\system32\senekamrwsxwot.dat
c:\windows\system32\senekanoxujvrt.dat
c:\windows\system32\senekaqgmorifr.dll
c:\windows\system32\senekarxodmtai.dll
c:\windows\system32\Svvwyyxx.ini
c:\windows\system32\Svvwyyxx.ini2
c:\windows\system32\tb.dr
c:\windows\system32\twain32
c:\windows\system32\twain32\local.ds
c:\windows\system32\twain32\user.ds
c:\windows\system32\twain32\user.ds.lll
c:\windows\system32\twex.exe
c:\windows\system32\uniq.tll
c:\windows\system32\win32hlp.cnf
c:\windows\system32\wjhegbks.ini
c:\windows\Tasks\kyskskci.job

c:\windows\system32\userinit.exe . . . is infected!!

c:\windows\system32\spoolsv.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Service_SENEKA
-------\Service_restore


((((((((((((((((((((((((( Files Created from 2009-02-06 to 2009-03-06 )))))))))))))))))))))))))))))))
.

2009-03-06 00:52 . 2009-03-06 00:53 <DIR> d--hs---- c:\windows\system32\twain32
2009-03-06 00:52 . 2009-03-06 00:52 91,136 --a------ c:\windows\system32\47.tmp
2009-03-06 00:52 . 2009-03-06 00:52 84 --a------ c:\windows\system32\46.tmp
2009-03-06 00:52 . 2009-03-06 00:52 1 --a------ c:\windows\system32\48.tmp
2009-03-06 00:46 . 2009-03-06 00:46 91,136 --a------ c:\windows\system32\44.tmp
2009-03-06 00:46 . 2009-03-06 00:46 1 --a------ c:\windows\system32\45.tmp
2009-03-06 00:35 . 2009-03-06 00:35 91,136 --a------ c:\windows\system32\42.tmp
2009-03-06 00:35 . 2009-03-06 00:35 84 --a------ c:\windows\system32\41.tmp
2009-03-06 00:35 . 2009-03-06 00:35 1 --a------ c:\windows\system32\43.tmp
2009-03-06 00:22 . 2009-03-06 00:22 91,136 --a------ c:\windows\system32\3F.tmp
2009-03-06 00:22 . 2009-03-06 00:22 1 --a------ c:\windows\system32\40.tmp
2009-03-06 00:21 . 2009-03-06 00:22 84 --a------ c:\windows\system32\3E.tmp
2009-03-05 22:22 . 2009-03-05 22:22 <DIR> d-------- C:\SYSTEM.SAV
2009-03-05 22:21 . 2009-03-05 22:21 44,032 --a------ c:\windows\system32\kmsvc32.dll
2009-03-05 22:07 . 2009-03-05 22:07 91,136 --a------ c:\windows\system32\3C.tmp
2009-03-05 22:07 . 2009-03-05 22:07 1 --a------ c:\windows\system32\3D.tmp
2009-03-05 22:06 . 2009-03-05 22:07 84 --a------ c:\windows\system32\39.tmp
2009-03-05 22:05 . 2009-03-06 00:52 6,656 --a------ c:\windows\system32\drivers\restore.sys
2009-03-05 20:23 . 2009-03-05 20:23 91,136 --a------ c:\windows\system32\3A.tmp
2009-03-05 20:23 . 2009-03-05 20:23 84 --a------ c:\windows\system32\38.tmp
2009-03-05 20:23 . 2009-03-05 20:23 1 --a------ c:\windows\system32\3B.tmp
2009-03-05 18:16 . 2009-03-05 18:16 91,136 --a------ c:\windows\system32\36.tmp
2009-03-05 18:16 . 2009-03-05 18:16 84 --a------ c:\windows\system32\35.tmp
2009-03-05 18:16 . 2009-03-05 18:16 1 --a------ c:\windows\system32\37.tmp
2009-03-05 18:14 . 2009-03-05 18:14 91,136 --a------ c:\windows\system32\34.tmp
2009-03-05 18:14 . 2009-03-05 18:14 84 --a------ c:\windows\system32\8.tmp
2009-03-05 18:12 . 2009-03-05 18:12 91,136 --a------ c:\windows\system32\31.tmp
2009-03-05 18:12 . 2009-03-05 18:12 84 --a------ c:\windows\system32\2F.tmp
2009-03-05 18:12 . 2009-03-05 18:12 1 --a------ c:\windows\system32\32.tmp
2009-03-05 18:06 . 2009-03-05 18:06 91,136 --a------ c:\windows\system32\30.tmp
2009-03-05 18:06 . 2009-03-05 18:06 1 --a------ c:\windows\system32\33.tmp
2009-03-05 18:05 . 2009-03-05 18:06 84 --a------ c:\windows\system32\2E.tmp
2009-03-05 18:03 . 2009-03-05 18:03 <DIR> d-------- C:\_OTListIt
2009-03-05 17:58 . 2009-03-05 17:58 91,136 --a------ c:\windows\system32\2B.tmp
2009-03-05 17:58 . 2009-03-05 17:58 84 --a------ c:\windows\system32\E.tmp
2009-03-05 17:58 . 2009-03-05 17:58 1 --a------ c:\windows\system32\2D.tmp
2009-03-05 17:57 . 2009-03-05 17:57 262,144 --a------ c:\documents and settings\JACKIE~4.MAR
2009-03-05 17:55 . 2009-03-05 17:55 262,144 --a------ c:\documents and settings\JACKIE~3.MAR
2009-03-05 17:50 . 2009-03-05 17:50 91,136 --a------ c:\windows\system32\F.tmp
2009-03-05 17:50 . 2009-03-05 17:50 84 --a------ c:\windows\system32\D.tmp
2009-03-05 17:50 . 2009-03-05 17:50 1 --a------ c:\windows\system32\2A.tmp
2009-03-05 17:48 . 2009-03-05 17:48 91,136 --a------ c:\windows\system32\6.tmp
2009-03-05 17:48 . 2009-03-05 17:48 84 --a------ c:\windows\system32\5.tmp
2009-03-05 17:43 . 2009-03-05 17:43 11,264 --a------ c:\windows\system32\imdds.dll
2009-03-05 17:42 . 2009-03-05 22:21 100 --a------ c:\windows\system32\wh
2009-03-05 17:28 . 2009-03-05 17:28 91,136 --a------ c:\windows\system32\B.tmp
2009-03-05 17:28 . 2009-03-05 17:28 84 --a------ c:\windows\system32\A.tmp
2009-03-05 17:28 . 2009-03-05 17:28 1 --a------ c:\windows\system32\C.tmp
2009-03-05 04:58 . 2009-03-05 04:58 41,985 --a------ c:\windows\services.ex_
2009-03-05 04:58 . 2009-03-05 04:58 84 --a------ c:\windows\system32\7.tmp
2009-03-05 01:26 . 2009-03-05 01:31 250 --a------ c:\windows\gmer.ini
2009-03-05 01:14 . 2009-03-05 01:17 162,304 --a------ c:\windows\system32\2C.tmp
2009-03-05 01:14 . 2009-03-05 01:14 84 --a------ c:\windows\system32\29.tmp
2009-03-05 01:09 . 2009-03-05 01:09 244 --ah----- C:\sqmnoopt18.sqm
2009-03-05 01:09 . 2009-03-05 01:09 232 --ah----- C:\sqmdata18.sqm
2009-03-04 20:32 . 2009-03-04 20:32 25,601 --a------ c:\windows\system32\27.tmp
2009-03-04 20:32 . 2009-03-04 20:32 84 --a------ c:\windows\system32\25.tmp
2009-03-04 20:32 . 2009-03-04 20:32 0 --a------ c:\windows\system32\28.tmp
2009-03-04 20:30 . 2009-03-04 20:30 64,573 --a------ c:\windows\system32\26.tmp
2009-03-04 20:30 . 2009-03-04 20:30 84 --a------ c:\windows\system32\23.tmp
2009-03-04 20:16 . 2009-03-04 20:16 297,984 --a--c--- c:\windows\system32\dllcache\userinit.exe
2009-03-04 20:16 . 2009-03-04 20:16 109,056 --a------ c:\windows\system32\QoS.dll
2009-03-04 20:01 . 2009-03-04 20:03 162,304 --a------ c:\windows\system32\24.tmp
2009-03-04 20:01 . 2009-03-04 20:01 84 --a------ c:\windows\system32\1F.tmp
2009-03-04 19:54 . 2009-03-04 19:57 162,816 --a------ c:\windows\system32\21.tmp
2009-03-04 19:54 . 2009-03-04 19:54 84 --a------ c:\windows\system32\1C.tmp
2009-03-04 18:37 . 2009-03-04 18:40 162,816 --a------ c:\windows\system32\22.tmp
2009-03-04 18:37 . 2009-03-04 18:37 124 --a------ c:\windows\system32\1B.tmp
2009-03-04 18:33 . 2009-03-04 18:33 155,293 --a------ c:\windows\system32\1D.tmp
2009-03-04 18:33 . 2009-03-04 18:33 124 --a------ c:\windows\system32\19.tmp
2009-03-03 21:14 . 2009-03-03 21:14 84 --a------ c:\windows\system32\17.tmp
2009-03-03 21:14 . 2009-03-03 21:14 0 --a------ c:\windows\system32\1A.tmp
2009-03-03 21:12 . 2009-03-03 21:12 161,792 --a------ c:\windows\system32\18.tmp
2009-03-03 21:12 . 2009-03-03 21:12 84 --a------ c:\windows\system32\15.tmp
2009-03-03 21:10 . 2009-03-03 21:10 161,792 --a------ c:\windows\system32\16.tmp
2009-03-03 21:10 . 2009-03-03 21:10 84 --a------ c:\windows\system32\13.tmp
2009-03-03 21:08 . 2009-03-03 21:08 161,792 --a------ c:\windows\system32\14.tmp
2009-03-03 21:08 . 2009-03-03 21:08 84 --a------ c:\windows\system32\11.tmp
2009-03-03 21:04 . 2009-03-03 21:07 161,792 --a------ c:\windows\system32\12.tmp
2009-03-03 21:03 . 2009-03-03 21:03 162,304 --a------ c:\windows\system32\10.tmp
2009-03-03 20:56 . 2009-03-03 20:56 162,304 --a------ c:\windows\system32\9.tm_
2009-03-03 19:19 . 2009-03-03 19:19 244 --ah----- C:\sqmnoopt16.sqm
2009-03-03 19:19 . 2009-03-03 19:19 244 --ah----- C:\sqmnoopt15.sqm
2009-03-03 19:19 . 2009-03-03 19:19 232 --ah----- C:\sqmdata16.sqm
2009-03-03 19:19 . 2009-03-03 19:19 232 --ah----- C:\sqmdata15.sqm
2009-03-03 19:19 . 2009-03-03 19:19 172 --ah----- C:\sqmnoopt17.sqm
2009-03-03 19:19 . 2009-03-03 19:19 172 --ah----- C:\sqmdata17.sqm
2009-03-03 19:13 . 2009-03-03 19:13 244 --ah----- C:\sqmnoopt14.sqm
2009-03-03 19:13 . 2009-03-03 19:13 244 --ah----- C:\sqmnoopt13.sqm
2009-03-03 19:13 . 2009-03-03 19:13 232 --ah----- C:\sqmdata14.sqm
2009-03-03 19:13 . 2009-03-03 19:13 232 --ah----- C:\sqmdata13.sqm
2009-03-03 19:06 . 2009-03-03 19:06 244 --ah----- C:\sqmnoopt12.sqm
2009-03-03 19:06 . 2009-03-03 19:06 232 --ah----- C:\sqmdata12.sqm
2009-03-03 19:05 . 2009-03-03 19:05 244 --ah----- C:\sqmnoopt11.sqm
2009-03-03 19:05 . 2009-03-03 19:05 232 --ah----- C:\sqmdata11.sqm
2009-03-03 19:01 . 2009-03-03 19:01 244 --ah----- C:\sqmnoopt09.sqm
2009-03-03 19:01 . 2009-03-03 19:01 244 --ah----- C:\sqmnoopt08.sqm
2009-03-03 19:01 . 2009-03-03 19:01 244 --ah----- C:\sqmnoopt06.sqm
2009-03-03 19:01 . 2009-03-03 19:01 232 --ah----- C:\sqmdata09.sqm
2009-03-03 19:01 . 2009-03-03 19:01 232 --ah----- C:\sqmdata08.sqm
2009-03-03 19:01 . 2009-03-03 19:01 232 --ah----- C:\sqmdata06.sqm
2009-03-03 19:01 . 2009-03-03 19:01 172 --ah----- C:\sqmnoopt10.sqm
2009-03-03 19:01 . 2009-03-03 19:01 172 --ah----- C:\sqmnoopt07.sqm
2009-03-03 19:01 . 2009-03-03 19:01 172 --ah----- C:\sqmdata10.sqm
2009-03-03 19:01 . 2009-03-03 19:01 172 --ah----- C:\sqmdata07.sqm
2009-03-03 18:58 . 2009-03-03 19:01 162,816 --a------ c:\windows\system32\20.tmp
2009-03-03 18:58 . 2009-03-03 18:58 88 --a------ c:\windows\system32\1E.tmp
2009-03-03 17:11 . 2009-03-03 17:11 0 --a------ c:\windows\system32\7B.tmp
2009-03-03 16:13 . 2009-03-03 16:13 0 --a------ c:\windows\system32\76.tmp
2009-03-03 16:10 . 2009-03-03 18:50 <DIR> d-------- c:\documents and settings\Martin\Application Data\comidle
2009-03-03 16:10 . 2009-03-03 16:13 162,304 --a------ c:\windows\system32\70.tmp
2009-03-03 16:10 . 2009-03-05 17:27 130 --a------ c:\windows\adobe.bat
2009-03-03 16:10 . 2009-03-03 16:10 124 --a------ c:\windows\system32\67.tmp
2009-03-03 16:10 . 2009-03-03 16:10 6 --a------ c:\windows\_id.dat
2009-03-03 15:55 . 2009-03-03 15:55 44,824 --a------ c:\windows\system32\prunnet.ex_
2009-02-23 00:11 . 2009-02-23 00:11 24 --a------ c:\windows\cdplayer.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-05 18:12 90,112 ----a-w c:\windows\DUMP4f87.tmp
2009-03-05 17:53 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-05 17:53 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-05 17:49 90,112 ----a-w c:\windows\DUMP5a93.tmp
2009-03-03 21:43 --------- d-----w c:\program files\QuickTime
2009-03-03 21:42 --------- d-----w c:\program files\OpenOffice.org 2.0
2009-03-03 21:42 --------- d-----w c:\program files\Microsoft Works
2009-03-03 21:41 --------- d-----w c:\program files\GameSpy Arcade
2009-03-03 21:41 --------- d-----w c:\program files\Design Manager
2009-03-03 19:32 10,604 -c--a-w c:\documents and settings\Martin\Application Data\wklnhst.dat
2009-03-03 17:10 182,656 ----a-w c:\windows\system32\drivers\ndis.sys
2009-03-03 16:21 --------- d-----w c:\program files\7-Zip
2009-03-02 01:35 --------- d-----w c:\documents and settings\Martin\Application Data\LimeWire
2009-03-01 21:16 --------- d-----w c:\documents and settings\Martin\Application Data\gtk-2.0
2009-02-19 19:12 --------- d-----w c:\program files\Common Files\Adobe
2009-02-13 01:29 --------- d-----w c:\program files\Messenger Plus! Live
2009-02-09 22:44 --------- d-----w c:\program files\Google
2009-01-25 14:34 --------- d-----w c:\program files\Adobe Media Player
2009-01-25 14:16 --------- d-----w c:\documents and settings\Martin\Application Data\Download Manager
2009-01-20 13:25 --------- d-----w c:\program files\Paint.NET
2009-01-20 13:23 --------- d-----w c:\program files\Inkscape
2009-01-20 13:22 --------- d-----w c:\documents and settings\Martin\Application Data\Inkscape
2009-01-20 13:21 --------- d-----w c:\program files\DivX
2009-01-12 06:07 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-12 06:07 --------- d-----w c:\documents and settings\Martin\Application Data\Malwarebytes
2009-01-12 06:07 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-11 05:50 --------- d-----w c:\program files\Trend Micro
2009-01-11 04:19 --------- d-----w c:\program files\Lavasoft
2009-01-11 04:19 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-11 04:19 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-06 02:15 --------- d-----w c:\documents and settings\andy.MARTY\Application Data\gtk-2.0
2007-12-24 00:42 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2003-08-27 22:19 36,963 -c--a-r c:\program files\Common Files\SM1updtr.dll
.

------- Sigcheck -------

2004-08-10 19:00 182912 1df7f42665c94b825322fae71721130d c:\windows\$NtServicePackUninstall$\ndis.sys
2008-04-13 19:20 182656 1df7f42665c94b825322fae71721130d c:\windows\ServicePackFiles\i386\ndis.sys
2009-03-03 17:10 213120 1df7f42665c94b825322fae71721130d c:\windows\system32\drivers\ndis.sys

2008-04-14 00:12 1050624 87a6228f3583ed60915643d525fa42f2 c:\windows\explorer.exe
2007-06-13 11:26 1050624 45ab2cb1d52549ee54fef8533c24b2e9 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-13 10:23 1050112 17e5f358b18be49f88b3125ad86a2fbf c:\windows\$NtServicePackUninstall$\explorer.exe
2004-08-10 19:00 1049600 61022ee4e5d8fc20af4e25e6b61d1482 c:\windows\$NtUninstallKB938828$\explorer.exe
2008-04-14 00:12 1051136 17b9ca47c66b3c36429b0dedea5f5752 c:\windows\ServicePackFiles\i386\explorer.exe

2004-08-10 19:00 32768 850ba65d16fce50891608df2e657eeeb c:\windows\$NtServicePackUninstall$\ctfmon.exe
2008-04-14 00:12 32256 d4867b19585819fb7f8820d455a0d938 c:\windows\ServicePackFiles\i386\ctfmon.exe
2008-04-14 00:12 32256 9e33fe0fd0de56e7aa3858251fae5890 c:\windows\system32\ctfmon.exe

2005-06-11 00:17 75264 e7cce1261149be9f392228e68466b794 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2005-06-10 23:53 74752 eeb915600c8a925caf6860d2f3fe2917 c:\windows\$NtServicePackUninstall$\spoolsv.exe
2008-04-14 00:12 74752 9920675c66b4b9163268ad85487bed9b c:\windows\ServicePackFiles\i386\spoolsv.exe
2008-04-14 00:12 74752 eae7d59ab0b1067f3c2ccf1715675af6 c:\windows\system32\spoolsv.exe

2004-08-10 19:00 41472 b4b84f7faec5c7919f8fa2b4bf769874 c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-14 00:12 43520 a8515a986c4da8f1ee947de2e41f0048 c:\windows\ServicePackFiles\i386\userinit.exe
2009-03-04 20:16 297984 4ee09f777655d0b535ade22444ff1f91 c:\windows\system32\userinit.exe
2009-03-04 20:16 297984 4ee09f777655d0b535ade22444ff1f91 c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-19 68856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 221696]
"comidle"="c:\documents and settings\Martin\Application Data\comidle\comidle.exe" [2009-03-03 77312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 84480]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 233472]
"NMSSupport"="c:\program files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [2006-03-29 398848]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-02-21 163840]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-18 136600]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Broadbandadvisor.exe"="c:\program files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-08-07 2061552]
"-FreedomNeedsReboot"="c:\program files\Virgin Broadband\PCguard\ZkRunOnceR.exe" [2007-09-05 13552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-08-15 185896]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-04-27 7573504]
"nwiz"="nwiz.exe" [2006-04-27 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 32256]
"comidle"="c:\documents and settings\Martin\Application Data\comidle\comidle.exe" [2009-03-03 77312]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 94208]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,c:\windows\system32\twex.exe,"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Ahead\\Nero MediaHome\\NeroMediaHome.exe"=
"c:\\Program Files\\NetMeeting\\Conf.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R3 3xHybrid;Philips SAA713x PCI Card;c:\windows\system32\drivers\3xHybrid.sys [2006-07-10 882688]
R3 cmudax;C-Media High Definition Audio Interface;c:\windows\system32\drivers\cmudax.sys [2006-07-10 1287296]
R3 X10Hid;X10 Hid Device;c:\windows\system32\drivers\x10hid.sys [2006-07-10 7040]
S1 ethyiwuf;ethyiwuf;c:\windows\system32\drivers\ethyiwuf.sys --> c:\windows\system32\drivers\ethyiwuf.sys [?]
S3 MobileAdapter;Huawei Mobile Adapter USB Modem and USB Serial;c:\windows\system32\drivers\hmvmdm.sys [2007-11-29 88960]
S3 Radialpoint Security Services;Virgin Broadband PCguard;c:\windows\system32\dllhost.exe [2006-07-07 22016]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Z]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder

2009-03-06 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
.
- - - - ORPHANS REMOVED - - - -

BHO-{684EE1DB-CD52-4ca9-9CCF-93D5F6B419BA} - kmsvc32.dll
HKCU-Run-reader_s - c:\documents and settings\Martin\reader_s.exe
HKCU-Run-services - c:\windows\services.exe
HKCU-Run-AdobeBridge - (no file)
HKLM-Run-CCUTRAYICON - c:\program files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
HKLM-Run-reader_s - c:\windows\System32\reader_s.exe
HKLM-Run-High Definition Audio Property Page Shortcut - HDAudPropShortcut.exe
HKLM-Run-Cmaudio - cmicnfg.cpl
HKU-Default-Run-zztprhfo.exe - c:\windows\zztprhfo.exe
HKU-Default-Run-reader_s - c:\documents and settings\Martin\reader_s.exe
HKU-Default-Run-ntqgfzhj.exe - c:\windows\ntqgfzhj.exe
HKU-Default-Run-zzjqxfof.exe - c:\windows\zzjqxfof.exe
HKU-Default-Run-bndfyciv.exe - c:\windows\bndfyciv.exe
HKU-Default-Run-zzjvvzxb.exe - c:\windows\zzjvvzxb.exe
HKU-Default-Run-phnxbqlm.exe - c:\windows\phnxbqlm.exe
HKU-Default-Run-tjbrzfzt.exe - c:\windows\tjbrzfzt.exe
HKU-Default-Run-phnxyzaq.exe - c:\windows\phnxyzaq.exe
HKU-Default-Run-dbxpmurp.exe - c:\windows\dbxpmurp.exe
HKU-Default-Run-zzjpcdeq.exe - c:\windows\zzjpcdeq.exe
HKU-Default-Run-nttngskv.exe - c:\windows\nttngskv.exe
HKU-Default-Run-tjbscbwb.exe - c:\windows\tjbscbwb.exe
HKU-Default-Run-fprzmjlv.exe - c:\windows\fprzmjlv.exe
HKU-Default-Run-zzjpmbay.exe - c:\windows\zzjpmbay.exe
HKU-Default-Run-lfzxtdhc.exe - c:\windows\lfzxtdhc.exe
HKU-Default-Run-vxvwwayv.exe - c:\windows\vxvwwayv.exe
HKU-Default-Run-services - c:\windows\services.exe
HKU-Default-Run-bndzzuux.exe - c:\windows\bndzzuux.exe
HKLM-Explorer_Run-services - c:\windows\services.exe
HKCU-Explorer_Run-services - c:\windows\services.exe
HKU-Default-Explorer_Run-services - c:\windows\services.exe
Notify-ddcBRhhI - (no file)
Notify-nnnlmnnk - nnnlmnnk.dll


.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: &Search - ?p=ZJfox000
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?7dd6ce261bfe417b83165f7fea21767f
IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?7dd6ce261bfe417b83165f7fea21767f
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Martin\Start Menu\Programs\IMVU\Run IMVU.lnk
LSP: imdds.dll
LSP: c:\windows\system32\QoS.dll
FF - ProfilePath - c:\documents and settings\Martin\Application Data\Mozilla\Firefox\Profiles\5jsrqx7d.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/webhp?sourceid=navclient-ff&ie=UTF-8&rlz=1B3GGGL_enGB244GB244
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?mkt=en-gb&FORM=MIMUAA&q=
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-06 00:52:45
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\twain32

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(976)
c:\windows\system32\imdds.dll

- - - - - - - > 'lsass.exe'(1036)
c:\windows\system32\imdds.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Virgin Broadband\PCguard\Fws.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Intel\IntelDH\CCU\AlertService.exe
c:\program files\Common Files\Authentium\AntiVirus\dvpapi.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\CA\PPRT\bin\ITMRTSVC.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Raxco\PerfectDisk\PDAgent.exe
c:\windows\system32\HPZipm12.exe
c:\progra~1\COMMON~1\X10\Common\X10nets.exe
c:\program files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\ELService.exe
c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
c:\program files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\Temp\BN4.tmp
c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
c:\program files\Raxco\PerfectDisk\PDEngine.exe
c:\windows\system32\wscntfy.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2009-03-06 0:55:28 - machine was rebooted [Martin]
ComboFix-quarantined-files.txt 2009-03-06 00:55:23

Pre-Run: 462,011,473,920 bytes free
Post-Run: 462,458,658,816 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

440 --- E O F --- 2008-12-18 15:24:57

#20
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please do a scan with Kaspersky Online Scanner.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
