Audio Virus 2


#1
bukowski

    Member

  • 12 posts
I have some kind of audio virus on my computer giving me trouble. It consists of pop-up ads overwriting the audio on my computer when I want to watch a film or listen to music. I've run the temporary file cleaner and the MBAM scan. However, when I try to run the GMER scan the computer reboots. So that's as far as I've gotten with the Malware and Spyware Cleaning Guide.
Here are the results from the MBAM scan:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4314

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

14-07-2010 22:09:44
mbam-log-2010-07-14 (22-09-44).txt

Scan type: Quick scan
Objects scanned: 126288
Time elapsed: 10 minute(s), 37 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 4

Memory Processes Infected:
C:\Documents and Settings\Marie Aalborg\Application Data\SystemProc\lsass.exe (Worm.KoobFace) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rthdbpl (Worm.KoobFace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Marie Aalborg\Application Data\SystemProc (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Programmer\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D} (Worm.Prolaco.M) -> Quarantined and deleted successfully.
C:\Programmer\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome (Worm.Prolaco.M) -> Quarantined and deleted successfully.
C:\Programmer\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content (Worm.Prolaco.M) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Marie Aalborg\Application Data\SystemProc\lsass.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\Programmer\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest (Worm.Prolaco.M) -> Quarantined and deleted successfully.
C:\Programmer\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf (Worm.Prolaco.M) -> Quarantined and deleted successfully.
C:\Programmer\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul (Worm.Prolaco.M) -> Quarantined and deleted successfully.
#2
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello bukowski

Welcome to G2Go. :)
=====================

Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt and attach.txt will open.
  • Save both reports to your desktop.
---------------------------------------------------

Please post the contents of the following in your next reply:

DDS.txt
Attach.txt.
================
Download the following GMER Rootkit Scanner from Here

  • Download the randomly named EXE file to your Desktop. Remember what its name is since it is randomly named.
  • Double click on the new randomly named exe file you downloaded and run it. If prompted about the Security Warning and Unknown Publisher, go ahead and click on Run.
  • It may take a minute to load and become available.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED

  • Sections
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically only C:\ should be checked)
  • Show All (don't miss this one)

  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
  • Click OK and quit the GMER program.
  • Note: On Firefox you need to go to Tools/Options/Main then under the Downloads section, click on Always ask me where to save files so that you can choose the name and where to save to, in this case your Desktop.


#3
bukowski

    Member

  • Topic Starter
  • 12 posts
Here you go...

DDS:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Marie Aalborg at 14:05:28,42 on 18-07-2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.45.1030.18.1012.473 [GMT 2:00]

AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

svchost.exe 4
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Programmer\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe 4
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Bonjour\mDNSResponder.exe
C:\Programmer\Fælles filer\InterVideo\RegMgr\iviRegMgr.exe
C:\Programmer\Java\jre6\bin\jqs.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\Programmer\Google\Google Desktop Search\GoogleDesktop.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Programmer\Java\jre6\bin\jusched.exe
C:\Programmer\iTunes\iTunesHelper.exe
C:\Programmer\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\Skype\Phone\Skype.exe
C:\Programmer\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Programmer\Google\Google Desktop Search\GoogleDesktop.exe
C:\Programmer\iPod\bin\iPodService.exe
C:\WINDOWS\system32\igfxext.exe
C:\DOCUME~1\MARIEA~1\LOKALE~1\Temp\RtkBtMnt.exe
C:\Programmer\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmer\Skype\Toolbars\Shared\SkypeNames2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmer\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Marie Aalborg\Skrivebord\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.dk/
mDefault_Page_URL = hxxp://global.acer.com
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0406&s=0&o=xph&d=1208&m=aoa150
uInternet Settings,ProxyOverride = *.local
mWinlogon: Taskman=c:\documents and settings\marie aalborg\ctfmon.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\programmer\fælles filer\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\programmer\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\programmer\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\programmer\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programmer\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programmer\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\programmer\google\google toolbar\GoogleToolbar_32.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\programmer\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MSMSGS] "c:\programmer\messenger\msmsgs.exe" /background
uRun: [Skype] "c:\programmer\skype\phone\Skype.exe" /nosplash /minimized
uRun: [{6D46A0D8-0FF6-3E87-E721-8F457C31B89A}] "c:\documents and settings\marie aalborg\application data\carulo\ihqaa.exe"
mRun: [LaunchApp] Alaunch
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:\programmer\realtek\audio\installshield\AzMixerSel.exe
mRun: [SynTPEnh] c:\programmer\synaptics\syntp\SynTPEnh.exe
mRun: [Adobe Reader Speed Launcher] "c:\programmer\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [LManager] c:\progra~1\launch~1\QtZgAcer.EXE
mRun: [Google Desktop Search] "c:\programmer\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [PLFSetL] c:\windows\PLFSetL.exe
mRun: [snp2uvc] c:\windows\vsnp2uvc.exe
mRun: [WarReg_PopUp] c:\acer\wr_popup\WarReg_PopUp.exe /normal-run1
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
mRun: [SunJavaUpdateSched] "c:\programmer\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\programmer\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\programmer\itunes\iTunesHelper.exe"
mRun: [MSSE] "c:\programmer\microsoft security essentials\msseces.exe" -hide -runkey
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\menuen~1\progra~1\start\interv~1.lnk - c:\programmer\intervideo\common\bin\WinCinemaMgr.exe
IE: E&ksporter til Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki ... - c:\programmer\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programmer\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\programmer\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-01.sun.com/s/ESD7/JSCDL/jdk/6u12-b04/jinstall-6u12-windows-i586-jc.cab?e=1236164662974&h=14e396bf076c565f33242163b51ffa8a/&filename=jinstall-6u12-windows-i586-jc.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\programmer\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\fllesf~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mariea~1\applic~1\mozilla\firefox\profiles\n7wky35g.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\programmer\google\update\1.2.183.23\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\programmer\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\programmer\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\programmer\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\programmer\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\programmer\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\programmer\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\programmer\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\programmer\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\programmer\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\programmer\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\programmer\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\programmer\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\programmer\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\programmer\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\programmer\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\programmer\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\programmer\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\programmer\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\programmer\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\programmer\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\programmer\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\programmer\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\programmer\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\programmer\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\programmer\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\programmer\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\programmer\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\programmer\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\programmer\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\programmer\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\programmer\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\programmer\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\programmer\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\programmer\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\programmer\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\programmer\mozilla firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".dk");
c:\programmer\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\programmer\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\programmer\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\programmer\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\programmer\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\programmer\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\programmer\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\programmer\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\programmer\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\programmer\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\programmer\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\programmer\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\programmer\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\programmer\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\programmer\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\programmer\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\programmer\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
S2 gupdate;Tjenesten Google Update (gupdate);c:\programmer\google\update\GoogleUpdate.exe [2010-1-31 135664]
S3 GoogleDesktopManager-080708-050100;Google Desktop-administrator 5.7.808.7150;c:\programmer\google\google desktop search\GoogleDesktop.exe [2008-12-25 24064]
S3 USBAAPL;Apple Mobile USB Driver;c:\windows\system32\drivers\usbaapl.sys [2009-1-27 40448]

=============== Created Last 30 ================

2010-07-12 12:59:09 0 d-----w- c:\docume~1\mariea~1\applic~1\Malwarebytes
2010-07-12 12:58:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-12 12:58:51 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-12 12:58:51 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-12 12:58:50 0 d-----w- c:\programmer\Malwarebytes' Anti-Malware
2010-07-09 18:32:12 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-07-09 18:32:12 215920 ----a-w- c:\windows\system32\muweb.dll
2010-07-09 18:32:12 17264 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-07-08 18:16:24 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-07-08 18:07:05 0 d-----w- c:\programmer\Microsoft Security Essentials
2010-07-02 14:53:46 0 d-----w- c:\docume~1\mariea~1\applic~1\Carulo

==================== Find3M ====================

2010-06-23 18:20:39 83414 ----a-w- c:\windows\system32\perfc006.dat
2010-06-23 18:20:39 457902 ----a-w- c:\windows\system32\perfh006.dat
2010-05-04 17:17:07 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:17:01 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:17:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 08:09:40 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:31:39 285696 ----a-w- c:\windows\system32\atmfd.dll
2008-08-21 23:29:28 32768 --sha-w- c:\windows\system32\config\systemprofile\lokale indstillinger\application data\microsoft\feeds cache\index.dat
2008-12-25 18:53:30 32768 --sha-w- c:\windows\system32\config\systemprofile\lokale indstillinger\oversigt\history.ie5\mshist012008122520081226\index.dat

============= FINISH: 14:07:01,66 ===============


Attach:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 25-12-2008 19:55:48
System Uptime: 18-07-2010 13:47:03 (1 hours ago)

Motherboard: Acer | |
Processor: Intel® Atom™ CPU N270 @ 1.60GHz | CPU | 1596/533mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 144 GiB total, 130,126 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP184: 19-04-2010 21:17:28 - Systemkontrolpunkt
RP185: 20-04-2010 21:47:09 - Systemkontrolpunkt
RP186: 22-04-2010 12:28:35 - Systemkontrolpunkt
RP187: 23-04-2010 19:49:52 - Systemkontrolpunkt
RP188: 26-04-2010 00:46:52 - Systemkontrolpunkt
RP189: 27-04-2010 10:24:02 - Systemkontrolpunkt
RP190: 28-04-2010 14:30:50 - Systemkontrolpunkt
RP191: 04-05-2010 00:09:10 - Systemkontrolpunkt
RP192: 09-05-2010 15:16:16 - Systemkontrolpunkt
RP193: 10-05-2010 18:57:45 - Systemkontrolpunkt
RP194: 11-05-2010 21:30:28 - Systemkontrolpunkt
RP195: 12-05-2010 12:37:34 - Software Distribution Service 3.0
RP196: 15-05-2010 15:19:35 - Systemkontrolpunkt
RP197: 17-05-2010 20:10:30 - Systemkontrolpunkt
RP198: 18-05-2010 21:08:30 - Systemkontrolpunkt
RP199: 21-05-2010 21:29:36 - Systemkontrolpunkt
RP200: 24-05-2010 12:42:33 - Systemkontrolpunkt
RP201: 26-05-2010 14:18:26 - Systemkontrolpunkt
RP202: 26-05-2010 14:57:48 - Software Distribution Service 3.0
RP203: 30-05-2010 16:49:49 - Systemkontrolpunkt
RP204: 01-06-2010 14:08:30 - Systemkontrolpunkt
RP205: 02-06-2010 18:20:55 - Systemkontrolpunkt
RP206: 05-06-2010 18:39:42 - Systemkontrolpunkt
RP207: 06-06-2010 18:53:35 - Systemkontrolpunkt
RP208: 07-06-2010 19:58:58 - Systemkontrolpunkt
RP209: 09-06-2010 14:07:16 - Systemkontrolpunkt
RP210: 12-06-2010 23:56:34 - Software Distribution Service 3.0
RP211: 13-06-2010 01:08:17 - Software Distribution Service 3.0
RP212: 13-06-2010 03:00:21 - Software Distribution Service 3.0
RP213: 20-06-2010 14:23:35 - Systemkontrolpunkt
RP214: 22-06-2010 16:51:44 - Avg8 Update
RP215: 23-06-2010 20:16:54 - Software Distribution Service 3.0
RP216: 29-06-2010 14:36:49 - Systemkontrolpunkt
RP217: 01-07-2010 11:46:37 - Systemkontrolpunkt
RP218: 03-07-2010 11:19:10 - Systemkontrolpunkt
RP219: 06-07-2010 11:05:46 - Systemkontrolpunkt
RP220: 08-07-2010 18:25:14 - Removed AVG Free 8.5
RP221: 08-07-2010 18:26:31 - Installed AVG Free 8.5
RP222: 08-07-2010 18:31:35 - Installed AVG Free 8.0
RP223: 08-07-2010 19:58:49 - Removed AVG Free 8.0
RP224: 08-07-2010 19:59:36 - Installed AVG Free 8.0
RP225: 08-07-2010 20:16:23 - Software Distribution Service 3.0
RP226: 09-07-2010 20:47:37 - Software Distribution Service 3.0
RP227: 10-07-2010 15:31:50 - Software Distribution Service 3.0
RP228: 11-07-2010 17:10:26 - Software Distribution Service 3.0
RP229: 12-07-2010 14:33:01 - Software Distribution Service 3.0
RP230: 12-07-2010 18:46:58 - Software Distribution Service 3.0
RP231: 13-07-2010 23:03:54 - Software Distribution Service 3.0
RP232: 14-07-2010 15:09:48 - Software Distribution Service 3.0
RP233: 16-07-2010 19:52:10 - Software Distribution Service 3.0
RP234: 17-07-2010 18:53:07 - OTL Restore Point
RP235: 17-07-2010 19:03:19 - OTL Restore Point
RP236: 18-07-2010 13:58:58 - Software Distribution Service 3.0

==== Installed Programs ======================


Acer Crystal Eye webcam
Acer ScreenSaver
Acrobat.com
Adobe AIR
Adobe Digital Editions
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Atheros for Acer Driver v7.6.0.224_Foxconn Installation Program
AutoUpdate
Bonjour
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
Google Desktop
Google Toolbar for Internet Explorer
Google Update Helper
H.264 Decoder
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB976002-v5)
Hotfix til Windows XP (KB952287)
Hotfix til Windows XP (KB961118)
Hotfix til Windows XP (KB970653-v3)
Hotfix til Windows XP (KB976098-v2)
Hotfix til Windows XP (KB979306)
Hotfix til Windows XP (KB981793)
Huawei modem
Intel® Graphics Media Accelerator Driver
InterVideo Register Manager
InterVideo WinDVD
iTunes
Java™ 6 Update 12
JMicron JMB38X Flash Media Controller
K-Lite Codec Pack 2.54 Full
Launch Manager
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Danish Language Pack
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Antimalware
Microsoft Antimalware Service DA-DK Language Pack
Microsoft Application Error Reporting
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Security Essentials
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
MKV Splitter
Mozilla Firefox (3.6.6)
Opdatering til Windows Internet Explorer 7 (KB976749)
Opdatering til Windows Internet Explorer 7 (KB980182)
Opdatering til Windows XP (KB898461)
Opdatering til Windows XP (KB942763)
Opdatering til Windows XP (KB951978)
Opdatering til Windows XP (KB955759)
Opdatering til Windows XP (KB955839)
Opdatering til Windows XP (KB967715)
Opdatering til Windows XP (KB968389)
Opdatering til Windows XP (KB971737)
Opdatering til Windows XP (KB973687)
Opdatering til Windows XP (KB973815)
QuickTime
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Sikkerhedsopdatering til Windows Internet Explorer 7 (KB938127-v2)
Sikkerhedsopdatering til Windows Internet Explorer 7 (KB958215)
Sikkerhedsopdatering til Windows Internet Explorer 7 (KB960714)
Sikkerhedsopdatering til Windows Internet Explorer 7 (KB961260)
Sikkerhedsopdatering til Windows Internet Explorer 7 (KB963027)
Sikkerhedsopdatering til Windows Internet Explorer 7 (KB969897)
Sikkerhedsopdatering til Windows Internet Explorer 7 (KB972260)
Sikkerhedsopdatering til Windows Internet Explorer 7 (KB974455)
Sikkerhedsopdatering til Windows Internet Explorer 7 (KB976325)
Sikkerhedsopdatering til Windows Internet Explorer 7 (KB978207)
Sikkerhedsopdatering til Windows Internet Explorer 7 (KB982381)
Sikkerhedsopdatering til Windows Media Player (KB952069)
Sikkerhedsopdatering til Windows Media Player (KB954155)
Sikkerhedsopdatering til Windows Media Player (KB968816)
Sikkerhedsopdatering til Windows Media Player (KB973540)
Sikkerhedsopdatering til Windows Media Player (KB978695)
Sikkerhedsopdatering til Windows Media Player (KB979402)
Sikkerhedsopdatering til Windows XP (KB2229593)
Sikkerhedsopdatering til Windows XP (KB923561)
Sikkerhedsopdatering til Windows XP (KB938464)
Sikkerhedsopdatering til Windows XP (KB946648)
Sikkerhedsopdatering til Windows XP (KB950762)
Sikkerhedsopdatering til Windows XP (KB950974)
Sikkerhedsopdatering til Windows XP (KB951066)
Sikkerhedsopdatering til Windows XP (KB951376-v2)
Sikkerhedsopdatering til Windows XP (KB951698)
Sikkerhedsopdatering til Windows XP (KB951748)
Sikkerhedsopdatering til Windows XP (KB952004)
Sikkerhedsopdatering til Windows XP (KB952954)
Sikkerhedsopdatering til Windows XP (KB954211)
Sikkerhedsopdatering til Windows XP (KB954459)
Sikkerhedsopdatering til Windows XP (KB954600)
Sikkerhedsopdatering til Windows XP (KB955069)
Sikkerhedsopdatering til Windows XP (KB956391)
Sikkerhedsopdatering til Windows XP (KB956572)
Sikkerhedsopdatering til Windows XP (KB956744)
Sikkerhedsopdatering til Windows XP (KB956802)
Sikkerhedsopdatering til Windows XP (KB956803)
Sikkerhedsopdatering til Windows XP (KB956841)
Sikkerhedsopdatering til Windows XP (KB956844)
Sikkerhedsopdatering til Windows XP (KB957097)
Sikkerhedsopdatering til Windows XP (KB958644)
Sikkerhedsopdatering til Windows XP (KB958687)
Sikkerhedsopdatering til Windows XP (KB958690)
Sikkerhedsopdatering til Windows XP (KB958869)
Sikkerhedsopdatering til Windows XP (KB959426)
Sikkerhedsopdatering til Windows XP (KB960225)
Sikkerhedsopdatering til Windows XP (KB960715)
Sikkerhedsopdatering til Windows XP (KB960803)
Sikkerhedsopdatering til Windows XP (KB960859)
Sikkerhedsopdatering til Windows XP (KB961371)
Sikkerhedsopdatering til Windows XP (KB961373)
Sikkerhedsopdatering til Windows XP (KB961501)
Sikkerhedsopdatering til Windows XP (KB968537)
Sikkerhedsopdatering til Windows XP (KB969059)
Sikkerhedsopdatering til Windows XP (KB969898)
Sikkerhedsopdatering til Windows XP (KB969947)
Sikkerhedsopdatering til Windows XP (KB970238)
Sikkerhedsopdatering til Windows XP (KB970430)
Sikkerhedsopdatering til Windows XP (KB971468)
Sikkerhedsopdatering til Windows XP (KB971486)
Sikkerhedsopdatering til Windows XP (KB971557)
Sikkerhedsopdatering til Windows XP (KB971633)
Sikkerhedsopdatering til Windows XP (KB971657)
Sikkerhedsopdatering til Windows XP (KB971961)
Sikkerhedsopdatering til Windows XP (KB972270)
Sikkerhedsopdatering til Windows XP (KB973346)
Sikkerhedsopdatering til Windows XP (KB973354)
Sikkerhedsopdatering til Windows XP (KB973507)
Sikkerhedsopdatering til Windows XP (KB973525)
Sikkerhedsopdatering til Windows XP (KB973869)
Sikkerhedsopdatering til Windows XP (KB973904)
Sikkerhedsopdatering til Windows XP (KB974112)
Sikkerhedsopdatering til Windows XP (KB974318)
Sikkerhedsopdatering til Windows XP (KB974392)
Sikkerhedsopdatering til Windows XP (KB974571)
Sikkerhedsopdatering til Windows XP (KB975025)
Sikkerhedsopdatering til Windows XP (KB975467)
Sikkerhedsopdatering til Windows XP (KB975560)
Sikkerhedsopdatering til Windows XP (KB975561)
Sikkerhedsopdatering til Windows XP (KB975562)
Sikkerhedsopdatering til Windows XP (KB975713)
Sikkerhedsopdatering til Windows XP (KB977165)
Sikkerhedsopdatering til Windows XP (KB977816)
Sikkerhedsopdatering til Windows XP (KB977914)
Sikkerhedsopdatering til Windows XP (KB978037)
Sikkerhedsopdatering til Windows XP (KB978251)
Sikkerhedsopdatering til Windows XP (KB978262)
Sikkerhedsopdatering til Windows XP (KB978338)
Sikkerhedsopdatering til Windows XP (KB978542)
Sikkerhedsopdatering til Windows XP (KB978601)
Sikkerhedsopdatering til Windows XP (KB978706)
Sikkerhedsopdatering til Windows XP (KB979309)
Sikkerhedsopdatering til Windows XP (KB979482)
Sikkerhedsopdatering til Windows XP (KB979559)
Sikkerhedsopdatering til Windows XP (KB979683)
Sikkerhedsopdatering til Windows XP (KB980195)
Sikkerhedsopdatering til Windows XP (KB980218)
Sikkerhedsopdatering til Windows XP (KB980232)
Sikkerhedsopdatering til Windows XP (KB981349)
Skype Toolbars
Skype™ 4.2
Synaptics Pointing Device Driver
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VC80CRTRedist - 8.0.50727.762
VobSub v2.23 (Remove Only)
WebFldrs XP
Windows Internet Explorer 7
AAC Decoder

==== End Of File ===========================


GMER:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-18 23:37:20
Windows 5.1.2600 Service Pack 3
Running: 7v21rd24.exe; Driver: C:\DOCUME~1\MARIEA~1\LOKALE~1\Temp\kgldypod.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\NetworkService\Cookies\system@simply[2].txt 0 bytes
File C:\Documents and Settings\NetworkService\Cookies\[email protected][3].txt 0 bytes
File C:\Documents and Settings\NetworkService\Lokale indstillinger\Temporary Internet Files\Content.IE5\3V5PI6BZ\st[6] 0 bytes

---- EOF - GMER 1.0.15 ----
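The DDS Pseudo HJT report and the MBAM log above are read by eye. As an added example that is not part of this thread, the Python below applies the same checks a helper makes on the Run and Winlogon lines: a system-binary name (ctfmon.exe, lsass.exe) launched from outside system32, an executable living under the user profile or Temp, and a Run value named by a bare GUID. The lines in SAMPLE_DDS are taken from the report above, except the rthdbpl line, which is constructed from the Explorer\Run value that MBAM quarantined.

```python
import re
from typing import Dict, List, Optional

# Windows binaries that, on XP, legitimately run only from %SystemRoot%\system32.
SYSTEM_ONLY_NAMES = {"ctfmon.exe", "lsass.exe", "svchost.exe", "csrss.exe",
                     "winlogon.exe", "services.exe"}

# Path fragments writable by the interactive user on an XP layout (any locale, 8.3 or long names).
USER_WRITABLE_MARKERS = ("\\documents and settings\\", "\\docume~1\\", "\\temp\\", "\\appdata\\")
SYSTEM_DIR_MARKERS = ("\\windows\\system32\\", "\\winnt\\system32\\")

# DDS line shapes: "uRun: [name] command" (also mRun/dRun) and "mWinlogon: Key=command".
RUN_LINE = re.compile(r"^(?P<hive>[umd])Run:\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.*)$", re.I)
WINLOGON_LINE = re.compile(r"^mWinlogon:\s+(?P<key>\w+)=(?P<cmd>.*)$", re.I)
GUID_NAME = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)

# Sample report: lines from the DDS Pseudo HJT report above, plus one CONSTRUCTED mRun line
# modelled on the Explorer\Run value MBAM quarantined (rthdbpl -> SystemProc\lsass.exe).
SAMPLE_DDS = r"""
mWinlogon: Taskman=c:\documents and settings\marie aalborg\ctfmon.exe
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\programmer\skype\phone\Skype.exe" /nosplash /minimized
uRun: [{6D46A0D8-0FF6-3E87-E721-8F457C31B89A}] "c:\documents and settings\marie aalborg\application data\carulo\ihqaa.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [MSSE] "c:\programmer\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [rthdbpl] c:\documents and settings\marie aalborg\application data\systemproc\lsass.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
"""


def executable_path(cmd: str) -> str:
    """Return the program part of a Run command: the quoted path, or everything up to '.exe'."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)", cmd, re.I)
    return m.group(1) if m else cmd


def triage_entry(source: str, name: str, cmd: str) -> Optional[Dict[str, str]]:
    """Apply the three checks to one autorun entry; None means nothing suspicious."""
    path = executable_path(cmd).lower()
    base = path.rsplit("\\", 1)[-1]
    reasons: List[str] = []
    if base in SYSTEM_ONLY_NAMES and not any(m in path for m in SYSTEM_DIR_MARKERS):
        reasons.append("system binary name '%s' outside system32" % base)
    if any(m in path for m in USER_WRITABLE_MARKERS):
        reasons.append("launches from a user-writable profile/temp directory")
    if GUID_NAME.match(name):
        reasons.append("Run value named by a bare GUID")
    if not reasons:
        return None
    return {"source": source, "name": name, "path": path, "reasons": "; ".join(reasons)}


def triage_dds(report: str) -> List[Dict[str, str]]:
    """Walk a DDS Pseudo HJT report and collect the entries that fail a check."""
    findings: List[Dict[str, str]] = []
    for line in report.splitlines():
        line = line.strip()
        m = RUN_LINE.match(line)
        if m:
            hit = triage_entry(m["hive"] + "Run", m["name"], m["cmd"])
        else:
            w = WINLOGON_LINE.match(line)
            if not w:
                continue
            hit = triage_entry("Winlogon\\" + w["key"], w["key"], w["cmd"])
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for hit in triage_dds(SAMPLE_DDS):
        print("[%s] %s: %s\n    -> %s" % (hit["source"], hit["name"], hit["path"], hit["reasons"]))
```

The script flags the Taskman ctfmon.exe, the GUID-named Carulo entry and the SystemProc lsass.exe while leaving the system32 and Program Files entries alone; it is a first-pass filter, and each hit still has to be confirmed the way the helper does here.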

#4
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
OK, please do the following:
Download Bootkit Remover to your desktop.
This is a .rar file; if you do not have a programme to open it, download and install PeaZip.

Extract Remover.exe to your desktop
Double click on Remover.exe
It will show a Black screen with some data on it
Right click on the screen and select Mark
Then use your mouse to select the info in the black screen, then hit the Enter key to copy it to the clipboard.
Open Notepad and press Control+V to paste in the contents.

Post the resultant log here please.

#5
bukowski

    Member

  • Topic Starter
  • 12 posts
Bootkit remover:

Bootkit Remover version 1.0.0.1
© 2009 eSage Lab
www.esagelab.com

\\.\C: -> \\.\PhysicalDrive0
MD5: 454f8f8f464d74f8b4b6306cbff41597

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>


Press any key to quit...

#6
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Do you have your XP disk handy? We will need it to do the repair.

#7
bukowski

    Member

  • Topic Starter
  • 12 posts
I'm afraid not. The computer came with XP installed on it.

#8
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
OK, we can attempt to repair it, but you may or may not have problems with the repair.
I suggest that you back up your important documents/files before proceeding.

Let me know when that is done and also run this tool below as well.
  • Please download mbrcheck from Here
  • Save that file to your desktop and double click on it to run it.
  • It will show a Black screen with some data on it
  • Right click on the screen and select Mark
  • Then take your mouse and select the info in the black screen then hit the enter key to copy it to the clipboard.
  • Open a notepad and press Control+V to paste in the contents.

Post the resultant text here please.
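Bootkit Remover reported "Unknown boot code" for \\.\PhysicalDrive0 after hashing the sector, and mbrcheck performs a similar test. As an added example that is not part of this thread and is not the code of either tool, the Python below shows what such a check consists of: read one 512-byte master boot sector, validate the 0x55AA signature and the partition table, and compare the MD5 of the 440-byte boot code region against a baseline of known-good hashes. The sector bytes and the baseline are constructed here; a real baseline comes from a clean install of the same Windows version, never from the suspect machine.

```python
import hashlib
import struct
from typing import Dict, List, Set

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440            # bytes 0..439: boot code, the region a bootkit patches
PART_TABLE_OFF = 446           # four 16-byte partition entries follow the disk signature
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511 of every valid MBR


def parse_partition(entry: bytes) -> Dict[str, int]:
    """Decode one 16-byte entry: status | CHS start(3) | type | CHS end(3) | LBA start | sectors."""
    status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
    return {"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors}


def inspect_mbr(sector: bytes, baseline_md5: Set[str]) -> Dict[str, object]:
    """Sanity-check an MBR and compare its boot code hash against known-good hashes."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    findings: List[str] = []
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    parts = [parse_partition(sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)])
             for i in range(4)]
    used = sorted((p for p in parts if p["type"] != 0), key=lambda p: p["lba_start"])
    if sum(1 for p in used if p["status"] == 0x80) != 1:
        findings.append("expected exactly one active (0x80) partition")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append("invalid partition status byte 0x%02x" % p["status"])
    for prev, nxt in zip(used, used[1:]):
        if prev["lba_start"] + prev["sectors"] > nxt["lba_start"]:
            findings.append("overlapping partition entries")
            break
    # Hash only the boot code: the disk signature and partition table differ per machine,
    # so a baseline keyed on the whole sector would never match across hosts.
    boot_md5 = hashlib.md5(sector[:BOOT_CODE_LEN]).hexdigest()
    if boot_md5 not in baseline_md5:
        findings.append("boot code does not match any known-good baseline")
    return {"boot_code_md5": boot_md5, "partitions": used, "findings": findings}


def build_sample_mbr(boot_code: bytes) -> bytes:
    """CONSTRUCTED test sector: caller-supplied boot code, one active NTFS partition."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    sector[440:444] = b"\x11\x22\x33\x44"   # disk signature (constructed value)
    # active (0x80), type 0x07 (NTFS), LBA 63, 144 GiB in 512-byte sectors (the C: size above)
    sector[PART_TABLE_OFF:PART_TABLE_OFF + 16] = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 301_989_888)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed stand-in for clean boot code (a few real x86 prologue bytes, then NOP padding).
CLEAN_BOOT_CODE = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0]) + b"\x90" * (BOOT_CODE_LEN - 5)
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE)
BASELINE = {hashlib.md5(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()}

# Tampered copy: a few bytes changed inside the boot code, partition table left intact,
# which is why a partition-table-only check cannot see it and the hash comparison can.
TAMPERED_MBR = bytearray(CLEAN_MBR)
TAMPERED_MBR[0x10:0x13] = b"\xE9\x00\x01"
TAMPERED_MBR = bytes(TAMPERED_MBR)

if __name__ == "__main__":
    for label, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        result = inspect_mbr(mbr, BASELINE)
        print(label, result["boot_code_md5"], result["findings"] or "OK")
```

A sector dumped with the remover's dump command can be fed to inspect_mbr in place of the constructed bytes; the output is evidence for a decision, and on a machine like this one the actual repair is still rewriting the MBR from a trusted source, as the helper is preparing to do.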





