I have something, not sure what



Post by Whirly on 25th July 2009, 3:08 am

Lately my google searches have been redirecting and many ads on websites have been for some penis enlargement, so I figured something was up.

Also, every so often I get a message asking me to allow something, which tells me my browser is unsafe. One time I hit Allow, and it installed winifighter. I used Malwarebytes to remove that, but the other problems are still there. Malwarebytes did not pick anything up from this log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:04:51 PM, on 7/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Razer\Habu\razerhid.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\iMicro\NT-USB54M\Installer\WINXP\NT-USB54M Wireless Client Utility.exe
C:\Program Files\Razer\Habu\razerofa.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Slacker\Software Player\slacker.tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Documents and Settings\Family\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Family\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Family\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Family\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Family\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Family\My Documents\Downloads\spamzilla.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Ask.com Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Ask.com Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"
O4 - HKLM\..\Run: [USS] "C:\Program Files\USS\USS.exe"
O4 - HKLM\..\Run: [Habu] C:\Program Files\Razer\Habu\razerhid.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Tunebite] C:\Program Files\RapidSolution\Tunebite\Tunebite.exe -tray
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKUS\S-1-5-21-1801674531-115176313-725345543-1005\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Family_2')
O4 - HKUS\S-1-5-21-1801674531-115176313-725345543-1005\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'Family_2')
O4 - HKUS\S-1-5-21-1801674531-115176313-725345543-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Family_2')
O4 - HKUS\S-1-5-18\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'Default user')
O4 - S-1-5-21-1801674531-115176313-725345543-1005 Startup: PowerReg Scheduler V3.exe (User 'Family_2')
O4 - S-1-5-21-1801674531-115176313-725345543-1005 User Startup: PowerReg Scheduler V3.exe (User 'Family_2')
O4 - Startup: Slacker Tray App.lnk = C:\Program Files\Slacker\Software Player\slacker.tray.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NT-USB54M Wireless Client Utility.lnk = C:\Program Files\iMicro\NT-USB54M\Installer\WINXP\NT-USB54M Wireless Client Utility.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - [You must be registered and logged in to see this link.] Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - [You must be registered and logged in to see this link.] Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - [You must be registered and logged in to see this link.] Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - [You must be registered and logged in to see this link.] Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - [You must be registered and logged in to see this link.] Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - [You must be registered and logged in to see this link.] Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - [You must be registered and logged in to see this link.]
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 12141 bytes

Thanks!

Whirly (Novice) | Posts: 11 | Joined: 2009-07-25 | OS: XP SP3

Re: I have something, not sure what

Post by Belahzur on 25th July 2009, 6:32 pm

Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

  • Ask Toolbar

Next,

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.

Belahzur (Administrator) | Posts: 34918 | Joined: 2008-08-03 | Gender: Male | OS: 7 Home Premium x64
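
Belahzur picks two lines out of the HijackThis log by eye: the start page reset to about:blank and a BHO entry with no file behind it. The script below is an added example written for this page, not a tool from the thread or from the HijackThis or DDS authors. It applies the same kind of triage heuristics mechanically to HijackThis-style R0/O2/O4 lines and to DDS "Created Last 30" entries, so a helper can scan a long log for entries worth a closer look. The sample lines are constructed, modelled on the logs posted in this thread; the rule names and the thresholds (a mixed letter/digit file name of eight or more characters in system32 counted as "random-looking", and Temp/Downloads/Application Data paths counted as user-writable) are my own assumptions, and a hit means "worth a human look", not a verdict.

```python
"""Heuristic triage of HijackThis / DDS log lines (added example, not from the thread)."""
import re
from typing import List, Optional, Tuple

# Constructed sample, modelled on the HijackThis and DDS logs posted in the thread.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyOverride = *.local
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\\Program Files\\Siber Systems\\AI RoboForm\\roboform.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\\..\\Run: [avgnt] "C:\\Program Files\\Avira\\AntiVir Desktop\\avgnt.exe" /min
O4 - HKCU\\..\\Run: [Google Update] "C:\\Documents and Settings\\Family\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe" /c
O4 - HKCU\\..\\Run: [updater] C:\\Documents and Settings\\Family\\Local Settings\\Temp\\updater.exe
2009-07-26 19:03 17,765 a------- c:\\windows\\system32\\5z49w9rm575.ocx
2009-07-26 13:18 116,224 ac------ c:\\windows\\system32\\dllcache\\xrxwiadr.dll
"""

# Assumed heuristics: autoruns living in user-writable folders, and DDS
# "Created Last 30" lines (date time size attrs path).
USER_WRITABLE = re.compile(r"\\(temp|downloads|application data|local settings)\\", re.IGNORECASE)
DDS_CREATED = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+[\d,]+\s+\S+\s+(?P<path>.+)$")
# A name stem of 8+ alphanumerics containing both letters and digits is treated as random-looking.
RANDOM_NAME = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{8,}$", re.IGNORECASE)

Finding = Tuple[str, str]  # (rule name, offending line)


def triage_line(line: str) -> Optional[Finding]:
    """Return a (rule, line) finding for one log line, or None if nothing stands out."""
    line = line.strip()
    if not line:
        return None

    # R0/R1: IE start page that is not a plain http(s) URL (about:blank, res://, local file ...)
    if line.startswith(("R0 -", "R1 -")) and "Start Page" in line:
        value = line.split("=", 1)[1].strip()
        if not value.lower().startswith(("http://", "https://")):
            return ("start-page", line)

    # O2: Browser Helper Object registered but its DLL is gone (orphaned or hidden entry)
    if line.startswith("O2 - BHO:") and line.endswith("(no file)"):
        return ("orphan-bho", line)

    # O4: autorun whose binary sits in a folder any user process can write to
    if line.startswith("O4 -") and USER_WRITABLE.search(line):
        return ("autorun-user-writable", line)

    # DDS: recently created file directly in system32 with a random-looking name
    m = DDS_CREATED.match(line)
    if m:
        path = m.group("path").lower()
        if "\\system32\\" in path and "\\dllcache\\" not in path:
            stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if RANDOM_NAME.match(stem):
                return ("random-name-system32", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over every line and collect the hits in log order."""
    findings = []
    for raw in log_text.splitlines():
        hit = triage_line(raw)
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"[{rule:<22}] {line}")
```

Run against the sample it reports five lines: the about:blank start page, the orphaned BHO, both HKCU autoruns under Local Settings, and the random-looking .ocx in system32. The Google Update hit is the deliberate false positive: Google's updater legitimately lives under Application Data, which is exactly why the output is a review list for a helper like Belahzur rather than a list of things to delete.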

Re: I have something, not sure what

Post by Whirly on 25th July 2009, 9:04 pm

Quick question: I had a friend look at my log, and he said that I would need to remove these:

O4 - S-1-5-21-1801674531-115176313-725345543-1005 Startup: PowerReg Scheduler V3.exe (User 'Family_2')
O4 - S-1-5-21-1801674531-115176313-725345543-1005 User Startup: PowerReg Scheduler V3.exe (User 'Family_2')

Is he wrong, or are these irrelevant?

Re: I have something, not sure what

Post by Belahzur on 25th July 2009, 10:30 pm

Info for those two:
[You must be registered and logged in to see this link.]

You can remove them as well.

Re: I have something, not sure what

Post by Whirly on 26th July 2009, 1:24 am

Malwarebytes' Anti-Malware 1.39
Database version: 2498
Windows 5.1.2600 Service Pack 3

7/25/2009 8:20:19 PM
mbam-log-2009-07-25 (20-20-19).txt

Scan type: Quick Scan
Objects scanned: 106778
Time elapsed: 9 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I am still getting redirects and bad ads

Re: I have something, not sure what

Post by Whirly on 26th July 2009, 2:02 am

[You must be registered and logged in to see this link.] wrote: Info for those two:
[You must be registered and logged in to see this link.]

You can remove them as well.

That website doesn't really help in removing it.

Re: I have something, not sure what

Post by Belahzur on 26th July 2009, 8:56 pm

Please download GooredFix from one of the locations below and save it to your Desktop
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

Re: I have something, not sure what

Post by Whirly on 26th July 2009, 8:57 pm

Is it just Firefox that should be closed, or are all browsers supposed to be closed?

Re: I have something, not sure what

Post by Belahzur on 26th July 2009, 9:06 pm

Both.

Re: I have something, not sure what

Post by Whirly on 27th July 2009, 3:18 am

GooredFix by jpshortstuff (12.07.09)
Log created at 22:14 on 26/07/2009 (Family)
Firefox version 3.0.11 (en-US)

========== GooredScan ==========

C:\Program Files\Mozilla Firefox\extensions\
[You must be registered and logged in to see this link.] [16:25 26/11/2009]
{972ce4c6-7e08-4474-a285-3208198ce6fd} [02:55 19/01/2008]
{B13721C7-F507-4982-B2E5-502A71474FED} [00:32 10/11/2008]
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [18:02 21/01/2008]
{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} [01:30 23/05/2008]
{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} [03:00 25/07/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{22119944-ED35-4ab1-910B-E619EA06A115}"="C:\Program Files\Siber Systems\AI RoboForm\Firefox" [01:28 14/05/2009]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [03:59 24/11/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [03:00 25/07/2009]

-=E.O.F=-

Re: I have something, not sure what

Post by Whirly on 27th July 2009, 3:18 am

I believe I got the virus/malware/spyware/whatever while using Google Chrome, although I used Firefox a lot until recently.

Re: I have something, not sure what

Post by Belahzur on 27th July 2009, 9:28 pm


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the reports to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.

Re: I have something, not sure what

Post by Whirly on 28th July 2009, 5:20 am


DDS (Ver_09-06-26.01) - NTFSx86
Run by Family at 0:15:23.43 on Tue 07/28/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.162 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE
C:\Program Files\Razer\Habu\razerhid.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Razer\Habu\razerofa.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\iMicro\NT-USB54M\Installer\WINXP\NT-USB54M Wireless Client Utility.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Slacker\Software Player\slacker.tray.exe
C:\Documents and Settings\Family\My Documents\Downloads\helperApp.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Family\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [Tunebite] c:\program files\rapidsolution\tunebite\Tunebite.exe -tray
uRun: [Google Update] "c:\documents and settings\family\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
uRun: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\RegistryBooster.exe /S
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MimBoot] c:\progra~1\musicm~1\musicm~1\mimboot.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [EPSON Stylus CX4800 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"
mRun: [USS] "c:\program files\uss\USS.exe"
mRun: [Habu] c:\program files\razer\habu\razerhid.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SpyHunter Security Suite] c:\program files\enigma software group\spyhunter\SpyHunter3.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
StartupFolder: c:\docume~1\family\startm~1\programs\startup\slacke~1.lnk - c:\program files\slacker\software player\slacker.tray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nt-usb~1.lnk - c:\program files\imicro\nt-usb54m\installer\winxp\NT-USB54M Wireless Client Utility.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: clubbing.com
Trusted Zone: live.com\login
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - [You must be registered and logged in to see this link.]
DPF: {33564D57-0000-0010-8000-00AA00389B71} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - [You must be registered and logged in to see this link.]
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll

Re: I have something, not sure what

Post by Whirly on 28th July 2009, 5:21 am

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\family\applic~1\mozilla\firefox\profiles\qdru5n14.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - swagbucks.com
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\family\application data\mozilla\firefox\profiles\qdru5n14.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll
FF - component: c:\documents and settings\family\application data\mozilla\firefox\profiles\qdru5n14.default\extensions\{c713321b-c24b-4538-80eb-bc6bff259c2d}\components\FFAlert.dll
FF - component: c:\documents and settings\family\application data\mozilla\firefox\profiles\qdru5n14.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\family\application data\mozilla\firefox\profiles\qdru5n14.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\documents and settings\family\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-7-22 130936]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-7-22 11608]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-22 55640]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2009-5-28 108032]
S3 DrmCDriverV32;DrmCDriverV32;c:\windows\system32\drivers\DrmCDriverV32.sys [2008-5-13 508544]
S3 DrmCVideo32;DrmCVideo32;c:\windows\system32\drivers\DrmCVideo32.sys [2008-5-13 3768]

=============== Created Last 30 ================

2009-07-26 19:03 17,765 a------- c:\windows\system32\5z49w9rm575.ocx
2009-07-26 13:18 116,224 ac------ c:\windows\system32\dllcache\xrxwiadr.dll
2009-07-26 13:18 23,040 ac------ c:\windows\system32\dllcache\xrxwbtmp.dll
2009-07-26 13:16 87,040 ac------ c:\windows\system32\dllcache\wiafbdrv.dll
2009-07-26 13:15 24,576 ac------ c:\windows\system32\dllcache\viairda.sys
2009-07-26 13:14 26,624 ac------ c:\windows\system32\dllcache\umaxu22.dll
2009-07-26 13:14 69,632 ac------ c:\windows\system32\dllcache\umaxu12.dll
2009-07-26 13:14 50,688 ac------ c:\windows\system32\dllcache\umaxscan.dll
2009-07-26 13:14 22,912 ac------ c:\windows\system32\dllcache\umaxpcls.sys
2009-07-26 13:14 50,176 ac------ c:\windows\system32\dllcache\umaxp60.dll
2009-07-26 13:14 47,616 ac------ c:\windows\system32\dllcache\umaxcam.dll
2009-07-26 13:14 211,968 ac------ c:\windows\system32\dllcache\um54scan.dll
2009-07-26 13:14 216,064 ac------ c:\windows\system32\dllcache\um34scan.dll
2009-07-26 13:14 36,736 ac------ c:\windows\system32\dllcache\ultra.sys
2009-07-26 13:14 11,520 ac------ c:\windows\system32\dllcache\twotrack.sys
2009-07-26 13:14 166,784 ac------ c:\windows\system32\dllcache\tridxpm.sys
2009-07-26 13:14 525,568 ac------ c:\windows\system32\dllcache\tridxp.dll
2009-07-26 13:14 159,232 ac------ c:\windows\system32\dllcache\tridkbm.sys
2009-07-26 13:12 81,408 ac------ c:\windows\system32\dllcache\tgiul50.dll
2009-07-26 13:12 149,376 ac------ c:\windows\system32\dllcache\tffsport.sys
2009-07-26 13:12 17,129 ac------ c:\windows\system32\dllcache\tdkcd31.sys
2009-07-26 13:12 37,961 ac------ c:\windows\system32\dllcache\tdk100b.sys
2009-07-26 13:12 30,464 ac------ c:\windows\system32\dllcache\tbatm155.sys
2009-07-26 13:12 7,040 ac------ c:\windows\system32\dllcache\tandqic.sys
2009-07-26 13:12 36,640 ac------ c:\windows\system32\dllcache\t2r4mini.sys
2009-07-26 13:12 172,768 ac------ c:\windows\system32\dllcache\t2r4disp.dll
2009-07-26 13:12 32,640 ac------ c:\windows\system32\dllcache\symc8xx.sys
2009-07-26 13:12 16,256 ac------ c:\windows\system32\dllcache\symc810.sys
2009-07-26 13:12 30,688 ac------ c:\windows\system32\dllcache\sym_u3.sys
2009-07-26 13:12 28,384 ac------ c:\windows\system32\dllcache\sym_hi.sys
2009-07-26 13:10 24,660 ac------ c:\windows\system32\dllcache\spxupchk.dll
2009-07-26 13:09 35,913 ac------ c:\windows\system32\dllcache\smcirda.sys
2009-07-26 13:08 252,032 ac------ c:\windows\system32\dllcache\sis300iv.dll
2009-07-26 13:07 495,616 ac------ c:\windows\system32\dllcache\sblfx.dll
2009-07-26 13:06 30,720 ac------ c:\windows\system32\dllcache\rthwcls.sys
2009-07-26 13:06 9,216 ac------ c:\windows\system32\dllcache\rsmgrstr.dll
2009-07-26 13:06 3,840 ac------ c:\windows\system32\dllcache\rpfun.sys
2009-07-26 13:06 79,104 ac------ c:\windows\system32\dllcache\rocket.sys
2009-07-26 13:06 37,563 ac------ c:\windows\system32\dllcache\rlnet5.sys
2009-07-26 13:06 86,097 ac------ c:\windows\system32\dllcache\reslog32.dll
2009-07-26 13:06 19,584 ac------ c:\windows\system32\dllcache\rasirda.sys
2009-07-26 13:06 714,762 ac------ c:\windows\system32\dllcache\r2mdmkxx.sys
2009-07-26 13:06 899,146 ac------ c:\windows\system32\dllcache\r2mdkxga.sys
2009-07-26 13:06 41,472 ac------ c:\windows\system32\dllcache\qvusd.dll
2009-07-26 13:06 3,328 ac------ c:\windows\system32\dllcache\qv2kux.sys
2009-07-26 13:04 121,344 ac------ c:\windows\system32\dllcache\phvfwext.dll
2009-07-26 13:03 30,282 ac------ c:\windows\system32\dllcache\pcntn5hl.sys
2009-07-26 13:02 54,186 ac------ c:\windows\system32\dllcache\otcsercb.sys
2009-07-26 13:01 39,264 ac------ c:\windows\system32\dllcache\neo20xx.sys
2009-07-26 13:00 103,296 ac------ c:\windows\system32\dllcache\mtxvideo.sys
2009-07-26 13:00 5,504 ac------ c:\windows\system32\dllcache\mstee.sys
2009-07-26 13:00 49,024 ac------ c:\windows\system32\dllcache\mstape.sys
2009-07-26 13:00 12,416 ac------ c:\windows\system32\dllcache\msriffwv.sys
2009-07-26 13:00 2,944 ac------ c:\windows\system32\dllcache\msmpu401.sys
2009-07-26 13:00 22,016 ac------ c:\windows\system32\dllcache\msircomm.sys
2009-07-26 13:00 35,200 ac------ c:\windows\system32\dllcache\msgame.sys
2009-07-26 13:00 6,016 ac------ c:\windows\system32\dllcache\msfsio.sys
2009-07-26 13:00 56,832 ac------ c:\windows\system32\dllcache\msdvbnp.ax
2009-07-26 13:00 51,200 ac------ c:\windows\system32\dllcache\msdv.sys
2009-07-26 13:00 17,280 ac------ c:\windows\system32\dllcache\mraid35x.sys
2009-07-26 13:00 15,232 ac------ c:\windows\system32\dllcache\mpe.sys
2009-07-26 12:58 727,786 ac------ c:\windows\system32\dllcache\ltck000c.sys
2009-07-26 12:57 26,624 ac------ c:\windows\system32\dllcache\irstusb.sys
2009-07-26 12:56 154,496 ac------ c:\windows\system32\dllcache\icam4usb.sys
2009-07-26 12:55 57,471 ac------ c:\windows\system32\dllcache\hsf_samp.sys
2009-07-26 12:54 2,688 ac------ c:\windows\system32\dllcache\hidswvd.sys
2009-07-26 12:53 16,074 ac------ c:\windows\system32\dllcache\fa312nd5.sys
2009-07-26 12:52 6,400 ac------ c:\windows\system32\dllcache\enum1394.sys
2009-07-26 12:51 29,696 ac------ c:\windows\system32\dllcache\dm9pci5.sys
2009-07-26 12:50 14,720 ac------ c:\windows\system32\dllcache\dac960nt.sys
2009-07-26 12:49 272,640 ac------ c:\windows\system32\dllcache\cinemclc.sys
2009-07-26 12:48 13,824 ac------ c:\windows\system32\dllcache\bulltlp3.sys
2009-07-26 12:47 6,272 ac------ c:\windows\system32\dllcache\apmbatt.sys
2009-07-26 12:47 36,224 ac------ c:\windows\system32\dllcache\an983.sys
2009-07-26 12:47 12,032 ac------ c:\windows\system32\dllcache\amsint.sys
2009-07-26 12:47 16,969 ac------ c:\windows\system32\dllcache\amb8002.sys
2009-07-26 12:47 5,248 ac------ c:\windows\system32\dllcache\aliide.sys
2009-07-26 12:47 27,678 ac------ c:\windows\system32\dllcache\ali5261.sys
2009-07-26 12:47 26,624 ac------ c:\windows\system32\dllcache\alifir.sys
2009-07-26 12:47 56,960 ac------ c:\windows\system32\dllcache\aic78xx.sys
2009-07-26 12:47 55,168 ac------ c:\windows\system32\dllcache\aic78u2.sys
2009-07-26 12:47 12,800 ac------ c:\windows\system32\dllcache\aha154x.sys
2009-07-26 12:47 24,576 ac------ c:\windows\system32\dllcache\agcgauge.ax
2009-07-26 12:40 66,048 ac------ c:\windows\system32\dllcache\s3legacy.dll
2009-07-25 20:45 --d----- c:\docume~1\family\applic~1\Uniblue
2009-07-25 20:44 --d----- c:\program files\Uniblue
2009-07-25 20:43 -cd-h--- c:\docume~1\alluse~1\applic~1\{81D4BDA8-1F33-4633-B176-8A7E942ABDE1}
2009-07-24 22:00 --d----- c:\program files\Sun
2009-07-24 22:00 73,728 a------- c:\windows\system32\javacpl.cpl
2009-07-24 21:38 --d----- c:\documents and settings\family\.SunDownloadManager
2009-07-24 17:08 --d----- c:\documents and settings\family\DoctorWeb
2009-07-24 16:40 --d----- c:\program files\Enigma Software Group
2009-07-23 16:58 4,034 a------- c:\windows\15905ot-a-virus9z1.cpl
2009-07-22 15:08 --d----- c:\docume~1\family\applic~1\Malwarebytes
2009-07-22 12:33 --d----- c:\program files\zztoy
2009-07-22 12:13 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-22 12:13 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-22 12:13 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-22 12:13 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-22 12:12 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-07-22 12:12 --d----- c:\program files\Avira
2009-07-22 12:12 --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-07-22 11:29 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-07-22 11:29 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-07-22 11:29 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-07-22 11:29 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-07-22 11:29 --d----- c:\program files\common files\PC Tools
2009-07-22 11:29 --d----- c:\program files\Spyware Doctor
2009-07-22 11:29 --d----- c:\docume~1\family\applic~1\PC Tools
2009-07-22 11:29 --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-07-21 14:43 7,492 a------- c:\windows\23554hacktz9l1e6.cpl
2009-07-21 05:11 11,360 a------- c:\windows\af6b9ckzoor16535.cpl
2009-07-20 23:22 14,614 a------- c:\windows\2625spam9ot45z.dll
2009-07-19 12:12 6,193 a------- c:\windows\system32\16911vzrus9c5.bin
2009-07-18 04:21 8,257 a------- c:\windows\5459zdware385.dll
2009-07-09 00:27 13,438 a------- c:\windows\2d27sp9zar5290.cpl
2009-07-08 22:19 --d----- c:\program files\AutoHotkey
2009-07-07 06:11 17,930 a------- c:\windows\204z2v9rus5c8.bin
2009-07-06 13:02 --d----- c:\docume~1\family\applic~1\Slacker
2009-07-05 07:21 17,220 a------- c:\windows\system32\29956z5ru9259.cpl
2009-07-05 03:43 3,509 a------- c:\windows\1559zparse331.dll
2009-07-03 12:42 7,936 a------- c:\windows\9613hacktoolz599.bin
2009-07-03 04:17 5,934 a------- c:\windows\system32\9d7ethze5t32573.exe
2009-07-01 15:57 12,250 a------- c:\windows\system32\7ez8backd9or1958.exe
2009-06-30 18:37 --d----- c:\docume~1\family\applic~1\TeamViewer
2009-06-30 18:37 --d----- c:\program files\TeamViewer
2009-06-30 18:36 --d----- c:\documents and settings\family\temp
2009-06-28 10:34 21,504 ac------ c:\windows\system32\dllcache\hidserv.dll
2009-06-28 10:34 21,504 a------- c:\windows\system32\hidserv.dll
2009-06-28 10:34 14,592 ac------ c:\windows\system32\dllcache\kbdhid.sys
2009-06-28 10:34 14,592 a------- c:\windows\system32\drivers\kbdhid.sys

==================== Find3M ====================

2009-07-24 22:00 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-27 17:06 5,341 a------- c:\windows\53eetzie59328.dll
2009-06-22 05:12 17,296 a------- c:\windows\5b80virz9985.exe
2009-06-21 18:46 17,700 a------- c:\windows\system32\30029sz9185.bin
2009-06-16 09:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 09:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-15 22:48 17,061 a------- c:\windows\system32\z359vi5us5ae9.bin
2009-06-15 04:35 4,911 a------- c:\windows\279z9wo5m58e.dll
2009-06-14 08:59 6,711 a------- c:\windows\15z89teal540.bin
2009-06-11 10:28 3,502 a------- c:\windows\1e81sza5se2059.dll
2009-06-10 02:15 3,132 a------- c:\windows\z454viru95c75.dll
2009-06-09 18:55 2,895 a------- c:\windows\system32\591tzief15855.dll
2009-06-08 15:46 8,648 a------- c:\windows\51b5ste9l5749z.dll
2009-06-07 23:29 3,977 a------- c:\windows\95553spyz29.dll
2009-06-03 14:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 10:04 12,934 a------- c:\windows\system32\2bz7th5eat11799.dll
2009-06-01 03:24 3,683 a------- c:\windows\system32\19z10w9r57e.exe
2009-05-19 12:03 8,406 a------- c:\windows\system32\92725viruszca.dll
2009-05-17 00:17 15,186 a------- c:\windows\z5459troj5ce.dll
2009-05-13 00:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-09 14:24 16,896 a------- c:\windows\10853z9oj524.bin
2009-05-07 10:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-05 15:51 14,252 a------- c:\windows\system32\73z9not-a9virus6c5.exe
2009-05-05 02:21 9,853 a------- c:\windows\842s5yz9re900.bin
2009-05-05 00:01 14,816 a------- c:\windows\system32\68ac9teal592z.exe
2009-05-03 17:10 5,078 a------- c:\windows\1530wz5m9f5.bin
2009-05-03 01:50 6,525 a------- c:\windows\27733vzr5s5659.exe
2009-05-02 17:29 14,903 a------- c:\windows\system32\20597not-a-9irus178z.bin
2009-04-11 10:06 34 a------- c:\documents and settings\family\jagex_runescape_preferences.dat
2008-12-30 22:06 61,224 a------- c:\documents and settings\family\GoToAssistDownloadHelper.exe

============= FINISH: 0:16:37.82 ===============

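The "Created Last 30" and "Find3M" sections of the DDS log above list several small files with random-looking alphanumeric names sitting directly in c:\windows and c:\windows\system32, next to legitimately named system files. As an added example (not part of the original thread, and not the DDS tool's own code), this Python script parses that log format and flags such entries; the watched directories, extensions and the digit/letter-switching heuristic are my own assumptions, and the sample lines are copied from the log above.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Optional
# Constructed sample: entries copied from the DDS log above, mixed with benign ones.
SAMPLE_LOG = r"""
2009-07-26 19:03 17,765 a------- c:\windows\system32\5z49w9rm575.ocx
2009-07-26 13:18 116,224 ac------ c:\windows\system32\dllcache\xrxwiadr.dll
2009-07-25 20:45 --d----- c:\docume~1\family\applic~1\Uniblue
2009-07-24 22:00 73,728 a------- c:\windows\system32\javacpl.cpl
2009-07-23 16:58 4,034 a------- c:\windows\15905ot-a-virus9z1.cpl
2009-07-21 14:43 7,492 a------- c:\windows\23554hacktz9l1e6.cpl
2009-06-16 09:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-01 03:24 3,683 a------- c:\windows\system32\19z10w9r57e.exe
"""
# One DDS entry: date, time, optional byte count, 8-character attribute field, path.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (?:([\d,]+) )?([a-z-]{8}) (.+)$")
WATCHED_DIRS = {r"c:\windows", r"c:\windows\system32"}  # assumed watchlist, not from DDS
WATCHED_EXTS = {".cpl", ".dll", ".exe", ".bin", ".ocx"}


@dataclass
class Entry:
    date: str
    time: str
    size: Optional[int]  # None for directory entries, which carry no size
    attrs: str
    path: str


def parse_dds(log_text):
    """Parse 'Created Last 30' / 'Find3M' lines; lines that do not match are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            date, time, size, attrs, path = m.groups()
            entries.append(Entry(date, time, int(size.replace(",", "")) if size else None, attrs, path))
    return entries


def looks_random(stem, min_digits=3, min_transitions=3):
    """Heuristic: many digits and frequent digit/letter switches, e.g. '15905ot-a-virus9z1'."""
    core = re.sub(r"[^0-9a-z]", "", stem.lower())
    digits = sum(ch.isdigit() for ch in core)
    transitions = sum(a.isdigit() != b.isdigit() for a, b in zip(core, core[1:]))
    return digits >= min_digits and transitions >= min_transitions


def flag_suspicious(log_text):
    """Return file entries in watched directories whose names look machine-generated."""
    flagged = []
    for e in parse_dds(log_text):
        directory, base = ntpath.split(e.path)
        stem, ext = ntpath.splitext(base)
        if ("d" not in e.attrs and directory.lower() in WATCHED_DIRS
                and ext.lower() in WATCHED_EXTS and looks_random(stem)):
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in flag_suspicious(SAMPLE_LOG):
        print(f"{e.date} {e.time} {e.size:>7} bytes  {e.path}")
```

Legitimate names with a digit or two (t2embed.dll, javacpl.cpl) stay below the thresholds, while the dllcache copies are excluded by directory rather than by name, so a name-based rule never has to judge them.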

Re: I have something, not sure what

Post by Belahzur on 28th July 2009, 4:49 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV. (Avira)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.

  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select yes.
  • Allow combofix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245101
# Likes : 1

Re: I have something, not sure what

Post by Whirly on 30th July 2009, 3:29 am

OK, I ran the thing; it told me there was some rootkit problem, listed 3 files which I wrote down, and restarted. When it restarted, I'm guessing my Avira got re-enabled and therefore every so often a virus thing would pop up. I hit delete for a couple, deny access for most, and ignore for the ones which had combofix as the location.

Then it deleted tons of files and restarted again. Upon restart I waited about 10 minutes for a log; when nothing showed up I closed it and came here after searching in the location specified.


Re: I have something, not sure what

Post by Belahzur on 30th July 2009, 6:30 pm

Hello.
Do you have the Combofix report?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: I have something, not sure what

Post by Whirly on 30th July 2009, 9:53 pm

Like I said, I waited about 10 minutes for a combofix report, but nothing came up so I closed it.

The problems seem to be gone though.


Re: I have something, not sure what

Post by boudreaux79 on 30th July 2009, 10:32 pm

hello

boudreaux79
Beginner
Posts : 3
Joined : 2009-07-30
OS : vista
Points : 26893
# Likes : 0

Re: I have something, not sure what

Post by Origin on 31st July 2009, 3:37 pm

Please download [You must be registered and logged in to see this link.]

  • Next run the file. *Note: If running Vista, right-click and select Run as administrator.
  • Once opened, navigate to the Log tab, select all the areas including the "hidden objects only" box, and click on the Create Log button.
  • A scan will start and then a window will pop up with two options; select Scan all drives.
  • Once finished it will give you the location where the log was saved (usually the desktop). Navigate to that place, open the log, and post all of its contents back here.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Posts : 2685
Joined : 2009-05-05
Gender : Male
OS : Windows Xp Sp3
Points : 31513
# Likes : 0
