Nasty Virus. Help Appreciated.


Nasty Virus. Help Appreciated.

Post by robosheikh on 15th August 2009, 12:06 am

Hello,

I'm new, and it seems my laptop has been infected with a really bad virus. I read the 'before you post' post and tried to follow your instructions to the best of my ability, but I can't uninstall my P2P because Remove Programs won't run; instead I get this: application not found.

I found your site from a previous post that had the same problem as I did. Following your directions to them, I deleted the 'desot.exe' file and now whenever I click something I get the 'open with' window. I feel really dumb. Because of this, HijackThis won't run and that's why I don't have a log to show you.

Please help me get rid of this thing!

Thank you,

Chelsea.

robosheikh (Novice)
Posts: 41
Joined: 2009-08-14
OS: XP
Points: 26783
Likes: 0

Re: Nasty Virus. Help Appreciated.

Post by robosheikh on 15th August 2009, 12:28 am

Also, I was wondering if the Microsoft Recovery Console would help me?

Or am I getting ahead of myself?

tee hee

Thanks again.


Re: Nasty Virus. Help Appreciated.

Post by Belahzur on 15th August 2009, 1:57 am

Hello.
I want to check something.

Please download SystemLook from one of the links below and save it to your Desktop.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:

    :filefind
    scecli.dll
    netlogon.dll

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur (Administrator)
Posts: 34918
Joined: 2008-08-03
Gender: Male
OS: 7 Home Premium x64
Points: 245101
Likes: 1

Re: Nasty Virus. Help Appreciated.

Post by robosheikh on 15th August 2009, 4:13 am

SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 21:06 on 14/08/2009 by Chelsea (Administrator - Elevation successful)

========== filefind ==========

Searching for "scecli.dll"
C:\i386\scecli.dll --a--- 180224 bytes [04:56 07/11/2007] [10:00 04/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\scecli.dll --a--- 181248 bytes [05:03 14/09/2008] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084
C:\WINDOWS\system32\scecli.dll --a--- 180224 bytes [17:51 10/08/2004] [10:00 04/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A

Searching for "netlogon.dll"
C:\i386\netlogon.dll --a--- 407040 bytes [04:55 07/11/2007] [10:00 04/08/2004] 96353FCECBA774BB8DA74A1C6507015A
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\netlogon.dll --a--- 407040 bytes [05:02 14/09/2008] [00:12 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550
C:\WINDOWS\system32\netlogon.dll --a--- 407040 bytes [17:51 10/08/2004] [10:00 04/08/2004] 96353FCECBA774BB8DA74A1C6507015A

-=End Of File=-

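The point of the SystemLook request above is a consistency check: the live copy of each DLL in system32 is compared with the install-media copy in C:\i386, and a differing hash on the live copy means the file has been modified in place or replaced. The Python below is an added example, not part of this thread and not SystemLook's own code, that parses a :filefind log (the log posted above, embedded as a constructed sample) and applies that comparison. It also accounts for the one legitimate reason the hashes differ: a newer copy staged under SoftwareDistribution\Download is a pending Windows Update, so a live file that matches such a staged copy is reported as "updated" rather than as a mismatch.

```python
import re
from collections import defaultdict

# Constructed sample: the ":filefind" section of the SystemLook log posted in this thread,
# embedded verbatim so the script runs offline.
SAMPLE_LOG = r"""
========== filefind ==========

Searching for "scecli.dll"
C:\i386\scecli.dll --a--- 180224 bytes [04:56 07/11/2007] [10:00 04/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\scecli.dll --a--- 181248 bytes [05:03 14/09/2008] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084
C:\WINDOWS\system32\scecli.dll --a--- 180224 bytes [17:51 10/08/2004] [10:00 04/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A

Searching for "netlogon.dll"
C:\i386\netlogon.dll --a--- 407040 bytes [04:55 07/11/2007] [10:00 04/08/2004] 96353FCECBA774BB8DA74A1C6507015A
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\netlogon.dll --a--- 407040 bytes [05:02 14/09/2008] [00:12 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550
C:\WINDOWS\system32\netlogon.dll --a--- 407040 bytes [17:51 10/08/2004] [10:00 04/08/2004] 96353FCECBA774BB8DA74A1C6507015A

-=End Of File=-
"""

SEARCH_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"$')
# "<path> <attrs> <size> bytes [<modified>] [<created>] <md5>"
HIT_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-zA-Z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<modified>[^\]]+)\]\s+\[(?P<created>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_filefind(text):
    """Map each searched file name to the list of hits SystemLook reported for it."""
    results = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = SEARCH_RE.match(line)
        if m:
            current = m.group("name").lower()
            continue
        m = HIT_RE.match(line)
        if m and current is not None:
            hit = m.groupdict()
            hit["size"] = int(hit["size"])
            results[current].append(hit)
    return dict(results)


def assess(hits):
    """Compare the live copy in system32 with the install-media copy in \\i386.

    Returns one of:
      "consistent"  - live hash equals the i386 baseline
      "updated"     - live hash differs from i386 but matches a staged update copy
      "mismatch"    - live hash matches no other copy: modified in place or replaced
                      by something the log does not account for; look closer
      "no-baseline" - either the live copy or the i386 copy was not found
    """
    live = baseline = None
    other_hashes = set()
    for hit in hits:
        path = hit["path"].lower()
        if "\\system32\\" in path:
            live = hit
        elif "\\i386\\" in path:
            baseline = hit
        else:
            # e.g. a copy staged under SoftwareDistribution\Download (pending update)
            other_hashes.add(hit["md5"].upper())
    if live is None or baseline is None:
        return "no-baseline"
    if live["md5"].upper() == baseline["md5"].upper():
        return "consistent"
    if live["md5"].upper() in other_hashes:
        return "updated"
    return "mismatch"


def triage(text):
    """Run the comparison for every file name in a :filefind log."""
    return {name: assess(hits) for name, hits in parse_filefind(text).items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_LOG).items():
        print(f"{name}: {verdict}")
```

On the posted log both DLLs come back "consistent": the system32 copies carry the same MD5 as the i386 copies, and only the staged update copies differ. A "consistent" result only means the live file matches the install media on this machine; it is not proof the file is clean if the media copy itself were tampered with, which is why helpers look at the timestamps and sizes alongside the hashes.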

Re: Nasty Virus. Help Appreciated.

Post by Belahzur on 15th August 2009, 3:26 pm

Hello.

  • Download ComboFix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename ComboFix to Combo-Fix as follows:

    3. It is important you rename ComboFix during the download, but not after.
    4. Please do not rename ComboFix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (anti-virus) before running ComboFix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double-click on ComboFix.exe.
  • Follow the prompts.
    NOTE: ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  • The Recovery Console provides a recovery/repair mode should a problem occur during a ComboFix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select Yes.
  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Nasty Virus. Help Appreciated.

Post by robosheikh on 15th August 2009, 4:29 pm

ComboFix 09-08-10.06 - Chelsea 08/15/2009 8:51.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.446.219 [GMT -7:00]
Running from: c:\documents and settings\Chelsea\Desktop\Combo-Fix.exe
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\desktop.ini
c:\windows\Installer\12d1b9.msi
c:\windows\svchast.exe
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\dddesot.dll


.
((((((((((((((((((((((((( Files Created from 2009-07-15 to 2009-08-15 )))))))))))))))))))))))))))))))
.

2009-08-14 23:37 . 2009-08-14 23:37 -------- d-----w- c:\documents and settings\Chelsea\Local Settings\Application Data\WinZip
2009-08-14 23:37 . 2009-08-14 23:37 -------- d-----w- c:\docume~1\Chelsea\LOCALS~1\APPLIC~1\WinZip
2009-08-14 23:26 . 2009-08-14 23:28 39647808 ----a-w- C:\kav8.0.0.506en.exe
2009-08-14 23:17 . 2009-08-14 23:17 408064 ----a-w- C:\otm.com.exe
2009-08-14 22:47 . 2009-08-14 22:52 1885088 ----a-w- C:\SmitfraudFix.exe
2009-08-14 22:30 . 2009-08-14 23:00 64 ----a-w- c:\windows\ppp4.dat
2009-08-14 22:30 . 2009-08-14 23:00 2 ----a-w- c:\windows\ppp3.dat
2009-08-14 22:30 . 2009-08-14 22:30 36 ----a-w- c:\windows\system32\sysnet.dat
2009-08-14 22:30 . 2009-08-14 22:32 -------- d-----w- c:\program files\Windows Antivirus Pro
2009-08-13 22:05 . 2009-08-13 22:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-13 16:17 . 2009-08-13 16:17 -------- d-----w- C:\ee71a3cb2316055eb437dc31100bb3
2009-08-13 16:15 . 2009-08-13 16:15 -------- d-----w- c:\windows\ServicePackFiles
2009-08-12 19:14 . 2009-06-05 07:42 655872 ------w- c:\windows\system32\dllcache\mstscax.dll
2009-08-05 21:13 . 2009-08-14 23:37 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\WinZip
2009-08-05 09:11 . 2009-08-05 09:11 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-03 19:08 . 2009-08-03 19:08 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Ableton
2009-08-03 19:08 . 2009-08-03 19:08 -------- d-----w- c:\documents and settings\Chelsea\Application Data\Ableton
2009-08-03 19:08 . 2009-08-03 19:08 -------- d-----w- c:\docume~1\Chelsea\APPLIC~1\Ableton
2009-08-03 19:06 . 2009-04-27 16:26 233472 ----a-w- c:\windows\system32\REX Shared Library.dll
2009-08-03 19:06 . 2009-04-27 16:26 368640 ----a-w- c:\windows\system32\ReWire.dll
2009-08-03 19:04 . 2009-08-03 19:04 -------- d-----w- c:\program files\Ableton
2009-08-02 21:47 . 2009-08-02 21:47 -------- d-----w- c:\program files\EA GAMES
2009-07-26 05:59 . 2009-07-13 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-26 05:59 . 2009-07-13 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-26 05:59 . 2009-07-26 05:59 -------- d-----w- c:\program files\g
2009-07-23 22:16 . 2009-07-23 22:16 -------- d-----w- c:\documents and settings\Chelsea\Application Data\Exent Technologies
2009-07-23 22:16 . 2009-07-23 22:16 -------- d-----w- c:\docume~1\Chelsea\APPLIC~1\Exent Technologies
2009-07-23 22:10 . 2009-07-23 22:10 64 ----a-w- c:\windows\GPlrLanc.dat
2009-07-23 22:09 . 2009-07-23 22:10 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Free Ride Games
2009-07-22 05:31 . 2009-07-22 05:36 -------- d-----w- c:\program files\AIM6
2009-07-21 05:22 . 2009-07-21 05:54 -------- d-----w- c:\documents and settings\Chelsea\Local Settings\Application Data\DFH
2009-07-21 05:22 . 2009-07-21 05:54 -------- d-----w- c:\docume~1\Chelsea\LOCALS~1\APPLIC~1\DFH
2009-07-17 20:41 . 2009-07-17 20:41 -------- d-----w- c:\documents and settings\Chelsea\Local Settings\Application Data\Temp
2009-07-17 20:41 . 2009-07-17 20:41 -------- d-----w- c:\docume~1\Chelsea\LOCALS~1\APPLIC~1\Temp
2009-07-17 18:55 . 2009-07-17 18:55 58880 ------w- c:\windows\system32\dllcache\atl.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-13 17:33 . 2009-04-08 22:02 -------- d-----w- c:\program files\a-squared Free
2009-08-08 06:12 . 2007-11-22 17:04 -------- d-----w- c:\documents and settings\Chelsea\Application Data\LimeWire
2009-08-08 06:12 . 2007-11-22 17:04 -------- d-----w- c:\docume~1\Chelsea\APPLIC~1\LimeWire
2009-08-05 09:11 . 2004-08-10 17:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-31 21:41 . 2008-02-11 02:03 -------- d-----w- c:\program files\LimeWire
2009-07-25 17:19 . 2009-04-25 17:19 84992 --sha-w- c:\windows\system32\dadumuja.dll
2009-07-23 22:09 . 2007-10-26 08:38 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-22 05:35 . 2007-10-26 08:51 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Viewpoint
2009-07-21 05:54 . 2008-04-03 02:54 -------- d-----w- c:\documents and settings\Chelsea\Application Data\PlayFirst
2009-07-21 05:54 . 2008-04-03 02:54 -------- d-----w- c:\docume~1\Chelsea\APPLIC~1\PlayFirst
2009-07-21 05:54 . 2009-05-25 20:57 -------- d-----w- c:\program files\Yahoo! Games
2009-07-17 18:55 . 2004-08-10 17:50 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 06:43 . 2004-08-10 17:51 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-05 18:39 . 2009-07-05 18:39 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-06-16 14:55 . 2004-08-10 17:51 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:55 . 2004-08-10 17:51 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 11:50 . 2004-08-10 17:51 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:21 . 2004-08-10 17:50 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2004-08-10 17:51 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 07:42 . 2004-08-10 18:01 655872 ----a-w- c:\windows\system32\mstscax.dll
2009-06-03 19:27 . 2004-08-10 17:51 1290752 ----a-w- c:\windows\system32\quartz.dll
2009-06-03 01:14 . 2007-12-16 18:48 43544 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-06-14 21:44 . 2008-06-14 21:44 0 ----a-w- c:\program files\temp01
2009-04-25 17:13 . 2009-04-25 17:13 50176 --sha-w- c:\windows\system32\gugojamu.dll.tmp
2009-04-25 17:13 . 2009-04-25 17:13 50176 --sha-w- c:\windows\system32\hoganova.dll.tmp
2009-04-25 17:13 . 2009-04-25 17:13 50176 --sha-w- c:\windows\system32\kigafoke.dll.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-07-09 49968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-09-22 761947]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-02-20 1191936]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"dscactivate"="c:\dell\dsca.exe" [2007-07-30 16384]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-12 148888]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-04-15 198160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-09-22 282624]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-10-26 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Microsoft Works\\MSWorks.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [11/22/2007 12:33 AM 24652]
S1 msgpcc;msgpcc;c:\windows\system32\drivers\msgpcc.sys --> c:\windows\system32\drivers\msgpcc.sys [?]
S2 AntipPro2009_100;AntipyProex;c:\windows\svchast.exe --> c:\windows\svchast.exe [?]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [9/14/2006 5:45 PM 92160]
.
- - - - ORPHANS REMOVED - - - -

BHO-{76DC0B63-1533-4ba9-8BE8-D59EB676FA02} - c:\windows\system32\dddesot.dll
HKCU-Run-Aim - c:\program files\AIM6\aim.exe


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\docume~1\Chelsea\APPLIC~1\Mozilla\Firefox\Profiles\ljlifddr.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-08-15 09:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(864)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(4036)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\a-squared Free\a2service.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wscntfy.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
.
**************************************************************************
.
Completion time: 2009-08-15 9:13 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-15 16:13
ComboFix2.txt 2009-04-13 20:47

Pre-Run: 19,248,209,920 bytes free
Post-Run: 19,337,883,648 bytes free

192 --- E O F --- 2009-08-15 15:41


Re: Nasty Virus. Help Appreciated.

Post by Origin on 15th August 2009, 5:46 pm

Now open a new Notepad file.
Input this into the Notepad file:

File::
c:\windows\ppp4.dat
c:\windows\ppp3.dat
c:\windows\system32\sysnet.dat
c:\windows\system32\dadumuja.dll
c:\program files\temp01
c:\windows\system32\gugojamu.dll.tmp
c:\windows\system32\hoganova.dll.tmp
c:\windows\system32\kigafoke.dll.tmp

Folder::
c:\program files\Windows Antivirus Pro
C:\ee71a3cb2316055eb437dc31100bb3
c:\documents and settings\Chelsea\Application Data\LimeWire
c:\program files\LimeWire
c:\docume~1\ALLUSE~1\APPLIC~1\Viewpoint
c:\docume~1\Chelsea\APPLIC~1\PlayFirst

DirLook::
c:\program files\g

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-

Driver::
Viewpoint Manager Service
AntipPro2009_100


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into ComboFix as seen below:

This will open ComboFix again; agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to.)
Post the resulting log back here.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin (Master)
Posts: 2685
Joined: 2009-05-05
Gender: Male
OS: Windows Xp Sp3
Points: 31513
Likes: 0
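The reply above reads the ComboFix log and hand-picks what goes into the CFScript: the system+hidden files in system32 (dadumuja.dll and the three same-sized .dll.tmp files created in the same minute), the service whose image file ComboFix reported as [?] (svchast.exe), and the rogue "Windows Antivirus Pro" folder. The Python below is an added example, not from this thread and not ComboFix's own code, that performs that first pass automatically over a constructed subset of the posted log. It parses the two line formats seen in the log (file entries with the date/size/attribute columns, and the R*/S* service entries), reads the attribute letters off the entries themselves (d = directory, s = system, h = hidden), and reports findings for a human to review rather than writing a removal script.

```python
import re

# Constructed sample: a subset of lines copied from the ComboFix log posted above, covering
# the "Files Created"/"Find3M" entry format and the service ("R2 ..." / "S2 ...") entry format.
SAMPLE_LOG = r"""
2009-08-14 22:30 . 2009-08-14 23:00 64 ----a-w- c:\windows\ppp4.dat
2009-08-14 22:30 . 2009-08-14 22:32 -------- d-----w- c:\program files\Windows Antivirus Pro
2009-07-25 17:19 . 2009-04-25 17:19 84992 --sha-w- c:\windows\system32\dadumuja.dll
2009-07-23 22:09 . 2007-10-26 08:38 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-17 18:55 . 2004-08-10 17:50 58880 ----a-w- c:\windows\system32\atl.dll
2009-04-25 17:13 . 2009-04-25 17:13 50176 --sha-w- c:\windows\system32\gugojamu.dll.tmp
2009-04-25 17:13 . 2009-04-25 17:13 50176 --sha-w- c:\windows\system32\hoganova.dll.tmp
2009-04-25 17:13 . 2009-04-25 17:13 50176 --sha-w- c:\windows\system32\kigafoke.dll.tmp
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [11/22/2007 12:33 AM 24652]
S1 msgpcc;msgpcc;c:\windows\system32\drivers\msgpcc.sys --> c:\windows\system32\drivers\msgpcc.sys [?]
S2 AntipPro2009_100;AntipyProex;c:\windows\svchast.exe --> c:\windows\svchast.exe [?]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [9/14/2006 5:45 PM 92160]
"""

# "<created> . <modified> <size or --------> <attrs> <path>"
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
# "<start type> <name>;<display name>;<image> [--> <resolved>] [<date size> or ?]"
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.+?)(?: --> (?P<resolved>.+?))? \[(?P<info>[^\]]*)\]$"
)


def parse_combofix(text):
    """Split a ComboFix log into file entries and service entries; other lines are ignored."""
    files, services = [], []
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["is_dir"] = entry["attrs"].startswith("d")
            entry["size"] = None if entry["is_dir"] else int(entry["size"])
            files.append(entry)
            continue
        m = SERVICE_RE.match(line)
        if m:
            services.append(m.groupdict())
    return files, services


def hidden_system_files(files, under="\\system32\\"):
    """Non-directory entries carrying both the system and hidden attributes below `under`."""
    return [
        f["path"] for f in files
        if not f["is_dir"] and "s" in f["attrs"] and "h" in f["attrs"]
        and under in f["path"].lower()
    ]


def unaccounted_services(services):
    """Services whose image file ComboFix reported no size/date for ("[?]")."""
    return [(s["name"], s["image"]) for s in services if s["info"].strip() == "?"]


def drop_clusters(files):
    """Group files by (creation minute, size); two or more identical-size files created in
    the same minute usually came from one installer or one malware drop."""
    groups = {}
    for f in files:
        if not f["is_dir"]:
            groups.setdefault((f["created"], f["size"]), []).append(f["path"])
    return {key: paths for key, paths in groups.items() if len(paths) > 1}


def triage(text):
    """First-pass findings a human reviewer should look at before writing a CFScript."""
    files, services = parse_combofix(text)
    return {
        "hidden_system_files": hidden_system_files(files),
        "unaccounted_services": unaccounted_services(services),
        "drop_clusters": drop_clusters(files),
    }


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(section)
        for item in (items.items() if isinstance(items, dict) else items):
            print("   ", item)
```

On the sample the output matches what the reply targeted: the four system+hidden files in system32, the three .dll.tmp files grouped as one cluster, and svchast.exe among the services with no file metadata. The msgpcc driver shows up in that last list too, which is the reason findings go to a reviewer rather than straight into a script: a missing driver file is worth a look but is not on its own evidence of infection.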

Re: Nasty Virus. Help Appreciated.

Post by robosheikh on 16th August 2009, 1:43 am

ComboFix 09-08-10.06 - Chelsea 08/15/2009 17:59.5.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.446.212 [GMT -7:00]
Running from: c:\documents and settings\Chelsea\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Chelsea\Desktop\CFScript.txt
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

FILE ::
"c:\program files\temp01"
"c:\windows\ppp3.dat"
"c:\windows\ppp4.dat"
"c:\windows\system32\dadumuja.dll"
"c:\windows\system32\gugojamu.dll.tmp"
"c:\windows\system32\hoganova.dll.tmp"
"c:\windows\system32\kigafoke.dll.tmp"
"c:\windows\system32\sysnet.dat"
.

Overlay aborted ... Please run ComboFix once more
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ALLUSE~1\APPLIC~1\Viewpoint
c:\docume~1\Chelsea\APPLIC~1\PlayFirst
c:\documents and settings\Chelsea\Application Data\LimeWire
c:\documents and settings\Chelsea\Application Data\LimeWire\responses.cache
c:\documents and settings\Chelsea\Application Data\LimeWire\simpp.xml
c:\documents and settings\Chelsea\Application Data\LimeWire\spam.dat
c:\documents and settings\Chelsea\Application Data\LimeWire\tables.props
c:\documents and settings\Chelsea\Application Data\LimeWire\themes\windows_theme.lwtp
c:\documents and settings\Chelsea\Application Data\LimeWire\themes\windows_theme\01_star.gif
c:\documents and settings\Chelsea\Application Data\LimeWire\themes\windows_theme\02_star.gif
c:\documents and settings\Chelsea\Application Data\LimeWire\themes\windows_theme\03_star.gif
c:\documents and settings\Chelsea\Application Data\LimeWire\themes\windows_theme\04_star.gif
c:\documents and settings\Chelsea\Application Data\LimeWire\themes\windows_theme\05_star.gif
c:\documents and settings\Chelsea\Application Data\LimeWire\themes\windows_theme\chat.gif
c:\documents and settings\Chelsea\Application Data\LimeWire\themes\windows_theme\forward_dn.gif
c:\documents and settings\Chelsea\Application Data\LimeWire\themes\windows_theme\forward_up.gif
c:\documents and settings\Chelsea\Application Data\LimeWire\themes\windows_theme\kill.gif
c:\documents and settings\Chelsea\Application Data\LimeWire\themes\windows_theme\kill_on.gif
c:\documents and settings\Chelsea\Application Data\LimeWire\themes\windows_theme\logo.png
c:\documents and settings\Chelsea\Application Data\LimeWire\themes\windows_theme\notsearching.png
c:\documents and settings\Chelsea\Application Data\LimeWire\themes\windows_theme\pause_dn.gif
c:\documents and settings\Chelsea\Application Data\LimeWire\themes\windows_theme\pause_up.gif
c:\documents and settings\Chelsea\Application Data\LimeWire\themes\windows_theme\play_dn.gif
c:\documents and settings\Chelsea\Application Data\LimeWire\themes\windows_theme\play_up.gif
c:\documents and settings\Chelsea\Application Data\LimeWire\themes\windows_theme\question.gif
c:\documents and settings\Chelsea\Application Data\LimeWire\themes\windows_theme\rewind_dn.gif
c:\documents and settings\Chelsea\Application Data\LimeWire\themes\windows_theme\rewind_up.gif
c:\documents and settings\Chelsea\Application Data\LimeWire\themes\windows_theme\searching.gif
c:\documents and settings\Chelsea\Application Data\LimeWire\themes\windows_theme\splash.png
c:\documents and settings\Chelsea\Application Data\LimeWire\themes\windows_theme\splashpro.png
c:\documents and settings\Chelsea\Application Data\LimeWire\themes\windows_theme\stop_dn.gif
c:\documents and settings\Chelsea\Application Data\LimeWire\themes\windows_theme\stop_up.gif
c:\documents and settings\Chelsea\Application Data\LimeWire\themes\windows_theme\theme.txt
c:\documents and settings\Chelsea\Application Data\LimeWire\themes\windows_theme\version.txt
c:\documents and settings\Chelsea\Application Data\LimeWire\themes\windows_theme\warning.gif
c:\documents and settings\Chelsea\Application Data\LimeWire\ttdata.cache
c:\documents and settings\Chelsea\Application Data\LimeWire\ttrees.cache
c:\documents and settings\Chelsea\Application Data\LimeWire\ttroot.cache
c:\documents and settings\Chelsea\Application Data\LimeWire\version.xml
c:\documents and settings\Chelsea\Application Data\LimeWire\versions.props
c:\documents and settings\Chelsea\Application Data\LimeWire\xml\data\audio.sxml3
c:\documents and settings\Chelsea\Application Data\LimeWire\xml\data\delete_me
c:\documents and settings\Chelsea\Application Data\LimeWire\xml\data\video.sxml3
c:\documents and settings\Chelsea\Application Data\LimeWire\xml\misc\application.gif
c:\documents and settings\Chelsea\Application Data\LimeWire\xml\misc\audio.gif
c:\documents and settings\Chelsea\Application Data\LimeWire\xml\misc\document.gif
c:\documents and settings\Chelsea\Application Data\LimeWire\xml\misc\image.gif
c:\documents and settings\Chelsea\Application Data\LimeWire\xml\misc\video.gif
c:\documents and settings\Chelsea\Application Data\LimeWire\xml\schemas\application.xsd
c:\documents and settings\Chelsea\Application Data\LimeWire\xml\schemas\audio.xsd
c:\documents and settings\Chelsea\Application Data\LimeWire\xml\schemas\document.xsd
c:\documents and settings\Chelsea\Application Data\LimeWire\xml\schemas\image.xsd
c:\documents and settings\Chelsea\Application Data\LimeWire\xml\schemas\video.xsd
C:\ee71a3cb2316055eb437dc31100bb3
c:\ee71a3cb2316055eb437dc31100bb3\$shtdwn$.req
c:\ee71a3cb2316055eb437dc31100bb3\mrt.exe
c:\ee71a3cb2316055eb437dc31100bb3\mrtstub.exe
c:\program files\LimeWire
c:\program files\LimeWire\.NetworkShare\LimeWireWin5.1.2.exe
c:\program files\LimeWire\.NetworkShare\LimeWireWin5.2.13.exe
c:\program files\LimeWire\Buy LimeWire PRO.url
c:\program files\LimeWire\COPYING
c:\program files\LimeWire\data.ser
c:\program files\LimeWire\Incomplete\downloads.bak
c:\program files\LimeWire\Incomplete\downloads.dat
c:\program files\LimeWire\Incomplete\Preview-T-10842295-Erykah Badu - New Amerykah - 10 - Telephone.mp3
c:\program files\LimeWire\Incomplete\Preview-T-2165511-Justin Timberlake - I Think That She Knows.mp3
c:\program files\LimeWire\Incomplete\Preview-T-2165521-Justin Timberlake - I Think That She Knows Interlude.mp3
c:\program files\LimeWire\Incomplete\Preview-T-2968190-Jackson 5 - Stop! The Love You Save (May Be Your Own).mp3
c:\program files\LimeWire\Incomplete\Preview-T-3342872-tecno DANCE - Beethoven - Fur Elise (Trance Remix).mp3
c:\program files\LimeWire\Incomplete\Preview-T-3402752-Justin Timberlake- Lovestoned interlude.mp3
c:\program files\LimeWire\Incomplete\Preview-T-3466887-DMX - Stop, Drop, Roll.mp3
c:\program files\LimeWire\Incomplete\Preview-T-3674997-Next feat. Koffee Brown - Problems (1).mp3
c:\program files\LimeWire\Incomplete\Preview-T-3689464-Aaliyah - Loose Rap.mp3
c:\program files\LimeWire\Incomplete\Preview-T-3897472-A Tribe Called Quest - Oh My God (Remix).mp3
c:\program files\LimeWire\Incomplete\Preview-T-4036167-A Tribe Called Quest - We've Got The Jazz.mp3
c:\program files\LimeWire\Incomplete\Preview-T-4049818-Justin Timberlake - I Think That She Knows.MP3
c:\program files\LimeWire\Incomplete\Preview-T-4116646-Lou Donaldson - Pot Belly.mp3
c:\program files\LimeWire\Incomplete\Preview-T-4285575-A Tribe Called Quest - Electric Relaxation (instrumental).mp3
c:\program files\LimeWire\Incomplete\Preview-T-4425502-The Bravery - Honest Mistake.mp3
c:\program files\LimeWire\Incomplete\Preview-T-4572710-Tom Scott & the California Dreamers - Today.mp3
c:\program files\LimeWire\Incomplete\Preview-T-4574987-Pete Rock & CL Smooth - They Reminisce Over You (TROY).mp3
c:\program files\LimeWire\Incomplete\Preview-T-4805051-Sister Nancy - Bam Bam.mp3
c:\program files\LimeWire\Incomplete\Preview-T-4933310-Surface - Happy.mp3
c:\program files\LimeWire\Incomplete\Preview-T-5186911-Kanye West - Celebration.mp3
c:\program files\LimeWire\Incomplete\Preview-T-5234460-Tragedy Khadafi aka Intelligent Hoodlum - Grand Groove.mp3
c:\program files\LimeWire\Incomplete\Preview-T-5882234-Latoya Williams- Everytime.mp3
c:\program files\LimeWire\Incomplete\Preview-T-5898368-Wiz Khalifa - Say Yeah (Dirty).mp3
c:\program files\LimeWire\Incomplete\Preview-T-6175085-Erykah Badu - Next Lifetime.mp3
c:\program files\LimeWire\Incomplete\Preview-T-6438005-The Bravery - Believe.mp3
c:\program files\LimeWire\Incomplete\Preview-T-6594688-The B-52's - Rock Lobster.mp3
c:\program files\LimeWire\Incomplete\Preview-T-6616502-Omarion ft. Pharrell - Obsession.mp3
c:\program files\LimeWire\Incomplete\Preview-T-7012352-Faze-O - Riding High.mp3
c:\program files\LimeWire\Incomplete\Preview-T-7446745-Pitbull ft. Trina & Young Boss - Go Girl(clean).mp3
c:\program files\LimeWire\Incomplete\Preview-T-8740468-Beethoven - Moonlight Sonata.mp3
c:\program files\LimeWire\Incomplete\Preview-T-8886196-Justin Timberlake - LoveStoned - I Think She Knows Interlude.mp3
c:\program files\LimeWire\Incomplete\Preview-T-9060352-Liszt, Franz - Hungarian Rhapsody No. 2 From Piano.mp3
c:\program files\LimeWire\Incomplete\T-3535516-Dirty Vegas - Days Go By.MP3
c:\program files\LimeWire\Incomplete\T-3536896-Dirty Vegas - Days Go By.MP3
c:\program files\LimeWire\Incomplete\T-4387197-Boot Camp Click - BlackMoon - Crooklyn Dodgers - Crooklyn.mp3
c:\program files\LimeWire\Incomplete\T-4845400-Dirty Vegas - Days go by.mp3
c:\program files\LimeWire\Incomplete\T-4847682-Dirty Vegas - Days go by.mp3
c:\program files\LimeWire\Incomplete\T-4850136-Dirty Vegas - Days go by.mp3
c:\program files\LimeWire\Incomplete\T-5345476-Dirty Vegas - Days Go By.mp3
c:\program files\LimeWire\Incomplete\T-5349572-Techno - Dirty Vegas - Days Go By (New Mitsubishi Commercial).mp3
c:\program files\LimeWire\Incomplete\T-5367685-Dirty Vegas - Days Go By-original.mp3
c:\program files\LimeWire\Incomplete\T-7229985-Dirty Vegas - Days Go By.mp3
c:\program files\LimeWire\Incomplete\T-7234081-Dirty Vegas - Days Go By.mp3
c:\program files\LimeWire\inspection.props
c:\program files\LimeWire\install.log
c:\program files\LimeWire\language.prop
c:\program files\LimeWire\lib\activation-1.1.jar
c:\program files\LimeWire\lib\additional_resources.jar
c:\program files\LimeWire\lib\aopalliance.jar
c:\program files\LimeWire\lib\AppFramework.jar
c:\program files\LimeWire\lib\base64-2.2.2.jar
c:\program files\LimeWire\lib\boost_date_time-vc90-mt-1_39.dll
c:\program files\LimeWire\lib\boost_filesystem-vc90-mt-1_39.dll
c:\program files\LimeWire\lib\boost_system-vc90-mt-1_39.dll
c:\program files\LimeWire\lib\boost_thread-vc90-mt-1_39.dll
c:\program files\LimeWire\lib\clink.jar
c:\program files\LimeWire\lib\commons-codec-1.3.jar
c:\program files\LimeWire\lib\commons-lang-2.2.jar
c:\program files\LimeWire\lib\commons-logging.jar
c:\program files\LimeWire\lib\commons-math-1.2.jar
c:\program files\LimeWire\lib\daap.jar
c:\program files\LimeWire\lib\dnsjava-2.0.6.jar
c:\program files\LimeWire\lib\EventBus-1.2b.jar
c:\program files\LimeWire\lib\fb-java-api-2.1.1.jar
c:\program files\LimeWire\lib\fb-java-api-schema-2.1.1.jar
c:\program files\LimeWire\lib\gettext-commons.jar
c:\program files\LimeWire\lib\glazedlists-snapshot20090628_java15.jar
c:\program files\LimeWire\lib\google-collect-1.0-rc2.jar
c:\program files\LimeWire\lib\guice-2.0-snapshot-20090610.jar
c:\program files\LimeWire\lib\guice-assistedinject-snapshot20090512.jar
c:\program files\LimeWire\lib\hashes
c:\program files\LimeWire\lib\hsqldb-1.8.0.10.jar
c:\program files\LimeWire\lib\httpclient-4.0-alpha2-HTTPCLIENT-730.jar
c:\program files\LimeWire\lib\httpclient-4.0-beta2.jar
c:\program files\LimeWire\lib\httpcore-4.0-alpha6.jar
c:\program files\LimeWire\lib\httpcore-4.0.jar
c:\program files\LimeWire\lib\httpcore-nio-4.0-alpha6.jar
c:\program files\LimeWire\lib\httpcore-nio-4.0.jar
c:\program files\LimeWire\lib\httpcore-niossl-4.0-alpha6.jar
c:\program files\LimeWire\lib\icu4j.jar
c:\program files\LimeWire\lib\iTunes-0.0.1.jar
c:\program files\LimeWire\lib\jacob-1.14.3-x64.dll
c:\program files\LimeWire\lib\jacob-1.14.3-x86.dll
c:\program files\LimeWire\lib\jacob-1.14.3.jar
c:\program files\LimeWire\lib\jaudiotagger.jar
c:\program files\LimeWire\lib\jaxb-api-2.1.jar
c:\program files\LimeWire\lib\jaxb-impl-2.1.9.jar
c:\program files\LimeWire\lib\jcip-annotations.jar
c:\program files\LimeWire\lib\jcraft.jar
c:\program files\LimeWire\lib\jdic.dll
c:\program files\LimeWire\lib\jdic.jar
c:\program files\LimeWire\lib\jdic_stub.jar
c:\program files\LimeWire\lib\jflac.jar
c:\program files\LimeWire\lib\jl.jar
c:\program files\LimeWire\lib\jmdns.jar
c:\program files\LimeWire\lib\jna-3.1.0.jar
c:\program files\LimeWire\lib\jogg.jar
c:\program files\LimeWire\lib\jorbis.jar
c:\program files\LimeWire\lib\json-20070829.jar
c:\program files\LimeWire\lib\jxlayer-4.0.jar
c:\program files\LimeWire\lib\libeay32.dll
c:\program files\LimeWire\lib\LimeWire.ico
c:\program files\LimeWire\lib\LimeWire.jar
c:\program files\LimeWire\lib\log4j.jar
c:\program files\LimeWire\lib\log4j.properties
c:\program files\LimeWire\lib\messages.jar
c:\program files\LimeWire\lib\Microsoft.VC90.CRT.manifest
c:\program files\LimeWire\lib\miglayout-3.7-swing.jar
c:\program files\LimeWire\lib\mime-util.jar
c:\program files\LimeWire\lib\mozdom4java.jar
c:\program files\LimeWire\lib\MozillaGlue-1.9.jar
c:\program files\LimeWire\lib\MozillaInterfaces-1.9.jar
c:\program files\LimeWire\lib\mozswing.jar
c:\program files\LimeWire\lib\mp3spi.jar
c:\program files\LimeWire\lib\msvcm90.dll
c:\program files\LimeWire\lib\msvcp90.dll
c:\program files\LimeWire\lib\msvcr90.dll
c:\program files\LimeWire\lib\onion-common.jar
c:\program files\LimeWire\lib\onion-fec.jar
c:\program files\LimeWire\lib\runtime-0.4.1.3.jar
c:\program files\LimeWire\lib\smack.jar
c:\program files\LimeWire\lib\smackx-debug.jar
c:\program files\LimeWire\lib\smackx.jar
c:\program files\LimeWire\lib\ssleay32.dll
c:\program files\LimeWire\lib\stax-api-1.0-2.jar
c:\program files\LimeWire\lib\swing-worker-1.2.jar
c:\program files\LimeWire\lib\swingx-1.0.jar
c:\program files\LimeWire\lib\SystemUtilities.dll
c:\program files\LimeWire\lib\SystemUtilitiesA.dll
c:\program files\LimeWire\lib\torrent-wrapper.dll
c:\program files\LimeWire\lib\torrent.dll
c:\program files\LimeWire\lib\tritonus.jar
c:\program files\LimeWire\lib\UnpackedJars.7z
c:\program files\LimeWire\lib\vorbisspi.jar
c:\program files\LimeWire\LimeWire On Startup.lnk

robosheikh
Novice
Posts: 41
Joined: 2009-08-14
OS: XP

Re: Nasty Virus. Help Appreciated.

Post by robosheikh on 16th August 2009, 1:44 am

c:\program files\LimeWire\LimeWire.exe
c:\program files\LimeWire\LimeWire.ico
c:\program files\LimeWire\pmf.ico
c:\program files\LimeWire\root\magnet10\badge.img
c:\program files\LimeWire\root\magnet10\canHandle.img
c:\program files\LimeWire\root\magnet10\limewire.gif
c:\program files\LimeWire\root\magnet10\options.js
c:\program files\LimeWire\root\magnet10\silentdetect.js
c:\program files\LimeWire\SOURCE
c:\program files\LimeWire\spacer.gif
c:\program files\LimeWire\uninstall.exe
c:\program files\LimeWire\unpack.log
c:\program files\temp01
c:\program files\Windows Antivirus Pro
c:\program files\Windows Antivirus Pro\msvcm80.dll
c:\program files\Windows Antivirus Pro\msvcp80.dll
c:\program files\Windows Antivirus Pro\msvcr80.dll
c:\program files\Windows Antivirus Pro\tmp\dbsinit.exe
c:\program files\Windows Antivirus Pro\tmp\images\i1.gif
c:\program files\Windows Antivirus Pro\tmp\images\i2.gif
c:\program files\Windows Antivirus Pro\tmp\images\i3.gif
c:\program files\Windows Antivirus Pro\tmp\images\j1.gif
c:\program files\Windows Antivirus Pro\tmp\images\j2.gif
c:\program files\Windows Antivirus Pro\tmp\images\j3.gif
c:\program files\Windows Antivirus Pro\tmp\images\jj1.gif
c:\program files\Windows Antivirus Pro\tmp\images\jj2.gif
c:\program files\Windows Antivirus Pro\tmp\images\jj3.gif
c:\program files\Windows Antivirus Pro\tmp\images\l1.gif
c:\program files\Windows Antivirus Pro\tmp\images\l2.gif
c:\program files\Windows Antivirus Pro\tmp\images\l3.gif
c:\program files\Windows Antivirus Pro\tmp\images\pix.gif
c:\program files\Windows Antivirus Pro\tmp\images\t1.gif
c:\program files\Windows Antivirus Pro\tmp\images\t2.gif
c:\program files\Windows Antivirus Pro\tmp\images\up1.gif
c:\program files\Windows Antivirus Pro\tmp\images\up2.gif
c:\program files\Windows Antivirus Pro\tmp\images\w1.gif
c:\program files\Windows Antivirus Pro\tmp\images\w11.gif
c:\program files\Windows Antivirus Pro\tmp\images\w2.gif
c:\program files\Windows Antivirus Pro\tmp\images\w3.gif
c:\program files\Windows Antivirus Pro\tmp\images\w3.jpg
c:\program files\Windows Antivirus Pro\tmp\images\wt1.gif
c:\program files\Windows Antivirus Pro\tmp\images\wt2.gif
c:\program files\Windows Antivirus Pro\tmp\images\wt3.gif
c:\program files\Windows Antivirus Pro\tmp\wispex.html
c:\program files\Windows Antivirus Pro\Windows Antivirus Pro.exe
c:\windows\ppp3.dat
c:\windows\ppp4.dat
c:\windows\system32\dadumuja.dll
c:\windows\system32\gugojamu.dll.tmp
c:\windows\system32\hoganova.dll.tmp
c:\windows\system32\kigafoke.dll.tmp
c:\windows\system32\sysnet.dat


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ANTIPPRO2009_100
-------\Legacy_VIEWPOINT_MANAGER_SERVICE
-------\Service_AntipPro2009_100
-------\Service_Viewpoint Manager Service


((((((((((((((((((((((((( Files Created from 2009-07-16 to 2009-08-16 )))))))))))))))))))))))))))))))
.

2009-08-05 09:11 . 2009-08-05 09:11 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-03 19:08 . 2009-08-03 19:08 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Ableton
2009-08-03 19:08 . 2009-08-03 19:08 -------- d-----w- c:\documents and settings\Chelsea\Application Data\Ableton
2009-08-03 19:06 . 2009-04-27 16:26 233472 ----a-w- c:\windows\system32\REX Shared Library.dll
2009-08-03 19:06 . 2009-04-27 16:26 368640 ----a-w- c:\windows\system32\ReWire.dll
2009-08-03 19:04 . 2009-08-03 19:04 -------- d-----w- c:\program files\Ableton
2009-08-02 21:47 . 2009-08-02 21:47 -------- d-----w- c:\program files\EA GAMES
2009-07-26 05:59 . 2009-07-13 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-26 05:59 . 2009-07-13 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-26 05:59 . 2009-07-26 05:59 -------- d-----w- c:\program files\g
2009-07-23 22:16 . 2009-07-23 22:16 -------- d-----w- c:\documents and settings\Chelsea\Application Data\Exent Technologies
2009-07-23 22:10 . 2009-07-23 22:10 64 ----a-w- c:\windows\GPlrLanc.dat
2009-07-23 22:09 . 2009-07-23 22:10 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Free Ride Games
2009-07-22 05:31 . 2009-07-22 05:36 -------- d-----w- c:\program files\AIM6
2009-07-21 05:22 . 2009-07-21 05:54 -------- d-----w- c:\documents and settings\Chelsea\Local Settings\Application Data\DFH
2009-07-17 20:41 . 2009-07-17 20:41 -------- d-----w- c:\documents and settings\Chelsea\Local Settings\Application Data\Temp
2009-07-17 18:55 . 2009-07-17 18:55 58880 ------w- c:\windows\system32\dllcache\atl.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-14 23:37 . 2009-08-05 21:13 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\WinZip
2009-08-14 23:28 . 2009-08-14 23:26 39647808 ----a-w- C:\kav8.0.0.506en.exe
2009-08-14 23:17 . 2009-08-14 23:17 408064 ----a-w- C:\otm.com.exe
2009-08-14 22:52 . 2009-08-14 22:47 1885088 ----a-w- C:\SmitfraudFix.exe
2009-08-13 22:05 . 2009-08-13 22:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-13 17:33 . 2009-04-08 22:02 -------- d-----w- c:\program files\a-squared Free
2009-08-05 09:11 . 2004-08-10 17:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-23 22:09 . 2007-10-26 08:38 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-21 05:54 . 2009-05-25 20:57 -------- d-----w- c:\program files\Yahoo! Games
2009-07-17 18:55 . 2004-08-10 17:50 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 06:43 . 2004-08-10 17:51 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-05 18:39 . 2009-07-05 18:39 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-06-16 14:55 . 2004-08-10 17:51 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:55 . 2004-08-10 17:51 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 11:50 . 2004-08-10 17:51 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:21 . 2004-08-10 17:50 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2004-08-10 17:51 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 07:42 . 2004-08-10 18:01 655872 ----a-w- c:\windows\system32\mstscax.dll
2009-06-03 19:27 . 2004-08-10 17:51 1290752 ----a-w- c:\windows\system32\quartz.dll
2009-06-03 01:14 . 2007-12-16 18:48 43544 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\program files\g ----

2009-07-26 05:59 . 2009-07-26 05:59 10498 ----a-w- c:\program files\g\unins000.msg
2009-07-26 05:59 . 2009-07-13 20:36 211216 ----a-w- c:\program files\g\mbamservice.exe
2009-07-26 05:59 . 2009-07-13 20:36 414992 ----a-w- c:\program files\g\mbamgui.exe
2009-07-26 05:59 . 2009-07-13 20:36 496912 ----a-w- c:\program files\g\vbalsgrid6.ocx
2009-07-26 05:59 . 2009-07-13 20:36 46352 ----a-w- c:\program files\g\ssubtmr6.dll
2009-07-26 05:59 . 2009-07-13 20:36 70928 ----a-w- c:\program files\g\mbamext.dll
2009-07-26 05:59 . 2009-07-13 20:36 79632 ----a-w- c:\program files\g\zlib.dll
2009-07-26 05:59 . 2009-07-13 20:36 1287440 ----a-w- c:\program files\g\mbam.exe
2009-07-26 05:59 . 2008-07-11 21:26 12876 ----a-w- c:\program files\g\Languages\spanish.lng
2009-07-26 05:59 . 2008-11-10 00:19 12175 ----a-w- c:\program files\g\Languages\swedish.lng
2009-07-26 05:59 . 2009-04-15 12:00 13808 ----a-w- c:\program files\g\Languages\turkish.lng
2009-07-26 05:59 . 2008-11-01 00:54 13097 ----a-w- c:\program files\g\Languages\ukrainian.lng
2009-07-26 05:59 . 2008-03-04 06:28 11205 ----a-w- c:\program files\g\Languages\slovenian.lng
2009-07-26 05:59 . 2008-07-26 16:58 11599 ----a-w- c:\program files\g\Languages\slovak.lng
2009-07-26 05:59 . 2008-07-04 07:58 11779 ----a-w- c:\program files\g\Languages\russian.lng
2009-07-26 05:59 . 2008-03-03 13:03 12114 ----a-w- c:\program files\g\Languages\serbian.lng
2009-07-26 05:59 . 2008-06-15 20:04 12345 ----a-w- c:\program files\g\Languages\portuguesePT.lng
2009-07-26 05:59 . 2008-03-14 02:09 12672 ----a-w- c:\program files\g\Languages\romanian.lng
2009-07-26 05:59 . 2008-09-11 05:29 13314 ----a-w- c:\program files\g\Languages\macedonian.lng
2009-07-26 05:59 . 2009-06-10 20:39 11593 ----a-w- c:\program files\g\Languages\norwegian.lng
2009-07-26 05:59 . 2009-01-11 07:56 11623 ----a-w- c:\program files\g\Languages\polish.lng
2009-07-26 05:59 . 2008-03-05 02:56 12245 ----a-w- c:\program files\g\Languages\portugueseBR.lng
2009-07-26 05:59 . 2008-12-19 23:30 11457 ----a-w- c:\program files\g\Languages\latvian.lng
2009-07-26 05:59 . 2008-03-04 00:39 12048 ----a-w- c:\program files\g\Languages\hungarian.lng
2009-07-26 05:59 . 2008-03-05 03:03 13019 ----a-w- c:\program files\g\Languages\italian.lng
2009-07-26 05:59 . 2008-10-07 22:15 13234 ----a-w- c:\program files\g\Languages\greek.lng
2009-07-26 05:59 . 2008-10-06 05:25 13557 ----a-w- c:\program files\g\Languages\german.lng
2009-07-26 05:59 . 2008-05-17 17:09 11624 ----a-w- c:\program files\g\Languages\finnish.lng
2009-07-26 05:59 . 2008-03-05 02:57 13353 ----a-w- c:\program files\g\Languages\french.lng
2009-07-26 05:59 . 2008-03-03 02:33 11232 ----a-w- c:\program files\g\Languages\english.lng
2009-07-26 05:59 . 2009-04-23 01:40 11039 ----a-w- c:\program files\g\Languages\estonian.lng
2009-07-26 05:59 . 2009-02-18 03:27 11893 ----a-w- c:\program files\g\Languages\danish.lng
2009-07-26 05:59 . 2008-03-05 02:56 12255 ----a-w- c:\program files\g\Languages\dutch.lng
2009-07-26 05:59 . 2008-06-25 06:49 11551 ----a-w- c:\program files\g\Languages\czech.lng
2009-07-26 05:59 . 2008-08-01 16:03 8045 ----a-w- c:\program files\g\Languages\chineseSI.lng
2009-07-26 05:59 . 2008-08-04 19:58 8141 ----a-w- c:\program files\g\Languages\chineseTR.lng
2009-07-26 05:59 . 2008-12-27 23:41 11977 ----a-w- c:\program files\g\Languages\croatian.lng
2009-07-26 05:59 . 2009-01-17 03:08 12533 ----a-w- c:\program files\g\Languages\bulgarian.lng
2009-07-26 05:59 . 2008-03-05 03:05 12595 ----a-w- c:\program files\g\Languages\catalan.lng
2009-07-26 05:59 . 2009-04-10 07:53 10331 ----a-w- c:\program files\g\Languages\arabic.lng
2009-07-26 05:59 . 2008-07-03 17:10 13924 ----a-w- c:\program files\g\Languages\albanian.lng
2009-07-26 05:59 . 2009-07-13 20:36 381712 ----a-w- c:\program files\g\mbam-dor.exe
2009-07-26 05:59 . 2009-07-13 20:36 120592 ----a-w- c:\program files\g\mbam.dll
2009-07-26 05:59 . 2009-07-13 19:20 15455 ----a-w- c:\program files\g\changes.rtf
2009-07-26 05:59 . 2009-01-05 02:31 4124 ----a-w- c:\program files\g\license.txt
2009-07-26 05:59 . 2009-06-30 21:28 58889 ----a-w- c:\program files\g\mbam.chm
2009-07-26 05:59 . 2009-07-26 05:58 692496 ----a-w- c:\program files\g\unins000.exe
2009-07-26 05:59 . 2009-07-26 05:59 10086 ----a-w- c:\program files\g\unins000.dat


((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-16 01:27 . 2009-08-16 01:27 16384 c:\windows\temp\Perflib_Perfdata_f8.dat
+ 2007-11-06 22:16 . 2009-08-16 00:39 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-11-06 22:16 . 2009-08-15 03:51 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-11-06 22:16 . 2009-08-16 00:39 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-11-06 22:16 . 2009-08-15 03:51 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-11-06 22:16 . 2009-08-16 00:39 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2007-11-06 22:16 . 2009-08-15 03:51 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat


Re: Nasty Virus. Help Appreciated.

Post by robosheikh on 16th August 2009, 1:44 am

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-07-09 49968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-09-22 761947]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-02-20 1191936]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"dscactivate"="c:\dell\dsca.exe" [2007-07-30 16384]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-12 148888]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-04-15 198160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-09-22 282624]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-10-26 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Microsoft Works\\MSWorks.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

S1 msgpcc;msgpcc;c:\windows\system32\drivers\msgpcc.sys --> c:\windows\system32\drivers\msgpcc.sys [?]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [9/14/2006 5:45 PM 92160]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\docume~1\Chelsea\APPLIC~1\Mozilla\Firefox\Profiles\ljlifddr.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-08-15 18:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(864)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1352)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\a-squared Free\a2service.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wscntfy.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
.
**************************************************************************
.
Completion time: 2009-08-16 18:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-16 01:36
ComboFix2.txt 2009-08-15 16:13
ComboFix3.txt 2009-04-13 20:47

Pre-Run: 19,339,427,840 bytes free
Post-Run: 19,372,457,984 bytes free

488 --- E O F --- 2009-08-15 15:41

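The "Reg Loading Points" section of the log above is where the listing turns from inventory into evidence: the Security Center keys under Monitoring\SymantecFirewall and Monitoring\TrendFirewall carry DisableMonitoring=1 (telling Security Center to stop watching those products), the standard-profile firewall policy has EnableFirewall=0, and the S1 driver msgpcc is listed with [?] where ComboFix would normally print the image's date and size, meaning it could not find the file on disk (the helper's next step removes exactly that service). The earlier post's deletions add system32 DLLs with eight-letter consonant-vowel names (dadumuja.dll, gugojamu.dll.tmp). The script below is an added example written for this thread, not code from the thread, from ComboFix or from its author: it parses a ComboFix-style excerpt constructed after those entries and flags each indicator. The severity labels and the random-name rule are my own heuristics.

```python
"""Triage of a ComboFix log excerpt: weakened defences under 'Reg Loading
Points', start-up drivers whose image is missing, and random-named DLLs in
system32.  Added example written for this thread; it is not part of the
thread or of ComboFix, and the sample text below is constructed after the
entries posted above."""
import re

# Constructed sample, modelled on the entries in the posted log.
SAMPLE_LOG = r"""
c:\windows\system32\dadumuja.dll
c:\windows\system32\gugojamu.dll.tmp
c:\windows\system32\sysnet.dat
c:\windows\system32\drivers\mbam.sys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

S1 msgpcc;msgpcc;c:\windows\system32\drivers\msgpcc.sys --> c:\windows\system32\drivers\msgpcc.sys [?]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [9/14/2006 5:45 PM 92160]
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
# Service/driver line: start code, name, display name, image path, and a
# bracketed file stamp that ComboFix prints as "?" when the image is missing.
SERVICE_RE = re.compile(r"^([RS][0-4])\s+([^;]+);[^;]*;(.*?)\s+\[([^\]]*)\]\s*$")
PATH_RE = re.compile(r"^[a-z]:\\", re.I)
# Eight lowercase letters in strict consonant-vowel alternation: the naming
# pattern of the system32 DLLs removed in this thread.  A heuristic only.
RANDOM_NAME_RE = re.compile(r"^(?:[b-df-hj-np-tv-z][aeiou]){4}$")
BOOT_START = {"R0", "R1", "S0", "S1"}


def reg_int(data):
    """Turn ComboFix value data ('dword:00000001', '0 (0x0)') into an int."""
    token = data.strip().split()[0] if data.strip() else ""
    if token.lower().startswith("dword:"):
        return int(token[6:], 16)
    try:
        return int(token, 0)
    except ValueError:
        return None


def triage(log_text):
    """Return (severity, finding) tuples for one ComboFix log excerpt."""
    findings = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = KEY_RE.match(line)
        if key:
            current_key = key.group(1)
            continue
        svc = SERVICE_RE.match(line)
        if svc:
            start, name, path, stamp = svc.groups()
            if stamp == "?":
                image = path.split(" --> ")[-1]
                # A boot/system-start driver with no file on disk is how a
                # rootkit that hides its own image shows up in this listing.
                sev = "HIGH" if start in BOOT_START else "MEDIUM"
                findings.append((sev, f"service {name} ({start}) points at missing file {image}"))
            continue
        val = VALUE_RE.match(line)
        if val:
            name, data = val.groups()
            key_l = current_key.lower()
            if "security center\\monitoring" in key_l and name.lower() == "disablemonitoring" and reg_int(data) == 1:
                product = current_key.rsplit("\\", 1)[-1]
                findings.append(("HIGH", f"Security Center monitoring disabled for {product}"))
            elif key_l.endswith("firewallpolicy\\standardprofile") and name.lower() == "enablefirewall" and reg_int(data) == 0:
                findings.append(("HIGH", "Windows Firewall disabled in the standard profile"))
            elif "globallyopenports" in key_l:
                findings.append(("LOW", f"firewall port opened to all: {name}"))
            continue
        if PATH_RE.match(line) and "\\system32\\" in line.lower():
            filename = line.rsplit("\\", 1)[-1].lower()
            if RANDOM_NAME_RE.match(filename.split(".", 1)[0]):
                findings.append(("MEDIUM", f"random-looking name in system32: {filename}"))
    return findings


if __name__ == "__main__":
    for severity, finding in triage(SAMPLE_LOG):
        print(f"{severity:6} {finding}")
```

Run against the constructed excerpt it reports two random-named DLLs, the two disabled defences, the globally opened port and the missing msgpcc image, and stays silent on the Novatel driver whose file stamp is present. The consonant-vowel rule is deliberately narrow; it is meant to surface candidates for a look, not to decide anything on its own.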

Re: Nasty Virus. Help Appreciated.

Post by Belahzur on 16th August 2009, 7:23 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts: 34918
Joined: 2008-08-03
Gender: Male
OS: 7 Home Premium x64

Re: Nasty Virus. Help Appreciated.

Post by robosheikh on 16th August 2009, 11:45 pm

Everything is running well,

only Blackle/Google are redirecting me whenever I click stuff.


Re: Nasty Virus. Help Appreciated.

Post by Belahzur on 17th August 2009, 1:33 pm

Hello.
Let's clean up a bit more and single out what we can.

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTM.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)


    :services
    msgpcc

    :files
    C:\*.exe


  • Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.



Re: Nasty Virus. Help Appreciated.

Post by robosheikh on 17th August 2009, 8:58 pm

========== SERVICES/DRIVERS ==========

Service\Driver msgpcc deleted successfully.
========== FILES ==========
C:\kav8.0.0.506en.exe moved successfully.
C:\otm.com.exe moved successfully.
C:\SmitfraudFix.exe moved successfully.

OTM by OldTimer - Version 3.0.0.6 log created on 08172009_135731


Re: Nasty Virus. Help Appreciated.

Post by Belahzur on 17th August 2009, 9:58 pm

Please download GooredFix from one of the locations below and save it to your Desktop
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).



Re: Nasty Virus. Help Appreciated.

Post by robosheikh on 19th August 2009, 2:51 am

GooredFix by jpshortstuff (12.07.09)
Log created at 19:50 on 18/08/2009 (Chelsea)
Firefox version 3.0.13 (en-US)

========== GooredScan ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [01:32 11/04/2009]
{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [20:22 12/04/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [20:22 12/04/2009]

-=E.O.F=-


Re: Nasty Virus. Help Appreciated.

Post by Belahzur on 19th August 2009, 7:36 pm

Hello.
Still having problems now?



Re: Nasty Virus. Help Appreciated.

Post by robosheikh on 19th August 2009, 8:13 pm

Hi,

Yes :(

I'm still getting redirected to random sites from Google.


Re: Nasty Virus. Help Appreciated.

Post by Belahzur on 19th August 2009, 8:47 pm

Download the GMER rootkit scan from here: [You must be registered and logged in to see this link.]

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems with running GMER.exe, try it in safe mode. This tool works in safe mode.
You can also try renaming it since some malware blocks GMER.


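Reading the listing this scan produces (the one posted in the next reply is the case in point) comes down to sorting hooks by who owns their target. User-mode IAT entries that carry a vendor attribution in parentheses, like the AOL tbdiag.dll entries inside aim6.exe, are ordinary instrumentation. Kernel code patched with a JMP into an address GMER cannot attribute to any module, an inline hook on Explorer's ntdll!LdrLoadDll into memory that belongs to no loaded module, and above all IAT entries of atapi.sys redirected into a driver GMER reports as "The system cannot find the file specified" are the rootkit: a driver that is loaded but hides its own file, sitting on the disk driver's port I/O imports, is the picture the TDL3/TDSS family produced on XP machines of this era. The script below is an added example written for this thread, not code from the thread or from GMER: it parses GMER-style lines constructed after that output and grades each hook. The severity labels are my own.

```python
"""Grade the hooks in a GMER listing: vendor-attributed user-mode hooks are
noise, kernel hooks into unnamed memory and IAT redirections into a driver
GMER cannot find on disk are the rootkit.  Added example, not from the thread
or from GMER; the sample below is constructed after the scan posted in the
next reply."""
import re

# Constructed sample, modelled on the GMER output posted in this thread.
SAMPLE_GMER = r"""
---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EE136 5 Bytes JMP 84441603
PAGE ntkrnlpa.exe!ZwSaveKey 80618320 5 Bytes JMP 844415CA
? spgw.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[1404] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 00A1000A

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F72C3040] spgw.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F72C36D2] spgw.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\AIM6\aim6.exe[2244] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER")
# A module GMER sees loaded but cannot open on disk.
MISSING_RE = re.compile(r"^\?\s+(\S+)\s+The system cannot find the file specified")
# Inline patch: section, function, address, patch length, JMP/CALL target and
# an optional owning module (blank when no module maps the target).
INLINE_RE = re.compile(
    r"^(?P<sect>\S+)\s+(?P<where>.+?)\s+(?P<addr>[0-9A-F]{8})\s+(?P<n>\d+)\s+Bytes\s+"
    r"(?P<kind>JMP|CALL)\s+(?P<target>[0-9A-F]{8})(?:\s+(?P<owner>\S.*))?$")
# Import-table entry: importing module, imported symbol, current pointer, owner.
IAT_RE = re.compile(
    r"^IAT\s+(?P<where>.+?)\s*\[(?P<import>[^\]]+)\]\s+\[(?P<target>[0-9A-F]{8})\]\s*(?P<owner>.*)$")


def owner_module(owner):
    """Bare file name of the owning module, without path or '(vendor)' text."""
    return owner.split(" (")[0].rsplit("\\", 1)[-1].lower()


def triage_gmer(text):
    """Return (severity, finding) tuples for a GMER listing."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    # First pass: which drivers does GMER report as loaded but missing on disk?
    missing = {m.group(1).lower() for m in map(MISSING_RE.match, lines) if m}
    findings = []
    kernel = False
    for line in lines:
        sec = SECTION_RE.match(line)
        if sec:
            kernel = sec.group(1).lower().startswith("kernel")
            continue
        miss = MISSING_RE.match(line)
        if miss:
            findings.append(("HIGH", f"{miss.group(1)} is loaded in the kernel but GMER cannot find its file on disk"))
            continue
        iat = IAT_RE.match(line)
        if iat:
            where, imp, owner = iat["where"], iat["import"], iat["owner"].strip()
            if owner and owner_module(owner) in missing:
                # Port I/O imports of the disk driver redirected into a hidden
                # driver: the hidden image is being filtered at the ATA level.
                findings.append(("HIGH", f"IAT of {where} [{imp}] redirected into {owner_module(owner)}, a driver with no file on disk"))
            elif "(" in owner:
                findings.append(("INFO", f"IAT hook in {where} [{imp}] by attributed module {owner}"))
            else:
                scope = "kernel" if kernel else "user"
                findings.append(("MEDIUM", f"{scope} IAT hook in {where} [{imp}] by {owner or 'unnamed memory'}"))
            continue
        inl = INLINE_RE.match(line)
        if inl:
            owner = (inl["owner"] or "").strip()
            if "(" in owner:
                sev = "INFO"      # patched by a module GMER could attribute
            elif kernel:
                sev = "HIGH"      # kernel code patched, target in no named module
            else:
                sev = "MEDIUM"    # user-mode patch into unnamed memory
            findings.append((sev, f"inline {inl['kind']} in {inl['where']} at {inl['addr']} -> {inl['target']} ({owner or 'target in no named module'})"))
    return findings


if __name__ == "__main__":
    for severity, finding in triage_gmer(SAMPLE_GMER):
        print(f"{severity:6} {finding}")
```

The two-pass structure matters: the "? spgw.sys ... cannot find the file" line can appear before or after the IAT entries that point into it, so the set of missing drivers is collected first and the hooks are graded against it afterwards. On the constructed sample the AOL entry is the only INFO, the Explorer hook the only MEDIUM, and everything touching ntkrnlpa.exe or spgw.sys is HIGH.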

Re: Nasty Virus. Help Appreciated.

Post by robosheikh on 19th August 2009, 11:13 pm

GMER 1.0.15.15077 [ntt823bx.exe] - [You must be registered and logged in to see this link.]
Rootkit scan 2009-08-19 16:12:05
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

INT 0x62 ? 84B8DBF8
INT 0x63 ? 849E9BF8
INT 0x63 ? 849E9BF8
INT 0x83 ? 84B8DBF8
INT 0x84 ? 849E9BF8
INT 0xA4 ? 849E9BF8
INT 0xB4 ? 849E9BF8
INT 0xB4 ? 849E9BF8

Code 8441DE88 ZwEnumerateKey
Code 8444E280 ZwFlushInstructionCache
Code 844415C6 ZwSaveKey
Code 8441DEBE ZwSaveKeyEx
Code 844415FE IofCallDriver
Code 84400296 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EE136 5 Bytes JMP 84441603
.text ntkrnlpa.exe!IofCompleteRequest 804EE1C6 5 Bytes JMP 8440029B
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805ABA9C 5 Bytes JMP 8444E284
PAGE ntkrnlpa.exe!ZwSaveKey 80618320 5 Bytes JMP 844415CA
PAGE ntkrnlpa.exe!ZwSaveKeyEx 806183B0 5 Bytes JMP 8441DEC2
PAGE ntkrnlpa.exe!ZwEnumerateKey 8061A6B6 5 Bytes JMP 8441DE8C
? spgw.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F667E68E 5 Bytes JMP 849E91D8

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[1404] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 00A1000A

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F72C3040] spgw.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F72C313C] spgw.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F72C30BE] spgw.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F72C37FC] spgw.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F72C36D2] spgw.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F72D3048] spgw.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\AIM6\aim6.exe[2244] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9E78] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2244] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9F05] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2244] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9D64] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2244] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2244] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2244] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [6BFA9D64] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2244] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9F05] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2244] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9F05] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2244] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2244] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9D64] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2244] @ C:\WINDOWS\system32\MSVCRT.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9F05] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2244] @ C:\WINDOWS\system32\MSVCRT.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2244] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9E78] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2244] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2244] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9F05] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2244] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9D64] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2244] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9F05] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2244] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9E78] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2244] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2244] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9D64] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2244] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2244] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9D64] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2244] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9E78] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2244] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9DEB] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2244] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9F05] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2244] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9F05] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2244] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9DEB] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2244] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9E78] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2244] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW]


Post by robosheikh on 19th August 2009, 11:13 pm

[6BFA9D64] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2244] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2244] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9F05] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2244] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9DEB] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2244] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryW] [6BFA9D64] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2244] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2244] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2244] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9F05] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2244] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9DEB] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2244] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9E78] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2244] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9F05] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2244] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2244] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9D64] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2244] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9E78] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2244] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9DEB] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3352] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9E78] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3352] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9F05] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3352] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9D64] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3352] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3352] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3352] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [6BFA9D64] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3352] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9F05] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3352] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9F05] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3352] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3352] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9D64] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3352] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9F05] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3352] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3352] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9E78] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3352] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3352] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9F05] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3352] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9D64] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3352] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9F05] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3352] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9E78] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3352] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3352] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9D64] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3352] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9F05] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3352] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9DEB] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3352] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9E78] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3352] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6BFA9D64] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3352] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3352] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9F05] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3352] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9DEB] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3352] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryW] [6BFA9D64] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3352] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3352] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3352] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9F05] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3352] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9DEB] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3352] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9E78] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3352] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3352] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9D64] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3352] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9E78] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3352] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9DEB] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3352] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9F05] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3352] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9F05] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3352] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3352] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9D64] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3352] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9E78] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3352] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9DEB] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)

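The two posts above list the same kind of GMER finding many times over: an import-address-table entry whose target has been redirected into another module. What an analyst actually wants from that wall of lines is a count of distinct hooking modules, which processes each one lives in, and which imports it patches. The block below is an added example, not part of GMER or of this thread's logs, that parses both line shapes GMER prints (the kernel form `IAT driver[HAL.dll!Func] [addr] hooker.sys` and the user form `IAT proc[pid] @ module [dll!Func] [addr] hooker (description)`) and groups them. The sample lines are copied from the log above, plus one header line the parser must ignore; the regexes are an assumption about GMER's format derived from those lines.

```python
"""Triage helper for GMER 'IAT/EAT' hook lines.  Groups every hook by the
module that owns the hook address so an analyst can see how many distinct
hooking modules there are, which processes they sit in and which imports
they patch.  Added example, not GMER's own code."""
import re
from collections import defaultdict

# Kernel form:  IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F72C36D2] spgw.sys
KERNEL_IAT = re.compile(
    r"^IAT (?P<target>\S+)\[(?P<imp>[^\]]+)\] \[(?P<addr>[0-9A-Fa-f]+)\] (?P<hooker>\S+)$"
)
# User form:    IAT <proc>[<pid>] @ <module> [<dll>!<func>] [<addr>] <hooker> (<description>)
USER_IAT = re.compile(
    r"^IAT (?P<proc>.+?)\[(?P<pid>\d+)\] @ (?P<module>.+?) \[(?P<imp>[^\]]+)\] "
    r"\[(?P<addr>[0-9A-Fa-f]+)\] (?P<hooker>.+?)(?: \((?P<desc>[^()]*)\))?$"
)


def parse_iat_line(line):
    """Return one hook record, or None when the line is not an IAT entry."""
    line = line.strip()
    m = USER_IAT.match(line)
    if m:
        return {"space": "user", "target": f"{m['proc']}[{m['pid']}]",
                "module": m["module"], "import": m["imp"],
                "addr": int(m["addr"], 16), "hooker": m["hooker"],
                "desc": m["desc"] or ""}
    m = KERNEL_IAT.match(line)
    if m:
        return {"space": "kernel", "target": m["target"], "module": m["target"],
                "import": m["imp"], "addr": int(m["addr"], 16),
                "hooker": m["hooker"], "desc": ""}
    return None


def summarize_hooks(lines):
    """{hooker module: {space, targets, imports, addrs, count, desc}}."""
    out = defaultdict(lambda: {"space": set(), "targets": set(), "imports": set(),
                               "addrs": set(), "count": 0, "desc": ""})
    for line in lines:
        h = parse_iat_line(line)
        if h is None:
            continue
        e = out[h["hooker"]]
        e["space"].add(h["space"])
        e["targets"].add(h["target"])
        e["imports"].add(h["import"])
        e["addrs"].add(h["addr"])
        e["count"] += 1
        if h["desc"]:
            e["desc"] = h["desc"]
    return dict(out)


def addresses_by_import(lines):
    """{import name: set of hook addresses}.  One address per import, whatever
    the importing module, is consistent with a single detour function per API;
    differing addresses for the same import deserve a closer look."""
    out = defaultdict(set)
    for line in lines:
        h = parse_iat_line(line)
        if h is not None:
            out[h["import"]].add(h["addr"])
    return dict(out)


# Sample lines copied from the GMER log in this thread, plus one header line
# that the parser must ignore.
SAMPLE_LINES = [
    r"---- User IAT/EAT - GMER 1.0.15 ----",
    r"IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F72C36D2] spgw.sys",
    r"IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F72D3048] spgw.sys",
    r"IAT C:\Program Files\AIM6\aim6.exe[2244] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9E78] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)",
    r"IAT C:\Program Files\AIM6\aim6.exe[2244] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9F05] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)",
    r"IAT C:\Program Files\AIM6\aolsoftware.exe[3352] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)",
    r"IAT C:\Program Files\AIM6\aolsoftware.exe[3352] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)",
]


if __name__ == "__main__":
    for hooker, e in summarize_hooks(SAMPLE_LINES).items():
        print(f"{hooker}  [{'/'.join(sorted(e['space']))}]  {e['count']} hooks, "
              f"{len(e['targets'])} targets, {len(e['imports'])} imports  {e['desc']}")
```

Run against the full log above, the user-mode lines collapse to one hooking module (the AOL diagnostics DLL, in AOL's own two processes, patching the LoadLibrary family and SetUnhandledExceptionFilter at one address per API), while the kernel lines all point at spgw.sys. That is the shape of the data the helper posts are reacting to; whether any given hooker is expected on the machine is still the analyst's call.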

Post by robosheikh on 19th August 2009, 11:14 pm

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 84B8B1F8

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\usbohci \Device\USBPDO-0 849E81F8
Device \Driver\usbohci \Device\USBPDO-1 849E81F8
Device \Driver\usbohci \Device\USBPDO-2 849E81F8
Device \Driver\usbohci \Device\USBPDO-3 849E81F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{10855D63-1B7D-49F0-AB6E-CD3270B6BFDB} 844331F8
Device \Driver\usbohci \Device\USBPDO-4 849E81F8
Device \Driver\usbehci \Device\USBPDO-5 849B01F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 84B8E1F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 84B8E1F8
Device \Driver\Cdrom \Device\CdRom0 849A41F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 84B8D1F8
Device \Driver\atapi \Device\Ide\IdePort0 84B8D1F8
Device \Driver\atapi \Device\Ide\IdePort1 84B8D1F8
Device \Driver\atapi \Device\Ide\IdePort2 84B8D1F8
Device \Driver\atapi \Device\Ide\IdePort3 84B8D1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-12 84B8D1F8

---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A2E13166-1034-33A3-B6D8-36EF6E2DAE57}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A2E13166-1034-33A3-B6D8-36EF6E2DAE57}@iapfgohkfafpjlceco 0x69 0x61 0x6E 0x6F ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A2E13166-1034-33A3-B6D8-36EF6E2DAE57}@hafgaplccoilflco 0x69 0x61 0x6E 0x6F ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: copy of MBR
Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

---- EOF - GMER 1.0.15 ----


Post by Belahzur on 20th August 2009, 12:31 am

Please download [You must be registered and logged in to see this link.] to your desktop.
Double click on the MBR.exe to run it. A log will be produced, named MBR.log.
Please open this log in Notepad and post its contents in your next reply.



Post by robosheikh on 20th August 2009, 12:48 am

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

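The two MBR-related sections above (GMER's "Disk sectors" list, and the Stealth MBR detector's "user & kernel MBR OK" verdict) rest on two simple checks. The block below is an added example, not code from GMER or from the detector, that runs both on a constructed 64-sector disk image: it parses the MBR layout, lists which track-0 sectors are byte copies of sector 0, and compares two copies of the MBR the way the user-versus-kernel check does. The partition values, boot-code stubs and copy positions are constructed; on a real machine the "kernel" copy comes from the tool's own driver, which this script cannot reproduce.

```python
"""Two checks behind the log sections above, re-implemented on a constructed
disk image: GMER's 'copy of MBR' sector scan and the Stealth MBR detector's
comparison of the MBR as seen through two read paths.  Added example; not
code from GMER or from the detector."""
import struct

SECTOR = 512
PART_FMT = "<B3sB3sII"      # flag, CHS start, type, CHS end, LBA start, sector count
NO_CHS = b"\xfe\xff\xff"    # CHS filler meaning 'use the LBA fields' (assumption)


def build_mbr(boot_code, partitions):
    """Assemble a 512-byte MBR: 446 bytes of boot code, four 16-byte partition
    entries, 0x55AA signature.  partitions: [(bootable, type, lba_start, sectors)]."""
    body = boot_code.ljust(446, b"\x00")[:446]
    table = b""
    for i in range(4):
        if i < len(partitions):
            bootable, ptype, start, size = partitions[i]
            table += struct.pack(PART_FMT, 0x80 if bootable else 0, NO_CHS, ptype, NO_CHS, start, size)
        else:
            table += b"\x00" * 16
    return body + table + b"\x55\xaa"


def parse_mbr(sector):
    """Validate the signature and return boot code plus the used partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        flag, _, ptype, _, start, size = struct.unpack(PART_FMT, sector[off:off + 16])
        if ptype:
            parts.append({"bootable": flag == 0x80, "type": ptype,
                          "lba_start": start, "sectors": size})
    return {"boot_code": sector[:446], "partitions": parts}


def is_valid_mbr(sector):
    try:
        parse_mbr(sector)
        return True
    except ValueError:
        return False


def mbr_copies(disk, track_sectors=64):
    """Sector numbers in 1..track_sectors-1 that are byte-identical to sector 0,
    i.e. the 'copy of MBR' finding in GMER's disk-sector section."""
    mbr = disk[:SECTOR]
    last = min(track_sectors, len(disk) // SECTOR)
    return [n for n in range(1, last) if disk[n * SECTOR:(n + 1) * SECTOR] == mbr]


def compare_views(user_mbr, kernel_mbr):
    """Core of the user-vs-kernel MBR check: the sector returned through the
    normal, filterable read path must equal the one the tool's driver reads
    directly.  Returns (ok, offset of first differing byte or None)."""
    if user_mbr == kernel_mbr:
        return True, None
    for i, (a, b) in enumerate(zip(user_mbr, kernel_mbr)):
        if a != b:
            return False, i
    return False, min(len(user_mbr), len(kernel_mbr))


# --- constructed sample data (not from the machine in this thread) ---
PARTS = [(True, 0x07, 63, 110_000_000)]                          # one bootable NTFS partition
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c", PARTS)
TAMPERED_MBR = build_mbr(b"\xeb\x3c\x90" + b"\x90" * 16, PARTS)   # same table, different code


def make_disk(mbr, copy_at=(10, 11, 57, 63), track_sectors=64):
    """Track 0 with sector 0 = mbr, distinct filler elsewhere, MBR copies at copy_at."""
    sectors = [mbr] + [bytes([n]) * SECTOR for n in range(1, track_sectors)]
    for n in copy_at:
        sectors[n] = mbr
    return b"".join(sectors)


if __name__ == "__main__":
    disk = make_disk(CLEAN_MBR)
    print("partitions:", parse_mbr(CLEAN_MBR)["partitions"])
    print("copies of MBR in track 0:", mbr_copies(disk))
    print("user vs kernel, clean:", compare_views(CLEAN_MBR, CLEAN_MBR))
    print("user vs kernel, hidden:", compare_views(CLEAN_MBR, TAMPERED_MBR))
```

Read the two findings together, as the thread does: the sector scan only says which track-0 sectors repeat the MBR, and the read-path comparison only says whether something between the application and the disk is rewriting what the MBR looks like. In this case the second check came back clean.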

Post by Belahzur on 20th August 2009, 7:32 pm

Download Dr.Web CureIt to the desktop:
[You must be registered and logged in to see this link.]

  • Double-click the launch.exe or cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory; when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, just let it cure whatever it finds...
    o Now, go to Settings >> Change Settings
    o Go to the Actions tab >> under the Objects section, change the settings to those below
    Infected objects - Cure
    Incurable objects - Report
    Suspicious objects - Report
    o Don't change any other settings
  • Start the scan again. This time, choose Complete Scan
  • Click the green arrow button at the right, and the scan will start.
  • After the scan has finished, click Select all
  • Click on Cure and choose Report incurable (meaning take no action: don't "move", "rename" or "delete")
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your Desktop. The report will be called DrWeb.csv
  • Post DrWeb.csv in your next reply (open it in Notepad). Do NOT reboot the computer yet.



Post by robosheikh on 20th August 2009, 10:52 pm

xxx.exe\SmitfraudFix\Process.exe;C:\Documents and Settings\Administrator\Desktop\xxx.exe;Tool.Prockill;;
xxx.exe\SmitfraudFix\restart.exe;C:\Documents and Settings\Administrator\Desktop\xxx.exe;Tool.ShutDown.14;;
xxx.exe;C:\Documents and Settings\Administrator\Desktop;Archive contains infected objects;;
sprtsync.dll;C:\Program Files\Dell Support Center\bin;Probably DLOADER.Trojan;;
SmitfraudFix.exe\SmitfraudFix\Process.exe;C:\_OTM\MovedFiles\08172009_135731\SmitfraudFix.exe;Tool.Prockill;;
SmitfraudFix.exe\SmitfraudFix\restart.exe;C:\_OTM\MovedFiles\08172009_135731\SmitfraudFix.exe;Tool.ShutDown.14;;
SmitfraudFix.exe;C:\_OTM\MovedFiles\08172009_135731;Archive contains infected objects;;


Post by Belahzur on 21st August 2009, 2:22 pm

Hello.
Still having problems now? The redirect issue doesn't appear to be malware.

Dr.Web is quite aggressive, and if something was causing it, it would have found it.
We can try using some Firefox add-ons to stop it.



Post by robosheikh on 21st August 2009, 3:22 pm

Yes, STILL getting redirected! To places like chinawow.com.

It's frustrating.

Firefox add-ons?


Post by Origin on 21st August 2009, 3:39 pm

Download [You must be registered and logged in to see this link.] by OldTimer to your Desktop.

  • Close all windows and double click OTListIt2.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTListIt2.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.



Post by robosheikh on 21st August 2009, 4:53 pm

OTL logfile created on: 8/21/2009 9:46:41 AM - Run 1
OTL by OldTimer - Version 3.0.10.7 Folder = C:\Documents and Settings\Chelsea\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

445.98 Mb Total Physical Memory | 193.38 Mb Available Physical Memory | 43.36% Memory free
1.03 Gb Paging File | 0.74 Gb Available in Paging File | 71.76% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 52.82 Gb Total Space | 16.85 Gb Free Space | 31.90% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CHELSEA
Current User Name: Chelsea
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2006/10/11 10:37:24 | 00,430,080 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\Ati2evxx.exe
PRC - [2006/10/11 10:37:24 | 00,430,080 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\Ati2evxx.exe
PRC - [2005/12/19 13:08:42 | 00,018,944 | ---- | M] () -- C:\WINDOWS\System32\WLTRYSVC.EXE
PRC - [2005/12/19 13:08:40 | 01,200,128 | ---- | M] (Dell Inc.) -- C:\WINDOWS\System32\bcmwltry.exe
PRC - [2009/02/25 19:18:14 | 00,425,080 | ---- | M] (Emsi Software GmbH) -- C:\Program Files\a-squared Free\a2service.exe
PRC - [2009/07/09 12:22:18 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2007/06/13 03:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
PRC - [2006/09/22 09:47:54 | 00,761,947 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PRC - [2007/02/20 10:29:08 | 01,191,936 | ---- | M] (Dell Inc) -- C:\Program Files\Dell\QuickSet\quickset.exe
PRC - [2005/12/19 13:08:42 | 01,347,584 | ---- | M] (Dell Inc.) -- C:\WINDOWS\System32\WLTRAY.exe
PRC - [2006/09/22 09:06:26 | 00,282,624 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe
PRC - [2005/12/09 18:29:52 | 00,049,152 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
PRC - [2006/01/02 14:41:22 | 00,045,056 | ---- | M] (ATI Technologies Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
PRC - [2009/04/12 13:22:12 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/04/14 19:52:55 | 00,198,160 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2009/07/13 14:03:10 | 00,292,128 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2007/03/15 10:09:36 | 00,460,784 | ---- | M] (Gteko Ltd.) -- C:\Program Files\DellSupport\DSAgnt.exe
PRC - [2006/11/13 13:39:52 | 01,289,000 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\wcescomm.exe
PRC - [2009/07/09 13:07:14 | 00,049,968 | ---- | M] (AOL LLC) -- C:\Program Files\AIM6\aim6.exe
PRC - [2003/10/29 00:06:00 | 00,024,576 | ---- | M] (BVRP Software) -- C:\Program Files\Digital Line Detect\DLG.exe
PRC - [2009/04/12 13:22:12 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2005/03/14 12:05:02 | 00,069,632 | ---- | M] (HP) -- C:\WINDOWS\System32\HPZipm12.exe
PRC - [2006/11/13 13:39:34 | 00,199,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\rapimgr.exe
PRC - [2008/11/06 10:33:00 | 00,041,264 | ---- | M] (AOL LLC) -- C:\Program Files\AIM6\aolsoftware.exe
PRC - [2009/07/13 14:02:50 | 00,542,496 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2004/08/04 03:00:00 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wscntfy.exe
PRC - [2009/02/06 02:41:05 | 00,227,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wbem\wmiprvse.exe
PRC - [2006/01/02 14:41:22 | 00,045,056 | ---- | M] (ATI Technologies Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
PRC - [2009/08/21 09:46:24 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Chelsea\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2009/02/25 19:18:14 | 00,425,080 | ---- | M] (Emsi Software GmbH) -- C:\Program Files\a-squared Free\a2service.exe -- (a2free [Auto | Running])
SRV - [2009/07/09 12:22:18 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
SRV - [2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2006/10/11 10:37:24 | 00,430,080 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\Ati2evxx.exe -- (Ati HotKey Poller [Auto | Running])
SRV - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
SRV - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [Auto | Running])
SRV - [2007/03/19 10:44:44 | 00,070,656 | ---- | M] () -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService [On_Demand | Stopped])
SRV - [2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2008/07/31 15:16:28 | 00,136,120 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [On_Demand | Stopped])
SRV - [2004/08/04 03:00:00 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2009/07/13 14:02:50 | 00,542,496 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Running])
SRV - [2009/04/12 13:22:12 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2005/03/14 12:05:02 | 00,069,632 | ---- | M] (HP) -- C:\WINDOWS\System32\HPZipm12.exe -- (Pml Driver HPZ12 [Auto | Running])
SRV - [2005/12/19 13:08:42 | 00,018,944 | ---- | M] () -- C:\WINDOWS\System32\WLTRYSVC.EXE -- (wltrysvc [Auto | Running])
SRV - [2006/10/18 21:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services (SafeList) ==========


Re: Nasty Virus. Help Appreciated.

Post by robosheikh on 21st August 2009, 4:53 pm

DRV - [2001/08/17 11:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde [Disabled | Stopped])
DRV - [2004/08/03 21:07:44 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp [Disabled | Stopped])
DRV - [2006/07/01 20:39:40 | 00,036,864 | ---- | M] (Advanced Micro Devices) -- C:\WINDOWS\System32\DRIVERS\AmdK8.sys -- (AmdK8 [System | Running])
DRV - [2005/08/12 14:50:46 | 00,016,128 | ---- | M] (Dell Inc) -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS -- (APPDRV [System | Running])
DRV - [2001/08/17 11:52:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc [Disabled | Stopped])
DRV - [2001/08/17 11:51:58 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550 [Disabled | Stopped])
DRV - [2006/10/11 10:43:56 | 01,777,152 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\DRIVERS\ati2mtag.sys -- (ati2mtag [On_Demand | Running])
DRV - [2005/11/02 17:24:34 | 00,424,320 | ---- | M] (Broadcom Corporation) -- C:\WINDOWS\System32\DRIVERS\bcmwl5.sys -- (BCM43XX [On_Demand | Running])
DRV - [2006/08/17 11:55:16 | 00,044,544 | ---- | M] (Broadcom Corporation) -- C:\WINDOWS\System32\DRIVERS\bcm4sbxp.sys -- (bcm4sbxp [On_Demand | Running])
DRV - [2001/08/17 11:51:54 | 00,006,656 | ---- | M] (CMD Technology, Inc.) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde [Disabled | Stopped])
DRV - [2001/08/17 11:52:16 | 00,179,584 | ---- | M] (Mylex Corporation) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k [Disabled | Stopped])
DRV - [2006/10/05 15:07:28 | 00,004,736 | ---- | M] (Gteko Ltd.) -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSproct [On_Demand | Running])
DRV - [2007/02/25 10:10:48 | 00,005,376 | --S- | M] (Gteko Ltd.) -- C:\WINDOWS\System32\DRIVERS\dsunidrv.sys -- (dsunidrv [Auto | Running])
DRV - [2001/08/17 10:12:10 | 00,117,760 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\e100b325.sys -- (E100B [On_Demand | Stopped])
DRV - [2007/11/14 15:11:46 | 00,395,312 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl [System | Running])
DRV - [2009/03/19 16:32:48 | 00,023,400 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\System32\DRIVERS\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
DRV - [2004/08/12 15:45:54 | 00,137,728 | ---- | M] (Windows (R) Server 2003 DDK provider) -- C:\WINDOWS\System32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])
DRV - [2005/12/01 05:40:56 | 00,936,960 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\System32\DRIVERS\HSX_DPV.sys -- (HSF_DPV [On_Demand | Running])
DRV - [2005/12/01 05:40:12 | 00,192,512 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\System32\DRIVERS\HSXHWAZL.sys -- (HSXHWAZL [On_Demand | Running])
DRV - [2005/10/05 02:57:08 | 00,012,544 | ---- | M] (Conexant) -- C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys -- (mdmxsdk [Auto | Running])
DRV - [2001/08/17 11:52:12 | 00,017,280 | ---- | M] (American Megatrends Inc.) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x [Disabled | Stopped])
DRV - [2004/08/03 20:29:56 | 01,897,408 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\DRIVERS\nv4_mini.sys -- (nv [On_Demand | Stopped])
DRV - [2006/09/26 14:29:08 | 00,166,400 | ---- | M] (Novatel Wireless Inc) -- C:\WINDOWS\System32\DRIVERS\NWADIenum.sys -- (NWADI [On_Demand | Stopped])
DRV - [2006/09/14 17:45:32 | 00,092,160 | ---- | M] (Novatel Wireless Inc.) -- C:\WINDOWS\System32\DRIVERS\nwusbmdm.sys -- (NWUSBModem [On_Demand | Stopped])
DRV - [2006/09/14 17:45:32 | 00,092,160 | ---- | M] (Novatel Wireless Inc.) -- C:\WINDOWS\System32\DRIVERS\nwusbser.sys -- (NWUSBPort [On_Demand | Stopped])
DRV - [2006/09/14 17:45:32 | 00,092,160 | ---- | M] (Novatel Wireless Inc.) -- C:\WINDOWS\System32\DRIVERS\nwusbser2.sys -- (NWUSBPort2 [On_Demand | Stopped])
DRV - [2004/08/04 03:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2008/07/31 15:17:04 | 00,043,872 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2001/08/17 11:52:20 | 00,040,320 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080 [Disabled | Stopped])
DRV - [2001/08/17 11:52:20 | 00,045,312 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160 [Disabled | Stopped])
DRV - [2001/08/17 11:52:18 | 00,049,024 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280 [Disabled | Stopped])
DRV - [2005/07/14 21:58:14 | 00,028,544 | ---- | M] (REDC) -- C:\WINDOWS\System32\DRIVERS\rimmptsk.sys -- (rimmptsk [On_Demand | Running])
DRV - [2007/11/13 03:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2004/08/03 21:07:44 | 00,041,088 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp [Disabled | Stopped])
DRV - [2001/08/17 12:07:44 | 00,019,072 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow [Disabled | Stopped])
DRV - [2008/03/20 07:31:58 | 00,717,296 | ---- | M] () -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd [Boot | Running])
DRV - [2006/09/22 09:06:26 | 01,171,464 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\System32\drivers\sthda.sys -- (STHDA [On_Demand | Running])
DRV - [2001/08/17 12:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.) -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810 [Disabled | Stopped])
DRV - [2001/08/17 12:07:36 | 00,032,640 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx [Disabled | Stopped])
DRV - [2001/08/17 12:07:40 | 00,028,384 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi [Disabled | Stopped])
DRV - [2001/08/17 12:07:42 | 00,030,688 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3 [Disabled | Stopped])
DRV - [2006/09/22 09:47:52 | 00,191,872 | ---- | M] (Synaptics, Inc.) -- C:\WINDOWS\System32\DRIVERS\SynTP.sys -- (SynTP [On_Demand | Running])
DRV - [2007/12/24 17:37:00 | 00,138,384 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys -- (tmcomm [Auto | Running])
DRV - [2001/08/17 11:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.) -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra [Disabled | Stopped])
DRV - [2005/10/20 18:47:05 | 00,012,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\usb8023x.sys -- (usb_rndisx [On_Demand | Stopped])
DRV - [2005/12/01 05:40:08 | 00,669,696 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\System32\DRIVERS\HSX_CNXT.sys -- (winachsf [On_Demand | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = [You must be registered and logged in to see this link.]

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


Re: Nasty Virus. Help Appreciated.

Post by robosheikh on 21st August 2009, 4:54 pm

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.blackle.com/"
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:0.3.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}:6.0.13
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.0
FF - prefs.js..extensions.enabledItems: {dd68c513-9296-4b63-8d8b-8f1c991c8a48}:0.1.7.3
FF - prefs.js..extensions.enabledItems: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}:20090414
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.0.4
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.2

FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/04/12 13:22:15 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/08/21 08:46:05 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/08/20 13:32:52 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/08/19 09:57:15 | 00,000,000 | ---D | M]

[2009/03/20 17:53:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Chelsea\Application Data\mozilla\Extensions
[2008/06/18 13:40:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Chelsea\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/03/20 17:53:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Chelsea\Application Data\mozilla\Extensions\mozswing@mozswing.org
[2009/08/21 09:40:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Chelsea\Application Data\mozilla\Firefox\Profiles\ljlifddr.default\extensions
[2009/07/25 22:44:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Chelsea\Application Data\mozilla\Firefox\Profiles\ljlifddr.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
[2009/04/10 07:52:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Chelsea\Application Data\mozilla\Firefox\Profiles\ljlifddr.default\extensions\{dd68c513-9296-4b63-8d8b-8f1c991c8a48}
[2009/02/04 08:12:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Chelsea\Application Data\mozilla\Firefox\Profiles\ljlifddr.default\extensions\anycolor.pavlos256@gmail(2).com
[2009/07/23 19:02:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Chelsea\Application Data\mozilla\Firefox\Profiles\ljlifddr.default\extensions\anycolor.pavlos256@gmail.com
[2009/07/23 19:02:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Chelsea\Application Data\mozilla\Firefox\Profiles\ljlifddr.default\extensions\youtube2mp3@mondayx.de
[2009/08/21 08:12:33 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/08/18 20:07:16 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/04/12 13:22:45 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
[2009/07/30 04:26:53 | 00,023,544 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/07/30 04:26:54 | 00,137,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2007/04/10 18:21:08 | 00,163,256 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\np-mswmp.dll
[2008/08/06 16:22:02 | 00,114,688 | ---- | M] (Adobe Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\np32dsw.dll
[2009/04/12 13:22:13 | 00,410,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeploytk.dll
[2005/12/05 23:31:00 | 00,114,688 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\npmozax.dll
[2009/07/30 04:26:55 | 00,065,016 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2007/05/10 22:52:34 | 00,095,864 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\mozilla firefox\plugins\nppdf32.dll
[2009/08/19 09:57:15 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin.dll
[2009/08/19 09:57:15 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll
[2009/08/19 09:57:15 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll
[2009/08/19 09:57:15 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll
[2009/08/19 09:57:15 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll
[2009/08/19 09:57:15 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll
[2009/08/19 09:57:15 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll
[2007/04/16 10:07:12 | 00,180,293 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\npViewpoint.dll
[2009/07/30 00:24:20 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/07/30 00:24:20 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/07/30 00:24:20 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/07/30 00:24:20 | 00,002,344 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/07/30 00:24:20 | 00,002,371 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/07/30 00:24:20 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/07/30 00:24:20 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Microsoft Online Helper!) - {85B91C6B-1ECA-4EE2-962D-857516C30730} - C:\WINDOWS\System32\klypnzjnedd.dll ()
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - No CLSID value found.
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ATICCC] C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe ()
O4 - HKLM..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\System32\WLTRAY.exe (Dell Inc.)
O4 - HKLM..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc)
O4 - HKLM..\Run: [dscactivate] c:\dell\dsca.exe ( )
O4 - HKLM..\Run: [DVDLauncher] C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe (CyberLink Corp.)
O4 - HKLM..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe ( )
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKCU..\Run: [Aim6] C:\Program Files\AIM6\aim6.exe (AOL LLC)
O4 - HKCU..\Run: [DellSupport] C:\Program Files\DellSupport\DSAgnt.exe (Gteko Ltd.)
O4 - HKCU..\Run: [H/PC Connection Agent] C:\Program Files\Microsoft ActiveSync\wcescomm.exe (Microsoft Corporation)
O4 - HKCU..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe ()
O4 - HKCU..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 33 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: 32 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_13)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} [You must be registered and logged in to see this link.] (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\cdo {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\Ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 11:04:08 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O34 - HKLM BootExecute: (lsdelete) - File not found


Re: Nasty Virus. Help Appreciated.

Post by robosheikh on 21st August 2009, 4:54 pm

========== Files/Folders - Created Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[1 C:\Documents and Settings\Chelsea\My Documents\*.tmp files]
[2009/08/21 09:46:23 | 00,514,048 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Chelsea\Desktop\OTL.exe
[2009/08/21 09:17:38 | 00,042,496 | ---- | C] () -- C:\WINDOWS\System32\sys.dat
[2009/08/21 08:39:09 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\XPSViewer
[2009/08/21 08:38:43 | 00,000,000 | ---D | C] -- C:\Program Files\MSBuild
[2009/08/21 08:38:36 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\en-US
[2009/08/21 08:38:25 | 00,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2009/08/21 08:37:00 | 00,117,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\prntvpt.dll
[2009/08/21 08:37:00 | 00,089,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\filterpipelineprintproc.dll
[2009/08/21 08:36:59 | 01,676,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpssvcs.dll
[2009/08/21 08:36:59 | 01,676,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpssvcs.dll
[2009/08/21 08:36:59 | 00,597,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\printfilterpipelinesvc.exe
[2009/08/21 08:36:59 | 00,575,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpsshhdr.dll
[2009/08/21 08:36:59 | 00,575,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpsshhdr.dll
[2009/08/21 08:36:58 | 00,000,000 | ---D | C] -- C:\de300158e11208430eaf92334ea806
[2009/08/20 15:49:52 | 00,000,703 | ---- | C] () -- C:\Documents and Settings\Chelsea\My Documents\DrWeb.csv
[2009/08/20 14:39:10 | 06,785,366 | ---- | C] () -- C:\Documents and Settings\Chelsea\Desktop\01 Memories f. KiD CuDi.mp3
[2009/08/20 12:52:07 | 15,676,824 | ---- | C] (Doctor Web, Ltd.) -- C:\Documents and Settings\Chelsea\Desktop\cureit.exe
[2009/08/20 11:56:53 | 00,014,061 | ---- | C] () -- C:\Documents and Settings\Chelsea\Desktop\left.jpg
[2009/08/19 17:41:59 | 00,071,680 | ---- | C] () -- C:\Documents and Settings\Chelsea\Desktop\mbr.exe
[2009/08/19 15:58:17 | 46,770,9952 | -HS- | C] () -- C:\hiberfil.sys
[2009/08/19 12:37:52 | 01,896,972 | ---- | C] () -- C:\Documents and Settings\Chelsea\Desktop\the way you do it-little brother.mp3
[2009/08/19 12:26:05 | 01,267,735 | ---- | C] () -- C:\Documents and Settings\Chelsea\Desktop\Sa-Ra-And If.mp3
[2009/08/19 12:23:31 | 01,608,789 | ---- | C] () -- C:\Documents and Settings\Chelsea\Desktop\count bass d-neon soul.mp3
[2009/08/19 10:06:13 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Chelsea\Application Data\Apple Computer
[2009/08/19 10:05:41 | 00,002,137 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2009/08/19 10:05:35 | 00,107,368 | ---- | C] (GEAR Software Inc.) -- C:\WINDOWS\System32\GEARAspi.dll
[2009/08/19 10:05:35 | 00,023,400 | ---- | C] (GEAR Software Inc.) -- C:\WINDOWS\System32\drivers\GEARAspiWDM.sys
[2009/08/19 10:05:10 | 00,000,000 | ---D | C] -- C:\Program Files\iPod
[2009/08/19 10:04:58 | 00,000,000 | ---D | C] -- C:\Program Files\iTunes
[2009/08/19 10:04:58 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2009/08/19 10:04:22 | 00,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2009/08/19 10:03:38 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Apple
[2009/08/19 09:56:32 | 00,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2009/08/19 09:56:24 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2009/08/18 20:18:23 | 00,014,426 | ---- | C] () -- C:\Documents and Settings\Chelsea\Desktop\SUNP0546-11.jpg
[2009/08/17 13:57:31 | 00,000,000 | ---D | C] -- C:\_OTM
[2009/08/17 10:48:40 | 00,099,356 | ---- | C] () -- C:\Documents and Settings\Chelsea\Desktop\blahblahblah.jpg
[2009/08/16 19:13:09 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2009/08/16 15:52:11 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Chelsea\Application Data\LimeWire
[2009/08/16 15:50:51 | 00,000,000 | ---D | C] -- C:\Program Files\LimeWire
[2009/08/16 14:43:22 | 00,000,000 | --SD | C] -- C:\Combo-Fix
[2009/08/15 09:11:16 | 03,067,392 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\mshtml.dll
[2009/08/15 09:11:16 | 02,186,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ntoskrnl.exe
[2009/08/15 09:11:16 | 02,062,976 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ntkrnlpa.exe
[2009/08/15 09:11:16 | 01,580,544 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\sfcfiles.dll
[2009/08/15 09:11:16 | 01,033,216 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\explorer.exe
[2009/08/15 09:11:16 | 00,986,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\kernel32.dll
[2009/08/15 09:11:16 | 00,927,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\mfc40u.dll
[2009/08/15 09:11:16 | 00,792,064 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\comres.dll
[2009/08/15 09:11:16 | 00,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\comctl32.dll
[2009/08/15 09:11:16 | 00,574,464 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ntfs.sys
[2009/08/15 09:11:16 | 00,502,272 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\winlogon.exe
[2009/08/15 09:11:16 | 00,435,200 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ntmssvc.dll
[2009/08/15 09:11:16 | 00,407,040 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\netlogon.dll
[2009/08/15 09:11:16 | 00,401,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\rpcss.dll
[2009/08/15 09:11:16 | 00,382,464 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\qmgr.dll
[2009/08/15 09:11:16 | 00,360,320 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\tcpip.sys
[2009/08/15 09:11:16 | 00,295,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\termsrv.dll
[2009/08/15 09:11:16 | 00,182,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ndis.sys
[2009/08/15 09:11:16 | 00,180,224 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\scecli.dll
[2009/08/15 09:11:16 | 00,170,496 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\srsvc.dll
[2009/08/15 09:11:16 | 00,142,464 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\aec.sys
[2009/08/15 09:11:16 | 00,110,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\services.exe
[2009/08/15 09:11:16 | 00,110,080 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\imm32.dll
[2009/08/15 09:11:16 | 00,089,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\rasauto.dll
[2009/08/15 09:11:16 | 00,057,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\spoolsv.exe
[2009/08/15 09:11:16 | 00,051,224 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\wuauclt.exe
[2009/08/15 09:11:16 | 00,033,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\msgsvc.dll
[2009/08/15 09:11:16 | 00,029,056 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ip6fw.sys
[2009/08/15 09:11:16 | 00,024,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\userinit.exe
[2009/08/15 09:11:16 | 00,024,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\kbdclass.sys
[2009/08/15 09:11:16 | 00,022,016 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\lpk.dll
[2009/08/15 09:11:16 | 00,017,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\powrprof.dll
[2009/08/15 09:11:16 | 00,015,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ctfmon.exe
[2009/08/15 09:11:16 | 00,014,336 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\asyncmac.sys
[2009/08/15 09:11:16 | 00,013,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\wscntfy.exe
[2009/08/15 09:11:16 | 00,013,312 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\lsass.exe
[2009/08/15 09:11:16 | 00,011,648 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\acpiec.sys
[2009/08/15 09:11:16 | 00,005,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\sfc.dll
[2009/08/15 09:11:16 | 00,004,224 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\beep.sys
[2009/08/15 09:11:16 | 00,002,944 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\null.sys
[2009/08/15 09:11:15 | 00,667,648 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\wininet.dll
[2009/08/15 09:11:15 | 00,577,536 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\user32.dll
[2009/08/15 09:11:15 | 00,082,944 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ws2_32.dll
[2009/08/15 09:11:15 | 00,014,336 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\svchost.exe
[2009/08/15 09:11:15 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\dllcache\cache
[2009/08/14 16:37:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Chelsea\Local Settings\Application Data\WinZip
[2009/08/14 15:30:56 | 00,000,009 | ---- | C] () -- C:\WINDOWS\System32\bennuar.old
[2009/08/14 15:30:55 | 00,000,089 | ---- | C] () -- C:\WINDOWS\System32\sonhelp.htm
[2009/08/13 11:14:58 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Chelsea\Desktop\clutter
[2009/08/13 09:17:11 | 24,281,536 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/08/13 09:15:49 | 00,000,000 | ---D | C] -- C:\WINDOWS\ServicePackFiles
[2009/08/12 12:15:09 | 00,128,512 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\dhtmled.ocx
[2009/08/12 12:14:04 | 00,655,872 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mstscax.dll
[2009/08/08 17:41:30 | 00,019,968 | ---- | C] () -- C:\Documents and Settings\Chelsea\My Documents\documentunoo.doc
[2009/08/05 14:13:49 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2009/08/05 02:11:47 | 00,204,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mswebdvd.dll
[2009/08/03 12:08:30 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Chelsea\My Documents\Ableton
[2009/08/03 12:08:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Ableton
[2009/08/03 12:08:26 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Chelsea\Application Data\Ableton
[2009/08/03 12:06:53 | 00,233,472 | ---- | C] (Propellerhead Software AB) -- C:\WINDOWS\System32\REX Shared Library.dll
[2009/08/03 12:06:52 | 00,368,640 | ---- | C] (Propellerhead Software AB) -- C:\WINDOWS\System32\ReWire.dll
[2009/08/03 12:04:45 | 00,000,000 | ---D | C] -- C:\Program Files\Ableton
[2009/08/02 15:10:20 | 00,001,994 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\The Sims™ 2 Double Deluxe.lnk
[2009/08/02 14:47:59 | 00,000,000 | ---D | C] -- C:\Program Files\EA GAMES
[2009/08/01 12:42:25 | 00,019,968 | ---- | C] () -- C:\Documents and Settings\Chelsea\My Documents\thetourist.doc
[2009/07/27 15:51:13 | 00,019,968 | ---- | C] () -- C:\Documents and Settings\Chelsea\My Documents\document1.doc
[2009/07/25 22:59:17 | 00,000,563 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\mbam.lnk
[2009/07/25 22:59:13 | 00,038,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/07/25 22:59:10 | 00,019,096 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/07/25 22:59:09 | 00,000,000 | ---D | C] -- C:\Program Files\g
[2009/07/23 15:16:32 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Chelsea\Application Data\Exent Technologies
[2009/07/23 15:16:30 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Chelsea\My Documents\LDW
[2009/07/23 15:10:04 | 00,037,033 | ---- | C] () -- C:\WINDOWS\FRGT.ico
[2009/07/23 15:10:04 | 00,000,064 | ---- | C] () -- C:\WINDOWS\GPlrLanc.dat
[2009/07/23 15:09:51 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Free Ride Games
[2009/07/23 12:01:44 | 00,118,047 | ---- | C] () -- C:\Documents and Settings\Chelsea\Desktop\Image0011.jpg
[2009/04/30 20:18:23 | 00,001,205 | ---- | C] () -- C:\WINDOWS\hpntwksetup.ini
[2009/04/05 19:09:55 | 00,000,082 | ---- | C] () -- C:\WINDOWS\mp3spt.ini
[2009/04/05 16:12:10 | 00,000,000 | ---- | C] () -- C:\WINDOWS\SMMVSplitter.INI
[2009/02/11 20:37:03 | 00,000,272 | -H-- | C] () -- C:\WINDOWS\Picasa.ini
[2009/02/11 08:21:19 | 00,000,197 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2009/02/07 11:54:48 | 00,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2008/08/27 15:24:06 | 00,000,628 | ---- | C] () -- C:\WINDOWS\HEGAMES.INI
[2008/08/02 17:58:54 | 00,058,904 | ---- | C] () -- C:\WINDOWS\System32\sysfolderazipcnt.dll
[2008/08/02 17:58:54 | 00,058,904 | ---- | C] () -- C:\WINDOWS\System32\azipcontmn.dll
[2008/05/07 20:55:29 | 00,000,609 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/05/05 20:10:25 | 00,000,021 | ---- | C] () -- C:\WINDOWS\atid.ini
[2008/03/20 07:31:56 | 00,717,296 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2007/11/12 18:55:56 | 00,000,000 | ---- | C] () -- C:\WINDOWS\Game.INI
[2007/11/06 15:30:36 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/10/26 02:04:07 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2007/10/26 01:14:08 | 00,086,016 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2007/10/26 01:14:02 | 00,757,760 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2007/10/26 01:13:38 | 00,001,120 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004/08/10 11:12:05 | 00,000,882 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/10 11:01:18 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/08/10 10:51:28 | 00,000,707 | ---- | C] () -- C:\WINDOWS\win.ini
[2004/08/10 10:51:26 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2004/08/10 10:51:10 | 00,308,768 | ---- | C] () -- C:\WINDOWS\System32\klypnzjnedd.dll
[2004/08/10 10:51:09 | 00,081,920 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[2002/03/13 16:46:46 | 00,053,248 | R--- | C] () -- C:\WINDOWS\System32\zlib.dll
[2001/07/06 16:30:00 | 00,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

========== Files - Modified Within 30 Days ==========


Re: Nasty Virus. Help Appreciated.

Post by robosheikh on 21st August 2009, 4:54 pm

[1 C:\WINDOWS\System32\*.tmp files]
[1 C:\Documents and Settings\Chelsea\My Documents\*.tmp files]
[2009/08/21 09:46:24 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Chelsea\Desktop\OTL.exe
[2009/08/21 09:38:22 | 00,043,544 | ---- | M] () -- C:\Documents and Settings\Chelsea\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/08/21 09:38:11 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/08/21 09:38:02 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/08/21 09:37:51 | 46,770,9952 | -HS- | M] () -- C:\hiberfil.sys
[2009/08/21 09:37:51 | 00,189,000 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/08/21 09:17:38 | 00,042,496 | ---- | M] () -- C:\WINDOWS\System32\sys.dat
[2009/08/21 09:00:22 | 00,504,314 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/08/21 09:00:22 | 00,443,034 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/08/21 09:00:22 | 00,072,134 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/08/20 15:49:52 | 00,000,703 | ---- | M] () -- C:\Documents and Settings\Chelsea\My Documents\DrWeb.csv
[2009/08/20 14:39:32 | 06,785,366 | ---- | M] () -- C:\Documents and Settings\Chelsea\Desktop\01 Memories f. KiD CuDi.mp3
[2009/08/20 12:53:25 | 15,676,824 | ---- | M] (Doctor Web, Ltd.) -- C:\Documents and Settings\Chelsea\Desktop\cureit.exe
[2009/08/20 11:56:53 | 00,014,061 | ---- | M] () -- C:\Documents and Settings\Chelsea\Desktop\left.jpg
[2009/08/20 08:46:40 | 00,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2009/08/19 17:42:01 | 00,071,680 | ---- | M] () -- C:\Documents and Settings\Chelsea\Desktop\mbr.exe
[2009/08/19 15:01:26 | 04,303,686 | -H-- | M] () -- C:\Documents and Settings\Chelsea\Local Settings\Application Data\IconCache.db
[2009/08/19 12:38:35 | 01,896,972 | ---- | M] () -- C:\Documents and Settings\Chelsea\Desktop\the way you do it-little brother.mp3
[2009/08/19 12:26:58 | 01,608,789 | ---- | M] () -- C:\Documents and Settings\Chelsea\Desktop\count bass d-neon soul.mp3
[2009/08/19 12:26:29 | 01,267,735 | ---- | M] () -- C:\Documents and Settings\Chelsea\Desktop\Sa-Ra-And If.mp3
[2009/08/19 09:44:29 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/08/19 08:21:59 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/08/18 20:18:27 | 00,014,426 | ---- | M] () -- C:\Documents and Settings\Chelsea\Desktop\SUNP0546-11.jpg
[2009/08/18 20:07:21 | 00,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009/08/17 10:48:44 | 00,099,356 | ---- | M] () -- C:\Documents and Settings\Chelsea\Desktop\blahblahblah.jpg
[2009/08/15 18:30:25 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/08/15 18:29:43 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/08/14 15:43:28 | 00,000,563 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\mbam.lnk
[2009/08/14 15:30:56 | 00,000,009 | ---- | M] () -- C:\WINDOWS\System32\bennuar.old
[2009/08/14 15:30:55 | 00,000,089 | ---- | M] () -- C:\WINDOWS\System32\sonhelp.htm
[2009/08/08 17:41:31 | 00,019,968 | ---- | M] () -- C:\Documents and Settings\Chelsea\My Documents\documentunoo.doc
[2009/08/05 02:11:47 | 00,204,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mswebdvd.dll
[2009/08/05 02:11:47 | 00,204,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mswebdvd.dll
[2009/08/02 15:10:20 | 00,001,994 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\The Sims™ 2 Double Deluxe.lnk
[2009/08/02 14:39:21 | 00,019,968 | ---- | M] () -- C:\Documents and Settings\Chelsea\My Documents\document1.doc
[2009/08/01 12:42:26 | 00,019,968 | ---- | M] () -- C:\Documents and Settings\Chelsea\My Documents\thetourist.doc
[2009/07/29 17:49:16 | 24,281,536 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/07/27 15:40:13 | 00,128,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\dhtmled.ocx
[2009/07/25 23:25:02 | 00,011,168 | -H-- | M] () -- C:\WINDOWS\System32\ruvirolu
[2009/07/24 09:33:39 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/07/23 15:10:04 | 00,000,064 | ---- | M] () -- C:\WINDOWS\GPlrLanc.dat
[2009/07/23 12:07:04 | 00,118,047 | ---- | M] () -- C:\Documents and Settings\Chelsea\Desktop\Image0011.jpg
< End of report >


Re: Nasty Virus. Help Appreciated.

Post by robosheikh on 21st August 2009, 4:55 pm

OTL Extras logfile created on: 8/21/2009 9:46:41 AM - Run 1
OTL by OldTimer - Version 3.0.10.7 Folder = C:\Documents and Settings\Chelsea\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

445.98 Mb Total Physical Memory | 193.38 Mb Available Physical Memory | 43.36% Memory free
1.03 Gb Paging File | 0.74 Gb Available in Paging File | 71.76% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 52.82 Gb Total Space | 16.85 Gb Free Space | 31.90% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CHELSEA
Current User Name: Chelsea
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE File not found

[HKEY_CURRENT_USER\SOFTWARE\Classes\]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002
"8097:TCP" = 8097:TCP:*:Enabled:EarthLink UHP Modem Support
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

========== Authorized Applications List ==========


Re: Nasty Virus. Help Appreciated.

Post by robosheikh on 21st August 2009, 4:56 pm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- File not found
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0 -- File not found
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe" = C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe" = C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe" = C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader -- (AOL LLC)
"C:\Program Files\Microsoft Works\MSWorks.exe" = C:\Program Files\Microsoft Works\MSWorks.exe:*:Disabled:Microsoft Works Task Launcher -- (Microsoft® Corporation)
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Mozilla Firefox -- (Mozilla Corporation)
"C:\Program Files\AIM6\aim6.exe" = C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM -- (AOL LLC)
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe" = C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe" = C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe" = C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application -- (Microsoft Corporation)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java(TM) 6 Update 13
"{2C6C74C2-042F-4D36-B7B0-0C538FCF01AB}" = Dell DataSafe Online
"{2D37F6AE-D201-4580-B91A-6BF9BB93ED2D}" = The Sims™ 2 Double Deluxe
"{32A3A4F4-B792-11D6-A78A-00B0D0150180}" = J2SE Development Kit 5.0 Update 18
"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{62230596-37E5-4618-A329-0D21F529A86F}" = Browser Address Error Redirector
"{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}" = AOLIcon
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.7
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}" = DellSupport
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{90120409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Standard
"{99052DB7-9592-4522-A558-5417BBAD48EE}" = Microsoft ActiveSync
"{99ECF41F-5CCA-42BD-B8B8-A8333E2E2944}" = iTunes
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{B8C54AB1-7E1A-40E8-B794-EDB6E8921F3A}" = Dell Support Center
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C151CE54-E7EA-4804-854B-F515368B0798}" = AMD Processor Driver
"{C337BDAF-CB4E-47E2-BE1A-CB31BB7DD0E3}" = Apple Mobile Device Support
"{C4124E95-5061-4776-8D5D-E3D931C778E1}" = Microsoft VC9 runtime libraries
"{C5074CC4-0E26-4716-A307-960272A90040}" = QuickSet
"{C78EAC6F-7A73-452E-8134-DBB2165C5A68}" = QuickTime
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{E6963450-7577-4049-8793-2B66B85237C1}" = ATI Catalyst Control Center
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{FB64BF25-3593-4E4E-AA85-84AEF1D1475F}" = Broadcom Management Programs
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11
"AIM_6" = AIM 6
"AIM_7" = AIM 7
"a-squared Free_is1" = a-squared Free 4.0
"ATI Display Driver" = ATI Display Driver
"Audacity_is1" = Audacity 1.2.6
"Broadcom 802.11b Network Adapter" = Dell Wireless WLAN Card
"CCleaner" = CCleaner (remove only)
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3" = Conexant HDA D110 MDC V.92 Modem
"LAME for Audacity_is1" = LAME v3.98.2 for Audacity
"Live 7.0.16" = Live 7.0.16
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.2)" = Mozilla Firefox (3.5.2)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"My Tribe" = My Tribe (remove only)
"Picasa 3" = Picasa 3
"RealPlayer 6.0" = RealPlayer
"StreetPlugin" = Learn2 Player (Uninstall Only)
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"ViewpointMediaPlayer" = Viewpoint Media Player
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0


Re: Nasty Virus. Help Appreciated.

Post by robosheikh on 21st August 2009, 4:56 pm

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 8/15/2009 9:22:17 PM | Computer Name = CHELSEA | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 8/15/2009 9:22:17 PM | Computer Name = CHELSEA | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 8/15/2009 9:22:17 PM | Computer Name = CHELSEA | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 8/15/2009 9:23:06 PM | Computer Name = CHELSEA | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: A connection with the server could not be established

Error - 8/15/2009 9:23:35 PM | Computer Name = CHELSEA | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: A connection with the server could not be established

Error - 8/15/2009 9:23:36 PM | Computer Name = CHELSEA | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 8/15/2009 9:23:36 PM | Computer Name = CHELSEA | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 8/16/2009 8:05:24 PM | Computer Name = CHELSEA | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3498, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 8/19/2009 6:00:43 PM | Computer Name = CHELSEA | Source = Application Error | ID = 1000
Description = Faulting application ntt823bx.exe, version 1.0.15.15077, faulting
module ntt823bx.exe, version 1.0.15.15077, fault address 0x0000ce01.

Error - 8/19/2009 6:12:12 PM | Computer Name = CHELSEA | Source = Application Error | ID = 1000
Description = Faulting application ntt823bx.exe, version 1.0.15.15077, faulting
module ntt823bx.exe, version 1.0.15.15077, fault address 0x0000ce01.


Re: Nasty Virus. Help Appreciated.

Post by robosheikh on 21st August 2009, 4:56 pm

[ System Events ]
Error - 8/21/2009 12:38:28 PM | Computer Name = CHELSEA | Source = ati2mtag | ID = 43015
Description = I2c return failed

Error - 8/21/2009 12:38:28 PM | Computer Name = CHELSEA | Source = ati2mtag | ID = 43016
Description = Not an EDID device

Error - 8/21/2009 12:38:28 PM | Computer Name = CHELSEA | Source = ati2mtag | ID = 43015
Description = I2c return failed

Error - 8/21/2009 12:38:28 PM | Computer Name = CHELSEA | Source = ati2mtag | ID = 43015
Description = I2c return failed

Error - 8/21/2009 12:38:28 PM | Computer Name = CHELSEA | Source = ati2mtag | ID = 43016
Description = Not an EDID device

Error - 8/21/2009 12:38:28 PM | Computer Name = CHELSEA | Source = ati2mtag | ID = 43016
Description = Not an EDID device

Error - 8/21/2009 12:38:28 PM | Computer Name = CHELSEA | Source = ati2mtag | ID = 43015
Description = I2c return failed

Error - 8/21/2009 12:38:28 PM | Computer Name = CHELSEA | Source = ati2mtag | ID = 43015
Description = I2c return failed

Error - 8/21/2009 12:38:28 PM | Computer Name = CHELSEA | Source = ati2mtag | ID = 43015
Description = I2c return failed

Error - 8/21/2009 12:38:28 PM | Computer Name = CHELSEA | Source = ati2mtag | ID = 43015
Description = I2c return failed


< End of report >


Re: Nasty Virus. Help Appreciated.

Post by Origin on 21st August 2009, 5:19 pm

Please run OTListIt2.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

    :OTL
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (Microsoft Online Helper!) - {85B91C6B-1ECA-4EE2-962D-857516C30730} - C:\WINDOWS\System32\klypnzjnedd.dll ()
    O15 - HKLM\..Trusted Domains: 33 domain(s) and sub-domain(s) not assigned to a zone.
    O15 - HKCU\..Trusted Domains: 32 domain(s) and sub-domain(s) not assigned to a zone.

    :Reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled"=-
    "FirewallDisableNotify"=-
    "AntiVirusOverride"=-
    "FirewallOverride"=-
    "AntiVirusDisableNotify"=-
    "UpdatesDisableNotify"=-


  • Return to OTListIt2, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTListIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Do you recognize this IP:

Code:
192.168.1.254

If not, that MAY be the redirecting problem.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Master

Posts Posts : 2685
Joined Joined : 2009-05-05
Gender Gender : Male
OS OS : Windows Xp Sp3
Points Points : 31513
# Likes # Likes : 0

View user profile

Back to top Go down
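The fix script above targets two things visible in the posted logs: a BHO whose DLL (klypnzjnedd.dll) OTL lists with an empty "()" company field in System32, and the Security Center override values under HKLM\SOFTWARE\Microsoft\Security Center. As an added example that is not part of this thread and not OTL's own code, the Python script below parses OTL's "[timestamp | size | attrs | C/M] (Company) -- path" file lines and its registry dumps, then applies two defender-side triage heuristics: a file under C:\WINDOWS with no company and a random-looking name (8+ letters, under 25% vowels; both thresholds are this example's own assumptions), and Security Center overrides set to 1 or the standard firewall profile switched off. The function names (parse_file_line, looks_random, flag_files, flag_registry, triage) are this example's; the sample lines are copied from the logs posted above.

```python
"""Triage helper for OTL-style log lines (added example, not OTL's code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One OTL file line: [created/modified | size | attrs | C/M] (Company) -- path
FILE_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<op>[CM])\] (?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)
REG_KEY = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)" = (?P<value>.+)$')

# Security Center values that, when 1, silence the antivirus / firewall /
# updates warnings. The fix posted above deletes exactly these values.
OVERRIDE_VALUES = {
    "AntiVirusOverride", "FirewallOverride", "AntiVirusDisableNotify",
    "FirewallDisableNotify", "UpdatesDisableNotify",
}


@dataclass
class FileEntry:
    timestamp: str
    size: int
    attrs: str               # e.g. "---D" directory, "-H--" hidden
    op: str                  # "C" created, "M" modified
    company: Optional[str]   # None when OTL printed no "(...)" at all
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs


def parse_file_line(line: str) -> Optional[FileEntry]:
    """Parse one OTL file line; return None for any other kind of line."""
    m = FILE_LINE.match(line.strip())
    if not m:
        return None
    return FileEntry(m["ts"], int(m["size"].replace(",", "")),
                     m["attrs"], m["op"], m["company"], m["path"])


def looks_random(filename: str) -> bool:
    """Heuristic (assumption): 8+ letter stem with under 25% vowels."""
    stem = filename.rsplit(".", 1)[0].lower()
    if len(stem) < 8 or not stem.isalpha():
        return False
    return sum(ch in "aeiou" for ch in stem) / len(stem) < 0.25


def flag_files(lines: List[str]) -> List[str]:
    """Files under C:\\WINDOWS with an empty company and a random-looking name."""
    hits = []
    for line in lines:
        e = parse_file_line(line)
        if e is None or e.is_dir or not e.path.lower().startswith("c:\\windows\\"):
            continue
        # "()" means OTL found no company in the version resource; legitimate
        # files show this too (zlib.dll), so the name test narrows the list.
        if e.company == "" and looks_random(e.path.rsplit("\\", 1)[-1]):
            hits.append(e.path)
    return hits


def flag_registry(lines: List[str]) -> List[str]:
    """Security Center overrides set to 1, or the standard firewall profile off."""
    findings, key = [], ""
    for line in lines:
        line = line.strip()
        km = REG_KEY.match(line)
        if km:
            key = km["key"]          # remember which key the next values belong to
            continue
        vm = REG_VALUE.match(line)
        if not vm:
            continue
        name, value = vm["name"], vm["value"].strip()
        if key.endswith("\\Security Center") and name in OVERRIDE_VALUES and value == "1":
            findings.append(f"{name} = 1 (Security Center warning suppressed)")
        elif key.endswith("FirewallPolicy\\StandardProfile") and name == "EnableFirewall" and value == "0":
            findings.append("EnableFirewall = 0 (Windows Firewall off for the standard profile)")
    return findings


def triage(log_text: str) -> Dict[str, List[str]]:
    lines = log_text.splitlines()
    return {"files": flag_files(lines), "registry": flag_registry(lines)}


# Lines copied from the OTL logs posted in this thread; any subset works.
SAMPLE_LOG = r"""
[2009/08/15 09:11:16 | 00,407,040 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\netlogon.dll
[2009/08/16 19:13:09 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2009/08/14 15:30:56 | 00,000,009 | ---- | C] () -- C:\WINDOWS\System32\bennuar.old
[2004/08/10 10:51:10 | 00,308,768 | ---- | C] () -- C:\WINDOWS\System32\klypnzjnedd.dll
[2002/03/13 16:46:46 | 00,053,248 | R--- | C] () -- C:\WINDOWS\System32\zlib.dll
[2009/07/25 23:25:02 | 00,011,168 | -H-- | M] () -- C:\WINDOWS\System32\ruvirolu
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"""
```

Run `triage(SAMPLE_LOG)` to get the two lists; on the sample lines it reports only klypnzjnedd.dll and the disabled firewall, while bennuar.old, ruvirolu and zlib.dll pass the name test and FirstRunDisabled is ignored because it is not a warning override. The heuristics are a starting point for a human reviewer, not a verdict: an empty company field or a disabled firewall is a reason to look, which is what the helper in this thread did before writing the fix.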

Re: Nasty Virus. Help Appreciated.

Post by robosheikh on 21st August 2009, 5:25 pm

========== OTL ==========
127.0.0.1 localhost removed from HOSTS file successfully
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{85B91C6B-1ECA-4EE2-962D-857516C30730}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{85B91C6B-1ECA-4EE2-962D-857516C30730}\ deleted successfully.
LoadLibrary failed for C:\WINDOWS\System32\klypnzjnedd.dll
C:\WINDOWS\System32\klypnzjnedd.dll NOT unregistered.
C:\WINDOWS\System32\klypnzjnedd.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\msn.com\ deleted successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirstRunDisabled deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirewallDisableNotify deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\AntiVirusOverride deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirewallOverride deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\AntiVirusDisableNotify deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\UpdatesDisableNotify deleted successfully.

OTL by OldTimer - Version 3.0.10.7 log created on 08212009_102151


I think I've seen that IP before, but my memory is fuzzy.

robosheikh
Novice
Novice

Posts Posts : 41
Joined Joined : 2009-08-14
OS OS : XP
Points Points : 26783
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Nasty Virus. Help Appreciated.

Post by Origin on 21st August 2009, 5:32 pm

Do me a favor go to this website:

[You must be registered and logged in to see this link.]

Once there you should see some big bold letters that say "Your IP address is xx.xx".

Tell me if the IP address is this one: 192.168.1.254



Re: Nasty Virus. Help Appreciated.

Post by robosheikh on 21st August 2009, 5:35 pm

Great Scott, it isn't!

It's
Code:
71.137.xxx.xxx


Re: Nasty Virus. Help Appreciated.

Post by Origin on 21st August 2009, 5:39 pm

Alright, we have something to work with now:

Please run OTListIt2.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

    :OTL
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254


  • Return to OTListIt2, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTListIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


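DhcpNameServer is the resolver address DHCP handed to the machine and NameServer is a statically configured one; a DNS changer that replaces either with a resolver it controls can redirect every lookup the machine makes. The check below is an added example, not part of this thread or of OTL: it parses the O17 entry shape shown in the fix above, splits the value (which can list several servers), classifies each address, and compares it with an allowlist of the resolvers you expect. EXPECTED_RESOLVERS is an assumption, and the second and third sample lines are constructed so that every branch runs; 8.8.8.8 is used only as a well-known address outside the allowlist.

```python
import ipaddress
import re

# Constructed sample input. The first line is the O17 entry from the fix
# above; the other two are made up for this demo so every branch of the
# classifier runs. 8.8.8.8 (Google Public DNS) is used only as a well-known
# address that is not on the allowlist, not as an accusation.
SAMPLE_O17_LINES = [
    "O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: DhcpNameServer = 192.168.1.254",
    "O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 8.8.8.8",
    "O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: DhcpNameServer = 192.168.1.254 192.168.1.1",
]

# Assumption: the resolvers this machine is supposed to use. On a home LAN
# that is usually just the router's LAN address, as here.
EXPECTED_RESOLVERS = {"192.168.1.254"}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# DhcpNameServer = what DHCP handed out; NameServer = statically configured.
O17_RE = re.compile(r"^O17 - (?P<key>\S+): (?P<value>DhcpNameServer|NameServer) = (?P<servers>.+)$")


def classify(addr):
    """Coarse class of a resolver address: loopback, rfc1918, link-local or routable."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip.is_link_local:
        return "link-local"
    return "routable"


def check_o17(line, expected=EXPECTED_RESOLVERS):
    """Return [(value_name, server, class, verdict)] for one O17 line, or None."""
    m = O17_RE.match(line)
    if m is None:
        return None
    out = []
    for server in m.group("servers").split():   # the value may list several servers
        kind = classify(server)
        if server in expected:
            verdict = "expected"
        elif kind in ("rfc1918", "loopback", "link-local"):
            # A LAN address is normally the router: confirm it is yours, then
            # read the router's own upstream DNS settings.
            verdict = "review"
        else:
            # A routable resolver the user never chose is the classic
            # DNS-changer footprint.
            verdict = "unexpected-public"
        out.append((m.group("value"), server, kind, verdict))
    return out


def audit(lines, expected=EXPECTED_RESOLVERS):
    """Flatten check_o17 over many OTL lines, skipping non-O17 entries."""
    results = []
    for line in lines:
        r = check_o17(line, expected)
        if r:
            results.extend(r)
    return results


if __name__ == "__main__":
    for value, server, kind, verdict in audit(SAMPLE_O17_LINES):
        print(f"{value:<15} {server:<16} {kind:<10} {verdict}")
```

A private, DHCP-assigned resolver such as 192.168.1.254 is the normal home-router case, so clearing that value removes the entry without necessarily removing the cause. If redirects continue after the host-side entry is gone, the router's upstream DNS configuration and the browser's own proxy and DNS settings are the next things to read.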

Re: Nasty Virus. Help Appreciated.

Post by robosheikh on 21st August 2009, 5:41 pm

========== OTL ==========
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\\DhcpNameServer| /E : value set successfully!

OTL by OldTimer - Version 3.0.10.7 log created on 08212009_104020


Re: Nasty Virus. Help Appreciated.

Post by Origin on 21st August 2009, 5:45 pm

Are you still getting redirected?



Re: Nasty Virus. Help Appreciated.

Post by robosheikh on 21st August 2009, 5:48 pm

Yes.

Here's one of the sites I got redirected to:

[You must be registered and logged in to see this link.]

Maybe that IP in the address is causing the problem?


Re: Nasty Virus. Help Appreciated.

Post by Origin on 21st August 2009, 5:52 pm

Is it just that one or are there more?



Re: Nasty Virus. Help Appreciated.

Post by robosheikh on 21st August 2009, 5:59 pm

I looked at my cookies and there are:

Code:
66.230.188.67
64.111.196.117
206.161.121.82
206.161.121.66
206.161.121.58


Re: Nasty Virus. Help Appreciated.

Post by Origin on 21st August 2009, 6:12 pm

Which browser are you using?



Re: Nasty Virus. Help Appreciated.

Post by robosheikh on 21st August 2009, 6:18 pm

Firefox 3.5

