OMG!!! PLEASE HELP!!! IM DESPERATE!


Re: OMG!!! PLEASE HELP!!! IM DESPERATE!

Post by MsTron on 14th November 2009, 7:20 pm

Malwarebytes' Anti-Malware 1.41
Database version: 3137
Windows 5.1.2600 Service Pack 3

11/14/2009 11:13:15 AM
mbam-log-2009-11-14 (11-13-15).txt

Scan type: Quick Scan
Objects scanned: 113834
Time elapsed: 21 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 4
Registry Data Items Infected: 5
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\tohagugu.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{c4206241-8f5c-4d58-aeaf-35ae6d924e62} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bekovejaf (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c4206241-8f5c-4d58-aeaf-35ae6d924e62} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\kadazoper (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\77774133 (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\tohagugu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\tohagugu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{c0136a3b-587e-4156-b7ec-d4221d6762e4}\NameServer (Trojan.DNSChanger) -> Data: 77.74.48.113 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{e8688bfd-fad7-4423-a7b8-32f7629ade6c}\NameServer (Trojan.DNSChanger) -> Data: 77.74.48.113 -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\77774133 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\tohagugu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\77774133\77774133.bat (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olivia yo\Desktop\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olivia yo\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.

MsTron
Novice

Posts: 24
Joined: 2009-11-09
OS: Windows XP
Points: 25896
Likes: 0

Re: OMG!!! PLEASE HELP!!! IM DESPERATE!

Post by MsTron on 14th November 2009, 7:21 pm

ty for the help ^^


Re: OMG!!! PLEASE HELP!!! IM DESPERATE!

Post by Belahzur on 14th November 2009, 9:18 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:
       * Tools->Options->Main tab
       * Set to "Always ask me where to Save the files".
    2. During the download, rename Combofix to Combo-Fix as follows:
    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts: 34918
Joined: 2008-08-03
Gender: Male
OS: 7 Home Premium x64
Points: 245101
Likes: 1

Re: OMG!!! PLEASE HELP!!! IM DESPERATE!

Post by MsTron on 14th November 2009, 11:01 pm

ComboFix 09-11-15.01 - Olivia yo 11/14/2009 14:00..2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2407 [GMT -8:00]
Running from: c:\documents and settings\Olivia yo\Desktop\Combo-Fix.exe
AV: avast! antivirus 4.8.1351 [VPS 091114-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: The Shield Deluxe Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Olivia yo\Local Settings\Application Data\ejlrye
c:\documents and settings\Olivia yo\Local Settings\Application Data\ejlrye\mmhtsysguard.exe
c:\windows\cdmxtras
c:\windows\kb913800.exe
c:\windows\system32\cache329
c:\windows\system32\cache329\B_329_0_0_106800.htm
c:\windows\system32\cache329\B_329_0_0_107400.htm
c:\windows\system32\cache329\B_329_1_0_449200.gif
c:\windows\system32\cache329\B_329_1_0_449600.gif
c:\windows\system32\cache329\B_329_1_0_454300.gif
c:\windows\system32\cache329\B_329_2_0_105300.htm
c:\windows\system32\cache329\B_329_2_0_106800.htm
c:\windows\system32\cache329\B_329_2_0_107400.htm
c:\windows\system32\cache329\B_329_3_0_106800.htm
c:\windows\system32\cache329\B_329_3_0_107400.htm
c:\windows\system32\cache329\B_329_4_0_111600.htm
c:\windows\system32\cache329\B_329_4_0_152400.htm
c:\windows\system32\cache329\B_329_4_0_155300.htm
c:\windows\system32\cache329\B_329_4_0_164100.htm
c:\windows\system32\cache329\t_B_329_0_0_106800.htm
c:\windows\system32\cache329\t_B_329_0_0_107400.htm
c:\windows\system32\cache329\t_B_329_2_0_105300.htm
c:\windows\system32\cache329\t_B_329_2_0_106800.htm
c:\windows\system32\cache329\t_B_329_2_0_107400.htm
c:\windows\system32\cache329\t_B_329_3_0_106800.htm
c:\windows\system32\cache329\t_B_329_3_0_107400.htm
c:\windows\system32\cache329\t_B_329_4_0_111600.htm
c:\windows\system32\cache329\t_B_329_4_0_152400.htm
c:\windows\system32\cache329\t_B_329_4_0_155300.htm
c:\windows\system32\cache329\t_B_329_4_0_164100.htm
c:\windows\system32\fivuriji.dll
c:\windows\system32\UACknemjqfmumswaar.db
c:\windows\system32\UACnrkkikqddottkjl.log
c:\windows\system32\witukezo.dll
c:\windows\VPro610.exe

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_UACD.SYS


((((((((((((((((((((((((( Files Created from 2009-10-14 to 2009-11-14 )))))))))))))))))))))))))))))))
.

2009-11-14 22:07 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\proquota.exe
2009-11-14 22:07 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-11-09 07:27 . 2009-11-09 07:27 -------- dc----w- c:\program files\Trend Micro
2009-11-09 06:00 . 2009-11-14 22:09 132 -c--a-w- c:\windows\system32\rezumatenoi.dat
2009-11-09 05:53 . 2009-09-24 16:55 229304 -c--a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-11-09 05:53 . 2009-10-07 00:31 87784 -c--a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-11-09 05:53 . 2009-09-24 00:10 207280 -c--a-w- c:\windows\system32\drivers\PCTCore.sys
2009-11-09 05:52 . 2009-09-03 17:45 70408 -c--a-w- c:\windows\system32\drivers\pctplsg.sys
2009-11-09 05:52 . 2009-11-09 05:58 -------- dc----w- c:\program files\Common Files\PC Tools
2009-11-09 05:52 . 2009-11-10 20:18 -------- dc----w- c:\program files\Spyware Doctor
2009-11-09 05:52 . 2009-11-09 05:52 -------- dc----w- c:\documents and settings\Olivia yo\Application Data\PC Tools
2009-11-09 05:52 . 2009-11-09 05:52 -------- dc----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-11-09 05:50 . 2009-11-10 20:18 -------- dc--a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-08 22:24 . 2009-11-08 22:24 4 -c--a-w- c:\windows\system32\aspdict-en.dat
2009-11-08 22:24 . 2009-11-08 22:24 16 -c--a-w- c:\windows\system32\asdict.dat
2009-11-08 22:24 . 2009-11-08 22:24 0 -c--a-w- C:\pcwords2.dat
2009-11-08 22:24 . 2009-11-08 22:24 0 -c--a-w- C:\pcwords.dat
2009-11-08 22:01 . 2009-11-08 22:01 -------- dc----w- c:\documents and settings\All Users\Application Data\BitDefender
2009-11-08 22:01 . 2009-11-08 22:01 -------- dc----w- c:\documents and settings\Olivia yo\Application Data\The Shield Deluxe
2009-11-08 22:00 . 2009-11-08 22:00 -------- dc----w- c:\program files\Common Files\The Shield Deluxe
2009-11-08 22:00 . 2009-11-08 22:00 -------- dc----w- c:\program files\The Shield Deluxe
2009-11-08 22:00 . 2009-11-08 22:00 -------- dc----w- c:\documents and settings\All Users\Application Data\The Shield Deluxe
2009-11-08 21:59 . 2009-11-08 21:59 -------- dc----w- c:\program files\Common Files\BitDefender
2009-11-08 21:38 . 2009-11-09 22:18 -------- dc----w- c:\documents and settings\Olivia yo\Malwarebytes' helper
2009-11-08 21:36 . 2009-11-08 21:36 -------- dc----w- c:\documents and settings\Olivia yo\Malwarebytes' Anti-Malware
2009-11-03 22:08 . 2009-11-03 22:08 -------- dc----w- c:\program files\Fake Perfect World Xtreme
2009-11-03 04:59 . 2009-11-03 04:59 162304 -c--a-w- c:\documents and settings\Olivia yo\unrar.dll
2009-11-02 21:47 . 2009-11-04 07:45 -------- dc----w- c:\documents and settings\Olivia yo\Tracing
2009-11-02 21:45 . 2009-11-02 21:45 -------- dc----w- c:\program files\Microsoft
2009-11-02 21:45 . 2009-11-02 21:45 -------- dc----w- c:\program files\Windows Live SkyDrive
2009-11-02 21:38 . 2009-11-02 21:38 -------- dc----w- c:\program files\Common Files\Windows Live

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-14 22:11 . 2008-09-04 06:24 -------- dc----w- c:\documents and settings\Olivia yo\Application Data\WTablet
2009-11-14 22:11 . 2008-09-27 22:11 -------- dc----w- c:\documents and settings\LocalService\Application Data\WTablet
2009-11-09 05:12 . 2009-06-11 22:15 2967799 -c--a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-11-08 23:26 . 2009-04-17 19:44 -------- dc----w- c:\program files\AV Vcs 7.0 DIAMOND
2009-11-08 21:32 . 2009-06-11 22:14 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-08 16:50 . 2007-10-07 07:00 -------- dc----w- c:\documents and settings\Olivia yo\Application Data\Skype
2009-11-02 21:47 . 2006-07-01 22:25 76568 -c--a-w- c:\documents and settings\Olivia yo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-02 21:44 . 2008-02-27 06:45 -------- dc----w- c:\program files\Windows Live
2009-10-17 09:20 . 2006-06-16 21:14 -------- dc----w- c:\program files\Microsoft Works
2009-10-11 23:23 . 2006-06-22 16:12 8884 -c--a-w- c:\documents and settings\Olivia yo\Application Data\wklnhst.dat
2009-10-06 02:10 . 2006-12-25 17:12 -------- dc----w- c:\documents and settings\Olivia yo\Application Data\U3
2009-09-18 00:12 . 2009-09-18 00:12 152328 -c--a-w- c:\windows\system32\drivers\bdfm.sys
2009-09-18 00:11 . 2009-09-18 00:11 105736 -c--a-w- c:\windows\system32\drivers\bdhv.sys
2009-09-16 11:20 . 2009-11-09 05:53 7383 -c--a-w- c:\windows\system32\drivers\pctcore.cat
2009-09-11 14:18 . 2005-08-16 09:18 136192 -c--a-w- c:\windows\system32\msv1_0.dll
2009-09-10 22:54 . 2009-06-11 22:14 38224 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 22:53 . 2009-06-11 22:14 19160 -c--a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2005-08-16 09:18 58880 -c--a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2005-08-16 09:18 832512 -c--a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2005-08-16 09:18 78336 -c--a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2005-08-16 09:18 17408 -c--a-w- c:\windows\system32\corpol.dll
2009-08-27 20:38 . 2009-08-27 20:38 1962544 -c--a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2009-08-26 08:00 . 2005-08-16 09:19 247326 -c--a-w- c:\windows\system32\strmdll.dll
2009-08-20 22:09 . 2009-08-20 22:09 1193832 -c--a-w- c:\windows\system32\FM20.DLL
2009-08-17 16:10 . 2008-09-06 21:06 1279456 -c--a-w- c:\windows\system32\aswBoot.exe
2009-08-17 16:06 . 2008-09-06 21:07 93392 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-08-17 16:06 . 2008-09-06 21:07 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-08-17 16:05 . 2008-09-06 21:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-08-17 16:05 . 2008-09-06 21:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-08-17 16:04 . 2008-09-06 21:07 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-08-17 16:04 . 2008-09-06 21:07 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-08-17 16:03 . 2008-09-06 21:07 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-08-17 16:02 . 2008-09-06 21:07 97480 ----a-w- c:\windows\system32\AvastSS.scr
2007-05-17 13:27 . 2007-05-17 13:27 594880 -c--a-w- c:\program files\kazaa_setup.exe
2009-08-10 12:08 . 2009-08-10 12:08 3 -csha-w- c:\windows\system32\domafewe.dll
2009-08-10 12:30 . 2009-08-10 12:30 3 -csha-w- c:\windows\system32\fazotapa.dll
2009-08-09 22:42 . 2009-08-09 22:42 3 -csha-w- c:\windows\system32\fohiyute.dll
2009-08-10 12:53 . 2009-08-10 12:53 3 -csha-w- c:\windows\system32\golosufu.dll
2009-08-10 12:30 . 2009-08-10 12:30 3 -csha-w- c:\windows\system32\haheboye.dll
2009-08-09 23:08 . 2009-08-09 23:08 3 -csha-w- c:\windows\system32\hihatofo.dll
2009-08-10 12:30 . 2009-08-10 12:30 3 -csha-w- c:\windows\system32\hirumeya.dll
2009-08-10 13:15 . 2009-08-10 13:15 3 -csha-w- c:\windows\system32\janeguwo.dll
2009-08-09 22:42 . 2009-08-09 22:42 3 -csha-w- c:\windows\system32\lazimiki.dll
2009-08-10 13:15 . 2009-08-10 13:15 3 -csha-w- c:\windows\system32\lokoyovi.dll
2009-08-10 13:15 . 2009-08-10 13:15 3 -csha-w- c:\windows\system32\lurivite.dll
2009-08-10 00:02 . 2009-08-10 00:02 3 -csha-w- c:\windows\system32\rizibuki.dll
2009-08-10 12:08 . 2009-08-10 12:08 3 -csha-w- c:\windows\system32\sabiyogi.dll
2009-08-09 23:08 . 2009-08-09 23:08 3 -csha-w- c:\windows\system32\sumovena.dll
2009-08-09 23:34 . 2009-08-09 23:34 3 -csha-w- c:\windows\system32\tajelavo.dll
2009-08-10 12:53 . 2009-08-10 12:53 3 -csha-w- c:\windows\system32\tufamovo.dll
2009-08-09 23:08 . 2009-08-09 23:08 3 -csha-w- c:\windows\system32\vagazodi.dll
2009-08-10 00:02 . 2009-08-10 00:02 3 -csha-w- c:\windows\system32\vanuvera.dll
2009-08-10 12:53 . 2009-08-10 12:53 3 -csha-w- c:\windows\system32\yogagove.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-02-08 488984]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2007-11-13 1052672]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-03 45056]
"BitDefender Antiphishing Helper"="c:\program files\The Shield Deluxe\The Shield Deluxe 2010\IEShow.exe" [2009-09-14 71152]
"BDAgent"="c:\program files\The Shield Deluxe\The Shield Deluxe 2010\bdagent.exe" [2009-09-24 1114536]
"Malwarebytes Anti-Malware (reboot)"="c:\documents and settings\Olivia yo\Malwarebytes' helper\mbam.exe" [2009-09-10 1312080]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-07-27 221184]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\ANYCOM\Bluetooth-USB\BTTray.exe [2008-4-14 596584]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-6-16 24576]
SafeConnect.lnk - c:\program files\SafeConnect\scClient.exe [2007-11-13 271640]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Extender Resource Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Extender Resource Monitor.lnk
backup=c:\windows\pss\Extender Resource Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 6.0\\AdobePhotoshopElementsMediaServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\Wacom_Tablet.exe"=
"c:\\WINDOWS\\ehome\\ehtray.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpsvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"15597:TCP"= 15597:TCP:BitComet 15597 TCP
"15597:UDP"= 15597:UDP:BitComet 15597 UDP
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [11/8/2009 9:53 PM 207280]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [9/6/2008 1:07 PM 114768]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [9/10/2007 11:45 PM 124832]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/6/2008 1:07 PM 20560]
R2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\Printer\Center\KodakSvc.exe [12/13/2007 11:07 AM 18944]
R2 SCManager;SafeConnect Manager;c:\program files\SafeConnect\scManager.sys servicestart --> c:\program files\SafeConnect\scManager.sys servicestart [?]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [9/3/2008 10:22 PM 1373480]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/5/2007 10:41 AM 24652]
R3 BDFM;BDFM;c:\windows\system32\drivers\bdfm.sys [9/17/2009 4:12 PM 152328]
S3 Arrakis3;The Shield Deluxe Arrakis Server;c:\program files\Common Files\The Shield Deluxe\The Shield Deluxe Arrakis Server\bin\arrakis3.exe [9/13/2009 11:31 PM 183880]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [11/8/2009 9:52 PM 358600]
S3 USBCamera;Mega Camera Still Image Capture, Version 1.00;c:\windows\system32\Drivers\Bulk504.sys --> c:\windows\system32\Drivers\Bulk504.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder

2009-11-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 20:42]

2009-11-08 c:\windows\Tasks\Kodak AiO Scheduled Maintenance.job
- c:\program files\Kodak\Printer\Center\Kodak.Statistics.exe [2007-12-13 19:07]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: Send to &Bluetooth Device... - c:\program files\ANYCOM\Bluetooth-USB\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\ANYCOM\Bluetooth-USB\btsendto_ie.htm
DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} - [You must be registered and logged in to see this link.]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Corel Painter Essentials 21a - c:\program files\Corel\Corel Painter Essentials 2\registration.exe
SharedTaskScheduler-{202e4229-20e2-4d61-89de-a82deb385ddf} - c:\windows\system32\sowemame.dll
SSODL-ziyopezir-{202e4229-20e2-4d61-89de-a82deb385ddf} - c:\windows\system32\sowemame.dll
AddRemove-Fake Perfect World Full Client 3.9.5 - c:\program files\Fake Perfect World\Uninstall.exe
AddRemove-_{53A908D4-99C6-469B-BC13-F4189F260742} - c:\program files\Corel\Corel Painter Essentials 4\MSILauncher {53A908D4-99C6-469B-BC13-F4189F260742}



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-11-14 14:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-890585496-2387925784-1018619401-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(928)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(4940)
c:\windows\system32\WININET.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\ANYCOM\Bluetooth-USB\bin\btwdins.exe
c:\windows\System32\bcmwltry.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\PSIService.exe
c:\windows\ehome\RMSvc.exe
c:\program files\SafeConnect\scManager.sys
c:\windows\system32\wdfmgr.exe
c:\program files\Windows Media Connect 2\wmccds.exe
c:\windows\ehome\McrdSvc.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\windows\system32\WTablet\Wacom_TabletUser.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\dllhost.exe
c:\windows\eHome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2009-11-14 14:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-14 22:27

Pre-Run: 18,242,674,688 bytes free
Post-Run: 20,929,863,680 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - DA0FCD617FAEE0DE62BD030280F08F04


Re: OMG!!! PLEASE HELP!!! IM DESPERATE!

Post by Belahzur on 15th November 2009, 2:11 am

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTM.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)


    :files
    c:\windows\system32\rezumatenoi.dat
    c:\windows\system32\aspdict-en.dat
    c:\windows\system32\asdict.dat
    C:\pcwords2.dat
    C:\pcwords.dat
    c:\program files\kazaa_setup.exe
    c:\windows\system32\domafewe.dll
    c:\windows\system32\fazotapa.dll
    c:\windows\system32\fohiyute.dll
    c:\windows\system32\golosufu.dll
    c:\windows\system32\haheboye.dll
    c:\windows\system32\hihatofo.dll
    c:\windows\system32\hirumeya.dll
    c:\windows\system32\janeguwo.dll
    c:\windows\system32\lazimiki.dll
    c:\windows\system32\lokoyovi.dll
    c:\windows\system32\lurivite.dll
    c:\windows\system32\rizibuki.dll
    c:\windows\system32\sabiyogi.dll
    c:\windows\system32\sumovena.dll
    c:\windows\system32\tajelavo.dll
    c:\windows\system32\tufamovo.dll
    c:\windows\system32\vagazodi.dll
    c:\windows\system32\vanuvera.dll
    c:\windows\system32\yogagove.dll


  • Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


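As an added illustration of how a :files list like the one above is assembled from the ComboFix log (my example, not OTM or ComboFix code, and not something this thread provides), the script below parses Find3M-style lines and flags entries showing the traits of the leftovers picked above: an eight-letter made-up .dll name directly in system32, a size of only a few bytes, and the s/h flags in the attribute string. The column layout, the reading of s/h as system/hidden, and the two-of-three threshold are my assumptions; the sample lines are copied from the log posted in this thread.

```python
"""Triage helper for ComboFix 'Find3M Report' / 'Files Created' lines.

Added example (not from the thread, OTM or ComboFix). Assumed layout:
    <created> . <modified> <size|--------> <attrs> <path>
The attribute string is assumed to carry 's' (system) and 'h' (hidden)
flags; '--------' in the size column is assumed to mean a directory.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: lines copied from the ComboFix log in this thread.
SAMPLE_FIND3M = """\
2009-11-14 22:11 . 2008-09-04 06:24 -------- dc----w- c:\\documents and settings\\Olivia yo\\Application Data\\WTablet
2009-11-14 22:07 . 2008-04-14 00:12 50176 -c--a-w- c:\\windows\\system32\\proquota.exe
2009-09-16 11:20 . 2009-11-09 05:53 7383 -c--a-w- c:\\windows\\system32\\drivers\\pctcore.cat
2007-05-17 13:27 . 2007-05-17 13:27 594880 -c--a-w- c:\\program files\\kazaa_setup.exe
2009-08-10 12:08 . 2009-08-10 12:08 3 -csha-w- c:\\windows\\system32\\domafewe.dll
2009-08-10 12:30 . 2009-08-10 12:30 3 -csha-w- c:\\windows\\system32\\fazotapa.dll
"""

FIND3M_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) "
    r"(?P<attrs>[-a-z]{8}) "
    r"(?P<path>.+)$"
)

# Eight lowercase letters and nothing else: the naming pattern of the
# Vundo droppings listed in the thread (domafewe.dll, fazotapa.dll, ...).
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}\.dll$")
SYSTEM32_DIR = "c:\\windows\\system32"
TINY_BYTES = 1024


@dataclass
class Find3MEntry:
    created: str
    modified: str
    size: Optional[int]  # None for directory rows ('--------')
    attrs: str
    path: str


def parse_find3m(text: str) -> List[Find3MEntry]:
    """Parse every line that matches the assumed Find3M layout; skip the rest."""
    entries = []
    for line in text.splitlines():
        m = FIND3M_RE.match(line.strip())
        if not m:
            continue
        size_field = m.group("size")
        entries.append(Find3MEntry(
            created=m.group("created"),
            modified=m.group("modified"),
            size=None if size_field.startswith("-") else int(size_field),
            attrs=m.group("attrs"),
            path=m.group("path"),
        ))
    return entries


def triage(entry: Find3MEntry) -> List[str]:
    """Return the list of suspicious traits an entry shows (empty = nothing)."""
    reasons = []
    parent, _, name = entry.path.lower().rpartition("\\")
    if parent == SYSTEM32_DIR and RANDOM_DLL_RE.match(name):
        reasons.append("eight-letter made-up .dll name directly in system32")
    if entry.size is not None and entry.size < TINY_BYTES:
        reasons.append(f"tiny file ({entry.size} bytes)")
    if "s" in entry.attrs and "h" in entry.attrs:
        reasons.append("system+hidden attributes")
    return reasons


def flag_suspicious(entries: List[Find3MEntry],
                    min_traits: int = 2) -> List[Tuple[Find3MEntry, List[str]]]:
    """Keep entries with at least min_traits traits. Deliberately conservative:
    a single trait (e.g. only 'tiny', like rezumatenoi.dat in the log) is not
    enough on its own, so this narrows the log for a human, it does not replace
    reading it."""
    flagged = []
    for entry in entries:
        reasons = triage(entry)
        if len(reasons) >= min_traits:
            flagged.append((entry, reasons))
    return flagged


def to_otm_files_block(entries: List[Find3MEntry]) -> str:
    """Render paths as an OTM ':files' block, header line included (the line
    the first attempt in this thread was missing)."""
    return ":files\n" + "\n".join(e.path for e in entries) + "\n"


if __name__ == "__main__":
    hits = flag_suspicious(parse_find3m(SAMPLE_FIND3M))
    for entry, reasons in hits:
        print(f"{entry.path}: {'; '.join(reasons)}")
    print(to_otm_files_block([e for e, _ in hits]))
```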



Re: OMG!!! PLEASE HELP!!! IM DESPERATE!

Post by MsTron on 15th November 2009, 6:20 am

Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!

OTM by OldTimer - Version 3.1.1.0 log created on 11142009_221838


Re: OMG!!! PLEASE HELP!!! IM DESPERATE!

Post by MsTron on 15th November 2009, 6:20 am

Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!

OTM by OldTimer - Version 3.1.1.0 log created on 11142009_221838


Re: OMG!!! PLEASE HELP!!! IM DESPERATE!

Post by Belahzur on 15th November 2009, 11:32 pm

Hello.
You missed :files in the script.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts: 34918
Joined: 2008-08-03
Gender: Male
OS: 7 Home Premium x64
Points: 245101
Likes: 1

Re: OMG!!! PLEASE HELP!!! IM DESPERATE!

Post by MsTron on 16th November 2009, 6:00 am

ya for some reason they weren't in there when I pasted... I copied them correctly but they disappeared when I pasted them :/


Re: OMG!!! PLEASE HELP!!! IM DESPERATE!

Post by Belahzur on 16th November 2009, 6:51 pm

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.]

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C)


Files to delete:
:files
c:\windows\system32\rezumatenoi.dat
c:\windows\system32\aspdict-en.dat
c:\windows\system32\asdict.dat
C:\pcwords2.dat
C:\pcwords.dat
c:\program files\kazaa_setup.exe
c:\windows\system32\domafewe.dll
c:\windows\system32\fazotapa.dll
c:\windows\system32\fohiyute.dll
c:\windows\system32\golosufu.dll
c:\windows\system32\haheboye.dll
c:\windows\system32\hihatofo.dll
c:\windows\system32\hirumeya.dll
c:\windows\system32\janeguwo.dll
c:\windows\system32\lazimiki.dll
c:\windows\system32\lokoyovi.dll
c:\windows\system32\lurivite.dll
c:\windows\system32\rizibuki.dll
c:\windows\system32\sabiyogi.dll
c:\windows\system32\sumovena.dll
c:\windows\system32\tajelavo.dll
c:\windows\system32\tufamovo.dll
c:\windows\system32\vagazodi.dll
c:\windows\system32\vanuvera.dll
c:\windows\system32\yogagove.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.





Re: OMG!!! PLEASE HELP!!! IM DESPERATE!

Post by MsTron on 16th November 2009, 7:52 pm

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file ":files" not found!
Deletion of file ":files" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "c:\windows\system32\rezumatenoi.dat" deleted successfully.
File "c:\windows\system32\aspdict-en.dat" deleted successfully.
File "c:\windows\system32\asdict.dat" deleted successfully.
File "C:\pcwords2.dat" deleted successfully.
File "C:\pcwords.dat" deleted successfully.
File "c:\program files\kazaa_setup.exe" deleted successfully.
File "c:\windows\system32\domafewe.dll" deleted successfully.
File "c:\windows\system32\fazotapa.dll" deleted successfully.
File "c:\windows\system32\fohiyute.dll" deleted successfully.
File "c:\windows\system32\golosufu.dll" deleted successfully.
File "c:\windows\system32\haheboye.dll" deleted successfully.
File "c:\windows\system32\hihatofo.dll" deleted successfully.
File "c:\windows\system32\hirumeya.dll" deleted successfully.
File "c:\windows\system32\janeguwo.dll" deleted successfully.
File "c:\windows\system32\lazimiki.dll" deleted successfully.
File "c:\windows\system32\lokoyovi.dll" deleted successfully.
File "c:\windows\system32\lurivite.dll" deleted successfully.
File "c:\windows\system32\rizibuki.dll" deleted successfully.
File "c:\windows\system32\sabiyogi.dll" deleted successfully.
File "c:\windows\system32\sumovena.dll" deleted successfully.
File "c:\windows\system32\tajelavo.dll" deleted successfully.
File "c:\windows\system32\tufamovo.dll" deleted successfully.
File "c:\windows\system32\vagazodi.dll" deleted successfully.
File "c:\windows\system32\vanuvera.dll" deleted successfully.
File "c:\windows\system32\yogagove.dll" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

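Added example, not code from the thread, from The Avenger's author or from OldTimer: a small Python checker for the workflow above, covering both the script pasted under the "Files to delete:" header and the C:\avenger.txt log it produces. It buckets every script entry by what the log reports, and makes the two points a helper would want visible: ":files" is OTM directive syntax rather than a path, so its "not found" is a script error and not a missing file; and STATUS_OBJECT_NAME_NOT_FOUND on a real path usually means another tool (here the earlier Malwarebytes run) already removed it. Anything still "failed" or "unaccounted" is what to follow up before calling the machine clean. The parser assumes only the line shapes visible in the posted log; the sample script and log, the placeholder file names and the STATUS_ACCESS_DENIED variant are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Line shapes taken from the Avenger 2.0 log posted in this thread.
DELETED_RE = re.compile(r'^File "(?P<path>[^"]+)" deleted successfully\.$')
FAILED_RE = re.compile(r'^Deletion of file "(?P<path>[^"]+)" failed!$')
STATUS_RE = re.compile(r'^Status: (?P<code>0x[0-9A-Fa-f]+) \((?P<name>[A-Z0-9_]+)\)$')


@dataclass
class Outcome:
    path: str
    result: str                 # "deleted", "absent", "failed" or "syntax"
    nt_status: Optional[str] = None


@dataclass
class Report:
    platform: Optional[str] = None
    rootkits_found: Optional[bool] = None   # None when the log carries no verdict
    completed: bool = False
    outcomes: List[Outcome] = field(default_factory=list)


def parse_avenger_script(text: str) -> List[str]:
    """Return the entries listed under the Avenger 'Files to delete:' header."""
    entries, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Avenger section headers end with a colon; OTM directives start with one.
        if line.endswith(":") and not line.startswith(":"):
            in_section = line.lower() == "files to delete:"
            continue
        if in_section:
            entries.append(line)
    return entries


def classify_failure(path: str, nt_name: str) -> str:
    # A leading colon is OTM syntax (":files"): Avenger treated it as a file
    # name and reported it missing, exactly as happened in the thread.
    if path.startswith(":"):
        return "syntax"
    # Already gone: removed earlier by another tool, or never present.
    if nt_name == "STATUS_OBJECT_NAME_NOT_FOUND":
        return "absent"
    return "failed"


def parse_avenger_log(text: str) -> Report:
    report = Report()
    pending: Optional[Outcome] = None   # failure waiting for its "Status:" line
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Platform: "):
            report.platform = line[len("Platform: "):]
        elif line == "No rootkits found!":
            report.rootkits_found = False
        elif line == "Completed script processing.":
            report.completed = True
        m = DELETED_RE.match(line)
        if m:
            report.outcomes.append(Outcome(m["path"], "deleted"))
            continue
        m = FAILED_RE.match(line)
        if m:
            pending = Outcome(m["path"], "failed")
            report.outcomes.append(pending)
            continue
        m = STATUS_RE.match(line)
        if m and pending is not None:
            pending.nt_status = m["name"]
            pending.result = classify_failure(pending.path, m["name"])
            pending = None
    return report


def reconcile(script_text: str, log_text: str) -> Dict[str, List[str]]:
    """Bucket every script entry by what the log says happened to it."""
    report = parse_avenger_log(log_text)
    keys = ("deleted", "absent", "failed", "syntax", "unaccounted")
    buckets: Dict[str, List[str]] = {k: [] for k in keys}
    seen = {o.path.lower(): o for o in report.outcomes}   # NTFS paths are case-insensitive
    for entry in parse_avenger_script(script_text):
        outcome = seen.get(entry.lower())
        if outcome is None:
            buckets["syntax" if entry.startswith(":") else "unaccounted"].append(entry)
        else:
            buckets[outcome.result].append(entry)
    return buckets


# Constructed sample script and log (placeholder names, not the thread's own).
SAMPLE_SCRIPT = """\
Files to delete:
:files
c:\\windows\\system32\\placeholder_a.dll
c:\\windows\\system32\\placeholder_b.dll
c:\\windows\\system32\\placeholder_c.dll
c:\\windows\\system32\\placeholder_d.dll
"""

SAMPLE_LOG = """\
Logfile of The Avenger Version 2.0, (c) by Swandog46

Platform: Windows XP

Rootkit scan active.
No rootkits found!

Error: file ":files" not found!
Deletion of file ":files" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "c:\\windows\\system32\\placeholder_a.dll" deleted successfully.
Error: file "c:\\windows\\system32\\placeholder_b.dll" not found!
Deletion of file "c:\\windows\\system32\\placeholder_b.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Deletion of file "c:\\windows\\system32\\placeholder_c.dll" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)
--> access denied

Completed script processing.

Finished! Terminate.
"""

if __name__ == "__main__":
    for bucket, paths in reconcile(SAMPLE_SCRIPT, SAMPLE_LOG).items():
        print(f"{bucket:12s} {paths}")
```

Run on the constructed sample, the checker reports placeholder_a as deleted, placeholder_b as absent, placeholder_c as failed, placeholder_d as unaccounted (listed in the script but never mentioned in the log) and ":files" as a syntax error; the thread's real log would give every path "deleted" and only ":files" in the syntax bucket, which is why the helper could reply "that worked".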

Re: OMG!!! PLEASE HELP!!! IM DESPERATE!

Post by Belahzur on 16th November 2009, 8:20 pm

Ok, good, that worked.

How is the machine now?




