Help for a girl who's not really computer savvy please.

Solved Re: Help for a girl who's not really computer savvy please.

Post by Laurensum on Tue Jan 20, 2009 10:00 pm

GMER 1.0.14.14536 - [You must be registered and logged in to see this link.]
Rootkit scan 2009-01-20 16:59:31
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT 84994128 ZwAlertResumeThread
SSDT 84986858 ZwAlertThread
SSDT 84987698 ZwAllocateVirtualMemory
SSDT 849991A8 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xF3A28A20] <-- ROOTKIT !!!
SSDT 849B4CC8 ZwCreateMutant
SSDT 84990870 ZwCreateThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xF3A28C90] <-- ROOTKIT !!!
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xF3A29350] <-- ROOTKIT !!!
SSDT 8499D3E8 ZwFreeVirtualMemory
SSDT 849AE600 ZwImpersonateAnonymousToken
SSDT 849A2BD0 ZwImpersonateThread
SSDT 8498C3D8 ZwMapViewOfSection
SSDT 84986890 ZwOpenEvent
SSDT 8499D420 ZwOpenProcessToken
SSDT 849A13E0 ZwOpenThreadToken
SSDT 84A15EF8 ZwQueryValueKey
SSDT 8499D858 ZwResumeThread
SSDT 84991EA0 ZwSetContextThread
SSDT 84980CC8 ZwSetInformationProcess
SSDT 84991E30 ZwSetInformationThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xF3A29580] <-- ROOTKIT !!!
SSDT 849C1A28 ZwSuspendProcess
SSDT 84991E68 ZwSuspendThread
SSDT 8499CA28 ZwTerminateProcess
SSDT 84993D40 ZwTerminateThread
SSDT 8499C9F0 ZwUnmapViewOfSection
SSDT 8498A728 ZwWriteVirtualMemory

Code fd5c49aced94763cd8b4c7ddb71bf468.sys (ckmd/Noves Inc) ZwCreateKey [0xF766FC8E]
Code fd5c49aced94763cd8b4c7ddb71bf468.sys (ckmd/Noves Inc) ZwEnumerateKey [0xF766FD13]
Code fd5c49aced94763cd8b4c7ddb71bf468.sys (ckmd/Noves Inc) ZwOpenKey [0xF766FC10]
Code fd5c49aced94763cd8b4c7ddb71bf468.sys (ckmd/Noves Inc) ZwQueryDirectoryFile [0xF766F999]
Code fd5c49aced94763cd8b4c7ddb71bf468.sys (ckmd/Noves Inc) IoCreateFile
Code fd5c49aced94763cd8b4c7ddb71bf468.sys (ckmd/Noves Inc) NtQueryDirectoryFile

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.14 ----

Service C:\WINDOWS\system32\fd5c49aced94763cd8b4c7ddb71bf468.sys (*** hidden *** ) [BOOT] fd5c49aced94763cd8b4c7ddb71bf468 <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\fd5c49aced94763cd8b4c7ddb71bf468
Reg HKLM\SYSTEM\CurrentControlSet\Services\fd5c49aced94763cd8b4c7ddb71bf468@c &registry_path=\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\fd5c49aced94763cd8b4c7ddb71bf468&download_period=846000&first_download_delay=180&version=2&ip_0=586742989&port_0=7000&max_fails_0=5&ip_1=704183501&port_1=8300&max_fails_1=5&ip_2=2241985741&port_2=9002&max_fails_2=2&ip_3=1512966353&port_3=11234&max_fails_3=2&ips_count=4&name=fd5c49aced94763cd8b4c7ddb71bf468&path=system32\fd5c49aced94763cd8b4c7ddb71bf468.sys&wmid=Dkh10219&idate=2009-01-14 08:34:47:250&last_download_time=2009-1-14 8:38:22.859&first_skip=1
Reg HKLM\SYSTEM\CurrentControlSet\Services\fd5c49aced94763cd8b4c7ddb71bf468@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\fd5c49aced94763cd8b4c7ddb71bf468@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\fd5c49aced94763cd8b4c7ddb71bf468@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\fd5c49aced94763cd8b4c7ddb71bf468@Tag 5
Reg HKLM\SYSTEM\CurrentControlSet\Services\fd5c49aced94763cd8b4c7ddb71bf468@ImagePath system32\fd5c49aced94763cd8b4c7ddb71bf468.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\fd5c49aced94763cd8b4c7ddb71bf468@DisplayName fd5c49aced94763cd8b4c7ddb71bf468
Reg HKLM\SYSTEM\CurrentControlSet\Services\fd5c49aced94763cd8b4c7ddb71bf468@Group System Bus Extender
Reg HKLM\SYSTEM\CurrentControlSet\Services\fd5c49aced94763cd8b4c7ddb71bf468\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\fd5c49aced94763cd8b4c7ddb71bf468\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\ControlSet002\Services\fd5c49aced94763cd8b4c7ddb71bf468
Reg HKLM\SYSTEM\ControlSet002\Services\fd5c49aced94763cd8b4c7ddb71bf468@c &registry_path=\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\fd5c49aced94763cd8b4c7ddb71bf468&download_period=846000&first_download_delay=180&version=2&ip_0=586742989&port_0=7000&max_fails_0=5&ip_1=704183501&port_1=8300&max_fails_1=5&ip_2=2241985741&port_2=9002&max_fails_2=2&ip_3=1512966353&port_3=11234&max_fails_3=2&ips_count=4&name=fd5c49aced94763cd8b4c7ddb71bf468&path=system32\fd5c49aced94763cd8b4c7ddb71bf468.sys&wmid=Dkh10219&idate=2009-01-14 08:34:47:250&last_download_time=2009-1-14 8:38:22.859&first_skip=1
Reg HKLM\SYSTEM\ControlSet002\Services\fd5c49aced94763cd8b4c7ddb71bf468@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\fd5c49aced94763cd8b4c7ddb71bf468@Start 0
Reg HKLM\SYSTEM\ControlSet002\Services\fd5c49aced94763cd8b4c7ddb71bf468@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\fd5c49aced94763cd8b4c7ddb71bf468@Tag 5
Reg HKLM\SYSTEM\ControlSet002\Services\fd5c49aced94763cd8b4c7ddb71bf468@ImagePath system32\fd5c49aced94763cd8b4c7ddb71bf468.sys
Reg HKLM\SYSTEM\ControlSet002\Services\fd5c49aced94763cd8b4c7ddb71bf468@DisplayName fd5c49aced94763cd8b4c7ddb71bf468
Reg HKLM\SYSTEM\ControlSet002\Services\fd5c49aced94763cd8b4c7ddb71bf468@Group System Bus Extender
Reg HKLM\SYSTEM\ControlSet002\Services\fd5c49aced94763cd8b4c7ddb71bf468\Security
Reg HKLM\SYSTEM\ControlSet002\Services\fd5c49aced94763cd8b4c7ddb71bf468\Security@Security 0x01 0x00 0x14 0x80 ...

---- Files - GMER 1.0.14 ----

File C:\WINDOWS\system32\fd5c49aced94763cd8b4c7ddb71bf468.sys 39936 bytes executable <-- ROOTKIT !!!

---- EOF - GMER 1.0.14 ----

Laurensum (Intermediate) | Posts: 103 | Joined: 2009-01-20 | Gender: Female | OS: Windows XP

Post by Belahzur on Tue Jan 20, 2009 10:04 pm

Hmm, I think the rootkit may have returned.
Please run the gmer command again.

Then try the avenger using this script.

[You must be registered and logged in to see this link.]


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur (Administrator) | Posts: 34916 | Joined: 2008-08-03 | Gender: Male | OS: XP SP3 Media Centre

Post by Laurensum on Tue Jan 20, 2009 10:09 pm

Command was successfully executed.


Post by Laurensum on Tue Jan 20, 2009 10:13 pm

Avenger still didn't work.


Post by Laurensum on Tue Jan 20, 2009 10:22 pm

Now when I click on Avenger a black dialog box pops up but for only a second. This is different than earlier.


Post by Belahzur on Tue Jan 20, 2009 11:05 pm

Does it still block the avenger if you rename it?
Try that please.



Post by Belahzur on Tue Jan 20, 2009 11:17 pm

Hello.
Please disable Symantec, I think that is what is preventing the removal as GMER is flagging part of Symantec as a rootkit.

If that fails, we can try to disable the rootkit.



Post by Laurensum on Tue Jan 20, 2009 11:35 pm

How do I go about disabling it? Should I remove anything with Symantec in it or remove anything with Norton in it? I went into my programs and didn't find one that was just named Symantec. Maybe I'm looking in the wrong place.


Post by Belahzur on Tue Jan 20, 2009 11:37 pm

Right click the Norton/Symantec icon in the tray in the corner and exit it so they are not active.



Post by Laurensum on Tue Jan 20, 2009 11:39 pm

Ok I figured it out. Now I'll try the Avenger again.


Post by Belahzur on Tue Jan 20, 2009 11:41 pm

I doubt the avenger will run while this rootkit is active.
Once Symantec is disabled, do the gmer command again.

If it's still there, open the "Services" tab in GMER and see if that randomly named rootkit service is there. If so, right click it > Disable.



Post by Laurensum on Tue Jan 20, 2009 11:48 pm

Would it be the one in red text?


Post by Belahzur on Tue Jan 20, 2009 11:51 pm

No.
Like you did with the CMD tab when you pressed the >>>> button, this time open the "Services" tab, and look for that randomly named rootkit we are trying to kill.
If we can disable it, we can delete it, because once it's disabled, all its effects should be temporarily stopped.



Post by Laurensum on Wed Jan 21, 2009 12:10 am

I'm not sure what I should be looking for as in the name. I didn't see any that caught my eye except the one in red text.


Post by Belahzur on Wed Jan 21, 2009 12:13 am

Look for this:
fd5c49aced94763cd8b4c7ddb71bf468



Post by Laurensum on Wed Jan 21, 2009 12:20 am

Well it was the red one. When I tried to disable it nothing happened. It says boot beside it and it is checked in when I right click on it. I scroll down to disable and it still says boot.


Post by Belahzur on Wed Jan 21, 2009 12:26 am

Let's see if we can run Combofix.

  • Download combofix from here, use the top links - [You must be registered and logged in to see this link.]
  • Please rename Combofix.exe to Com-bo-fix.exe before we do anything.
  • Please disable your local AV (Anti-virus) by right clicking its icon in the tray, and exit it.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes.
  • Allow combofix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click combofix's window whilst it's running. That may cause it to stall.



Post by Laurensum on Wed Jan 21, 2009 12:32 am

I was able to disable it from the first page of gmer where it shows you the problems. It says it was disabled successfully. Then I was told to reboot my computer. I restarted it. Is this the same as rebooting it?


Post by Belahzur on Wed Jan 21, 2009 12:34 am

Yes.
Reboot it and let me know if the avenger will stay open.
DO NOT use the avenger yet, I am going to make a custom script to remove this rootkit.
Just let me know if it will stay open.



Post by Laurensum on Wed Jan 21, 2009 12:42 am

I rebooted and checked gmer and it is definitely disabled. However the Avenger still won't stay open.


Post by Belahzur on Wed Jan 21, 2009 12:44 am

Probably the other infection too.
Please try to run Combofix.



Post by Laurensum on Wed Jan 21, 2009 1:27 am

I'm done with the Combofix and I have the post but it is too big for here and rapidshare still didn't work for me.


Post by Belahzur on Wed Jan 21, 2009 1:29 am

Break it up into parts.

Header and other deletions.
Files created within 30 days timedate.
Find3m
Reg loading points
Anything that's left.



Post by Laurensum on Wed Jan 21, 2009 3:10 am

ComboFix 09-01-19.05 - Compaq_Owner 2009-01-20 20:03:12.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.115 [GMT -5:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\Com-bo-fix.exe
AV: Norton Internet Security 2006 *On-access scanning disabled* (Outdated)
FW: Norton Internet Security 2006 *enabled*
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\c.cgm
c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll
c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\moduleie.dll
c:\documents and settings\All Users\Application Data\Microsoft\Protect\svhost.exe
c:\documents and settings\All Users\Application Data\Microsoft\Protect\track.sys
c:\documents and settings\Compaq_Owner\Local Settings\Temporary Internet Files\temp.cab
c:\program files\FunWebProducts
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\History\search2
c:\program files\MyWebSearch\bar\Settings\prevcfg2.htm
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\program files\MyWebSearch\bar\Settings\setting2.htm
c:\program files\MyWebSearch\bar\Settings\settings.dat
c:\program files\Spyware Guard 2008
c:\program files\Spyware Guard 2008\conf.cfg
c:\program files\Spyware Guard 2008\mbase.vdb
c:\program files\Spyware Guard 2008\quarantine.vdb
c:\program files\Spyware Guard 2008\queue.vdb
c:\program files\Spyware Guard 2008\spywareguard.exe
c:\program files\Spyware Guard 2008\uninstall.exe
c:\program files\Spyware Guard 2008\vbase.vdb
c:\recycler\ADAPT_Installer.exe


Post by Laurensum on Wed Jan 21, 2009 3:11 am

By the way, Spyware Guard 2008 hasn't shown back up yet. I think it's gone. Hopefully.


Post by Laurensum on Wed Jan 21, 2009 3:21 am

c:\windows\IE4 Error Log.txt
c:\windows\reged.exe
c:\windows\spoolsystem.exe
c:\windows\sys.com
c:\windows\syscert.exe
c:\windows\sysexplorer.exe
c:\windows\system32\au3305arc.dll
c:\windows\system32\baadebfeadbf.dll
c:\windows\system32\winscenter.exe
c:\windows\vmreg.dll
D:\Autorun.inf


Post by Laurensum on Wed Jan 21, 2009 3:22 am

((((((((((((((((((((((((( Files Created from 2008-12-21 to 2009-01-21 )))))))))))))))))))))))))))))))
.

2009-01-20 11:28 . 2009-01-20 19:39 250 --a------ c:\windows\gmer.ini
2009-01-20 08:27 . 2009-01-20 08:49 d-------- c:\program files\Spyware Doctor
2009-01-20 08:13 . 2009-01-20 09:20 d-------- c:\documents and settings\Compaq_Owner\.SunDownloadManager
2009-01-14 15:29 . 2009-01-14 15:37 d-------- c:\windows\BDOSCAN8
2009-01-14 08:34 . 2009-01-20 19:30 39,936 --a------ c:\windows\system32\fd5c49aced94763cd8b4c7ddb71bf468.sys
2008-12-25 22:14 . 2009-01-15 11:27 d-------- c:\program files\Bonjour


Post by Laurensum on Wed Jan 21, 2009 3:26 am

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-21 01:10 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-20 23:37 --------- d-----w c:\program files\Norton Security Scan
2009-01-20 19:34 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-01-20 13:48 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-16 13:22 --------- d-----w c:\program files\Hidden Expedition Titanic
2009-01-15 16:34 --------- d-----w c:\program files\Compaq Connections
2009-01-15 16:09 --------- d-----w c:\program files\AviSynth 2.5
2008-12-29 23:40 --------- d-----w c:\program files\Mystery Case Files - Huntsville
2008-12-25 06:17 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\Apple Computer
2008-12-18 01:21 --------- d-----w c:\program files\Microsoft CAPICOM 2.1.0.2
2008-12-12 03:24 --------- d-----w c:\program files\iTunes
2008-12-12 03:24 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-12 03:23 --------- d-----w c:\program files\iPod
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-08 03:57 --------- d-----w c:\program files\Common Files\Apple
2008-12-01 18:28 --------- d-----w c:\program files\Norton PC Checkup
2008-11-28 03:22 --------- d-----w c:\program files\QuickTime
2008-11-28 03:17 --------- d-----w c:\program files\Safari
2008-11-21 22:56 --------- d-----w c:\program files\AIM6
2008-11-21 22:55 --------- d-----w c:\program files\Common Files\Software Update Utility
2008-11-21 22:55 --------- d-----w c:\program files\AIM Toolbar
2008-11-21 22:55 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-21 22:55 --------- d-----w c:\documents and settings\All Users\Application Data\AIM Toolbar
2008-11-21 22:55 --------- d-----w c:\documents and settings\All Users\Application Data\acccore
2008-11-21 22:53 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2007-10-14 03:55 1,776 ----a-w c:\documents and settings\Compaq_Owner\Application Data\wklnhst.dat
2006-06-22 14:47 774,144 -c--a-w c:\program files\RngInterstitial.dll
2009-01-14 13:26 766,464 ----a-w c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\qxsylblocg.dll
2007-06-16 22:58 10,856 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-09-26 17:53 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092620080927\index.dat
.


Post by Laurensum on Wed Jan 21, 2009 3:27 am

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2502BBD0-D73B-11DD-B4EC-CEBF56D89593}]
2005-05-31 20:21 199698 --a------ c:\windows\system32\vumer.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-07 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-01 7311360]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-04-12 53408]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-11-09 249856]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-13 663552]
"EPSON Stylus CX3800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE" [2005-02-07 98304]
"SSP Notifier"="c:\program files\Fisher-Price\FP3 Player\sspnotifier.exe" [2006-07-12 20480]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-02-22 180269]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"RTHDCPL"="RTHDCPL.EXE" [2006-01-11 c:\windows\RTHDCPL.EXE]
"nwiz"="nwiz.exe" [2005-12-01 c:\windows\system32\nwiz.exe]

c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-11-23 344064]
PowerReg Scheduler.exe [2006-12-10 256000]
TrueAssistant.lnk - c:\program files\TrueAssistant\TrueAssistant.exe [2005-04-02 372224]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Belkin Wireless USB Utility.lnk - c:\program files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe [2005-10-28 1404928]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\123CopyDVD Pro\\123CopyDVD.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys [2006-08-17 99176]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-10-15 24652]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-11-10 33752]
S4 fd5c49aced94763cd8b4c7ddb71bf468;fd5c49aced94763cd8b4c7ddb71bf468;c:\windows\system32\fd5c49aced94763cd8b4c7ddb71bf468.sys [2009-01-14 39936]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2009-01-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-17 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Compaq_Owner.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2006-02-05 00:03]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
HKLM-Run-spywareguard - c:\program files\Spyware Guard 2008\spywareguard.exe
HKLM-Run-PCDrProfiler - (no file)


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uDefault_Search_URL = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: &Search - [You must be registered and logged in to see this link.]
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - [You must be registered and logged in to see this link.] files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - [You must be registered and logged in to see this link.] files\ieSpell\wikipedia.HTM
DPF: {54D53429-945C-4188-B460-C81356541882} - [You must be registered and logged in to see this link.]
DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\ie02gf6z.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-01-20 20:12:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(728)
c:\windows\system32\GTGina.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\program files\Common Files\Symantec Shared\CCPROXY.EXE
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
.
**************************************************************************
.
Completion time: 2009-01-20 20:22:34 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-21 01:21:56

Pre-Run: 110,584,766,464 bytes free
Post-Run: 111,400,792,064 bytes free

837 --- E O F --- 2009-01-14 13:18:03

Laurensum
Intermediate
Intermediate

Status :
Online
Offline

Posts Posts : 103
Joined Joined : 2009-01-20
Gender Gender : Female
OS OS : Windows XP

View user profile

Back to top Go down

Solved Re: Help for a girl who's not really computer savvy please.

Post by Laurensum on Wed Jan 21, 2009 3:30 am

By the way, between the first and second post of this report there was a chunk that I left out. It was files from a game called Diner Dash and no matter how I broke it down it said it was too large. I don't think you'll need it but if you do let me know cause I saved it to my notepad. I think the Spyware Guard is gone cause I haven't had it try to perform the fake scan and the icon hasn't appeared in the lower right hand of my screen for hours. Thank you so much, you are a life saver. If there is anything else you need me to do let me know. Thank You!


Solved Re: Help for a girl who's not really computer savvy please.

Post by Belahzur on Wed Jan 21, 2009 2:45 pm

Hello.
I don't need the Diner Dash, it's fine. Now let's finish this.
It may appear gone, but the rootkit is still there.
Please do this.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
Viewpoint Manager Service
fd5c49aced94763cd8b4c7ddb71bf468

File::
c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\qxsylblocg.dll
c:\windows\system32\fd5c49aced94763cd8b4c7ddb71bf468.sys
c:\windows\system32\vumer.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2502BBD0-D73B-11DD-B4EC-CEBF56D89593}]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000000

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again, agree to its terms and allow it to run, it may want to reboot after it's done. Post the resulting log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre

View user profile

Back to top Go down
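Added illustration, not part of the thread and not ComboFix's own code: the Registry:: section in the post above resets Windows Security Center values (AntiVirusDisableNotify, UpdatesDisableNotify, AntiVirusOverride, DisableMonitoring) that rogue software sets to 1 so Windows stays silent about protection being off. The script below parses the REGEDIT4-style text ComboFix prints under "Reg Loading Points", flags any such value still set to 1, and builds the matching Registry:: reset block. The sample log fragment is constructed for the example and the function names are my own.

```python
import re

# Constructed sample in the REGEDIT4 layout ComboFix prints under
# "Reg Loading Points". Values are chosen to exercise the check;
# this is not a real log.
SAMPLE_REG = """REGEDIT4

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"ctfmon.exe"="c:\\windows\\system32\\ctfmon.exe" [2008-04-13 15360]
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9A-Fa-f]{8})$')


def parse_regedit4(text):
    """Return {key: {value_name: int}} for every dword value under each [key] header.

    Non-dword values (e.g. the string values in Run keys) are skipped.
    """
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            result.setdefault(current, {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            result[current][m.group("name")] = int(m.group("hex"), 16)
    return result


def tampered_security_center(parsed):
    """Flag Security Center values that silence alerts or disable monitoring.

    A value of 1 for *DisableNotify, *Override or DisableMonitoring means
    Windows will not warn that antivirus, firewall or updates are off.
    Returns a list of (key, value_name) tuples.
    """
    findings = []
    for key, values in parsed.items():
        if "security center" not in key.lower():
            continue
        for name, val in values.items():
            suspicious = (
                name.endswith("DisableNotify")
                or name.endswith("Override")
                or name == "DisableMonitoring"
            )
            if suspicious and val == 1:
                findings.append((key, name))
    return findings


def fix_script(findings):
    """Build the Registry:: block of a CFScript that resets flagged values to 0."""
    by_key = {}
    for key, name in findings:
        by_key.setdefault(key, []).append(name)
    lines = ["Registry::"]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        for name in names:
            lines.append(f'"{name}"=dword:00000000')
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_regedit4(SAMPLE_REG)
    found = tampered_security_center(parsed)
    for key, name in found:
        print(f"tampered: {key} -> {name}")
    print(fix_script(found))
```

Running it against a real ComboFix log (paste the Reg Loading Points section into SAMPLE_REG or read it from a file) shows at a glance whether the reset took effect: a clean machine should produce no findings.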

Solved Re: Help for a girl who's not really computer savvy please.

Post by Laurensum on Wed Jan 21, 2009 3:48 pm

For some reason I can get the text to transfer to either my notepad or wordpad. I can copy but it won't paste it. I tried Control C too and that didn't work either.


Solved Re: Help for a girl who's not really computer savvy please.

Post by Belahzur on Wed Jan 21, 2009 3:51 pm

Highlight it all by dragging your mouse from top to bottom, then right click > Copy
Right click in this response box > Paste

Does that work?



Solved Re: Help for a girl who's not really computer savvy please.

Post by Laurensum on Wed Jan 21, 2009 4:09 pm

Neither way seems to work. It will let me paste, but when I go into the notepad the paste option isn't even highlighted and when I click on it nothing happens.


Solved Re: Help for a girl who's not really computer savvy please.

Post by Laurensum on Wed Jan 21, 2009 4:12 pm

Never mind, I didn't realize I had to have the notepad open first.


Solved Re: Help for a girl who's not really computer savvy please.

Post by Belahzur on Wed Jan 21, 2009 4:13 pm

LOL!

Copy and paste the new report here.



Solved Re: Help for a girl who's not really computer savvy please.

Post by Laurensum on Wed Jan 21, 2009 4:33 pm

ComboFix 09-01-20.05 - Compaq_Owner 2009-01-21 11:14:55.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.109 [GMT -5:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\Com-bo-fix.exe
Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFscript.txt
AV: Norton Internet Security 2006 *On-access scanning enabled* (Outdated)
FW: Norton Internet Security 2006 *enabled*
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point

FILE ::
c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\qxsylblocg.dll
c:\windows\system32\fd5c49aced94763cd8b4c7ddb71bf468.sys
c:\windows\system32\vumer.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\qxsylblocg.dll
c:\windows\system32\fd5c49aced94763cd8b4c7ddb71bf468.sys
c:\windows\system32\vumer.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FD5C49ACED94763CD8B4C7DDB71BF468
-------\Legacy_VIEWPOINT_MANAGER_SERVICE
-------\Service_fd5c49aced94763cd8b4c7ddb71bf468
-------\Service_Viewpoint Manager Service


((((((((((((((((((((((((( Files Created from 2008-12-21 to 2009-01-21 )))))))))))))))))))))))))))))))
.

2009-01-21 10:23 . 2009-01-21 10:23 d-------- c:\program files\AIM Toolbar
2009-01-20 11:28 . 2009-01-20 19:39 250 --a------ c:\windows\gmer.ini
2009-01-20 08:27 . 2009-01-20 08:49 d-------- c:\program files\Spyware Doctor
2009-01-20 08:13 . 2009-01-20 09:20 d-------- c:\documents and settings\Compaq_Owner\.SunDownloadManager
2009-01-14 15:29 . 2009-01-14 15:37 d-------- c:\windows\BDOSCAN8
2008-12-25 22:14 . 2009-01-15 11:27 d-------- c:\program files\Bonjour

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-21 15:25 --------- d-----w c:\program files\AIM6
2009-01-21 15:23 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-01-21 15:22 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-20 23:37 --------- d-----w c:\program files\Norton Security Scan
2009-01-20 19:34 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-01-20 13:48 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-16 13:22 --------- d-----w c:\program files\Hidden Expedition Titanic
2009-01-15 16:34 --------- d-----w c:\program files\Compaq Connections
2009-01-15 16:09 --------- d-----w c:\program files\AviSynth 2.5
2008-12-29 23:40 --------- d-----w c:\program files\Mystery Case Files - Huntsville
2008-12-25 06:17 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\Apple Computer
2008-12-18 01:21 --------- d-----w c:\program files\Microsoft CAPICOM 2.1.0.2
2008-12-12 03:24 --------- d-----w c:\program files\iTunes
2008-12-12 03:24 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-12 03:23 --------- d-----w c:\program files\iPod
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-08 03:57 --------- d-----w c:\program files\Common Files\Apple
2008-12-01 18:28 --------- d-----w c:\program files\Norton PC Checkup
2008-11-28 03:22 --------- d-----w c:\program files\QuickTime
2008-11-28 03:17 --------- d-----w c:\program files\Safari
2008-11-21 22:55 --------- d-----w c:\program files\Common Files\Software Update Utility
2008-11-21 22:55 --------- d-----w c:\documents and settings\All Users\Application Data\AIM Toolbar
2008-11-21 22:55 --------- d-----w c:\documents and settings\All Users\Application Data\acccore
2008-11-21 22:53 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2007-10-14 03:55 1,776 ----a-w c:\documents and settings\Compaq_Owner\Application Data\wklnhst.dat
2006-06-22 14:47 774,144 -c--a-w c:\program files\RngInterstitial.dll
2007-06-16 22:58 10,856 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-09-26 17:53 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092620080927\index.dat
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-21 22:55:09 38,428 -c--a-w c:\windows\Downloaded Program Files\unagiuninst.exe
+ 2009-01-21 15:23:26 38,428 -c--a-w c:\windows\Downloaded Program Files\unagiuninst.exe
+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-07 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-01 7311360]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-04-12 53408]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-11-09 249856]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-13 663552]
"EPSON Stylus CX3800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE" [2005-02-07 98304]
"SSP Notifier"="c:\program files\Fisher-Price\FP3 Player\sspnotifier.exe" [2006-07-12 20480]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-02-22 180269]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"RTHDCPL"="RTHDCPL.EXE" [2006-01-11 c:\windows\RTHDCPL.EXE]
"nwiz"="nwiz.exe" [2005-12-01 c:\windows\system32\nwiz.exe]

c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-11-23 344064]
PowerReg Scheduler.exe [2006-12-10 256000]
TrueAssistant.lnk - c:\program files\TrueAssistant\TrueAssistant.exe [2005-04-02 372224]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Belkin Wireless USB Utility.lnk - c:\program files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe [2005-10-28 1404928]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\123CopyDVD Pro\\123CopyDVD.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys [2006-08-17 99176]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-11-10 33752]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2009-01-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-17 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Compaq_Owner.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2006-02-05 00:03]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uDefault_Search_URL = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: &Search - [You must be registered and logged in to see this link.]
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - [You must be registered and logged in to see this link.] files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - [You must be registered and logged in to see this link.] files\ieSpell\wikipedia.HTM
DPF: {54D53429-945C-4188-B460-C81356541882} - [You must be registered and logged in to see this link.]
DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\ie02gf6z.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\ie02gf6z.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\ie02gf6z.default\extensions\fotofox@mozilla.com\platform\WINNT_x86-msvc\components\mozFotofox.dll
FF - component: c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\ie02gf6z.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-01-21 11:23:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\windows\system32\GTGina.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\program files\Common Files\Symantec Shared\CCPROXY.EXE
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
c:\windows\system32\wscntfy.exe
c:\program files\Symantec\LiveUpdate\AUPDATE.EXE
c:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
.
**************************************************************************
.
Completion time: 2009-01-21 11:30:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-21 16:30:22
ComboFix2.txt 2009-01-21 16:03:14
ComboFix3.txt 2009-01-21 01:22:36

Pre-Run: 111,178,637,312 bytes free
Post-Run: 111,093,063,680 bytes free

205 --- E O F --- 2009-01-14 13:18:03


Solved Re: Help for a girl who's not really computer savvy please.

Post by Belahzur on Wed Jan 21, 2009 4:34 pm

You did well, the rootkit is gone. Hooray!

Please post a new Hijack This log.



Solved Re: Help for a girl who's not really computer savvy please.

Post by Laurensum on Wed Jan 21, 2009 4:35 pm

How do I do that?


Solved Re: Help for a girl who's not really computer savvy please.

Post by Belahzur on Wed Jan 21, 2009 4:39 pm

Oh yeah, forgot, the rootkit wouldn't allow it.

Download from one of these links and post a log:
[You must be registered and logged in to see this link.]



Solved Re: Help for a girl who's not really computer savvy please.

Post by Laurensum on Wed Jan 21, 2009 5:04 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:00:51 PM, on 1/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE
C:\Program Files\Fisher-Price\FP3 Player\sspnotifier.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\TrueAssistant\TrueAssistant.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Documents and Settings\Compaq_Owner\Desktop\hijackgpthis.exe


Solved Re: Help for a girl who's not really computer savvy please.

Post by Laurensum on Wed Jan 21, 2009 5:04 pm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: HpWebHelper - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\webhelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
O4 - HKLM\..\Run: [SSP Notifier] C:\Program Files\Fisher-Price\FP3 Player\sspnotifier.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueAssistant\TrueAssistant.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: &ieSpell Options - [You must be registered and logged in to see this link.] Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Search - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Check &Spelling - [You must be registered and logged in to see this link.] Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Lookup on Merriam Webster - [You must be registered and logged in to see this link.] Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - [You must be registered and logged in to see this link.] Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - [You must be registered and logged in to see this link.]
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {54D53429-945C-4188-B460-C81356541882} (SaveImageFiles Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {7CCAD6DD-DD0B-440B-91FF-7670F5AADC21} (SpinTop Games Launcher) - [You must be registered and logged in to see this link.]
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - [You must be registered and logged in to see this link.]
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - [You must be registered and logged in to see this link.]
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - [You must be registered and logged in to see this link.]
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildTangent\Apps\HP Game Console\GameConsoleService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
O24 - Desktop Component 0: (no name) - [You must be registered and logged in to see this link.]

--
End of file - 15511 bytes

Laurensum
Intermediate

Posts : 103
Joined : 2009-01-20
Gender : Female
OS : Windows XP


Solved Re: Help for a girl who's not really computer savvy please.

Post by Belahzur on Wed Jan 21, 2009 5:09 pm

Hello.
Looks good; we just need to make sure this machine is secure.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O4 - Startup: PowerReg Scheduler.exe
    O8 - Extra context menu item: &Search - [You must be registered and logged in to see this link.]
    O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - [You must be registered and logged in to see this link.]
    O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - [You must be registered and logged in to see this link.]


  • Press "Fix Checked"
  • Close HijackThis.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:

  • Download the latest version of [You must be registered and logged in to see this link.].
  • Select the first option where it says "Java SE Runtime Environment (JRE) 6 Update 11".
  • Click the "Download" button to the right.
  • In the window that opens, select your platform and language, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    - Java 2 Runtime Environment, SE v1.4.2
    - J2SE Runtime Environment 5.0
    - J2SE Runtime Environment 5.0 Update 2
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe that you downloaded to install the newest version.

I see you have Adobe Reader version 7 installed on here; this is old and has holes malware may abuse, so we need to close these holes.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

  • Adobe Reader 7

Then download and install version 9 from here:
[You must be registered and logged in to see this link.]

Please let me know when you have done that.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.
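The post above identifies the outdated Java and Adobe Reader installs from their paths in the HijackThis log. As an added example (not from this thread, HijackThis, or the helper), this parses log lines in the `Onn - ...` format shown earlier and flags versions below the baselines the post names (JRE 6 Update 11, Reader 9); the sample log lines and the `[link removed]` placeholder are constructed.

```python
import re

# Constructed sample in the HijackThis log format seen in this thread;
# links the forum replaced with a login notice appear as "[link removed]".
SAMPLE_LOG = "\n".join([
    r"O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe",
    r"O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll",
    r"O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll",
    r"O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [link removed]",
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe",
])

# Every HijackThis finding is "<section> - <body>", e.g. "O9 - Extra button: ...".
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# Baselines from the helper's post: JRE 6 Update 11 and Adobe Reader 9.
CURRENT_JRE = (6, 11)
CURRENT_READER = 9
# The versions only show up in the install paths, so they are parsed from there.
JRE_PATH_RE = re.compile(r"\\jre1\.(\d+)\.0_(\d+)\\", re.IGNORECASE)
READER_PATH_RE = re.compile(r"\\Acrobat (\d+)\.\d+\\Reader\\", re.IGNORECASE)


def parse_entries(log):
    """Return (section, body) for each 'Onn - ...' line; headers and blanks are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def outdated_software(log):
    """List (product, found, required) for installs below the baselines;
    repeated hits (the Java button and menu item) are reported once."""
    findings = []
    for _section, body in parse_entries(log):
        m = JRE_PATH_RE.search(body)
        if m:
            found = (int(m.group(1)), int(m.group(2)))
            if found < CURRENT_JRE:
                findings.append(("Java JRE", found, CURRENT_JRE))
        m = READER_PATH_RE.search(body)
        if m:
            found = int(m.group(1))
            if found < CURRENT_READER:
                findings.append(("Adobe Reader", found, CURRENT_READER))
    # dict.fromkeys keeps first-seen order while dropping duplicates
    return list(dict.fromkeys(findings))
```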


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre


Solved Re: Help for a girl who's not really computer savvy please.

Post by Laurensum on Wed Jan 21, 2009 6:13 pm

OK, I did all that. Now let me ask your advice. This morning, when I thought this was done, I used my credit/debit card to make a purchase from Toys R Us through their secure checkout, and I also paid bills, probably before I was aware of this. Do you think I should call my bank and have a new card issued?


Solved Re: Help for a girl who's not really computer savvy please.

Post by Belahzur on Wed Jan 21, 2009 6:18 pm

I'm not quite sure what this rootkit does; I can't research it as it was randomly named. I saw someone else with (probably) the same thing here:
[You must be registered and logged in to see this link.]

Please do not run tools that were posted for that user.

That's how I wanted to use the GMER -del service command to try and take it out.
If it's for your sense of security, then yes, I would ask for a new credit card. The rootkit (I don't think anyway) has keylogging abilities (see the above topic link), but I don't want you to go away worrying.



Solved Re: Help for a girl who's not really computer savvy please.

Post by Laurensum on Wed Jan 21, 2009 6:20 pm

Should I uninstall all the programs we used, like GMER etc.? Also, thank you very much, and I'll let you know if I have any problems.


Solved Re: Help for a girl who's not really computer savvy please.

Post by Belahzur on Wed Jan 21, 2009 6:22 pm

Yes, ComboFix has a special routine for uninstalling itself, by doing this:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u <== note the space between the x and /



Solved Re: Help for a girl who's not really computer savvy please.

Post by Doctor Inferno on Sat May 02, 2009 6:53 am

Since this issue has been addressed, a "solved" tag will be added and this topic will be closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

Doctor Inferno
Administrator

Posts : 12017
Joined : 2007-12-26
Gender : Male
OS : Windows 7 Home Premium and Ultimate X64
