My computer is infected....Hello all

View previous topic View next topic Go down

My computer is infected....Hello all

Post by ayogeo on 1st April 2009, 12:22 pm

When i go to google and try to do a search the same names come up toseeka, maxim, bullezeye, i have norton antivirus installed as well as i ran spybot but the problem is still there how can i find out exactly where the problem is? Thank you

ayogeo
Novice
Novice

Posts Posts : 12
Joined Joined : 2009-04-01
OS OS : xp
Points Points : 28114
# Likes # Likes : 0

View user profile

Back to top Go down

Re: My computer is infected....Hello all

Post by Doctor Inferno on 1st April 2009, 12:37 pm

Welcome to GeekPolice!

Please read this topic first:

[You must be registered and logged in to see this link.]


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

Doctor Inferno
Administrator
Administrator

Posts Posts : 11976
Joined Joined : 2007-12-26
Gender Gender : Male
OS OS : Windows 7 Home Premium and Ultimate X64
Protection Protection : Kaspersky PURE and Malwarebytes' Anti-Malware
Points Points : 104640
# Likes # Likes : 0

View user profile

Back to top Go down

Re: My computer is infected....Hello all

Post by ayogeo on 1st April 2009, 2:17 pm

Thank you, and here you go

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:16:18 AM, on 4/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\GmoteServer\RunServerCheckForJava.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
F:\Limewire\LimeWire.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Magic\Deployment\MGrntw.exe
C:\PVSW\bin\W3DBSMGR.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Estimator\Local Settings\Temporary Internet Files\Content.IE5\6S30ROLG\hijackgpthis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Smart-Shopper - {4A7C84E2-E95C-43C6-8DD3-03ABCD0EB60E} - C:\Program Files\Smart-Shopper\Bin\2.5.1\Smrt-Shpr.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - S-1-5-18 Startup: Gmote Server.lnk = C:\Program Files\GmoteServer\GmoteServer.bat (User 'SYSTEM')
O4 - .DEFAULT Startup: Gmote Server.lnk = C:\Program Files\GmoteServer\GmoteServer.bat (User 'Default user')
O4 - Startup: Gmote Server.lnk = C:\Program Files\GmoteServer\GmoteServer.bat
O8 - Extra context menu item: &Search - ?p=ZKxdm021YYUS
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} (Scanner.SysScanner) - [You must be registered and logged in to see this link.]
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - [You must be registered and logged in to see this link.]
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - [You must be registered and logged in to see this link.]
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O20 - AppInit_DLLs: C:\WINDOWS\System32\cscui32.dll
O20 - Winlogon Notify: 14fce4c6565 - C:\WINDOWS\System32\cscui32.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 12458 bytes

ayogeo
Novice
Novice

Posts Posts : 12
Joined Joined : 2009-04-01
OS OS : xp
Points Points : 28114
# Likes # Likes : 0

View user profile

Back to top Go down

Re: My computer is infected....Hello all

Post by Belahzur on 1st April 2009, 2:23 pm

Hello.
Before we clean the machine up, I want to uninstall a few things.

  • Open HijackThis
  • When Hijack This opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: My computer is infected....Hello all

Post by ayogeo on 1st April 2009, 2:42 pm

Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe AIR
Adobe AIR
Adobe Flash Player ActiveX
Adobe Media Player
Adobe Media Player
Adobe Reader 8.1.2
Adobe Shockwave Player
AIM 6
AppCore
Backup
BlackBerry Desktop Software 4.2
BlackBerry Desktop Software 4.2
Broadcom Advanced Control Suite
ccCommon
Compatibility Pack for the 2007 Office system
Critical Update for Windows Media Player 11 (KB959772)
GearDrvs
GearDrvs
Google Desktop
Google Earth
Google Toolbar for Internet Explorer
Google Updater
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
hp LaserJet-all-in-one
Intel(R) Graphics Media Accelerator Driver
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 11
Java(TM) 6 Update 2
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
LaserAIO
LimeWire 4.16.6
LiveUpdate (Symantec Corporation)
LiveUpdate (Symantec Corporation)
LiveUpdate 3.0 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Magic Desktop Deployment 8.30
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Basic Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MIKE 2000+ Estimating
MIKE 2000+ Estimating
Mixxx
MSN Toolbar
MSXML4 Parser
Norton 360
Norton 360
Norton 360 (Symantec Corporation)
Norton 360 HTMLHelp
Norton Confidential Core
Pervasive System Analyzer
Pervasive.SQL V8 Workgroup (v8.6)
Picasa 2
Picture Package Music Transfer
PowerDVD 5.7
Print Server Driver
QuickTime
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
SmartShopper
Sony Picture Utility
SPBBC 32bit
Spybot - Search & Destroy
Symantec Real Time Storage Protection Component
Symantec Technical Support Controls
Uniblue RegistryBooster 2009
Uniblue RegistryBooster 2009
Update for Windows Internet Explorer 8 (KB961813)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Viewpoint Media Player
Visual Take-Off+
WD Diagnostics
Windows Internet Explorer 8 Release Candidate 1
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 10 Hotfix - KB894476
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinZip 11.2

ayogeo
Novice
Novice

Posts Posts : 12
Joined Joined : 2009-04-01
OS OS : xp
Points Points : 28114
# Likes # Likes : 0

View user profile

Back to top Go down

Re: My computer is infected....Hello all

Post by Belahzur on 1st April 2009, 2:47 pm

I see that you are running Limewire.
P2P(Peer to peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.
Should you choose to remove them, but you are having trouble doing so, please let me know in your next post here and I will aid you.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

  • Adobe Reader 8.1.2
  • Java 2 Runtime Environment, SE v1.4.2_03
  • Java(TM) 6 Update 11
  • Java(TM) 6 Update 2
  • Java(TM) 6 Update 5
  • Java(TM) 6 Update 7
  • Java(TM) SE Runtime Environment 6 Update 1
  • LimeWire 4.16.6
  • Uniblue RegistryBooster 2009
  • Uniblue RegistryBooster 2009
  • Viewpoint Media Player

Now lets see if we can clean this up.

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
You can reenable TeaTimer once your system is clean.

Please make sure Teatimer is disable before we do this, otherwise this fix will fail.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Smart-Shopper - {4A7C84E2-E95C-43C6-8DD3-03ABCD0EB60E} - C:\Program Files\Smart-Shopper\Bin\2.5.1\Smrt-Shpr.dll
    O8 - Extra context menu item: &Search - ?p=ZKxdm021YYUS
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O20 - AppInit_DLLs: C:\WINDOWS\System32\cscui32.dll
    O20 - Winlogon Notify: 14fce4c6565 - C:\WINDOWS\System32\cscui32.dll


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: My computer is infected....Hello all

Post by ayogeo on 1st April 2009, 5:54 pm

Ok so i did everything you have told me to do, when i run the Malwarebytes i run a full system scan and it runs up until it reaches the file C:\\Windows\inf\xinput9_1_0_x86.PNF, I DID IT AGAIN A SECOND TIME AND AGAIN THE SAME OUTCOME, BUT WHAT I DID NOTICE WAS THE SECOND TIME AROUND THE FILE CHANGED ITS LOCATION because the scan scanned threw more files then before.

ayogeo
Novice
Novice

Posts Posts : 12
Joined Joined : 2009-04-01
OS OS : xp
Points Points : 28114
# Likes # Likes : 0

View user profile

Back to top Go down

Re: My computer is infected....Hello all

Post by Belahzur on 1st April 2009, 6:02 pm

Okay, looks like we'll have to go in manually.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: My computer is infected....Hello all

Post by ayogeo on 1st April 2009, 6:07 pm

DDS (Ver_09-03-16.01) - NTFSx86
Run by Estimator at 14:05:27.92 on Wed 04/01/2009
Internet Explorer: 8.0.6001.18372
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.278 [GMT -4:00]

AV: Norton 360 *On-access scanning enabled* (Updated)
FW: Norton 360 *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Comput-Ability\Visual TakeOff\VTO.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Magic\Deployment\MGrntw.exe
C:\PVSW\bin\W3DBSMGR.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Estimator\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Bar = [You must be registered and logged in to see this link.]
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.6\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
TB: {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: SmartShopper: {8bcb5337-ec01-4e38-840c-a964f174255b} - c:\program files\smart-shopper\bin\2.5.1\Smrt-Shpr.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\RegistryBooster.exe /S
mRun: [ccApp] c:\program files\common files\symantec shared\ccApp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
StartupFolder: c:\docume~1\estima~1\startm~1\programs\startup\gmotes~1.lnk - c:\program files\gmoteserver\GmoteServer.bat
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - [You must be registered and logged in to see this link.]
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - [You must be registered and logged in to see this link.]
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - [You must be registered and logged in to see this link.]
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - [You must be registered and logged in to see this link.]
DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - [You must be registered and logged in to see this link.]
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - [You must be registered and logged in to see this link.]
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - [You must be registered and logged in to see this link.]
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - [You must be registered and logged in to see this link.]
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - [You must be registered and logged in to see this link.]
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - [You must be registered and logged in to see this link.]
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - [You must be registered and logged in to see this link.]
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
Notify: 14fce4c6565 - c:\windows\system32\cscui32.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\cscui32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli scecli

============= SERVICES / DRIVERS ===============

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-6-6 1245064]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-25 101936]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-4-1 38496]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090401.003\NAVENG.SYS [2009-4-1 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090401.003\NAVEX15.SYS [2009-4-1 876144]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]

=============== Created Last 30 ================

2009-04-01 13:57 9 a------- c:\windows\system\~PVSW~.LOC
2009-04-01 13:57 0 a------- c:\windows\system\mglock.dat
2009-04-01 13:57 0 a------- C:\mglock.dat
2009-04-01 11:44 --d----- c:\docume~1\estima~1\applic~1\Malwarebytes
2009-04-01 11:44 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-01 11:44 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-01 11:44 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-01 11:44 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-31 12:17 --d----- c:\program files\Spybot - Search & Destroy
2009-03-31 12:17 --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-03-31 12:14 --d----- c:\docume~1\estima~1\applic~1\Uniblue
2009-03-31 12:13 -cd-h--- c:\docume~1\alluse~1\applic~1\~0
2009-03-31 07:57 0 a------- c:\windows\system32\29.tmp
2009-03-29 16:09 1,351 a--sh--- c:\windows\system32\GroupPolicy000.dat
2009-03-29 16:09 --dsh--- c:\windows\system32\NetworkService32
2009-03-29 16:09 139,264 a------- c:\windows\system32\cscui32.dll
2009-03-13 11:49 --d----- c:\program files\StepMania

==================== Find3M ====================

2009-02-19 13:03 579,464 a------- c:\windows\system32\SymNeti.dll
2009-02-19 13:03 207,240 a------- c:\windows\system32\SymRedir.dll
2009-02-19 12:31 31,280 a------- c:\windows\system32\drivers\SymIM.sys
2009-02-19 12:31 9,844 a------- c:\windows\system32\drivers\SymRedir.cat
2009-02-19 12:31 1,611 a------- c:\windows\system32\drivers\SymRedir.inf
2009-02-19 12:31 41,008 a------- c:\windows\system32\drivers\symndisv.sys
2009-02-19 12:31 184,496 a------- c:\windows\system32\drivers\symtdi.sys
2009-02-19 12:31 96,560 a------- c:\windows\system32\drivers\symfw.sys
2009-02-19 12:31 38,576 a------- c:\windows\system32\drivers\symids.sys
2009-02-19 12:31 37,424 a------- c:\windows\system32\drivers\symndis.sys
2009-02-19 12:31 22,320 a------- c:\windows\system32\drivers\symredrv.sys
2009-02-19 12:31 13,616 a------- c:\windows\system32\drivers\symdns.sys
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 07:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-01-26 10:26 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-15 03:17 636,264 a------- c:\windows\system32\dllcache\iexplore.exe
2009-01-15 03:17 392,040 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-01-15 03:13 5,888,512 a------- c:\windows\system32\dllcache\mshtml.dll
2009-01-15 03:12 10,963,968 a------- c:\windows\system32\dllcache\ieframe.dll
2009-01-15 03:06 1,182,720 a------- c:\windows\system32\dllcache\urlmon.dll
2009-01-15 03:06 236,544 a------- c:\windows\system32\dllcache\webcheck.dll
2009-01-15 03:06 105,984 a------- c:\windows\system32\dllcache\url.dll
2009-01-15 03:05 911,872 a------- c:\windows\system32\wininet.dll
2009-01-15 03:05 911,872 a------- c:\windows\system32\dllcache\wininet.dll
2009-01-15 03:05 193,536 a------- c:\windows\system32\dllcache\msrating.dll
2009-01-15 03:05 109,056 a------- c:\windows\system32\dllcache\occache.dll
2009-01-15 03:05 43,008 a------- c:\windows\system32\licmgr10.dll
2009-01-15 03:05 43,008 a------- c:\windows\system32\dllcache\licmgr10.dll
2009-01-15 03:04 755,200 a------- c:\windows\system32\dllcache\VGX.dll
2009-01-15 03:04 18,944 a------- c:\windows\system32\corpol.dll
2009-01-15 03:04 18,944 -------- c:\windows\system32\dllcache\corpol.dll
2009-01-15 03:04 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-01-15 03:02 1,975,296 a------- c:\windows\system32\dllcache\iertutil.dll
2009-01-15 03:02 593,920 a------- c:\windows\system32\dllcache\msfeeds.dll
2009-01-15 03:02 611,840 a------- c:\windows\system32\dllcache\mstime.dll
2009-01-15 03:01 183,808 a------- c:\windows\system32\dllcache\iepeers.dll
2009-01-15 03:01 59,904 a------- c:\windows\system32\dllcache\icardie.dll
2009-01-15 03:01 54,272 a------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-01-15 03:01 34,304 a------- c:\windows\system32\imgutil.dll
2009-01-15 03:01 34,304 a------- c:\windows\system32\dllcache\imgutil.dll
2009-01-15 03:01 348,160 a------- c:\windows\system32\dllcache\dxtmsft.dll
2009-01-15 03:01 46,592 a------- c:\windows\system32\dllcache\pngfilt.dll
2009-01-15 03:01 216,064 a------- c:\windows\system32\dllcache\dxtrans.dll
2009-01-15 03:01 66,560 a------- c:\windows\system32\dllcache\mshtmled.dll
2009-01-15 03:00 48,128 a------- c:\windows\system32\mshtmler.dll
2009-01-15 03:00 48,128 a------- c:\windows\system32\dllcache\mshtmler.dll
2009-01-15 03:00 45,568 a------- c:\windows\system32\mshta.exe
2009-01-15 03:00 45,568 a------- c:\windows\system32\dllcache\mshta.exe
2009-01-15 02:53 68,608 a------- c:\windows\system32\dllcache\hmmapi.dll
2009-01-15 02:50 156,160 a------- c:\windows\system32\msls31.dll
2009-01-15 02:50 156,160 a------- c:\windows\system32\dllcache\msls31.dll
2009-01-15 02:35 445,440 a------- c:\windows\system32\dllcache\ieapfltr.dll
2009-01-11 01:00 79,360 -------- c:\windows\system32\dllcache\iecompat.dll
2009-01-09 13:02 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2008-04-22 15:09 0 a--sh--- c:\docume~1\estima~1\applic~1\00480e2fab3dc4ac21c3e809a978f8f56d9a95fc3e.dat
2007-03-04 11:30 8 a------- c:\docume~1\estima~1\applic~1\usb.dat.bin
2008-08-22 09:49 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082220080823\index.dat
2008-09-22 03:09 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092220080923\index.dat

============= FINISH: 14:06:11.60 ===============

ayogeo
Novice
Novice

Posts Posts : 12
Joined Joined : 2009-04-01
OS OS : xp
Points Points : 28114
# Likes # Likes : 0

View user profile

Back to top Go down

Re: My computer is infected....Hello all

Post by Belahzur on 1st April 2009, 6:13 pm

Hmm.
Before we remove the malware I can see, I want to check something out.

Download the Registry Search Tool from [You must be registered and logged in to see this link.]

Unzip to your Desktop and double click on regsrch.vbs
(if you have script protection, please allow this to run)

In the dialog that opens, enter the following:
8bcb5337-ec01-4e38-840c-a964f174255b

Press 'OK'

The search will run for a while then alert you when it is finished.
Press 'OK' and copy the contents of the WordPad window and post in this thread.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: My computer is infected....Hello all

Post by ayogeo on 1st April 2009, 6:19 pm

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "8bcb5337-ec01-4e38-840c-a964f174255b" 4/1/2009 2:18:45 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BCB5337-EC01-4E38-840C-A964F174255B}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BCB5337-EC01-4E38-840C-A964F174255B}\Implemented Categories]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BCB5337-EC01-4E38-840C-A964F174255B}\Implemented Categories\{00021493-0000-0000-C000-000000000046}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BCB5337-EC01-4E38-840C-A964F174255B}\InprocServer32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BCB5337-EC01-4E38-840C-A964F174255B}\ProgID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BCB5337-EC01-4E38-840C-A964F174255B}\TypeLib]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BCB5337-EC01-4E38-840C-A964F174255B}\VersionIndependentProgID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Smart-Shopper.HbInfoBand\CLSID]
@="{8BCB5337-EC01-4E38-840C-A964F174255B}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Smart-Shopper.HbInfoBand.1\CLSID]
@="{8BCB5337-EC01-4E38-840C-A964F174255B}"

[HKEY_USERS\S-1-5-21-648950360-2189984887-328261712-1006\Software\Microsoft\Internet Explorer\Explorer Bars\{8BCB5337-EC01-4E38-840C-A964F174255B}]

[HKEY_USERS\S-1-5-21-648950360-2189984887-328261712-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8BCB5337-EC01-4E38-840C-A964F174255B}]

[HKEY_USERS\S-1-5-21-648950360-2189984887-328261712-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8BCB5337-EC01-4E38-840C-A964F174255B}\iexplore]

ayogeo
Novice
Novice

Posts Posts : 12
Joined Joined : 2009-04-01
OS OS : xp
Points Points : 28114
# Likes # Likes : 0

View user profile

Back to top Go down

Re: My computer is infected....Hello all

Post by Belahzur on 1st April 2009, 6:22 pm

Hello.
Thanks.

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose CopyCrying


    :files
    c:\windows\system32\29.tmp
    c:\docume~1\alluse~1\applic~1\~0
    c:\windows\system32\NetworkService32
    c:\windows\system32\cscui32.dll
    c:\program files\smart-shopper

    :reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BCB5337-EC01-4E38-840C-A964F174255B}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Smart-Shopper.HbInfoBand]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{5CBE2611-C31B-401F-89BC-4CBB25E853D7}"=-
    "{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}"=-
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\14fce4c6565]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=-
    "AppInit_DLLs"=""
    [-HKEY_USERS\S-1-5-21-648950360-2189984887-328261712-1006\Software\Microsoft\Internet Explorer\Explorer Bars\{8BCB5337-EC01-4E38-840C-A964F174255B}]
    [-HKEY_USERS\S-1-5-21-648950360-2189984887-328261712-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8BCB5337-EC01-4E38-840C-A964F174255B}]


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: My computer is infected....Hello all

Post by ayogeo on 1st April 2009, 6:32 pm

========== FILES ==========
c:\windows\system32\29.tmp moved successfully.
c:\docume~1\alluse~1\applic~1\~0 moved successfully.
c:\windows\system32\NetworkService32 moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\cscui32.dll
c:\windows\system32\cscui32.dll NOT unregistered.
c:\windows\system32\cscui32.dll moved successfully.
c:\program files\Smart-Shopper\Bin\2.5.1 moved successfully.
c:\program files\Smart-Shopper\Bin moved successfully.
c:\program files\Smart-Shopper moved successfully.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BCB5337-EC01-4E38-840C-A964F174255B}\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Smart-Shopper.HbInfoBand\\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{5CBE2611-C31B-401F-89BC-4CBB25E853D7} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5CBE2611-C31B-401F-89BC-4CBB25E853D7}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\14fce4c6565\\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\\"AppInit_DLLs"|"" /E : value set successfully!
Registry key HKEY_USERS\S-1-5-21-648950360-2189984887-328261712-1006\Software\Microsoft\Internet Explorer\Explorer Bars\{8BCB5337-EC01-4E38-840C-A964F174255B}\\ deleted successfully.
Registry key HKEY_USERS\S-1-5-21-648950360-2189984887-328261712-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8BCB5337-EC01-4E38-840C-A964F174255B}\\ deleted successfully.

OTMoveIt3 by OldTimer - Version 1.0.10.0 log created on 04012009_143141

ayogeo
Novice
Novice

Posts Posts : 12
Joined Joined : 2009-04-01
OS OS : xp
Points Points : 28114
# Likes # Likes : 0

View user profile

Back to top Go down

Re: My computer is infected....Hello all

Post by Belahzur on 1st April 2009, 6:35 pm

Hello.
How is the machine running now?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: My computer is infected....Hello all

Post by ayogeo on 1st April 2009, 6:47 pm

the same thing

ayogeo
Novice
Novice

Posts Posts : 12
Joined Joined : 2009-04-01
OS OS : xp
Points Points : 28114
# Likes # Likes : 0

View user profile

Back to top Go down

Re: My computer is infected....Hello all

Post by Belahzur on 1st April 2009, 6:55 pm

Google search hijacks? I want to have a look at something.


  • Now open a new notepad file.
  • Input this into the notepad file:

    regedit /e C:\look.txt "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32"
    start notepad C:\look.txt

  • Save this as look.bat, save it to your desktop.
  • Double click look.bat to run it.
  • Copy and paste the report back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: My computer is infected....Hello all

Post by ayogeo on 1st April 2009, 7:21 pm

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midimapper"="midimap.dll"
"msacm.imaadpcm"="imaadp32.acm"
"msacm.msadpcm"="msadp32.acm"
"msacm.msg711"="msg711.acm"
"msacm.msgsm610"="msgsm32.acm"
"msacm.trspch"="tssoft32.acm"
"vidc.cvid"="iccvid.dll"
"vidc.I420"="msh263.drv"
"vidc.iv31"="ir32_32.dll"
"vidc.iv32"="ir32_32.dll"
"vidc.iv41"="ir41_32.ax"
"vidc.iyuv"="iyuv_32.dll"
"vidc.mrle"="msrle32.dll"
"vidc.msvc"="msvidc32.dll"
"vidc.uyvy"="msyuv.dll"
"vidc.yuy2"="msyuv.dll"
"vidc.yvu9"="tsbyuv.dll"
"vidc.yvyu"="msyuv.dll"
"wavemapper"="msacm32.drv"
"msacm.msg723"="msg723.acm"
"vidc.M263"="msh263.drv"
"vidc.M261"="msh261.drv"
"msacm.msaudio1"="msaud32.acm"
"msacm.sl_anet"="sl_anet.acm"
"msacm.iac2"="C:\\WINDOWS\\system32\\iac25_32.ax"
"vidc.iv50"="ir50_32.dll"
"msacm.l3acm"="C:\\WINDOWS\\system32\\l3codeca.acm"
"wave"="wdmaud.drv"
"midi"="wdmaud.drv"
"mixer"="wdmaud.drv"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server\RDP]
"wave"="rdpsnd.dll"
"mixer"="rdpsnd.dll"
"MaxBandwidth"=dword:000056b9
"wavemapper"="msacm32.drv"
"EnableMP3Codec"=dword:00000001
"midimapper"="midimap.dll"

ayogeo
Novice
Novice

Posts Posts : 12
Joined Joined : 2009-04-01
OS OS : xp
Points Points : 28114
# Likes # Likes : 0

View user profile

Back to top Go down

Re: My computer is infected....Hello all

Post by Belahzur on 1st April 2009, 7:23 pm

Nope, clean.
Lets dig a litte deeper.

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Leave the script box empty for now.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avengerís actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: My computer is infected....Hello all

Post by ayogeo on 1st April 2009, 7:44 pm

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Completed script processing.

*******************

Finished! Terminate.

ayogeo
Novice
Novice

Posts Posts : 12
Joined Joined : 2009-04-01
OS OS : xp
Points Points : 28114
# Likes # Likes : 0

View user profile

Back to top Go down

Re: My computer is infected....Hello all

Post by Belahzur on 1st April 2009, 7:52 pm

No rootkit, none of the usual common Google hijackers.
Lets see if this finds anything.

* Download Dr.Web CureIt to the desktop:
[You must be registered and logged in to see this link.]

  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found:
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:

    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: My computer is infected....Hello all

Post by ayogeo on 2nd April 2009, 3:04 pm

i just tried it and it did the scan for 2hrs and 20 min then got stuck, i closed it then my computer went blue with a fatal error message i just shut it down now iam back on it

ayogeo
Novice
Novice

Posts Posts : 12
Joined Joined : 2009-04-01
OS OS : xp
Points Points : 28114
# Likes # Likes : 0

View user profile

Back to top Go down

Re: My computer is infected....Hello all

Post by ayogeo on 2nd April 2009, 3:06 pm

i just did a google search and everything is fine, but what can i do to make sure of this

ayogeo
Novice
Novice

Posts Posts : 12
Joined Joined : 2009-04-01
OS OS : xp
Points Points : 28114
# Likes # Likes : 0

View user profile

Back to top Go down

Re: My computer is infected....Hello all

Post by Belahzur on 2nd April 2009, 3:11 pm

I think the problem may just have been temporary files needed cleaning, sometimes these things just fix themself. LMBO or ROFL

Delete all the programs we have used.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum