PDA

View Full Version : I am having big troubles



genki
2009-04-12, 13:15
Hey Guys!

I am actually having some problems. I got a virus on my computer that I think I already cleaned it, but I am having some problems, I can not burn my data on a dvd nor I can use usbs or the local wirless network! And when I open my msn, it keeps sending people .exe files but show it as a picture file format! I used combo fix and it gave me the following report:

ComboFix 09-04-04.01 - Home 2009-04-12 12:43:08.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1021.586 [GMT 3:00]
Running from: c:\documents and settings\Home\Desktop\ComboFix.exe
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Home\LOCALS~1\Temp\install_flash_player.exe
c:\windows\system32\jefiyuna.dll
c:\windows\system32\ojepumiv.ini
c:\windows\system32\vimupejo.dll

.
((((((((((((((((((((((((( Files Created from 2009-03-12 to 2009-04-12 )))))))))))))))))))))))))))))))
.

2009-04-12 12:15 . 2009-04-12 12:15 <DIR> d-------- c:\windows\LastGood.Tmp
2009-04-12 10:43 . 2009-04-12 11:12 <DIR> d-------- c:\windows\system32\NtmsData
2009-04-11 15:42 . 2009-04-11 16:31 108,032 --------- C:\paret2.exe
2009-04-11 12:02 . 2009-04-11 13:37 81,920 --a------ c:\windows\system32\ftp_non_crp.exe
2009-04-11 10:29 . 2009-04-12 12:46 109,010 --a------ c:\windows\system32\drivers\5738aad2.sys
2009-04-11 10:28 . 2009-04-11 10:28 <DIR> d--hs---- c:\windows\system32\config\systemprofile\IETldCache
2009-04-10 23:08 . 2009-04-10 16:18 38,962 -r-hs---- c:\windows\fxsteller.exe
2009-04-07 11:48 . 2009-04-07 11:48 <DIR> d-------- c:\program files\iTunes
2009-04-07 11:48 . 2009-04-07 11:48 <DIR> d-------- c:\program files\iPod
2009-04-07 11:48 . 2009-04-07 11:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-02 16:43 . 2009-04-02 16:46 139,264 --a------ c:\windows\War3Unin.exe
2009-04-02 16:43 . 2009-04-06 10:45 1,404 --a------ c:\windows\War3Unin.dat
2009-04-01 09:43 . 2009-04-12 12:46 <DIR> d-------- c:\documents and settings\Home\Tracing
2009-04-01 09:42 . 2009-04-01 09:42 <DIR> d-------- c:\program files\Windows Live SkyDrive
2009-04-01 09:42 . 2009-04-03 09:14 <DIR> d-------- c:\program files\Microsoft Silverlight
2009-04-01 09:42 . 2009-04-01 09:42 <DIR> d-------- c:\program files\Microsoft
2009-04-01 09:34 . 2009-04-01 09:34 <DIR> d-------- c:\program files\Common Files\Windows Live
2009-03-30 18:38 . 2009-03-30 18:38 <DIR> d-------- c:\windows\GRE Red & Blue Bible
2009-03-30 18:38 . 2009-03-30 23:09 <DIR> d-------- C:\GRE Red & Blue Bible
2009-03-30 18:08 . 2009-03-30 18:08 <DIR> d-------- c:\program files\GreBible
2009-03-27 23:56 . 2009-03-27 23:56 <DIR> d--hs---- c:\documents and settings\LocalService\IETldCache
2009-03-27 23:53 . 2009-03-27 23:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo!
2009-03-27 23:52 . 2009-03-27 23:53 <DIR> d--h-c--- c:\windows\ie8
2009-03-23 16:03 . 2009-04-12 11:19 49 --a------ c:\windows\NeroDigital.ini
2009-03-22 13:33 . 2009-04-12 12:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater
2009-03-22 12:44 . 2009-03-22 12:45 <DIR> d-------- c:\documents and settings\Home\Application Data\Ahead
2009-03-22 12:38 . 2009-03-22 12:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Ahead
2009-03-22 12:34 . 2009-03-22 12:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Nero
2009-03-16 12:59 . 2009-03-16 12:59 <DIR> d-------- c:\program files\BrainWave Generator
2009-03-12 16:21 . 2009-03-12 16:26 189,784 --a------ c:\windows\system32\PnkBstrB.xtr
2009-03-12 16:08 . 2009-03-26 11:14 <DIR> d-------- c:\windows\SxsCaPendDel
2009-03-12 14:00 . 2009-03-18 14:17 145,874 --a------ c:\windows\Me.xml
2009-03-12 10:57 . 2009-03-12 10:57 73 --a------ c:\windows\userList.xml

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-12 09:46 --------- d-----w c:\program files\DNA
2009-04-12 09:46 --------- d-----w c:\documents and settings\Home\Application Data\DNA
2009-04-12 09:28 --------- d-----w c:\documents and settings\Home\Application Data\BitTorrent
2009-04-11 07:32 --------- d-----w c:\program files\Garena
2009-04-10 17:09 --------- d-----w c:\program files\ESET
2009-04-07 08:48 --------- d-----w c:\program files\Common Files\Apple
2009-04-06 11:34 --------- d-----w c:\program files\Warcraft III
2009-04-01 06:41 --------- d-----w c:\program files\Windows Live
2009-03-28 06:50 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-03-27 20:53 --------- d-----w c:\program files\Yahoo!
2009-03-26 08:10 22,328 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-03-26 08:10 22,328 ----a-w c:\documents and settings\Home\Application Data\PnkBstrK.sys
2009-03-22 10:49 --------- d-----w c:\program files\Google
2009-03-22 09:38 --------- d-----w c:\program files\Common Files\Ahead
2009-03-22 09:28 --------- d-----w c:\documents and settings\Home\Application Data\CyberLink
2009-03-22 09:28 --------- d-----w c:\documents and settings\All Users\Application Data\CyberLink
2009-03-19 13:32 23,400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-07 06:29 --------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles
2009-02-26 09:39 --------- d-----w c:\documents and settings\Home\Application Data\id Software
2009-02-25 10:35 --------- d-----w c:\documents and settings\All Users\Application Data\id Software
2009-02-23 12:57 --------- d-----w c:\documents and settings\Home\Application Data\DiskAid
2009-02-14 13:36 --------- d-----w c:\documents and settings\All Users\Application Data\foldit
2009-02-14 12:41 --------- d-----w c:\program files\foldit
2009-02-13 16:03 --------- d-----w c:\program files\Bonjour
2009-02-07 16:24 34 ----a-w c:\documents and settings\Home\jagex_runescape_preferences.dat
2009-01-02 08:17 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008122220081229\index.dat
2009-01-02 08:17 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009010220090103\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-26 342848]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-08 68856]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Google Update"="c:\documents and settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-04 133104]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-21 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-21 81920]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-07-08 576320]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-07-08 600896]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-02-24 196709]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-24 185872]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-12-24 949376]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-09 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-02-06 177472]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-05-15 1628208]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-05-15 1057328]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"nwiz"="nwiz.exe" [2007-05-21 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-13 c:\windows\RTHDCPL.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"Registration"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=
"d:\\quake 3 arena\\Copy of quake3.exe"=
"d:\\quake 3 arena\\quake3.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\ESET\\nod32krn.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2008-12-24 15424]
R2 YahooAUService;Yahoo! Updater;c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe [2008-11-09 602392]
S2 gupdate1c9aadbc5ad8394;Google Update Service (gupdate1c9aadbc5ad8394);c:\program files\Google\Update\GoogleUpdate.exe [2009-03-22 133104]
S3 garenapengine;GarenaPEngine;\??\c:\docume~1\Home\LOCALS~1\Temp\VSY71.tmp --> c:\docume~1\Home\LOCALS~1\Temp\VSY71.tmp [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder

2009-04-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]

2009-04-12 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-22 13:48]

2009-04-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-2111687655-839522115-1003.job
- c:\documents and settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-04 22:20]
.
- - - - ORPHANS REMOVED - - - -

BHO-{1622f98a-2c77-4545-974a-1ebda4ef8b04} - c:\windows\system32\buvoyaki.dll
HKLM-Run-paromufinu - c:\windows\system32\piwihivo.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\imon.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-12 12:46:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ovfsthxmxewqbit]
"imagepath"="\systemroot\system32\drivers\ovfsthxufjxumas.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\garenapengine]
"ImagePath"="\??\c:\docume~1\Home\LOCALS~1\Temp\VSY71.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\5738aad2]
"ImagePath"="\SystemRoot\System32\drivers\5738aad2.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\s-1-5-21-1644491937-2111687655-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(776)
c:\windows\system32\imon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\ESET\nod32krn.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-04-12 12:47:31 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-12 09:47:29

Pre-Run: 39,582,023,680 bytes free
Post-Run: 40,976,605,184 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

215 --- E O F --- 2009-04-02 20:59:10

"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Do NOT run 'FIXES' before helpers have analyzed the HJT log (http://forums.spybot.info/showthread.php?t=16806 )

pskelley
2009-04-14, 12:39
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You must have read and followed the "Before you Post" instructions, there are no excuses for not following the directions.

Have you considered that your problems may be caused by not following directions? If you look at the top of the forum, you will see Pinned (sticky) information placed there for you.
http://forums.spybot.info/showthread.php?t=288 <<< directions

File Sharing, otherwise known as Peer To Peer. (P2P)
http://forums.spybot.info/showthread.php?t=282
c:\program files\DNA
c:\documents and settings\Home\Application Data\DNA
c:\documents and settings\Home\Application Data\BitTorrent
Uninstall all p2p programs before you post.

Do NOT run 'FIXES' before helpers have analyzed the HJT log
http://forums.spybot.info/showthread.php?t=16806

If you still have problems you want help with, and will take the time to read and follow the directions. Then provide the HiJackThis log as described in those directions, I will have a look at your problems.

Thanks