Virus in my computer even with Spybot S&D and BitDefender Free



1995ad
2009-10-03, 07:25
I have Windows XP loaded on my computer and also had AVG Free Edition to protect it from viruses.

Recently, my computer got infected with some trojan and virus that was very stubborn for my AVG to remove. Then I removed AVG and installed BitDefender Free Edition and Spybot Search and Destroy, both to remove this nasty virus from my computer. BitDefender did a whole-system scan but was unable to remove the nasty virus.

Spybot also detected a Win32 virus along with some backdoor trojan and showed that it was removed, but a reboot and a system scan showed the same threat again. Now my computer becomes very slow after it boots up, and Mozilla Firefox now takes twice the time it used to while starting up.

Please suggest a remedy to cure my computer of the virus.


The log of my HijackThis is given below:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:54:40 AM, on 10/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\Documents and Settings\Owner\Desktop\bitdefender_isecurity.exe
C:\DOCUME~1\ABHILA~2\LOCALS~1\Temp\IXP000.TMP\setup.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\ABHILA~2\LOCALS~1\Temp\IXP000.TMP"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1241594980390
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{ECD29542-29CF-49C2-9A3D-885BB6DD43B4}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: xbhactnc - jzjkllk.dll (file missing)
O23 - Service: Norton2009 Reset (.norton2009Reset) - Unknown owner - C:\Documents and Settings\All Users\Application Data\Norton\Norton2009Reset.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9daaea7381a2a) (gupdate1c9daaea7381a2a) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 4861 bytes



Please help!

Mr_JAk3
2009-10-04, 20:51
Hello 1995ad and welcome to the Forums :)

First, please read these:
File Sharing, otherwise known as Peer To Peer. (P2P) (http://forums.spybot.info/showthread.php?t=282)
We do not support the use of illegal Pirated/Warez/Cracked software.
(http://forums.spybot.info/showpost.php?p=25290&postcount=4)

I can see signs of both of these on your pc.
We can help you but we'll get rid of these in the process.

Do you agree? :police:

1995ad
2009-10-05, 15:26
Sir, I do respect your wishes and I agree to remove them from my computer in the process of disinfecting my computer. Please help. I agree that I won't do such a thing again.

Mr_JAk3
2009-10-05, 17:08
Hi again, that’s nice to hear. :)

Have you fixed any HijackThis entries by yourself?
Let’s begin the cleanings.

You should print these instructions or save these to a text file. Follow these instructions carefully.

First you need to disable a few real-time protections. These may interfere with our cleaning process.
We'll enable these when you're clean...

Disable Spybot S&D Teatimer.
Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu select "Advanced Mode"
On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer

Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.

Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.

Go to Control Panel -> Add/Remove Programs -> Uninstall the following:
uTorrent

Disable the bad service
Start
Run
Type services.msc into the field and press Enter.
A window opens, scroll down to norton2009Reset
Rightclick it and choose Stop
Then choose Properties
Set Startup to Disabled
Click Apply and OK.

Then, open HijackThis.
Open the Misc Tools section
Delete an NT service
Copy the following line to the box and press OK; .norton2009Reset
Answer Yes
Close HijackThis

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O20 - Winlogon Notify: xbhactnc - jzjkllk.dll (file missing)

Restart your computer

Go to My Computer and delete the following folders (if present):
C:\Program Files\uTorrent
C:\Documents and Settings\All Users\Application Data\Norton

Use the Windows search:
Start
Search
All files and folders
More advanced options
Checkmark these options:
"Search system folders"
"Search hidden files and folders"
"Search subfolders"
Search for this and delete if found: jzjkllk.dll
Search for this and delete if found: xbhactnc


Run ATF Cleaner
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) and save it to a convenient location.
Double click on mbam-setup.exe to install it.
Before clicking the Finish button, make sure that these 2 boxes are checked (ticked):
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Malwarebytes' Anti-Malware will now check for updates. If your firewall prompts, please allow it. If you can't update it, select the Update tab. Under Update Mirror, select one of the websites and click on Check for Updates.
Select the Scanner tab. Click on Perform full scan, then click on Scan.
Leave the default options as they are and click on Start Scan.
When done, you will be prompted. Click OK, then click on Show Results.
Check (tick) all items and click on Remove Selected.
After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom-most log is the latest.

================

When you're ready, please post the following logs to here:
- MBAM's report
- a fresh HijackThis log
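The checks Mr_JAk3 applied to the first HijackThis log above (an O20 Winlogon Notify entry whose DLL is missing, an O23 service with an unknown owner running from a data directory) can be mechanised for a first-pass triage. The script below is an added example, not code from this thread, from Spybot or from HijackThis. The sample log is a constructed subset of the entries posted above; the suspect-directory list, the flag wording and the rule choices are my own assumptions.

```python
"""Triage a HijackThis v2 log for the signals a malware-removal helper reads first.

Added example: not code from the thread, from Spybot or from HijackThis.
It mechanises the reasoning applied to the log in the thread. Flag wording,
the SUSPECT_DIRS list and the rules are assumptions; the sample lines are a
constructed subset of the entries posted in the thread.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis entries posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\ABHILA~2\LOCALS~1\Temp\IXP000.TMP"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{ECD29542-29CF-49C2-9A3D-885BB6DD43B4}: NameServer = 208.67.222.222,208.67.220.220
O20 - Winlogon Notify: xbhactnc - jzjkllk.dll (file missing)
O23 - Service: Norton2009 Reset (.norton2009Reset) - Unknown owner - C:\Documents and Settings\All Users\Application Data\Norton\Norton2009Reset.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
"""

# Locations a legitimate service or autorun item rarely executes from
# (assumption for this example; tune to the environment being triaged).
SUSPECT_DIRS = ("\\temp\\", "\\application data\\", "\\local settings\\")


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O20"
    reason: str
    line: str


def _in_suspect_dir(text: str) -> bool:
    low = text.lower()
    return any(d in low for d in SUSPECT_DIRS)


def triage(log_text: str) -> list:
    """Return the entries a helper would ask about, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.match(r"^(O\d+) - (.*)$", line)
        if not m:
            continue  # header, process list, blank line
        section, body = m.groups()
        if section == "O20" and "(file missing)" in body:
            findings.append(Finding(section, "Winlogon Notify DLL is missing: orphaned loader, fix the entry", line))
        elif section == "O23":
            # Format: "Service: <name> (<short name>) - <owner> - <path>"
            parts = body.split(" - ")
            owner, path = (parts[-2].strip(), parts[-1].strip()) if len(parts) >= 3 else ("", body)
            if owner == "Unknown owner" and _in_suspect_dir(path):
                findings.append(Finding(section, "unknown-owner service running from a user/data directory", line))
        elif section == "O4" and _in_suspect_dir(body):
            # A RunOnce that cleans a Temp extraction dir (wextract) is usually an
            # installer's own cleanup, as in the thread; it is still worth a look.
            findings.append(Finding(section, "autorun entry references a Temp or profile-data path", line))
        elif section == "O10" and body.startswith("Unknown file in Winsock LSP"):
            findings.append(Finding(section, "Winsock LSP not recognised; identify the DLL before fixing (a broken LSP chain kills networking)", line))
        elif section == "O17":
            findings.append(Finding(section, "hand-set DNS servers; confirm they are resolvers the owner chose", line))
    return findings


def summarise(findings) -> dict:
    """Count findings per HijackThis section."""
    return dict(Counter(f.section for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

On the sample the script flags the orphaned O20 entry and the Norton "reset" service but not the CDBurnerXP service, which also has an unknown owner yet lives under Program Files; the distinction is exactly the one the helper drew by eye. An O10 line is reported for identification only, because removing a Winsock LSP entry without repairing the chain leaves the machine without networking.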

1995ad
2009-10-06, 14:12
According to your instructions, I have removed uTorrent and also have removed the Norton trial reset service. I have also downloaded the file which you gave me. But I have another problem.


> I have already uninstalled Spybot S&D. Should I install it again?

> I have uninstalled BitDefender Free Edition but have installed the legit version of its Internet Security suite 2010.

> I have tried searching for the files xbhactnc and jv....dll (something) with the hidden folder search option on, but the result suggests that they are not to be found.

> Since I have BitDefender Internet Security 2010, should I install Malwarebytes? Won't it cause any conflicts?

> Another problem I am currently facing is that the internet sometimes fails to establish a connection (especially after the installation of BitDefender). Is it due to a virus?

Besides that, here is the fresh log of my HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:37:46 PM, on 10/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitDefender\BitDefender 2010\seccenter.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\THEKMP~1\KMPlayer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2010\IEToolbar.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2010\IEShow.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1241594980390
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{ECD29542-29CF-49C2-9A3D-885BB6DD43B4}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\arrakis3.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9daaea7381a2a) (gupdate1c9daaea7381a2a) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe

--
End of file - 4703 bytes

------------------------------------------------------
Thanks. Please help as soon as possible.

Mr_JAk3
2009-10-06, 19:20
Hi :)

Spybot S&D is a great tool and I'd recommend using it for scanning in future.
Those files aren't on your pc anymore.
Yes you should install and run a scan with malwarebytes. Post the log to here when ready.

The internet connection problem and BitDefender: have you allowed legit applications like Internet Explorer, Mozilla Firefox etc. to connect to the internet?

Please make sure that you don't have the Windows Firewall running along with the BitDefender firewall. Running 2 firewalls can cause problems. Instructions for disabling Windows firewall (when BitDefender's firewall is on) -> Link (http://support.microsoft.com/kb/283673)

1995ad
2009-10-07, 13:44
Hey, I have posted two log files of Malwarebytes' Anti-Malware. The first one is the log file before removing the viruses. The second one is after removing the virus.
--------------------------------------------------------------------------
The first one.....


Malwarebytes' Anti-Malware 1.41
Database version: 2914
Windows 5.1.2600 Service Pack 3

10/7/2009 5:04:25 PM
mbam-log-2009-10-07 (17-04-19).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 168877
Time elapsed: 23 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 7
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\gasfkyrvitawvb.dll (Trojan.FakeAlert) -> No action taken.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{d18bbd1f-82bb-4385-bed3-e9d31a3e361e} (Hacktool.KewlButtonz) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{9dc243a5-ee33-4674-8563-89b48e779eb1} (Hacktool.KewlButtonz) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{b3d14cb9-183b-4bc8-8ce4-cba37a6fe8c6} (Hacktool.KewlButtonz) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{d4bbe4c0-bd72-4a33-817c-2e7e16de20bc} (Hacktool.KewlButtonz) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\.norton2009Reset (Trojan.Hacktool) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\KewlButtonz.ocx (Hacktool.KewlButtonz) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\gasfkyrvitawvb.dll (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\KewlButtonz.ocx (Hacktool.KewlButtonz) -> No action taken.
C:\WINDOWS\system32\h@tkeysh@@k.dll (Trojan.Agent) -> No action taken.
_________________________________________________________________

the second one...

Malwarebytes' Anti-Malware 1.41
Database version: 2914
Windows 5.1.2600 Service Pack 3

10/7/2009 5:05:15 PM
mbam-log-2009-10-07 (17-05-15).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 168877
Time elapsed: 23 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 7
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\gasfkyrvitawvb.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{d18bbd1f-82bb-4385-bed3-e9d31a3e361e} (Hacktool.KewlButtonz) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{9dc243a5-ee33-4674-8563-89b48e779eb1} (Hacktool.KewlButtonz) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b3d14cb9-183b-4bc8-8ce4-cba37a6fe8c6} (Hacktool.KewlButtonz) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d4bbe4c0-bd72-4a33-817c-2e7e16de20bc} (Hacktool.KewlButtonz) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\.norton2009Reset (Trojan.Hacktool) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\KewlButtonz.ocx (Hacktool.KewlButtonz) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\gasfkyrvitawvb.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\KewlButtonz.ocx (Hacktool.KewlButtonz) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\h@tkeysh@@k.dll (Trojan.Agent) -> Quarantined and deleted successfully.
--------------------------------------------------------------------------

Further, I have done what you have said and I personally thank you very much for helping me. Please reply to this post and tell me how I can get rid of that nasty Virus.
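
The two MBAM logs above are the same scan saved twice: once with every item marked "No action taken" and once after "Remove Selected". Comparing them answers the questions a helper asks next: what is still pending a reboot, what was left untouched, and which paths call for a rootkit follow-up. The parser below is an added example, not code from this thread or from Malwarebytes; the section names and the "item (family) -> action." line format follow the logs posted above, and the two sample logs are constructed subsets of them.

```python
"""Diff two Malwarebytes' Anti-Malware 1.x logs from the same scan.

Added example: not code from the thread or from Malwarebytes. Section names
and the "item (family) -> action." format follow the logs posted above; the
sample logs are constructed subsets of those logs.
"""
import re

# Constructed sample: the "No action taken" log, trimmed to a few items.
BEFORE_LOG = r"""
Malwarebytes' Anti-Malware 1.41
Database version: 2914

Memory Modules Infected: 1
Registry Values Infected: 1
Files Infected: 2

Memory Modules Infected:
\\?\globalroot\systemroot\system32\gasfkyrvitawvb.dll (Trojan.FakeAlert) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Trojan.Agent) -> No action taken.

Files Infected:
\\?\globalroot\systemroot\system32\gasfkyrvitawvb.dll (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\h@tkeysh@@k.dll (Trojan.Agent) -> No action taken.
"""

# Constructed sample: the same items after "Remove Selected".
AFTER_LOG = r"""
Memory Modules Infected:
\\?\globalroot\systemroot\system32\gasfkyrvitawvb.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
\\?\globalroot\systemroot\system32\gasfkyrvitawvb.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\h@tkeysh@@k.dll (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# "Files Infected:" starts a section; "Files Infected: 2" is the summary count.
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam(log_text: str) -> dict:
    """Map (section, item) -> action for every detection line in the log."""
    items, section = {}, None
    for line in (l.strip() for l in log_text.splitlines()):
        s = SECTION_RE.match(line)
        if s:
            section = s.group(1)
            continue
        m = ITEM_RE.match(line)
        if m and section:
            items[(section, m.group("item"))] = m.group("action")
    return items


def diff_actions(before: dict, after: dict) -> dict:
    """Classify the post-cleanup state of each item from the first scan."""
    report = {"pending_reboot": [], "not_actioned": [], "removed": []}
    for key, action in after.items():
        if action.startswith("Delete on reboot"):
            report["pending_reboot"].append(key)   # still loaded; gone only after restart
        elif action.startswith("No action taken"):
            report["not_actioned"].append(key)
        elif action.startswith("Quarantined and deleted"):
            report["removed"].append(key)
    # \\?\globalroot\... is an object-namespace path: the scanner reached the
    # file, but ordinary directory listing did not show it. That is a reason
    # to follow up with a rootkit scanner, as the thread later does with GMER.
    report["rootkit_followup"] = sorted(
        {item for _, item in after if item.lower().startswith(r"\\?\globalroot")}
    )
    # Detections from the first log that the second log no longer mentions.
    report["missing_from_second_scan"] = sorted(set(before) - set(after))
    return report


if __name__ == "__main__":
    result = diff_actions(parse_mbam(BEFORE_LOG), parse_mbam(AFTER_LOG))
    for category, entries in result.items():
        print(f"{category}: {len(entries)}")
        for e in entries:
            print(f"    {e}")
```

The one "Delete on reboot" item is the in-memory copy of the same DLL that was deleted on disk; until the machine restarts the module is still mapped, which is why a fresh scan after the reboot is the right next step before calling the system clean.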

Mr_JAk3
2009-10-08, 20:45
Hello and sorry for the delay.
I've had some problems with my Internet service provider...

Do you know anything about these?
C:\WINDOWS\system32\KewlButtonz.ocx
C:\WINDOWS\system32\h@tkeysh@@k.dll

Might be related to e.g. some game trainer/hotkey function...

How is the computer running now?
Any issues?
I recommend that you update your Bitdefender definitions and run a full system scan with it. Let me know the results.

1995ad
2009-10-10, 09:52
I do not recognise the files you asked me to identify, but I do use some trainers for games that I have on my computer, such as NFS Most Wanted and GTA San Andreas. :cowboy:

My computer is quite a bit slow and Firefox hangs for the first few minutes whenever I use it. Apart from that, there are no major threats, and BitDefender is simply taking too long to scan my computer; I still haven't managed to run a full system scan even a week after installing it.

Please suggest a remedy to get rid of any other infections and also the ones which you mentioned above...


Thanking you for your help...

Mr_JAk3
2009-10-10, 20:26
Ok, the pc being slow might not be malware related, but let's run 2 more scans to be sure...


Download Silent runners by Andrew Aronoff from here (http://www.silentrunners.org/Silent%20Runners.zip)
Unzip/extract it to a folder on your desktop
Double click on Silent Runners.vbs to start Silent runners
If your antivirus warns you about a script, allow it to run, this script does not contain malicious code
You will be asked if you want skip the supplementary search, click Yes
Wait for Silent runners to inform you that it has finished
A log will be created in the same folder as Silent Runners.vbs
It will have a name of Startup Programs (yourusername) date-time.txt
Use notepad to open that file
Copy and paste the contents as a reply to this topic


Download gmer.zip (http://gmer.net/gmer.zip) and save to your desktop.
alternate download site (http://hype.free.googlepages.com/gmer.zip)

Unzip/extract the file to its own folder. (Click here (http://www.bleepingcomputer.com/tutorials/tutorial105.html) for information on how to do this if not sure. Win 2000 users click here (http://www.bleepingcomputer.com/tutorials/tutorial106.html).)
When you have done this, disconnect from the Internet and close all running programs.
There is a small chance this application may crash your computer so save any work you have open.
Double-click on Gmer.exe to start the program.
Allow the gmer.sys driver to load if asked.
If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
Run Gmer again and click on the Rootkit tab.
Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
Click on the "Scan" and wait for the scan to finish.
Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
Note: If you have any problems, try running GMER in SAFE MODE (http://www.bleepingcomputer.com/forums/tutorial61.html)
Important! Please do not select the "Show all" checkbox during the scan.

1995ad
2009-10-13, 14:10
Sorry to reply so late, as my ISP had its servers not working, leaving me tense. I tried what you said in the above post; the only thing that went wrong is that GMER crashed on my computer, making my computer restart every time I ran GMER. After the computer rebooted, Microsoft gave me an error reporting dialogue box telling me that a serious error has been solved. It then asked me to send the error reports, and when I clicked for more details, it told me that the following files had created the problem...

C:\DOCUME~1\ABHILA~2\LOCALS~1\Temp\WER6bca.dir00\Mini101309-03.dmp

C:\DOCUME~1\ABHILA~2\LOCALS~1\Temp\WER6bca.dir00\sysdata.xml


However, Silent runners ran perfectly well.

I have posted its log...


"Silent Runners.vbs", revision 59, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Google Update" = ""C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c" ["Google Inc."]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."]
"Malwarebytes Anti-Malware (reboot)" = ""D:\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript" ["Malwarebytes Corporation"]
"AdobeCS4ServiceManager" = ""C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin" ["Adobe Systems Incorporated"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}\(Default) = "Symantec NCO BHO"
-> {HKLM...CLSID} = "Symantec NCO BHO"
\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Engine\17.0.0.136\coIEPlg.dll" ["Symantec Corporation"]
{6D53EC84-6AAE-4787-AEEE-F4628F01010C}\(Default) = "Symantec Intrusion Prevention"
-> {HKLM...CLSID} = "Symantec Intrusion Prevention"
\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Engine\17.0.0.136\IPSBHO.DLL" ["Symantec Corporation"]
{B164E929-A1B6-4A06-B104-2CD0E90A88FF}\(Default) = (no title provided)
-> {HKLM...CLSID} = "McAfee SiteAdvisor BHO"
\InProcServer32\(Default) = "c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll" ["McAfee, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}" = "The Internet"
-> {HKCU...CLSID} = "The Internet"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\OLKFSTUB.DLL" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\MLSHEXT.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\msohevi.dll" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{11016101-E366-4D22-BC06-4ADA335C892B}" = "IE History and Feeds Shell Data Source for Windows Search"
-> {HKLM...CLSID} = "IE History and Feeds Shell Data Source for Windows Search"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{44440D00-FF19-4AFC-B765-9A0970567D97}" = "TuneUp Theme Extension"
-> {HKLM...CLSID} = "TuneUp Theme Extension"
\InProcServer32\(Default) = "C:\WINDOWS\System32\uxtuneup.dll" ["TuneUp Software"]
"{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}" = "TuneUp Shredder Shell Extension"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\TuneUp Utilities 2009\SDShelEx-win32.dll" ["TuneUp Software"]
"{4838CD50-7E5D-4811-9B17-C47A85539F28}" = "TuneUp Disk Space Explorer Shell Extension"
-> {HKLM...CLSID} = "TuneUp Disk Space Explorer Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\TuneUp Utilities 2009\DseShExt-x86.dll" ["TuneUp Software"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Aedebug\
<<!>> "Debugger" = "Drwtsn32 -p %ld -e %ld" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
MagicISO\(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}"
-> {HKLM...CLSID} = "MShellExtMenu Class"
\InProcServer32\(Default) = "C:\Program Files\MagicISO\misosh.dll" ["MagicISO, Inc."]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = ""C:\Program Files\Norton Internet Security\Engine\17.0.0.136\NavShExt.dll"" ["Symantec Corporation"]
TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\TuneUp Utilities 2009\SDShelEx-win32.dll" ["TuneUp Software"]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
MagicISO\(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}"
-> {HKLM...CLSID} = "MShellExtMenu Class"
\InProcServer32\(Default) = "C:\Program Files\MagicISO\misosh.dll" ["MagicISO, Inc."]
TuneUp Disk Space Explorer Shell Extension\(Default) = "{4838CD50-7E5D-4811-9B17-C47A85539F28}"
-> {HKLM...CLSID} = "TuneUp Disk Space Explorer Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\TuneUp Utilities 2009\DseShExt-x86.dll" ["TuneUp Software"]
TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\TuneUp Utilities 2009\SDShelEx-win32.dll" ["TuneUp Software"]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
MagicISO\(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}"
-> {HKLM...CLSID} = "MShellExtMenu Class"
\InProcServer32\(Default) = "C:\Program Files\MagicISO\misosh.dll" ["MagicISO, Inc."]
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "D:\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = ""C:\Program Files\Norton Internet Security\Engine\17.0.0.136\NavShExt.dll"" ["Symantec Corporation"]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "D:\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"MemCheckBoxInRunDlg" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoStrCmpLogical" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"HonorAutoRunSetting" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoChangeAnimation" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoStrCmpLogical" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}

"DisableTaskMgr" = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|System|Ctrl+Alt+Del Options|
Remove Task Manager}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

CDBurnerXP\
"Provider" = "CDBurnerXP"
"InvokeProgID" = "CDBurnerXPOpen"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\CDBurnerXPOpen\shell\open\command\(Default) = ""C:\Program Files\CDBurnerXP\cdbxpp.exe"" [null data]

MSWPDShellNamespaceHandler\
"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = " "
-> {HKLM...CLSID} = "WPDShextAutoplay"
\LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]

PDVD8PlayCDAudioOnArrival\
"Provider" = "PowerDVD 8"
"InvokeProgID" = "AudioCD"
"InvokeVerb" = "PlayWithPowerDVD8"
HKLM\SOFTWARE\Classes\AudioCD\shell\PlayWithPowerDVD8\Command\(Default) = ""C:\Program Files\CyberLink\PowerDVD8\PowerDVD8.exe" "%L"" ["CyberLink Corp."]

PDVD8PlayDVDMovieOnArrival\
"Provider" = "PowerDVD 8"
"InvokeProgID" = "DVD"
"InvokeVerb" = "PlayWithPowerDVD8"
HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPowerDVD8\Command\(Default) = ""C:\Program Files\CyberLink\PowerDVD8\PowerDVD8.exe" "%L"" ["CyberLink Corp."]

PDVD8PlayVCDMovieOnArrival\
"Provider" = "PowerDVD 8"
"InvokeProgID" = "VCD"
"InvokeVerb" = "PlayWithPowerDVD8"
HKLM\SOFTWARE\Classes\VCD\shell\PlayWithPowerDVD8\Command\(Default) = ""C:\Program Files\CyberLink\PowerDVD8\PowerDVD8.exe" "%L"" ["CyberLink Corp."]


Enabled Scheduled Tasks:
------------------------

"1-Click Maintenance" -> launches: "C:\Program Files\TuneUp Utilities 2009\OneClickStarter.exe /schedulestart" ["TuneUp Software GmbH"]
"GoogleUpdateTaskMachineCore" -> launches: "C:\Program Files\Google\Update\GoogleUpdate.exe /c" ["Google Inc."]
"GoogleUpdateTaskMachineUA" -> launches: "C:\Program Files\Google\Update\GoogleUpdate.exe /ua /installsource scheduler" ["Google Inc."]
"GoogleUpdateTaskUserS-1-5-21-839522115-1409082233-725345543-1005Core" -> launches: "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe /c" ["Google Inc."]
"GoogleUpdateTaskUserS-1-5-21-839522115-1409082233-725345543-1005UA" -> launches: "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe /ua /installsource scheduler" ["Google Inc."]
"OGALogon" -> launches: "C:\WINDOWS\system32\OGAEXEC.exe /batch" [MS]
"User_Feed_Synchronization-{18B500E5-5166-4099-B935-C582BBECC8A4}" -> launches: "C:\WINDOWS\system32\msfeedssync.exe sync" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 16
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064}" = "McAfee SiteAdvisor"
-> {HKLM...CLSID} = "McAfee SiteAdvisor Toolbar"
\InProcServer32\(Default) = "c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll" ["McAfee, Inc."]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}" = "Norton Toolbar"
-> {HKLM...CLSID} = "Norton Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Engine\17.0.0.136\coIEPlg.dll" ["Symantec Corporation"]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
[Strings]: MS_START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"

Missing lines (compared with English-language version):
[Strings]: 2 lines

HK TuneUp Program Statistics Service, TuneUp.ProgramStatisticsSvc, "C:\WINDOWS\System32\TUProgSt.exe" ["TuneUp Software"]
TuneUp Theme Extension, UxTuneUp, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\uxtuneup.dll" ["TuneUp Software"]}
WebClient, WebClient, "C:\WINDOWS\system32\svchost.exe -k LocalService" {"C:\WINDOWS\System32\webclnt.dll" [null data]}


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Bullzip PDF Print Monitor\Driver = "bzpdf.dll" ["Bullzip"]


---------- (launch time: 2009-10-13 16:59:53)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 153 seconds, including 13 seconds for message boxes)



----------------------------------------------------------------------

I have made some changes to my system. These are

> I removed BitDefender and installed Norton Internet Security Suite 2010.

> I have also installed Adobe Dreamweaver CS4.

Both of these programs are completely genuine and they are activated as well.


Thanking you.

Mr_JAk3
2009-10-13, 20:40
Hi :)

OK, nothing bad in that log.

Please try running the GMER scan in safe mode (http://www.bleepingcomputer.com/forums/tutorial61.html).

Post the log to here along with a fresh HijackThis log.

1995ad
2009-10-14, 14:27
I have done what you said except the GMER scan in safe mode, which I shall post as soon as possible. The reason for me writing this urgently is the fact that my computer has become dog slow when it's booting up. The welcome screen appears for 5 minutes and the desktop takes another 5 minutes to load.


Another problem I have noticed is that svchost.exe in the task manager takes 99 percent CPU and is hence slowing down the computer. Please help. My computer has never been this slow.

Mr_JAk3
2009-10-14, 15:27
Ok. Please post the logs I requested and we'll have a look.

1995ad
2009-10-20, 10:14
:oops:
Sorry for replying too late. I was so hooked up with my projects that I had no time to do this. My computer is at an all-time worst speed and it leaves my head cracking. I have posted the log of GMER, which I ran in Safe Mode.
:confused: :mad:
The log is posted as follows:
---------------------------------------------------------------------------------

GMER 1.0.15.15125 - http://www.gmer.net
Rootkit scan 2009-10-20 11:59:11
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\ABHILA~2\LOCALS~1\Temp\uwlcrpog.sys


---- System - GMER 1.0.15 ----

SSDT sppe.sys ZwCreateKey [0xF84BD0E0]
SSDT sppe.sys ZwEnumerateKey [0xF84DBCA4]
SSDT sppe.sys ZwEnumerateValueKey [0xF84DC032]
SSDT sppe.sys ZwOpenKey [0xF84BD0C0]
SSDT sppe.sys ZwQueryKey [0xF84DC10A]
SSDT sppe.sys ZwQueryValueKey [0xF84DBF8A]
SSDT sppe.sys ZwSetValueKey [0xF84DC19C]

INT 0x62 ? 82FDEBF8
INT 0x63 ? 82DCBBF8
INT 0x82 ? 82FDEBF8
INT 0xA4 ? 82DCBBF8
INT 0xB4 ? 82FDEBF8
INT 0xB4 ? 82FDEBF8
INT 0xB4 ? 82DCBBF8
INT 0xB4 ? 82FDEBF8

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 169 804E27C5 3 Bytes [BC, 4D, F8]
? sppe.sys The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !
? SYMDS.SYS The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F818A62C 5 Bytes JMP 82DCB1D8
.text a7yped2w.SYS F8117386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text a7yped2w.SYS F81173AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text a7yped2w.SYS F81173C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text a7yped2w.SYS F81173C9 1 Byte [30]
.text a7yped2w.SYS F81173C9 11 Bytes [30, 00, 00, 00, 5C, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESP; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text ...

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 82F732D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F84EEC4C] sppe.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F84EECA0] sppe.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F84BE042] sppe.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F84BE13E] sppe.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F84BE0C0] sppe.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F84BE800] sppe.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F84BE6D6] sppe.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 82DCB2D8
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F84CDE9C] sppe.sys
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!RtlInitUnicodeString] 00021083
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!swprintf] 01B05E00
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!KeSetEvent] 5DE58B5B
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!IoCreateSymbolicLink] 7E8366C3
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!IoGetConfigurationInformation] 0F740028
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!IoDeleteSymbolicLink] 89320C8D
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!MmFreeMappingAddress] 0002288B
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!IoFreeErrorLogEntry] 46B70F00
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!IoDisconnectInterrupt] 66D00328
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!MmUnmapIoSpace] 002A7E83
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!ObReferenceObjectByPointer] 0C8D1574
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!IofCompleteRequest] 248B8932
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!RtlCompareUnicodeString] 0F000002
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!IofCallDriver] 832A46B7
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!MmAllocateMappingAddress] E08303C0
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!IoAllocateErrorLogEntry] 66D003FC
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!IoConnectInterrupt] 002C7E83
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!IoDetachDevice] 0C8D1E74
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!KeWaitForSingleObject] 208B8932
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!KeInitializeEvent] 8A000002
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!RtlAnsiStringToUnicodeString] 83880846
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!RtlInitAnsiString] 000001C0
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!IoBuildDeviceIoControlRequest] 2C4EB70F
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!IoQueueWorkItem] 8303C183
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!MmMapIoSpace] D103FCE1
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!IoInvalidateDeviceRelations] 2E7E8366
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!IoReportDetectedDevice] 8D1C7400
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!IoReportResourceForDetection] 83893204
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!RtlxAnsiStringToUnicodeSize] 00000218
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!NlsMbCodePageTag] 2E4EB70F
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!PoRequestPowerIrp] 021C8B89
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!KeInsertByKeyDeviceQueue] B70F0000
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!PoRegisterDeviceForIdleDetection] E0C12E46
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!sprintf] 03D00304
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!MmMapLockedPagesSpecifyCache] 0CB389F2
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!ObfDereferenceObject] 80000002
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!IoGetAttachedDeviceReference] 0975013E
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!IoInvalidateDeviceState] 1B42E853
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!ZwClose] C4830000
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!ObReferenceObjectByHandle] B05E5F04
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!ZwCreateDirectoryObject] E58B5B01
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!IoBuildSynchronousFsdRequest] CCCCC35D
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!PoStartNextPowerIrp] CCCCCCCC
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!PoCallDriver] 53EC8B55
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!IoCreateDevice] 08758B56
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!IoAllocateDriverObjectExtension] 0214BE83
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!RtlQueryRegistryValues] 57000000
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!ZwOpenKey] 45C60674
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!RtlFreeUnicodeString] 1EEB010B
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!IoStartTimer] 020C868B
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!KeInitializeTimer] C0850000
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!IoInitializeTimer] 808A1074
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!KeInitializeDpc] 00000804
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!KeInitializeSpinLock] A03CF024
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!IoInitializeIrp] 0B45950F
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!ZwCreateKey] 45C604EB
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!RtlAppendUnicodeStringToString] 458A000B
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!RtlIntegerToUnicodeString] 88C0840B
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!ZwSetValueKey] 840F0946
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!KeInsertQueueDpc] 000000C1
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!KefAcquireSpinLockAtDpcLevel] 14B30E8B
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!IoStartPacket] 1C8286C6
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!KefReleaseSpinLockFromDpcLevel] 88010000
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!IoBuildAsynchronousFsdRequest] 001C859E
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!IoFreeMdl] A19E8800
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!MmUnlockPages] C600001C
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!IoWriteErrorLogEntry] 001C8686
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!KeRemoveByKeyDeviceQueue] 86C60100
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!MmMapLockedPagesWithReservedMapping] 00001CA2
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!MmUnmapReservedMapping] 70518B01
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!KeSynchronizeExecution] 8D52006A
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!IoStartNextPacket] 001C8886
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!KeBugCheckEx] 55E85000
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!KeRemoveDeviceQueue] 8B000023
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!KeSetTimer] 70518B0E
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!KeCancelTimer] 8D52016A
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!_allmul] 001CA486
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!MmProbeAndLockPages] 41E85000
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!_except_handler3] 8B000023
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!PoSetPowerState] 18C4830E
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!IoOpenDeviceRegistryKey] 1C8D9E88
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!RtlWriteRegistryValue] 9E880000
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!_aulldiv] 00001CA9
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!strstr] 0E798366
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!_strupr] 74AAB000
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!KeQuerySystemTime] 8186C636
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!IoWMIRegistrationControl] 1A00001C
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!KeTickCount] 1C8386C6
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!IoAttachDeviceToDeviceStack] C6020000
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!IoDeleteDevice] 001C8E86
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!ExAllocatePoolWithTag] 86C60200
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!IoAllocateWorkItem] 00001CAA
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!IoAllocateIrp] 959E8802
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!IoAllocateMdl] 8800001C
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!MmBuildMdlForNonPagedPool] 001CB19E
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!MmLockPagableDataSection] 96868800
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!IoGetDriverObjectExtension] 8800001C
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!MmUnlockPagableImageSection] 001CB286
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!ExFreePoolWithTag] C61AEB00
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!IoFreeIrp] 001C8186
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!IoFreeWorkItem] 86C61200
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!InitSafeBootMode] 00001C83
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!RtlCompareMemory] 8E868801
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!RtlCopyUnicodeString] 8800001C
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!memmove] 001CAA86
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[ntoskrnl.exe!MmHighestUserAddress] 80968B00
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[HAL.dll!KfAcquireSpinLock] 0C8D1C46
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[HAL.dll!READ_PORT_UCHAR] B08B8932
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[HAL.dll!KeGetCurrentIrql] 89000001
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[HAL.dll!KfRaiseIrql] 0001BC83
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[HAL.dll!KfLowerIrql] 24468B00
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[HAL.dll!HalGetInterruptVector] 89820C8D
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[HAL.dll!HalTranslateBusAddress] D18BF84D
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[HAL.dll!KeStallExecutionProcessor] 860F1639
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[HAL.dll!KfReleaseSpinLock] 000000BD
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 0208B389
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[HAL.dll!READ_PORT_USHORT] 83660000
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 7400067E
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[HAL.dll!WRITE_PORT_UCHAR] 89D60320
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[WMILIB.SYS!WmiSystemControl] 8D168B00
IAT \SystemRoot\System32\Drivers\a7yped2w.SYS[WMILIB.SYS!WmiCompleteRequest] F0003284

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 82FDD1F8
Device \FileSystem\Fastfat \FatCdrom 82C671F8
Device \Driver\usbuhci \Device\USBPDO-0 82DE41F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 82F711F8
Device \Driver\dmio \Device\DmControl\DmConfig 82F711F8
Device \Driver\dmio \Device\DmControl\DmPnP 82F711F8
Device \Driver\dmio \Device\DmControl\DmInfo 82F711F8
Device \Driver\usbuhci \Device\USBPDO-1 82DE41F8
Device \Driver\usbuhci \Device\USBPDO-2 82DE41F8
Device \Driver\PCI_PNP7726 \Device\00000053 sppe.sys
Device \Driver\PCI_PNP7726 \Device\00000053 sppe.sys
Device \Driver\usbuhci \Device\USBPDO-3 82DE41F8
Device \Driver\sptd \Device\3768677726 sppe.sys
Device \Driver\usbehci \Device\USBPDO-4 82DC61F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 82FDF1F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 82FDF1F8
Device \Driver\Cdrom \Device\CdRom0 82EE71F8
Device \Driver\atapi \Device\Ide\IdePort0 82FDE1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 82FDE1F8
Device \Driver\atapi \Device\Ide\IdePort1 82FDE1F8
Device \Driver\atapi \Device\Ide\IdePort2 82FDE1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c 82FDE1F8
Device \Driver\atapi \Device\Ide\IdePort3 82FDE1F8
Device \Driver\usbuhci \Device\USBFDO-0 82DE41F8
Device \Driver\usbuhci \Device\USBFDO-1 82DE41F8
Device \Driver\usbuhci \Device\USBFDO-2 82DE41F8
Device \Driver\usbuhci \Device\USBFDO-3 82DE41F8
Device \Driver\usbehci \Device\USBFDO-4 82DC61F8
Device \Driver\Ftdisk \Device\FtControl 82FDF1F8
Device \Driver\a7yped2w \Device\Scsi\a7yped2w1 82EE61F8
Device \FileSystem\Fastfat \Fat 82C671F8

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 82C69470

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\gasfkytivkosiq@start 4
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkytivkosiq@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkytivkosiq@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkytivkosiq@imagepath \systemroot\system32\drivers\gasfkylooqxwpu.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkytivkosiq\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkytivkosiq\main@aid 10438
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkytivkosiq\main@sid 0
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkytivkosiq\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkytivkosiq\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkytivkosiq\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkytivkosiq\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkytivkosiq\main\injector@svchost.exe gasfkycony.dll
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkytivkosiq\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkytivkosiq\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkytivkosiq\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkylooqxwpu.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkytivkosiq\modules@gasfkycmd.dll \systemroot\system32\gasfkyymdwyrbn.dll
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkytivkosiq\modules@gasfkylog.dat \systemroot\system32\gasfkympfwbwem.dat
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkytivkosiq\modules@gasfkywsp.dll \systemroot\system32\gasfkyjipyyqxn.dll
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkytivkosiq\modules@gasfky.dat \systemroot\system32\gasfkyqvnsspuk.dat
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkytivkosiq\modules@gasfkywsp8.dll \systemroot\system32\gasfkyrvitawvb.dll
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkytivkosiq\modules@gasfkycon.dll \systemroot\system32\gasfkyqhdpfucb.dll
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkytivkosiq\modules@gasfkycony.dll \systemroot\system32\gasfkyrfoaxxnu.dll
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xF6 0x64 0xE1 0x90 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x4E 0xA9 0x94 0xF4 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x1E 0xAB 0x76 0xE8 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xF6 0x64 0xE1 0x90 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x4E 0xA9 0x94 0xF4 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x9C 0x0B 0xC5 0x8E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xF6 0x64 0xE1 0x90 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x4E 0xA9 0x94 0xF4 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x1E 0xAB 0x76 0xE8 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xF6 0x64 0xE1 0x90 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x4E 0xA9 0x94 0xF4 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x1E 0xAB 0x76 0xE8 ...

---- EOF - GMER 1.0.15 ----

----------------------------------------------------------------------------

My computer is very slow and please help me do something to make it alright...


Thanking you.
:heart:
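
The GMER "Reg" lines above are easiest to triage when grouped by service and ControlSet: the same `sptd\Cfg` key recurs under ControlSet002, ControlSet004 and CurrentControlSet, some entries are marked "(not active ControlSet)", and the `p0` value points at `C:\Program Files\DAEMON Tools Lite\`, the product that installs the sptd driver. The following parser is an added example, not part of the original post or of GMER; it reads lines in the shape shown in the log (a constructed, shortened sample is embedded inline) and produces a per-service summary a helper could scan quickly. The key-path regex and the "path-like data" heuristic are assumptions about the log format, derived only from the lines on this page.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the same shape as the GMER log above
# (hex data shortened; the trailing "..." is GMER's own truncation marker).
SAMPLE_LOG = r"""Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
---- EOF - GMER 1.0.15 ----
"""

# Assumed layout of a service key path, based only on the lines in this log.
KEY_RE = re.compile(
    r"^HKLM\\SYSTEM\\(?P<cs>ControlSet\d{3}|CurrentControlSet)\\Services\\(?P<svc>[^\\@]+)"
)
INACTIVE_MARK = "(not active ControlSet)"


@dataclass
class RegEntry:
    key: str                    # registry key path without the "@value" suffix
    value_name: Optional[str]   # value name after "@", or None for a key-only line
    data: str                   # everything after the first space (hex bytes, string, marker)
    control_set: Optional[str]  # "ControlSet002", "CurrentControlSet", ...
    service: Optional[str]      # service name under \Services\, e.g. "sptd"
    inactive: bool              # GMER flagged the entry as living in a non-active ControlSet


def parse_gmer_reg_line(line: str) -> Optional[RegEntry]:
    """Parse one 'Reg <path>[@value] <data>' line; return None for any other line."""
    line = line.rstrip("\r\n")
    if not line.startswith("Reg "):
        return None
    # The key path carries no spaces in GMER output; data may (e.g. a file path).
    path, _, data = line[4:].partition(" ")
    key, at, value_name = path.partition("@")
    m = KEY_RE.match(key)
    return RegEntry(
        key=key,
        value_name=value_name if at else None,
        data=data,
        control_set=m.group("cs") if m else None,
        service=m.group("svc") if m else None,
        inactive=INACTIVE_MARK in data,
    )


def summarize(log_text: str) -> dict:
    """Group hidden registry entries by service: per-ControlSet counts,
    how many sit in inactive ControlSets, and any on-disk paths the data names."""
    summary: dict = {}
    for entry in map(parse_gmer_reg_line, log_text.splitlines()):
        if entry is None:
            continue
        svc = summary.setdefault(entry.service or "?", {
            "control_sets": {}, "inactive_entries": 0, "paths": set(),
        })
        cs = entry.control_set or "?"
        svc["control_sets"][cs] = svc["control_sets"].get(cs, 0) + 1
        if entry.inactive:
            svc["inactive_entries"] += 1
        # Heuristic: data that starts with a drive letter is a file-system path,
        # which tells the reader which installed product owns the hidden key.
        if re.match(r"^[A-Za-z]:\\", entry.data):
            svc["paths"].add(entry.data)
    return summary


def triage_lines(summary: dict) -> list:
    """Render one human-readable line per service for a quick review."""
    lines = []
    for svc, info in sorted(summary.items()):
        total = sum(info["control_sets"].values())
        sets = ", ".join(sorted(info["control_sets"]))
        paths = "; ".join(sorted(info["paths"])) or "none"
        lines.append(
            f"{svc}: {total} hidden entries across {sets}; "
            f"{info['inactive_entries']} in inactive ControlSets; on-disk path(s): {paths}"
        )
    return lines


if __name__ == "__main__":
    for text in triage_lines(summarize(SAMPLE_LOG)):
        print(text)
```

Run against the real log, the summary shows every hidden entry under a single service (sptd), spread over three ControlSets, with the data resolving to the DAEMON Tools Lite install directory; that is the information a helper uses to decide whether these entries belong to an installed product or need further attention.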

Mr_JAk3
2009-10-20, 19:11
Hiya :)

There are some hidden leftovers from one infection.

Please download ComboFix from one of these locations:

Link 1 (http://subs.geekstogo.com/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Shaba
2009-10-25, 20:11
Due to the lack of feedback this Topic is closed.

If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.

Everyone else please begin a New Topic.