
View Full Version : Please Help, Thank You :)



YsTyler
2010-10-01, 13:31
Hello there, I seem to have a really interesting virus I have never before seen on my friend's computer.

I have run HJT and tried to remove the "O4's (autoloading entries)" but got a message saying the admin had suspended the privileges for editing registry files. I enabled registry editing and tried to delete the specific auto loading entries again, but instead got an error that basically crashed HJT by spamming the 200+ character title of the auto loading entry. Before I ran Spybot and did some basic removals, the computer would not even load HJT, citing: "Out of Memory".

The weirdest part about this virus is that through iexplore.exe it is picking up on random radio stations (music, talk shows, etc.), and a ton of IE related failures and script error notices - but he does not have IE installed on his PC (he uses Firefox instead). I figured out that using Task Manager to close iexplore.exe stops the radio stations.

Any suggestions?
- Austin

(PS: Thank you again for your assistance in this matter. :D)


DDS (Ver_10-03-17.01) - NTFSx86
Run by Tyler at 4:01:39.98 on Fri 10/01/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1554 [GMT -7:00]

AV: Security Suite *On-access scanning enabled* (Updated) {F5E52F41-190C-46f6-9FC3-55470285CC2B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Tyler\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyServer = http=127.0.0.1:6092
uInternet Settings,ProxyOverride = <local>
BHO: c:\windows\system32\cirogi3giy.dll: {b1ba40a2-75f2-51bd-f413-04b13a2c8953} - c:\windows\system32\cirogi3giy.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
uRun: [HNUnaIXnqe] c:\docume~1\tyler\locals~1\temp\login.exe
uRun: [MKfa] c:\windows\win.exe
uRun: [MKcZ] c:\windows\mdm.exe
uRun: [MKeuf] c:\windows\spoolsv.exe
uRun: [HNUnaIXnd] c:\docume~1\tyler\locals~1\temp\avp.exe
uRun: [HNUnaIXnrc] c:\docume~1\tyler\locals~1\temp\winamp.exe
uRun: [HNUnaIXnf] c:\docume~1\tyler\locals~1\temp\win.exe
uRun: [MKerb] c:\windows\taskmgr.exe
uRun: [MKfPc] c:\windows\win16.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [Vyilejefiqa] rundll32.exe "c:\windows\ocacofezip.dll",Startup
mRun: [HNUnaIXnqe] c:\docume~1\tyler\locals~1\temp\login.exe
mRun: [MKfa] c:\windows\win.exe
mRun: [MKcZ] c:\windows\mdm.exe
mRun: [MKeuf] c:\windows\spoolsv.exe
mRun: [HNUnaIXnd] c:\docume~1\tyler\locals~1\temp\avp.exe
mRun: [HNUnaIXnrc] c:\docume~1\tyler\locals~1\temp\winamp.exe
mRun: [HNUnaIXnf] c:\docume~1\tyler\locals~1\temp\win.exe
mRun: [MKerb] c:\windows\taskmgr.exe
mRun: [MKfPc] c:\windows\win16.exe
StartupFolder: c:\docume~1\tyler\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
STS: c:\windows\system32\cirogi3giy.dll: {b1ba40a2-75f2-51bd-f413-04b13a2c8953} - c:\windows\system32\cirogi3giy.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tyler\applic~1\mozilla\firefox\profiles\wq37sfdp.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=BABTDF&PC=BBLN&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://search.search-tab.com/?sid=10101057100&s=
FF - component: c:\documents and settings\tyler\application data\mozilla\firefox\profiles\wq37sfdp.default\extensions\dttoolbar@toolbarnet.com\components\DTToolbarFF.dll
FF - component: c:\documents and settings\tyler\application data\mozilla\firefox\profiles\wq37sfdp.default\extensions\gamebox@toolbar\components\toolbarhomewmp.dll
FF - HiddenExtension: XULRunner: {AB3E9AE3-EC66-4064-9509-E59A981DE49D} - c:\documents and settings\tyler\local settings\application data\{AB3E9AE3-EC66-4064-9509-E59A981DE49D}
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R3 AE1000;Linksys AE1000 Driver;c:\windows\system32\drivers\AE1000XP.sys [2010-8-4 816672]
R3 ksaud;Creative USB Audio Driver;c:\windows\system32\drivers\ksaud.sys [2008-12-1 768256]
R3 ksaudfl;ksaudfl;c:\windows\system32\drivers\ksaudfl.sys [2008-10-24 1830912]
S0 cerc6;cerc6; [x]
S3 cpuz132;cpuz132;\??\c:\docume~1\tyler\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\tyler\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2010-9-12 79360]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\dragon age\bin_ship\daupdatersvc.service.exe [2010-9-5 25832]

=============== Created Last 30 ================

2010-10-01 09:59:52 596 --sha-r- c:\documents and settings\tyler\ntuser.pol
2010-10-01 09:58:07 0 d--h--w- c:\windows\system32\GroupPolicy
2010-10-01 09:34:01 0 dc----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-10-01 09:34:01 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-10-01 09:29:48 0 d-----w- c:\windows\pss
2010-10-01 09:26:36 0 d-----w- c:\program files\Trend Micro
2010-10-01 09:26:05 0 d-----w- c:\program files\Defraggler
2010-10-01 09:13:24 0 d-----w- c:\program files\CCleaner
2010-09-26 20:31:37 0 d-----w- c:\windows\system32\LogFiles
2010-09-22 20:03:37 2714 ----a-w- c:\windows\ubevanoqiqurih.dll
2010-09-17 19:27:56 0 d-----w- c:\windows\system32\XPSViewer
2010-09-17 19:27:23 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-09-17 19:27:23 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-09-17 19:27:23 117760 ------w- c:\windows\system32\prntvpt.dll
2010-09-17 19:27:22 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-09-17 19:27:22 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-09-17 19:27:22 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-09-17 19:27:22 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-09-17 19:27:22 0 dc----w- C:\4c7b139f450bfc1c1ec831145b
2010-09-17 18:28:21 21636 ---h--w- c:\windows\winamp.exe
2010-09-17 05:07:19 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2010-09-17 05:07:17 0 d-----w- c:\windows\Logs
2010-09-16 19:34:58 0 dc----w- c:\docume~1\alluse~1\applic~1\CCP
2010-09-16 19:34:58 0 d-----w- c:\program files\CCP
2010-09-16 08:16:37 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-09-16 08:16:37 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-09-16 08:16:20 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-09-16 08:14:10 2189952 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-09-16 08:14:10 2146304 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-09-16 08:14:09 2066816 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-09-16 08:14:09 2024448 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-09-15 10:22:11 21636 ---h--w- c:\windows\win16.exe
2010-09-15 10:22:10 21604 ---h--w- c:\windows\iexplarer.exe
2010-09-15 10:22:10 21604 ---h--w- c:\windows\debug.exe
2010-09-15 10:02:47 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2010-09-15 10:02:46 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-09-15 10:02:23 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2010-09-14 22:44:40 21604 ---h--w- c:\windows\avp32.exe
2010-09-14 22:40:42 21604 ---h--w- c:\windows\setup.exe
2010-09-14 21:24:43 17920 -c----w- c:\windows\system32\dllcache\msyuv.dll
2010-09-14 20:58:23 21604 ---h--w- c:\windows\csrss.exe
2010-09-14 10:06:27 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-09-14 10:00:16 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2010-09-14 10:00:16 0 d-----w- c:\windows\system32\PreInstall
2010-09-14 10:00:14 0 d--h--w- c:\windows\$hf_mig$
2010-09-14 08:56:01 0 d-----w- c:\windows\system32\SoftwareDistribution
2010-09-14 05:44:51 21604 ---h--w- c:\windows\gdi32.exe
2010-09-14 04:01:49 21604 ---h--w- c:\windows\cmd.exe
2010-09-14 03:51:45 21604 ---h--w- c:\windows\win32.exe
2010-09-14 03:49:51 21604 ---h--w- c:\windows\hexdump.exe
2010-09-14 03:49:50 21604 ---h--w- c:\windows\drweb.exe
2010-09-14 03:49:49 21604 ---h--w- c:\windows\install.exe
2010-09-14 02:03:25 120 ----a-w- c:\windows\Ohiwimenipavuro.dat
2010-09-14 02:03:25 0 ----a-w- c:\windows\Fzinexame.bin
2010-09-14 01:52:47 0 d-----w- c:\program files\Security Suite Platinum
2010-09-14 01:48:18 2838 ----a-w- c:\windows\oracekiriyijike.dll
2010-09-14 01:47:51 21636 ---h--w- c:\windows\taskmgr.exe
2010-09-14 01:29:57 21604 ---h--w- c:\windows\avp.exe
2010-09-14 01:28:33 2838 ----a-w- c:\windows\uyadokezez.dll
2010-09-14 01:28:02 21604 ---h--w- c:\windows\wininst.exe
2010-09-14 01:28:00 21636 ---h--w- c:\windows\spoolsv.exe
2010-09-13 20:13:04 21604 ---h--w- c:\windows\nvsvc32.exe
2010-09-13 20:13:04 21588 ---h--w- c:\windows\sysedit.exe
2010-09-13 20:13:03 21636 ---h--w- c:\windows\mdm.exe
2010-09-13 20:13:02 21636 ---h--w- c:\windows\login.exe
2010-09-13 20:13:01 60004 ---h--w- c:\windows\user.exe
2010-09-13 20:12:57 30000 ----a-w- c:\windows\system32\cirogi3giy.dll
2010-09-13 20:12:52 0 d-----w- c:\docume~1\alluse~1\applic~1\Update
2010-09-13 00:26:16 90112 ------w- c:\windows\Updreg.EXE
2010-09-13 00:25:53 7062 ----a-w- c:\windows\system32\audiopid.vxd
2010-09-13 00:25:14 0 d-----w- c:\windows\system32\ReinstallBackups
2010-09-13 00:24:34 33126 ----a-w- c:\windows\system32\kschimp.ini
2010-09-13 00:24:34 189952 ----a-w- c:\windows\system32\KSXPPI32.dll
2010-09-13 00:24:29 7556 ----a-w- c:\windows\system32\MixerDefaultXP.reg
2010-09-13 00:24:29 3556 ----a-w- c:\windows\system32\DeviceDefaultsXP.reg
2010-09-13 00:24:29 268 ---ha-r- c:\windows\ctfile.rfc
2010-09-13 00:24:29 2630 ----a-w- c:\windows\MixerName.reg
2010-09-13 00:24:29 23292 ----a-w- c:\windows\ksaudENG.reg
2010-09-13 00:24:13 0 d-----w- c:\program files\common files\Creative Labs Shared
2010-09-13 00:19:54 2395592 -c--a-w- C:\Start.exe
2010-09-12 21:04:37 4174814 ------w- c:\windows\system32\CT4MGM.SF2
2010-09-12 21:04:37 0 d-----w- c:\windows\system32\Defaults
2010-09-12 21:04:27 10624 -c--a-w- c:\windows\system32\dllcache\gameenum.sys
2010-09-12 21:04:27 10624 ----a-w- c:\windows\system32\drivers\gameenum.sys
2010-09-12 21:04:12 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2010-09-12 21:04:12 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2010-09-12 21:04:00 86446 ----a-w- c:\windows\system32\instwdm.ini
2010-09-12 21:04:00 3072 ----a-w- c:\windows\CTXFIRES.DLL
2010-09-12 21:04:00 11776 ----a-w- c:\windows\INRES.DLL
2010-09-12 21:04:00 10240 ----a-w- c:\windows\CTDCRES.DLL
2010-09-12 21:04:00 0 d-----w- c:\windows\system32\Data
2010-09-12 21:03:59 0 d-----w- c:\program files\Creative
2010-09-12 20:38:25 0 d-----w- c:\docume~1\tyler\applic~1\DriverFinder
2010-09-12 20:36:21 0 d-----w- c:\docume~1\alluse~1\applic~1\Easy Driver Pro
2010-09-12 19:49:32 0 d-----w- c:\program files\Microsoft
2010-09-12 19:47:39 0 d-----w- c:\docume~1\alluse~1\applic~1\Driver Whiz
2010-09-12 17:45:56 0 d-----w- C:\Neo
2010-09-12 15:48:27 0 d-----w- c:\program files\VDMSound
2010-09-12 13:06:52 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2010-09-12 12:51:29 0 d-----w- c:\program files\DAEMON Tools Lite
2010-09-12 12:43:33 0 d-----w- c:\program files\DAEMON Tools Toolbar
2010-09-12 12:43:15 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-09-12 12:42:47 0 d-----w- c:\docume~1\tyler\applic~1\DAEMON Tools Lite
2010-09-12 12:42:44 0 d-----w- c:\docume~1\alluse~1\applic~1\DAEMON Tools Lite
2010-09-12 12:42:36 0 d-----w- c:\windows\system32\3077
2010-09-11 21:11:23 0 d-----w- c:\program files\uTorrent
2010-09-11 21:11:16 0 d-----w- c:\docume~1\tyler\applic~1\uTorrent
2010-09-06 05:21:07 0 dc----w- c:\docume~1\alluse~1\applic~1\BioWare
2010-09-06 02:02:27 0 d-----w- c:\program files\Dragon Age
2010-09-06 02:00:04 0 d-----w- c:\program files\common files\BioWare
2010-09-05 21:05:36 0 d-----w- c:\docume~1\tyler\applic~1\Petroglyph
2010-09-05 21:04:44 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-09-05 01:43:39 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2010-09-05 01:23:50 0 d-----w- c:\program files\LucasArts

==================== Find3M ====================

2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-04 22:51:25 4096 ----a-w- c:\windows\d3dx.dat
2010-07-28 14:02:12 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll

============= FINISH: 4:02:21.51 ===============
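The DDS log above already carries the indicators a helper would key on: a browser proxy pointed at the loopback address (some local process is sitting between the browser and the network), a Hosts entry that sends a security forum to 127.0.0.1, Run entries that launch executables from the user's Temp folder, and a batch of hidden ~21 KB executables dropped directly under c:\windows with the names of system32 binaries or of antivirus products. The script below is an added example, not part of the original post and not part of the DDS tool; it applies exactly those checks to a constructed excerpt of the log lines shown above. The line formats are assumed from this log's own layout, and the SYSTEM32_NAMES and DECOY_NAMES lists are the editor's own, limited to names that appear in the log.

```python
"""
Triage the 'Pseudo HJT Report' and 'Created Last 30' sections of a DDS log.

Added example: the rules encode the indicators visible in the log posted
above. SAMPLE_LOG is a constructed excerpt of that log, not the full file,
and the name lists are assumptions drawn from the entries it shows.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# On XP these live in c:\windows\system32; a copy with the same name sitting
# directly under c:\windows (hidden, a few KB) is a dropper, not the OS file.
SYSTEM32_NAMES = {
    "spoolsv.exe", "taskmgr.exe", "csrss.exe", "cmd.exe", "mdm.exe",
    "gdi32.exe", "nvsvc32.exe", "sysedit.exe", "debug.exe", "setup.exe",
    "user.exe", "win.exe", "win16.exe", "win32.exe", "login.exe",
}
# Names chosen to look like security tools (avp = Kaspersky, drweb = Dr.Web)
# or like Internet Explorer (note the misspelling in the log: iexplarer.exe).
DECOY_NAMES = {"avp.exe", "avp32.exe", "drweb.exe", "iexplarer.exe"}

RUN_RE = re.compile(r"^[um]Run: \[(?P<key>[^\]]+)\] (?P<cmd>.+)$")
CREATED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(?P<size>\d+)\s+"
    r"(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$"
)
PROXY_RE = re.compile(r"ProxyServer = (?P<val>.+)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+) (?P<host>\S+)$")


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str
    size: int | None = None


def _exe_in_windows_root(path: str) -> bool:
    """True for c:\\windows\\<name>.exe, False for anything in a subfolder."""
    return bool(re.fullmatch(r"c:\\windows\\[^\\]+\.exe", path.lower()))


def triage(log: str) -> list[Finding]:
    findings: list[Finding] = []
    for line in (ln.strip() for ln in log.splitlines()):
        if m := PROXY_RE.search(line):
            # A proxy on loopback means a local process intercepts browsing.
            if "127.0.0.1" in m["val"] or "localhost" in m["val"].lower():
                findings.append(Finding("loopback-proxy", m["val"]))
        elif m := HOSTS_RE.match(line):
            # Hosts entries that blackhole sites are a removal-blocking trick.
            if m["ip"].startswith("127."):
                findings.append(Finding("hosts-redirect", m["host"]))
        elif m := RUN_RE.match(line):
            cmd = m["cmd"].lower()
            name = cmd.rsplit("\\", 1)[-1]
            if "\\temp\\" in cmd:
                findings.append(Finding("run-from-temp", m["cmd"]))
            elif _exe_in_windows_root(cmd) and name in SYSTEM32_NAMES:
                findings.append(Finding("run-shadowed-system-name", m["cmd"]))
        elif m := CREATED_RE.match(line):
            name = m["path"].rsplit("\\", 1)[-1].lower()
            hidden = "h" in m["attrs"]  # DDS attribute column, e.g. ---h--w-
            if _exe_in_windows_root(m["path"]) and hidden and (
                name in SYSTEM32_NAMES or name in DECOY_NAMES
            ):
                findings.append(
                    Finding("hidden-dropped-exe", m["path"], int(m["size"]))
                )
    return findings


def dropper_sizes(findings: list[Finding]) -> Counter:
    """Size histogram of the hidden drops; one family tends to share a size."""
    return Counter(f.size for f in findings if f.kind == "hidden-dropped-exe")


# Constructed excerpt of the log in the post above.
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:6092
uInternet Settings,ProxyOverride = <local>
uRun: [HNUnaIXnqe] c:\docume~1\tyler\locals~1\temp\login.exe
uRun: [MKeuf] c:\windows\spoolsv.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [MKerb] c:\windows\taskmgr.exe
Hosts: 127.0.0.1 www.spywareinfo.com
2010-09-14 20:58:23 21604 ---h--w- c:\windows\csrss.exe
2010-09-14 04:01:49 21604 ---h--w- c:\windows\cmd.exe
2010-09-14 01:47:51 21636 ---h--w- c:\windows\taskmgr.exe
2010-09-14 01:29:57 21604 ---h--w- c:\windows\avp.exe
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
"""

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.kind:26} {f.detail}")
    print("hidden drop sizes:", dict(dropper_sizes(results)))
```

The legitimate entries in the excerpt (the NVIDIA rundll32 line and the real c:\windows\system32\spoolsv.exe) produce no finding, which is the point of keying on the directory and the hidden attribute rather than on the file name alone; on a log like this one the size histogram also makes it obvious that the dozen hidden executables are copies of the same two small droppers, whatever names they carry.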

ken545
2010-10-05, 00:20


Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.


You have some nasty nasty stuff on this system.



Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif


http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif

* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished, then restart your computer to restore the connections.

ken545
2010-10-14, 14:02
Due to inactivity, this thread will now be closed.

If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a new DDS log with a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.