Wife's laptop infected
kylemaso
2010-10-12, 06:13
Please help me clean my wife's computer. She got a "Virtumonde" trojan that I cannot remove. Thanks in advance.
Kyle
DDS (Ver_10-10-10.03) - NTFSx86
Run by User at 22:50:32.58 on Mon 10/11/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.118 [GMT -4:00]
AV: Security Master AV *On-access scanning enabled* (Updated) {EBAA06D4-936E-4565-BC83-E17770425493}
FW: Security Master AV *enabled* {3078E016-0B9F-4D65-9D4F-4CAE3144B087}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Documents and Settings\User\Start Menu\Programs\Startup\updugt32.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Apoint\Apntex.exe
"C:\WINDOWS\System32\svchost.exe"
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\F91WMCTN\dds[1].scr
C:\WINDOWS\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://my.yahoo.com/
uSearch Page =
uDefault_Page_URL = hxxp://www.windstream.net
uWindow Title = Windows Internet Explorer provided by Windstream
uSearch Bar =
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uInternet Settings,ProxyOverride = *.local
mSearchAssistant =
uURLSearchHooks: N/A: {0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2} - c:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uURLSearchHooks: H - No File
mURLSearchHooks: N/A: {0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2} - c:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL
mWinlogon: System=ziswin.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Ask Search Assistant BHO: {0579b4b1-0293-4d73-b02d-5ebb0ba0f0a2} - c:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRunOnce: [SpybotDeletingB6998] command.com /c del "c:\windows\uwimetapediwi.dll_old"
uRunOnce: [SpybotDeletingD7356] cmd.exe /c del "c:\windows\uwimetapediwi.dll_old"
mRun: [NvCplDaemon] "c:\windows\system32\rundll32.exe" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] "c:\windows\system32\nwiz.exe" /installquiet
mRun: [Apoint] "c:\program files\apoint\Apoint.exe"
mRun: [bascstray] BascsTray.exe
mRun: [<NO NAME>]
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [DVDSentry] "c:\windows\system32\DSentry.exe"
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [KernelFaultCheck] "%systemroot%\system32\dumprep" 0 -k
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Gtinet] rundll32.exe "c:\windows\uwimetapediwi.dll",Startup
mRunOnce: [Spybot - Search & Destroy] "c:\program files\spybot - search & destroy\SpybotSD.exe" /autocheck
mRunOnce: [SpybotDeletingA7525] command.com /c del "c:\windows\uwimetapediwi.dll_old"
mRunOnce: [SpybotDeletingC6006] cmd.exe /c del "c:\windows\uwimetapediwi.dll_old"
StartupFolder: c:\documents and settings\user\start menu\programs\startup\updugt32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\applic~1.lnk - c:\program files\novell\zenworks\NalView.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: tenderfoot.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc2.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229039078121
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} -
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
IFEO: image file execution options -
Hosts: 127.0.0.1 www.spywareinfo.com
============= SERVICES / DRIVERS ===============
R3 GTICARD;GTICARD;c:\windows\system32\drivers\gticard.sys [2005-1-26 59328]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-15 135664]
S3 040b979b10373198;040b979b10373198;c:\windows\temp\11480c1fcbf8a [2010-10-11 840192]
S3 85fd5a8838da4c58;85fd5a8838da4c58;\??\c:\windows\temp\113202561d816 --> c:\windows\temp\113202561d816 [?]
S3 ca71bd57551fd5e2;ca71bd57551fd5e2;\??\c:\windows\temp\11520fa564420 --> c:\windows\temp\11520fa564420 [?]
S3 e2c629d1415dc042;e2c629d1415dc042;c:\windows\temp\11480333d6cac [2010-10-11 840192]
S3 ef636f5a9cd82383;ef636f5a9cd82383;\??\c:\windows\temp\11440d62d7b16 --> c:\windows\temp\11440d62d7b16 [?]
=============== Created Last 30 ================
2010-10-09 22:49:00 -------- d-----w- c:\docume~1\user\locals~1\applic~1\{8638D86D-DFDD-4D85-9D78-2312DD378723}
2010-10-09 06:53:06 840192 ----a-w- c:\windows\system32\drivers\yygfik.sys
2010-10-08 22:36:35 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-10-08 22:36:35 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-10-08 17:16:21 47616 ---ha-w- c:\windows\compokup.dll
2010-10-08 17:02:27 0 ---ha-w- c:\windows\Xpugivegohekev.bin
2010-10-08 17:01:15 565248 ----a-w- c:\windows\system32\drivers\yckur.sys
2010-10-08 17:00:12 47616 ---ha-w- c:\windows\system32\compokup.dll
==================== Find3M ====================
============= FINISH: 23:03:13.33 ===============
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.
Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.
You have a lot of malware going on, looks like you may be rootkit infected.
Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RC1.png
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/RC2-1.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
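The analyst's "looks like you may be rootkit infected" call above rests on a handful of indicators in the DDS SERVICES / DRIVERS section: services with random 16-character hex names, image paths under c:\windows\temp, and entries DDS could not stat ([?]). The following script is an added triage example for this thread and is not part of DDS, ComboFix or the Spybot forum tooling; it parses lines in the DDS service format and flags those indicators. The sample lines are constructed from the log posted above, and the heuristics (temp-directory path, 16-hex-char name, missing file) are my own assumptions about what marks an entry as worth a closer look, not proof of infection.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample lines in the DDS "SERVICES / DRIVERS" format, constructed from the
# log posted above (not read from a live machine).
SAMPLE_SERVICES = r"""
R3 GTICARD;GTICARD;c:\windows\system32\drivers\gticard.sys [2005-1-26 59328]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-15 135664]
S3 040b979b10373198;040b979b10373198;c:\windows\temp\11480c1fcbf8a [2010-10-11 840192]
S3 85fd5a8838da4c58;85fd5a8838da4c58;\??\c:\windows\temp\113202561d816 --> c:\windows\temp\113202561d816 [?]
"""

# "S3 name;display;path [meta]": a state code, then ';'-separated fields.
# ComboFix prints "S?2" for some services, hence the optional '?'.
LINE_RE = re.compile(r"^(?P<state>[RS]\??\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
META_RE = re.compile(r"^(?P<path>.*?)\s+\[(?P<meta>[^\]]*)\]$")
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)   # assumption: temp dirs are suspect
HEX_NAME_RE = re.compile(r"^[0-9a-f]{16}$", re.IGNORECASE)   # assumption: random hex names are suspect


@dataclass
class ServiceEntry:
    state: str
    name: str
    display: str
    image_path: str
    meta: str
    findings: List[str] = field(default_factory=list)


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one DDS service/driver line; return None for lines in any other format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    mm = META_RE.match(m.group("rest"))
    if not mm:
        return None
    path = mm.group("path")
    # DDS prints "registered --> resolved" when the ImagePath needed resolving;
    # keep the resolved side, which is the file that would actually load.
    if "-->" in path:
        path = path.split("-->", 1)[1].strip()
    # Strip the NT object-manager prefix "\??\" so the Win32 path can be inspected.
    if path.startswith("\\??\\"):
        path = path[4:]
    return ServiceEntry(m.group("state"), m.group("name"), m.group("display"), path, mm.group("meta"))


def assess(entry: ServiceEntry) -> ServiceEntry:
    """Attach triage findings. These are heuristics for a human to review, not verdicts."""
    if TEMP_DIR_RE.search(entry.image_path):
        entry.findings.append("image path under a temp directory")
    if HEX_NAME_RE.match(entry.name):
        entry.findings.append("service name is a 16-char random hex string")
    if entry.meta.strip() == "?":
        entry.findings.append("DDS could not stat the file (missing or hidden)")
    return entry


def triage(text: str) -> List[ServiceEntry]:
    """Parse every service line in a DDS-style block and assess each one."""
    entries = []
    for line in text.splitlines():
        entry = parse_service_line(line)
        if entry is not None:
            entries.append(assess(entry))
    return entries


def suspicious(text: str) -> List[str]:
    """Names of services with at least one finding, in log order."""
    return [e.name for e in triage(text) if e.findings]


if __name__ == "__main__":
    for e in triage(SAMPLE_SERVICES):
        flag = "SUSPECT" if e.findings else "ok"
        print(f"{flag:7} {e.state} {e.name:20} {e.image_path}")
        for f in e.findings:
            print(f"         - {f}")
```

Run against the sample, the two legitimate drivers (GTICARD, gupdate) produce no findings, while the two hex-named temp services are flagged; the `[?]` entry collects all three findings, matching what the analyst treated as the strongest sign of a dropper or rootkit loader. Only the service lines are parsed here; the "Created Last 30" driver entries (yygfik.sys, yckur.sys) would need a separate pattern.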
kylemaso
2010-10-14, 21:29
Thanks for the help so far. When Combofix finished running on the laptop and Windows rebooted, it gave me a blue screen. After restarting in safe mode and copying the combofix file it rebooted normally. I am not sure what happened there. Here is the Combofix log.
Kyle
ComboFix 10-10-12.03 - User 10/14/2010 13:29:58.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.267 [GMT -4:00]
Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\~GLHTTP1.TMP
c:\documents and settings\All Users.\documents\settings
c:\documents and settings\All Users\Application Data\b831c0c
c:\documents and settings\All Users\Application Data\b831c0c\11.mof
c:\documents and settings\All Users\Application Data\b831c0c\BackUp\Application Explorer.lnk
c:\documents and settings\All Users\Application Data\b831c0c\BackUp\Digital Line Detect.lnk
c:\documents and settings\All Users\Application Data\b831c0c\BackUp\LimeWire On Startup.lnk
c:\documents and settings\All Users\Application Data\b831c0c\BackUp\Windows Search.lnk
c:\documents and settings\All Users\Application Data\b831c0c\SMAV.ico
c:\documents and settings\All Users\Application Data\b831c0c\SMAVSys\vd952342.bd
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\User\Local Settings\Application Data\{8638D86D-DFDD-4D85-9D78-2312DD378723}
c:\documents and settings\User\Local Settings\Application Data\{8638D86D-DFDD-4D85-9D78-2312DD378723}\chrome.manifest
c:\documents and settings\User\Local Settings\Application Data\{8638D86D-DFDD-4D85-9D78-2312DD378723}\chrome\content\_cfg.js
c:\documents and settings\User\Local Settings\Application Data\{8638D86D-DFDD-4D85-9D78-2312DD378723}\chrome\content\overlay.xul
c:\documents and settings\User\Local Settings\Application Data\{8638D86D-DFDD-4D85-9D78-2312DD378723}\install.rdf
c:\documents and settings\User\Recent\cb.dll
c:\documents and settings\User\Recent\cb.drv
c:\documents and settings\User\Recent\cb.sys
c:\documents and settings\User\Recent\cb.tmp
c:\documents and settings\User\Recent\CLSV.exe
c:\documents and settings\User\Recent\ddv.tmp
c:\documents and settings\User\Recent\eb.drv
c:\documents and settings\User\Recent\energy.dll
c:\documents and settings\User\Recent\exec.dll
c:\documents and settings\User\Recent\exec.sys
c:\documents and settings\User\Recent\fan.dll
c:\documents and settings\User\Recent\fix.drv
c:\documents and settings\User\Recent\grid.tmp
c:\documents and settings\User\Recent\PE.drv
c:\documents and settings\User\Recent\PE.sys
c:\documents and settings\User\Recent\ppal.dll
c:\documents and settings\User\Recent\ppal.drv
c:\documents and settings\User\Recent\runddlkey.sys
c:\documents and settings\User\Recent\sld.exe
c:\documents and settings\User\Recent\snl2w.drv
c:\documents and settings\user\Start Menu\Programs\Startup\updugt32.exe
C:\LOG3.tmp
C:\LOG4.tmp
C:\LOGA9.tmp
C:\LOGAA.tmp
C:\LOGB0.tmp
C:\LOGD.tmp
c:\windows\compokup.dll
c:\windows\system32\compokup.dll
c:\windows\system32\drivers\yckur.sys
----- BITS: Possible infected sites -----
hxxp://uaa104
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_yckur
-------\Service_yckur
((((((((((((((((((((((((( Files Created from 2010-09-14 to 2010-10-14 )))))))))))))))))))))))))))))))
.
2010-10-12 02:34 . 2010-10-12 02:34 -------- d-----w- c:\program files\ERUNT
2010-10-10 00:25 . 2010-10-10 00:25 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-10-10 00:23 . 2010-10-10 00:23 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2010-10-10 00:23 . 2010-10-10 00:23 -------- d-----w- c:\documents and settings\LocalService\Application Data\Yahoo!
2010-10-09 06:53 . 2010-10-14 17:50 840192 ----a-w- c:\windows\system32\drivers\yygfik.sys
2010-10-08 22:36 . 2010-10-09 10:49 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-10-08 22:36 . 2010-10-09 01:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-10-08 17:02 . 2010-10-12 11:37 0 ---ha-w- c:\windows\Xpugivegohekev.bin
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-10 39408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-26 4632576]
"nwiz"="c:\windows\system32\nwiz.exe" [2004-10-26 921600]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-08-22 155648]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"DVDSentry"="c:\windows\system32\DSentry.exe" [2002-07-17 28672]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2005-02-08 684032]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 22:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
R3 GTICARD;GTICARD;c:\windows\system32\drivers\gticard.sys [1/26/2005 10:55 PM 59328]
S?2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/15/2010 10:29 PM 135664]
S3 040b979b10373198;040b979b10373198;\??\c:\windows\TEMP\11480c1fcbf8a --> c:\windows\TEMP\11480c1fcbf8a [?]
S3 7740e0574180fbc4;7740e0574180fbc4;\??\c:\windows\TEMP\8160d1485da7 --> c:\windows\TEMP\8160d1485da7 [?]
S3 85fd5a8838da4c58;85fd5a8838da4c58;\??\c:\windows\TEMP\113202561d816 --> c:\windows\TEMP\113202561d816 [?]
S3 ca71bd57551fd5e2;ca71bd57551fd5e2;\??\c:\windows\TEMP\11520fa564420 --> c:\windows\TEMP\11520fa564420 [?]
S3 e2c629d1415dc042;e2c629d1415dc042;\??\c:\windows\TEMP\11480333d6cac --> c:\windows\TEMP\11480333d6cac [?]
S3 ef636f5a9cd82383;ef636f5a9cd82383;\??\c:\windows\TEMP\11440d62d7b16 --> c:\windows\TEMP\11440d62d7b16 [?]
--- Other Services/Drivers In Memory ---
*Deregistered* - yygfik
.
Contents of the 'Scheduled Tasks' folder
2010-02-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
2010-10-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 02:28]
2010-10-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 02:28]
2010-10-14 c:\windows\Tasks\User_Feed_Synchronization-{0FA48CAD-70F5-43AA-998D-BE8715FA0925}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: tenderfoot.com
.
- - - - ORPHANS REMOVED - - - -
URLSearchHooks-{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
BHO-{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-TomTomHOME.exe - c:\program files\TomTom HOME 2\TomTomHOMERunner.exe
HKLM-Run-bascstray - BascsTray.exe
HKLM-Run-Gtinet - c:\windows\uwimetapediwi.dll
AddRemove-Macromedia Shockwave Player - c:\windows\system32\Macromed\SHOCKW~1\UNWISE.EXE
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\040b979b10373198]
"ImagePath"="\??\c:\windows\TEMP\11480c1fcbf8a"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\7740e0574180fbc4]
"ImagePath"="\??\c:\windows\TEMP\8160d1485da7"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\85fd5a8838da4c58]
"ImagePath"="\??\c:\windows\TEMP\113202561d816"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ca71bd57551fd5e2]
"ImagePath"="\??\c:\windows\TEMP\11520fa564420"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\e2c629d1415dc042]
"ImagePath"="\??\c:\windows\TEMP\11480333d6cac"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ef636f5a9cd82383]
"ImagePath"="\??\c:\windows\TEMP\11440d62d7b16"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\yygfik]
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1084)
c:\program files\Intel\Wireless\Bin\LgNotify.dll
- - - - - - - > 'explorer.exe'(3784)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe
c:\windows\System32\SCardSvr.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\basfipm.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
c:\program files\Digital Line Detect\DLG.exe
c:\program files\Windows Desktop Search\WindowsSearch.exe
c:\program files\Apoint\Apntex.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\imapi.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2010-10-14 13:54:46 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-14 17:54
Pre-Run: 70,437,478,400 bytes free
Post-Run: 70,279,798,784 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - 23DFEBD096F981CD1DAA92B524779413
kylemaso
2010-10-14, 21:35
I posted too quickly. The error came back. It says there is a problem detected and Windows has been shut down to prevent damage to your computer.
DRIVER_IRQL_NOT_LESS_OR_EQUAL
Technical information:
*** STOP: 0x000000D1 (0xF8C52000, 0X00000002, 0X00000000, 0XF8585C89)
*** yygfik.sys - Address F8585C89 base at F8581000, Datestamp 4cac4840
What is this?
Thanks, Kyle
That's part of the infection, and all systems react differently to them.
You can run both of these programs in Safe Mode with Networking Support.
To Enter Safemode
Go to Start> Shut off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode with Networking
Then press the Enter Key on your Keyboard
Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)
Download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
Close any open windows.
Double click the TFC icon to run the program
TFC will close all open programs itself in order to run,
Click the Start button to begin the process.
Allow TFC to run uninterrupted.
The program should not take long to finish its job.
Once it's finished it should automatically reboot your machine;
if it doesn't, manually reboot to ensure a complete clean.
Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://i24.photobucket.com/albums/c30/ken545/MBAMCapture.jpg
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report, please.
kylemaso
2010-10-15, 02:19
Hey Ken, I cannot get her laptop to reboot. I have tried every safe mode setting and rebooting in normal mode. The computer gets stuck at "windows\system32\drivers\isapnp.sys" when rebooting in "safe modes" and never gets past a black screen in a regular boot.
If this is the end, I will reformat and reinstall.
Let me know.
Kyle
kylemaso
2010-10-15, 02:42
I may have jumped the gun too soon again Ken! When rebooting in Safe Mode with command prompt, and selecting reboot from Windows Recovery, I get as far as the background and it seems to load the programs, but then goes to the blue screen error noted earlier. Upon rebooting in safe mode with networking options, I was able to reboot in standard safe mode with networking and am running malwarebytes.
Kyle
Never Surrender!
Great, I was looking into your problem. I am hoping Malwarebytes removes some more bad stuff; if not, we will have to run Combofix again to remove the malware that is causing this problem.
kylemaso
2010-10-15, 02:55
Unfortunately Malwarebytes didn't find anything that I could see. But here is the log....
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4786
Windows 5.1.2600 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.18702
10/14/2010 7:51:53 PM
mbam-log-2010-10-14 (19-51-53).txt
Scan type: Quick scan
Objects scanned: 150242
Time elapsed: 6 minute(s), 35 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
kylemaso
2010-10-15, 02:59
PS I wasn't able to update Malwarebytes with this week's update, the computer gave me the same blue screen error, but I updated it 4 days ago...
Kyle
Go ahead and run TFC; it's a temp file cleaner and you have some bad stuff in your temp files.
Then do this.
Open Notepad (Go to Start > All Programs > Accessories > Notepad; this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before or above Driver::
Driver::
yygfik
File::
c:\windows\system32\drivers\yygfik.sys
c:\windows\Xpugivegohekev.bin
c:\windows\uwimetapediwi.dll
Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\yygfik]
Save this as CFScript to your desktop.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
kylemaso
2010-10-15, 03:25
I have noticed that there is a user identity upon startup in safemode that doesn't show up in the user area of the control panel. It is password protected and we don't know how to get rid of it.
Combofix gives me an error of "were you trying to run CFScript? The name CFScript is incorrectly spelt" and that is how it is spelled....
And that is all she wrote, the program exits when I click "ok"
kyle
kylemaso
2010-10-15, 03:29
My bad, disregard the last error msg, I didn't save it as CFScript on my desktop.
I am a momentary dumbass....
Kyle,
Been a loooong day, been at this for many hours, so take your time and I will be back in the morning.
My wife graduated from Florida, been to Florida Field many times. Looking forward to seeing the Mississippi State game Saturday night.
kylemaso
2010-10-15, 03:41
Have a good night and I will post the log in a little while.
GO Gators!
kyle
kylemaso
2010-10-15, 03:49
Here is the log. The laptop started without being in safe mode and seems to be running much better. What next? Could the user BMOC ("big man on campus") be the builder of this computer? We don't see his user name in the user screen in the control panel, only on startup in safe mode....
kyle
ComboFix 10-10-12.03 - User 10/14/2010 20:30:26.2.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.335 [GMT -4:00]
Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
FILE ::
"c:\windows\system32\drivers\yygfik.sys"
"c:\windows\uwimetapediwi.dll"
"c:\windows\Xpugivegohekev.bin"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\fad.sys
c:\windows\system32\drivers\yygfik.sys
c:\windows\Xpugivegohekev.bin
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_YYGFIK
-------\Service_yygfik
((((((((((((((((((((((((( Files Created from 2010-09-15 to 2010-10-15 )))))))))))))))))))))))))))))))
.
2010-10-14 17:15 . 2010-10-14 17:55 -------- d-----w- C:\Combo-Fix
2010-10-12 02:34 . 2010-10-12 02:34 -------- d-----w- c:\program files\ERUNT
2010-10-10 00:25 . 2010-10-10 00:25 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-10-10 00:23 . 2010-10-10 00:23 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2010-10-10 00:23 . 2010-10-10 00:23 -------- d-----w- c:\documents and settings\LocalService\Application Data\Yahoo!
2010-10-08 22:36 . 2010-10-09 10:49 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-10-08 22:36 . 2010-10-09 01:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-10 39408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-26 4632576]
"nwiz"="c:\windows\system32\nwiz.exe" [2004-10-26 921600]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-08-22 155648]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"DVDSentry"="c:\windows\system32\DSentry.exe" [2002-07-17 28672]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2005-02-08 684032]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 22:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
R3 GTICARD;GTICARD;c:\windows\system32\drivers\gticard.sys [1/26/2005 10:55 PM 59328]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/15/2010 10:29 PM 135664]
S3 040b979b10373198;040b979b10373198;\??\c:\windows\TEMP\11480c1fcbf8a --> c:\windows\TEMP\11480c1fcbf8a [?]
S3 7740e0574180fbc4;7740e0574180fbc4;\??\c:\windows\TEMP\8160d1485da7 --> c:\windows\TEMP\8160d1485da7 [?]
S3 85fd5a8838da4c58;85fd5a8838da4c58;\??\c:\windows\TEMP\113202561d816 --> c:\windows\TEMP\113202561d816 [?]
S3 ca71bd57551fd5e2;ca71bd57551fd5e2;\??\c:\windows\TEMP\11520fa564420 --> c:\windows\TEMP\11520fa564420 [?]
S3 e2c629d1415dc042;e2c629d1415dc042;\??\c:\windows\TEMP\11480333d6cac --> c:\windows\TEMP\11480333d6cac [?]
S3 ef636f5a9cd82383;ef636f5a9cd82383;\??\c:\windows\TEMP\11440d62d7b16 --> c:\windows\TEMP\11440d62d7b16 [?]
.
Contents of the 'Scheduled Tasks' folder
2010-02-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
2010-10-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 02:28]
2010-10-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 02:28]
2010-10-15 c:\windows\Tasks\User_Feed_Synchronization-{0FA48CAD-70F5-43AA-998D-BE8715FA0925}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: tenderfoot.com
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\040b979b10373198]
"ImagePath"="\??\c:\windows\TEMP\11480c1fcbf8a"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\7740e0574180fbc4]
"ImagePath"="\??\c:\windows\TEMP\8160d1485da7"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\85fd5a8838da4c58]
"ImagePath"="\??\c:\windows\TEMP\113202561d816"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ca71bd57551fd5e2]
"ImagePath"="\??\c:\windows\TEMP\11520fa564420"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\e2c629d1415dc042]
"ImagePath"="\??\c:\windows\TEMP\11480333d6cac"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ef636f5a9cd82383]
"ImagePath"="\??\c:\windows\TEMP\11440d62d7b16"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1068)
c:\program files\Intel\Wireless\Bin\LgNotify.dll
- - - - - - - > 'explorer.exe'(2208)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe
c:\windows\System32\SCardSvr.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\basfipm.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Digital Line Detect\DLG.exe
c:\program files\Windows Desktop Search\WindowsSearch.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Apoint\Apntex.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-10-14 20:43:09 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-15 00:43
ComboFix2.txt 2010-10-14 17:54
Pre-Run: 70,375,411,712 bytes free
Post-Run: 70,362,116,096 bytes free
- - End Of File - - 1007449C245B8F6F62D561347B590F1F
Hi,
Did you run TFC ? Still looking at stuff that needs to go.
Boot to safemode and delete everything inside this folder but not the folder itself
c:\windows\TEMP
Backup Your Registry with ERUNT:
Download erunt.zip to your Desktop from here:
http://aumha.org/downloads/erunt.zip
Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
Inside the new folder, double-click ERUNT.exe to start the program
OK all the prompts to back up your registry to the default location. Note: to restore your registry, go to the backup folder and start ERDNT.exe
Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above Driver::
Driver::
040b979b10373198
7740e0574180fbc4
85fd5a8838da4c58
ca71bd57551fd5e2
e2c629d1415dc042
ef636f5a9cd82383
Registry::
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\040b979b10373198]
"ImagePath"=-
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\7740e0574180fbc4]
"ImagePath"=-
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\85fd5a8838da4c58]
"ImagePath"=-
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ca71bd57551fd5e2]
"ImagePath"=-
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\e2c629d1415dc042]
"ImagePath"=-
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ef636f5a9cd82383]
"ImagePath"=-
Save this as CFScript to your desktop.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
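The six services Ken's script targets share three tells in the log above: a random hex name, an image path under c:\windows\TEMP, and a "[?]" where ComboFix would normally print the file's date and size. As an added example that is not part of this thread, here is a small Python triage script that parses service lines of that shape (sample lines constructed from the log above), flags entries showing at least two of those tells, and drafts a CFScript in the same Driver::/Registry:: form Ken used; the heuristics and the two-signal threshold are this example's own assumptions.

```python
"""Triage the service lines of a ComboFix log and draft a CFScript.

Added example, not part of the thread; the heuristics are assumptions made here.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the "Reg Loading Points" service lines
# from the log posted above: two legitimate entries and six TEMP-backed ones.
SAMPLE_LOG = r"""
R3 GTICARD;GTICARD;c:\windows\system32\drivers\gticard.sys [1/26/2005 10:55 PM 59328]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/15/2010 10:29 PM 135664]
S3 040b979b10373198;040b979b10373198;\??\c:\windows\TEMP\11480c1fcbf8a --> c:\windows\TEMP\11480c1fcbf8a [?]
S3 7740e0574180fbc4;7740e0574180fbc4;\??\c:\windows\TEMP\8160d1485da7 --> c:\windows\TEMP\8160d1485da7 [?]
S3 85fd5a8838da4c58;85fd5a8838da4c58;\??\c:\windows\TEMP\113202561d816 --> c:\windows\TEMP\113202561d816 [?]
S3 ca71bd57551fd5e2;ca71bd57551fd5e2;\??\c:\windows\TEMP\11520fa564420 --> c:\windows\TEMP\11520fa564420 [?]
S3 e2c629d1415dc042;e2c629d1415dc042;\??\c:\windows\TEMP\11480333d6cac --> c:\windows\TEMP\11480333d6cac [?]
S3 ef636f5a9cd82383;ef636f5a9cd82383;\??\c:\windows\TEMP\11440d62d7b16 --> c:\windows\TEMP\11440d62d7b16 [?]
"""

# Line shape: "<state> <name>;<display name>;<image path> [<file date/size>]"
SERVICE_LINE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
TRAILING_INFO = re.compile(r"\[([^\]]*)\]\s*$")
HEX_NAME = re.compile(r"[0-9a-f]{12,}")          # assumption: 12+ hex chars is "random"
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")


@dataclass
class ServiceEntry:
    state: str
    name: str
    display: str
    image_path: str
    file_info: str                       # text inside the trailing [...]
    reasons: list = field(default_factory=list)


def parse_service_line(line: str):
    """Return a ServiceEntry for a service/driver line, or None for any other line."""
    m = SERVICE_LINE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    file_info = ""
    info = TRAILING_INFO.search(rest)
    if info:
        file_info = info.group(1)
        rest = rest[: info.start()].rstrip()
    # ComboFix prints "<registry value> --> <resolved path>"; keep the resolved one
    path = rest.split(" --> ")[-1].strip()
    if path.startswith("\\??\\"):       # strip the NT object-manager prefix
        path = path[4:]
    return ServiceEntry(m.group("state"), m.group("name"), m.group("display"), path, file_info)


def assess(entry: ServiceEntry) -> ServiceEntry:
    """Attach the reasons an entry looks like a dropped, self-registered service."""
    low = entry.image_path.lower()
    if any(marker in low for marker in TEMP_MARKERS):
        entry.reasons.append("image lives under a temp directory")
    if HEX_NAME.fullmatch(entry.name.lower()):
        entry.reasons.append("service name is a random-looking hex string")
    if entry.file_info == "?":
        entry.reasons.append("ComboFix could not read the image file's date/size")
    return entry


def is_suspicious(entry: ServiceEntry) -> bool:
    # Threshold is an assumption: any single signal alone has benign explanations.
    return len(entry.reasons) >= 2


def triage(log_text: str):
    """Parse every service line in the log text and score it."""
    entries = []
    for line in log_text.splitlines():
        entry = parse_service_line(line)
        if entry is not None:
            entries.append(assess(entry))
    return entries


def build_cfscript(entries) -> str:
    """Draft a CFScript in the shape used in the thread: Driver:: names to stop
    and delete, then Registry:: blocks that remove each service's ImagePath."""
    flagged = [e for e in entries if is_suspicious(e)]
    lines = ["Driver::"] + [e.name for e in flagged] + ["Registry::"]
    for e in flagged:
        lines.append(f"[HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\{e.name}]")
        lines.append('"ImagePath"=-')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    entries = triage(SAMPLE_LOG)
    for e in entries:
        verdict = "SUSPICIOUS" if is_suspicious(e) else "ok"
        print(f"{verdict:10} {e.state} {e.name:20} {e.image_path}  {'; '.join(e.reasons)}")
    print(build_cfscript(entries))
```

Review the flagged list by hand before using any drafted script; the CFScript deletes services and values outright, which is why Ken has the registry backed up with ERUNT first.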
kylemaso
2010-10-15, 19:45
Hey Ken, I ran TFC last night as per your directions. The problems rebooting may have had something to do with the problems you are still seeing, tho I am not sure. Here is the latest Combofix log. I still am unsure what the extra user name is that is showing on safe startup. Let me know if you have any ideas. Thanks for your continued help here!
Kyle
ComboFix 10-10-12.03 - User 10/15/2010 12:22:40.3.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.330 [GMT -4:00]
Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_040b979b10373198
-------\Service_7740e0574180fbc4
-------\Service_85fd5a8838da4c58
-------\Service_ca71bd57551fd5e2
-------\Service_e2c629d1415dc042
-------\Service_ef636f5a9cd82383
((((((((((((((((((((((((( Files Created from 2010-09-15 to 2010-10-15 )))))))))))))))))))))))))))))))
.
2010-10-14 17:15 . 2010-10-14 17:55 -------- d-----w- C:\Combo-Fix
2010-10-12 02:34 . 2010-10-12 02:34 -------- d-----w- c:\program files\ERUNT
2010-10-10 00:25 . 2010-10-10 00:25 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-10-10 00:23 . 2010-10-10 00:23 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2010-10-10 00:23 . 2010-10-10 00:23 -------- d-----w- c:\documents and settings\LocalService\Application Data\Yahoo!
2010-10-08 22:36 . 2010-10-09 10:49 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-10-08 22:36 . 2010-10-09 01:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((( SnapShot@2010-10-14_17.49.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-10-15 16:29 . 2010-10-15 16:29 16384 c:\windows\temp\Perflib_Perfdata_35c.dat
+ 2010-10-14 17:53 . 2010-10-14 17:53 1550 c:\windows\SoftwareDistribution\EventCache\{495F3796-97B5-4F07-8821-6083693DE133}.bin
+ 2010-10-15 16:13 . 2010-10-15 16:13 192512 c:\windows\ERDNT\10-15-2010\Users\00000002\UsrClass.dat
+ 2010-10-15 16:13 . 2005-10-20 16:02 163328 c:\windows\ERDNT\10-15-2010\ERDNT.EXE
+ 2010-10-15 16:13 . 2010-10-15 16:13 7921664 c:\windows\ERDNT\10-15-2010\Users\00000001\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-10 39408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-26 4632576]
"nwiz"="c:\windows\system32\nwiz.exe" [2004-10-26 921600]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-08-22 155648]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"DVDSentry"="c:\windows\system32\DSentry.exe" [2002-07-17 28672]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2005-02-08 684032]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 22:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
R3 GTICARD;GTICARD;c:\windows\system32\drivers\gticard.sys [1/26/2005 10:55 PM 59328]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/15/2010 10:29 PM 135664]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - BASFND
.
Contents of the 'Scheduled Tasks' folder
2010-02-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
2010-10-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 02:28]
2010-10-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 02:28]
2010-10-15 c:\windows\Tasks\User_Feed_Synchronization-{0FA48CAD-70F5-43AA-998D-BE8715FA0925}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: tenderfoot.com
.
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1064)
c:\program files\Intel\Wireless\Bin\LgNotify.dll
- - - - - - - > 'explorer.exe'(3856)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\System32\SCardSvr.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\basfipm.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Digital Line Detect\DLG.exe
c:\program files\Windows Desktop Search\WindowsSearch.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
c:\program files\Apoint\Apntex.exe
.
**************************************************************************
.
Completion time: 2010-10-15 12:35:27 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-15 16:35
ComboFix2.txt 2010-10-15 00:43
ComboFix3.txt 2010-10-14 17:54
Pre-Run: 70,319,206,400 bytes free
Post-Run: 70,301,360,128 bytes free
- - End Of File - - C6314E0D6029B4166B6EBC8742697712
Hello kyle,
Your Combofix log looks fine, all that garbage is gone. Not sure about the user in Safemode, can you delete the account if it's not needed?
Are you still having problems booting up or has that cleared up now?
Let's sweep for leftovers
Please run this free online virus scanner from ESET (http://www.eset.com/onlinescan/)
Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic
kylemaso
2010-10-16, 00:39
17 items found! it keeps getting better though.
Kyle
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=02e617ae3d3c7440a519ac860c96894a
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-10-15 05:48:38
# local_time=2010-10-15 01:48:38 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=51234
# found=17
# cleaned=17
# scan_time=1839
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\b831c0c\11.mof.vir Win32/RogueAV.A trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\compokup.dll.vir a variant of Win32/PSW.Papras.BO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\compokup.dll.vir a variant of Win32/PSW.Papras.BO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\yckur.sys.vir a variant of Win32/Bubnix.AU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\yygfik.sys.vir a variant of Win32/Bubnix.AW trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP487\A0269506.bat BAT/KillFiles.NCB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP487\A0269517.dll a variant of Win32/PSW.Papras.BO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP488\A0270525.DLL Win32/Toolbar.AskSBar application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP488\A0270529.DLL a variant of Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP488\A0270532.dll a variant of Win32/Cimag.DP trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP489\A0270551.bat BAT/KillFiles.NCB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP489\A0271578.dll a variant of Win32/Cimag.DP trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP490\A0271694.mof Win32/RogueAV.A trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP490\A0271719.dll a variant of Win32/PSW.Papras.BO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP490\A0271720.dll a variant of Win32/PSW.Papras.BO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP490\A0271760.sys a variant of Win32/Bubnix.AU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP490\A0282074.sys a variant of Win32/Bubnix.AW trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
Kyle,
All ESET found were in Qoobox, which are backups of what Combofix removed, it also found entries in your System Restore program so we need to flush it all out and it's so important to create a new Restore Point.
System Restore is a component of Microsoft's Windows Me, Windows XP, Windows Vista and Windows 7 operating systems that allows for the rolling back of system files, registry keys, installed programs, etc., to a previous state in the event of malfunctioning or failure. Old restore points can be a source of re-infection.
Please follow the steps below to create a clean restore point:
Click Start > Run > copy and paste the following into the run box:
%SystemRoot%\System32\restore\rstrui.exe
Press OK. Choose Create a Restore Point then click Next.
Name it (something you'll remember) and click Create.
When the confirmation screen shows the restore point has been created click Close.
Then remove all previous Restore Points
Click Start > Run > copy and paste the following into the run box:
cleanmgr
Choose to scan drive C:\ (if C:\ is your main drive).
At the top, click on More Options tab. Click the Clean up... button in the System Restore box.
Click on the Yes button.
When finished, click on Cancel button to exit.
You never said if you're having boot problems???
kylemaso
2010-10-16, 00:59
The last boot was when combofix ran the last time and I didn't have any startup problems that I saw. Everything seemed normal and I was able to get on the web thru wireless like normal.
kylemaso
2010-10-16, 01:01
Done with the restore point and the cleanup. Nothing happened when I told it to delete all but the last restore point. Did it do it?
Kyle
Glad it all worked, need to finish working with you by Saturday so I can get together with fellow Gators for the game on Saturday :) Up here in Connecticut we have a Gator Club and get together at local pubs to watch the game.
Can you boot to safemode and go into your user accounts? The reason I am asking is sometimes malware will create a bogus account, not sure if this is the case here. Read this and see if you can remove it
http://www.microsoft.com/windowsxp/using/setup/winxp/accounts.mspx
Let me know how it goes ???
kylemaso
2010-10-16, 01:23
Rebooted in safe mode and attempted to delete user account BMOC. The error msg "cannot perform this operation on built-in accounts" comes up. I changed the status in properties to "account is disabled" and now it has a red x on the face. Rebooting in safe mode again, there is no option to pick a user and the computer goes directly to the main desktop. It is still in safe mode, what next?
Thanks, Kyle
Kyle,
What I would like you to do is post here, like this forum it's free, you just need to register, they can help you remove that account, we just do malware removal on this forum and right now my plate is full.
http://forums.pcpitstop.com/index.php?/forum/3-user-to-user-help/
Feel free to link this to this thread so they can see what we have done, if they feel it's malware related let me know and we can dig deeper.
TFC Temp File Cleaner <-- Yours to keep, run it now and then to clean out the clutter.
Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.
Combofix <---Is not a general cleaning tool, just run it with supervision or you can damage your system
Click START then RUN
Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
http://i526.photobucket.com/albums/cc345/MPKwings/CF-Uninstall.png
When shown the disclaimer, Select "2"
The above procedure will:
Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.
Now to remove most of the tools that we have used in fixing your machine:
Make sure you have an Internet Connection.
Download OTC (http://oldtimer.geekstogo.com/OTC.exe) to your desktop and run it
A list of tool components used in the cleanup of malware will be downloaded.
If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
Click Yes to begin the cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.
How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Keep in mind if you install some of these programs: only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot, you can still install Spybot Search and Destroy but do not enable the TeaTimer.
Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community
Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.
WinPatrol (www.winpatrol.com/download.html) Keep this fine program activated to block a lot of threats
Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.
IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will in no way interfere with IE, you can use them both.
Safe Surfn
Ken
kylemaso
2010-10-16, 01:54
When I type "Combofix /uninstall" in the run box it has begun to run the scan again. I put the space between x and the / but not between the / and the u. Do I need to use the windows uninstall program?
No, just go ahead and run OTC, it will remove it
kylemaso
2010-10-16, 01:58
Do I need to worry about the new scan it just ran?
Let it run and post the log
kylemaso
2010-10-16, 02:13
Thanks a million for all of your help these last three days Ken. I for sure thought her computer was totally messed up and would need a reinstall. I am glad you volunteer your time here helping out. I will reinstall Spybot without the teatimer and spywareblaster and firefox 3. I will also have her read the links you provided about infections. The log below is the last Combofix run before I ran OTC.
Thanks again, and I will check your reply after I post the log. I will also post on the other forum you gave me about the user in safe mode.
Kyle
ComboFix 10-10-12.03 - User 10/15/2010 18:52:43.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.246 [GMT -4:00]
Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe
Command switches used :: /unistall
.
((((((((((((((((((((((((( Files Created from 2010-09-15 to 2010-10-15 )))))))))))))))))))))))))))))))
.
2010-10-15 17:09 . 2010-10-15 17:09 -------- d-----w- c:\program files\ESET
2010-10-14 17:15 . 2010-10-14 17:55 -------- d-----w- C:\Combo-Fix
2010-10-12 02:34 . 2010-10-12 02:34 -------- d-----w- c:\program files\ERUNT
2010-10-10 00:25 . 2010-10-10 00:25 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-10-10 00:23 . 2010-10-10 00:23 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2010-10-10 00:23 . 2010-10-10 00:23 -------- d-----w- c:\documents and settings\LocalService\Application Data\Yahoo!
2010-10-08 22:36 . 2010-10-09 10:49 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-10-08 22:36 . 2010-10-09 01:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((( SnapShot@2010-10-14_17.49.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-10-15 22:49 . 2010-10-15 22:49 16384 c:\windows\temp\Perflib_Perfdata_e4.dat
+ 2010-10-14 17:53 . 2010-10-14 17:53 1550 c:\windows\SoftwareDistribution\EventCache\{495F3796-97B5-4F07-8821-6083693DE133}.bin
+ 2010-10-15 16:13 . 2010-10-15 16:13 192512 c:\windows\ERDNT\10-15-2010\Users\00000002\UsrClass.dat
+ 2010-10-15 16:13 . 2005-10-20 16:02 163328 c:\windows\ERDNT\10-15-2010\ERDNT.EXE
+ 2010-10-15 16:13 . 2010-10-15 16:13 7921664 c:\windows\ERDNT\10-15-2010\Users\00000001\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-10 39408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-26 4632576]
"nwiz"="c:\windows\system32\nwiz.exe" [2004-10-26 921600]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-08-22 155648]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"DVDSentry"="c:\windows\system32\DSentry.exe" [2002-07-17 28672]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2005-02-08 684032]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 22:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
R3 GTICARD;GTICARD;c:\windows\system32\drivers\gticard.sys [1/26/2005 10:55 PM 59328]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/15/2010 10:29 PM 135664]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - BASFND
.
Contents of the 'Scheduled Tasks' folder
2010-02-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
2010-10-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 02:28]
2010-10-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 02:28]
2010-10-15 c:\windows\Tasks\User_Feed_Synchronization-{0FA48CAD-70F5-43AA-998D-BE8715FA0925}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: tenderfoot.com
.
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1060)
c:\program files\Intel\Wireless\Bin\LgNotify.dll
- - - - - - - > 'explorer.exe'(2828)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-10-15 19:01:08
ComboFix-quarantined-files.txt 2010-10-15 23:01
ComboFix2.txt 2010-10-15 22:47
ComboFix3.txt 2010-10-15 16:35
ComboFix4.txt 2010-10-15 00:43
ComboFix5.txt 2010-10-15 22:51
Pre-Run: 71,529,140,224 bytes free
Post-Run: 71,510,388,736 bytes free
- - End Of File - - 051C85F3EB267D825A16B442E34E024B
You're good to go.
Go Gators
My pleasure,
Take care,
Ken :)
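The "Reg Loading Points" block in the ComboFix log above is plain text in REGEDIT4 shape: a bracketed key followed by `"name"="path" [date size]` value lines. The script below is an added example, not part of this thread and not ComboFix's own code: it parses such a block into records and applies two simple triage heuristics a helper typically applies by eye (an autostart whose file lives outside c:\windows or c:\program files, and one whose file date is recent). The sample text is constructed: its first entries mirror lines from the log above, the "Updater" entry is made up to exercise the rules, and the "expected roots" list and date cutoff are assumptions, not anything ComboFix itself enforces.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of ComboFix's "Reg Loading Points" section.
# The swg/NvCplDaemon/sessmgr entries mirror the log in this thread; the
# "Updater" entry is made up so the triage rules below have something to flag.
SAMPLE = r"""
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-10 39408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-26 4632576]
"Updater"="c:\documents and settings\User\Application Data\upd\updater.exe" [2010-10-10 24576]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"""

KEY_RE = re.compile(r'^\[(.+)\]$')
# "name"="data" [YYYY-MM-DD size]  -- data and the bracketed suffix are optional,
# which covers firewall-list entries that carry only a name.
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"=(?:"(?P<data>[^"]*)")?'
    r'(?:\s*\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\])?$'
)


@dataclass
class LoadPoint:
    key: str
    name: str
    path: Optional[str]
    date: Optional[str]   # file date as printed by ComboFix, ISO order
    size: Optional[int]   # file size in bytes


def _unescape(s: str) -> str:
    # REGEDIT4 doubles backslashes inside quoted strings.
    return s.replace('\\\\', '\\')


def parse_loading_points(text: str) -> List[LoadPoint]:
    """Turn a Reg Loading Points block into a list of LoadPoint records."""
    points: List[LoadPoint] = []
    key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            data = m.group('data')
            points.append(LoadPoint(
                key=key,
                name=_unescape(m.group('name')),
                path=_unescape(data) if data is not None else None,
                date=m.group('date'),
                size=int(m.group('size')) if m.group('size') else None,
            ))
    return points


# Assumed "expected" locations for autostart binaries on an XP box; a path
# anywhere else (user profile, temp, root of C:) is worth a second look.
EXPECTED_ROOTS = ('c:\\windows\\', 'c:\\program files\\')


def outside_expected_roots(points: List[LoadPoint]) -> List[LoadPoint]:
    """Heuristic: autostarts whose file is not under a system/program root."""
    return [p for p in points
            if p.path is not None and not p.path.lower().startswith(EXPECTED_ROOTS)]


def newer_than(points: List[LoadPoint], cutoff: str) -> List[LoadPoint]:
    """Heuristic: autostarts whose file date is on/after an ISO cutoff date."""
    return [p for p in points if p.date is not None and p.date >= cutoff]


if __name__ == '__main__':
    pts = parse_loading_points(SAMPLE)
    for p in pts:
        print(f'{p.key}\n    {p.name} -> {p.path} ({p.date}, {p.size})')
    print('outside expected roots:', [p.name for p in outside_expected_roots(pts)])
    print('file date >= 2010-10-01:', [p.name for p in newer_than(pts, '2010-10-01')])
```

Both rules are only a prioritisation aid: a legitimate updater can live under a profile directory and a freshly patched driver has a recent date, so flagged entries still need to be checked by hash or publisher before anything is deleted.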