
Thread: gcf05600mKdGo05600.exe

  1. #1 (Junior Member, joined Apr 2011, 25 posts)

    gcf05600mKdGo05600.exe

    I was infected by the following today:

    gcf05600mKdGo05600.exe (the zeros are zeros & after G it is the letter o)

    I lowered the priority of this process in the task manager & deleted the cache & the cookies from IE 7.

    The icons on the desktop froze; the "MS REMOVAL TOOL" kept popping up telling me to remove malware (up to 15 items!...I think this was part of the malware or virus itself). I ignored that option. Started running Avast antivirus. Eventually a blue screen appeared, all icons disappeared; blank screen; then a message that looked like something Windows would post:

    "A problem has been detected and Windows has been shut down to prevent damage to your computer.
    The problem seems to be caused by the following file: NTFS.SYS
    PAGE FAULT IN NONPAGED AREA
    If this is the first time you've seen this stop error screen, restart your computer. If this screen apears(sic) again, follow these steps:
    Check to make sure any new hardware of software is properly installed. If this is a new installation, ask your hardware or software manufacturer for any windwos(sic) updates you might need.
    If problems continue, disable or remove any newly installed hardware or software. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer, press F8 to select Advanced Startup Options, and then select Safe Mode.
    Technical information:

    *** STOP 0x00000050 (0xFD3094C2, 0x00000001, OxFBFE7617, 0x00000000

    *** NTFS.SYS - Address 0xFBFE7617 base at 0xFD3094C2, DateStamp 3d6abeff"

    After this the computer rebooted automatically. When it finished, I scanned with Spybot & it didn't detect any problems. Did a Google & process search for this .exe & found nothing. Worried that I may still be infected.

    If you want more info or can advise me please contact me.

    Thanks, James Lane


    PS As requested, the DDS:

    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Owner at 19:05:17.10 on Thu 04/14/2011
    Internet Explorer: 7.0.5730.13
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.214 [GMT -4:00]
    .
    AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\Program Files\Alwil Software\Avast5\avastUI.exe
    C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Portrait Displays\Pivot Software\floater.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
    C:\Program Files\Common Files\Portrait Displays\Drivers\pdisrvc.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Documents and Settings\Owner\Desktop\dds.scr
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = https://ixquick.com/
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    BHO: IE7Pro BHO: {00011268-e188-40df-a514-835fcd78b1bf} - c:\program files\iepro\iepro.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
    BHO: FlashCatchBHO Class: {88618a96-6d8a-42e7-b932-9073d5b2080f} - c:\program files\flashcatch\flashcatch.dll
    TB: FlashCatch: {10cecf4f-a96e-4803-8ac2-f565fb29ff47} - c:\program files\flashcatch\flashcatch.dll
    TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\iepro\IEProRecorder.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Omnipage] c:\program files\scansoft\omnipagese\opware32.exe
    mRun: [Logitech Utility] Logi_MwX.Exe
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
    mRun: [PivotSoftware] "c:\program files\portrait displays\pivot software\wpctrl.exe"
    mRun: [DT ACR] c:\program files\common files\portrait displays\shared\DT_startup.exe -ACR
    StartupFolder: c:\docume~1\owner\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {000002a3-84fe-43f1-b958-f2c3ca804f1a} - {CD275D4E-791A-4993-9D4D-6A071EDD2709} - c:\program files\iepro\iepro.dll
    IE: {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - {B119EB0C-C021-46CF-85B0-34A760E0D5FE} - c:\program files\iepro\iepro.dll
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1263877266968
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
    Notify: igfxcui - igfxsrvc.dll
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\xyzsn41i.default\
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-7-2 294608]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-7-2 17744]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2011-2-8 40384]
    R2 PdiService;Portrait Displays SDK Service;c:\program files\common files\portrait displays\drivers\pdisrvc.exe [2011-4-9 90112]
    S2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2008-10-28 156968]
    .
    =============== Created Last 30 ================
    .
    2011-04-14 17:22:06 -------- d-----w- c:\docume~1\alluse~1\applic~1\gCf05600mKdGo05600
    2011-04-09 23:14:58 -------- d-----w- c:\docume~1\owner\applic~1\DisplayTune
    2011-04-09 22:58:58 62009 ----a-w- c:\windows\system32\wpfb_ialmrnt5.dll
    2011-04-09 22:58:55 62009 ----a-w- c:\windows\system32\WPFB.DLL
    2011-04-09 22:58:55 2304 ----a-w- c:\windows\system32\Machnm32.sys
    2011-04-09 22:58:55 17465 ----a-w- c:\windows\system32\drivers\pivot.sys
    2011-04-09 22:58:55 11323 ----a-w- c:\windows\system32\drivers\pivotmou.sys
    2011-04-09 22:58:53 -------- d-----w- c:\program files\Portrait Displays
    2011-04-09 22:58:06 17064 ----a-w- c:\windows\system32\drivers\PdiPorts.sys
    2011-04-09 22:56:42 32768 ----a-w- c:\program files\common files\installshield\professional\runtime\Objectps.dll
    2011-04-09 22:56:41 69714 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\ctor.dll
    2011-04-09 22:56:41 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\DotNetInstaller.exe
    2011-04-09 22:56:41 274432 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\iscript.dll
    2011-04-09 22:56:41 184320 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\iuser.dll
    2011-04-09 22:56:40 753664 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\iKernel.dll
    2011-04-09 22:56:33 200836 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\iGdi.dll
    2011-04-09 22:56:26 331908 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\setup.dll
    .
    ==================== Find3M ====================
    .
    2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-03-04 06:45:07 434176 ----a-w- c:\windows\system32\vbscript.dll
    2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
    2011-02-17 19:00:29 832512 ----a-w- c:\windows\system32\wininet.dll
    2011-02-17 19:00:28 78336 ----a-w- c:\windows\system32\ieencode.dll
    2011-02-17 19:00:28 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-02-17 19:00:27 17408 ----a-w- c:\windows\system32\corpol.dll
    2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2011-02-17 11:44:16 389120 ----a-w- c:\windows\system32\html.iec
    2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
    2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
    2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
    2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
    .
    ============= FINISH: 19:07:40.68 ===============

    In addition to attaching what was requested, I'm attaching a photo of Task Manager with the offending .exe.
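A quick way to triage a DDS log like the one above, as an added example (not part of the thread, and not a tool either poster used): parse the "Created Last 30" entries and flag anything created shortly before the DDS run that sits in a user-writable drop location or has a random-looking name. The sample lines are copied from the log posted above; the drop-location list, the name heuristic and the time window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Sample input: lines copied from the "Created Last 30" section of the DDS log above.
DDS_CREATED = r"""
2011-04-14 17:22:06 -------- d-----w- c:\docume~1\alluse~1\applic~1\gCf05600mKdGo05600
2011-04-09 23:14:58 -------- d-----w- c:\docume~1\owner\applic~1\DisplayTune
2011-04-09 22:58:58 62009 ----a-w- c:\windows\system32\wpfb_ialmrnt5.dll
2011-04-09 22:56:26 331908 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\setup.dll
"""

FMT = "%Y-%m-%d %H:%M:%S"
# DDS entry layout: timestamp, size (or dashes for a directory), attribute flags, path
ENTRY_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S{8})\s+(.+)$")

# Assumed drop locations: user-level malware of this era usually lands in the
# All Users / per-user application data folders or the user's temp directory.
SUSPECT_PREFIXES = (
    "c:\\docume~1\\alluse~1\\applic~1\\",
    "c:\\docume~1\\owner\\applic~1\\",
    "c:\\docume~1\\owner\\locals~1\\temp\\",
)
# Assumed heuristic: a leaf name mixing letters and digits with no dot or space.
RANDOM_NAME_RE = re.compile(r"^(?=.*[a-z])(?=.*\d)[A-Za-z0-9]{10,}$", re.I)


def parse_created(text):
    """Return (timestamp, size, attrs, path) tuples for DDS 'Created' lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((datetime.strptime(m.group(1), FMT), m.group(2), m.group(3), m.group(4)))
    return entries


def triage(text, run_time, window_hours=3):
    """Flag paths created within window_hours before run_time (the DDS run, 'YYYY-MM-DD HH:MM:SS')
    that live in an assumed drop location or have a random-looking leaf name."""
    hi = datetime.strptime(run_time, FMT)
    lo = hi - timedelta(hours=window_hours)
    flagged = []
    for ts, _size, _attrs, path in parse_created(text):
        if not (lo <= ts <= hi):
            continue
        leaf = path.rsplit("\\", 1)[-1]
        in_drop = any(path.lower().startswith(p) for p in SUSPECT_PREFIXES)
        if in_drop or RANDOM_NAME_RE.match(leaf):
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    # The log header above says DDS was run at 19:05:17 on 2011-04-14.
    for p in triage(DDS_CREATED, "2011-04-14 19:05:17"):
        print("suspicious:", p)
```

With the default three-hour window only the folder created at 17:22 on the day of the infection is flagged; widening the window to several days also surfaces the per-user DisplayTune folder, which is why the window should stay tight to the reported incident time.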

  2. #2 (Emeritus, joined Nov 2005, location @localhost, 6,066 posts)

    Hi jpatrick,

    Let's see if this can dig up anything:

    Please download the free version of Malwarebytes to your desktop.

    Double-click mbam-setup.exe and follow the prompts to install the program.

    Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

    If an update is found, it will download and install the latest version.

    Once the program has loaded, select Perform FULL SCAN, then click Scan.
    When the scan is complete, click OK, then Show Results to view the results.

    Be sure that everything is checked, and click *Remove Selected.*

    *A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*

    When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.
    Post the log in your reply.