Wife's laptop infected

kylemaso

New member
Please help me clean my wife's computer. She got a "Virtumonde" trojan that I cannot remove. Thanks in advance
Kyle


DDS (Ver_10-10-10.03) - NTFSx86
Run by User at 22:50:32.58 on Mon 10/11/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.118 [GMT -4:00]

AV: Security Master AV *On-access scanning enabled* (Updated) {EBAA06D4-936E-4565-BC83-E17770425493}
FW: Security Master AV *enabled* {3078E016-0B9F-4D65-9D4F-4CAE3144B087}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Documents and Settings\User\Start Menu\Programs\Startup\updugt32.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Apoint\Apntex.exe
"C:\WINDOWS\System32\svchost.exe"
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\F91WMCTN\dds[1].scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/
uSearch Page =
uDefault_Page_URL = hxxp://www.windstream.net
uWindow Title = Windows Internet Explorer provided by Windstream
uSearch Bar =
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uInternet Settings,ProxyOverride = *.local
mSearchAssistant =
uURLSearchHooks: N/A: {0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2} - c:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uURLSearchHooks: H - No File
mURLSearchHooks: N/A: {0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2} - c:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL
mWinlogon: System=ziswin.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Ask Search Assistant BHO: {0579b4b1-0293-4d73-b02d-5ebb0ba0f0a2} - c:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRunOnce: [SpybotDeletingB6998] command.com /c del "c:\windows\uwimetapediwi.dll_old"
uRunOnce: [SpybotDeletingD7356] cmd.exe /c del "c:\windows\uwimetapediwi.dll_old"
mRun: [NvCplDaemon] "c:\windows\system32\rundll32.exe" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] "c:\windows\system32\nwiz.exe" /installquiet
mRun: [Apoint] "c:\program files\apoint\Apoint.exe"
mRun: [bascstray] BascsTray.exe
mRun: [<NO NAME>]
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [DVDSentry] "c:\windows\system32\DSentry.exe"
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [KernelFaultCheck] "%systemroot%\system32\dumprep" 0 -k
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Gtinet] rundll32.exe "c:\windows\uwimetapediwi.dll",Startup
mRunOnce: [Spybot - Search & Destroy] "c:\program files\spybot - search & destroy\SpybotSD.exe" /autocheck
mRunOnce: [SpybotDeletingA7525] command.com /c del "c:\windows\uwimetapediwi.dll_old"
mRunOnce: [SpybotDeletingC6006] cmd.exe /c del "c:\windows\uwimetapediwi.dll_old"
StartupFolder: c:\documents and settings\user\start menu\programs\startup\updugt32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\applic~1.lnk - c:\program files\novell\zenworks\NalView.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: tenderfoot.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc2.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229039078121
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} -
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
IFEO: image file execution options -
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R3 GTICARD;GTICARD;c:\windows\system32\drivers\gticard.sys [2005-1-26 59328]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-15 135664]
S3 040b979b10373198;040b979b10373198;c:\windows\temp\11480c1fcbf8a [2010-10-11 840192]
S3 85fd5a8838da4c58;85fd5a8838da4c58;\??\c:\windows\temp\113202561d816 --> c:\windows\temp\113202561d816 [?]
S3 ca71bd57551fd5e2;ca71bd57551fd5e2;\??\c:\windows\temp\11520fa564420 --> c:\windows\temp\11520fa564420 [?]
S3 e2c629d1415dc042;e2c629d1415dc042;c:\windows\temp\11480333d6cac [2010-10-11 840192]
S3 ef636f5a9cd82383;ef636f5a9cd82383;\??\c:\windows\temp\11440d62d7b16 --> c:\windows\temp\11440d62d7b16 [?]

=============== Created Last 30 ================

2010-10-09 22:49:00 -------- d-----w- c:\docume~1\user\locals~1\applic~1\{8638D86D-DFDD-4D85-9D78-2312DD378723}
2010-10-09 06:53:06 840192 ----a-w- c:\windows\system32\drivers\yygfik.sys
2010-10-08 22:36:35 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-10-08 22:36:35 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-10-08 17:16:21 47616 ---ha-w- c:\windows\compokup.dll
2010-10-08 17:02:27 0 ---ha-w- c:\windows\Xpugivegohekev.bin
2010-10-08 17:01:15 565248 ----a-w- c:\windows\system32\drivers\yckur.sys
2010-10-08 17:00:12 47616 ---ha-w- c:\windows\system32\compokup.dll

==================== Find3M ====================


============= FINISH: 23:03:13.33 ===============
 


Please read Before You Post
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.


You have a lot of malware going on, looks like you may be rootkit infected.


Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2


CF_download_FF.gif



CF_download_rename.gif


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • See this Link for programs that need to be disabled and instruction on how to disable them.
  • Remember to re-enable them when we're done.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
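As an added example (not part of this thread, and not code from DDS, ComboFix or any other tool used here), the following Python script shows how the indicators the analyst is reacting to in the DDS log above can be picked out of service and loading-point lines automatically: a service whose name is a random-looking 16-digit hex string, whose image lives under a temp directory or has no executable extension, a Hosts entry that pins a security site to 127.0.0.1, a bare .exe dropped straight into the Startup folder, and a rundll32 loading point for a DLL sitting directly in the Windows directory. The sample lines are copied from the log in this thread; the heuristics, regular expressions and function names are my own and are meant as a triage aid for reading such logs, not as a verdict.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Sample input: lines copied from the DDS log in this thread, plus two benign
# service lines (gticard, gupdate) for contrast.  Raw string keeps the
# Windows backslashes literal.
SAMPLE_LOG = r"""
R3 GTICARD;GTICARD;c:\windows\system32\drivers\gticard.sys [2005-1-26 59328]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-15 135664]
S3 040b979b10373198;040b979b10373198;c:\windows\temp\11480c1fcbf8a [2010-10-11 840192]
S3 85fd5a8838da4c58;85fd5a8838da4c58;\??\c:\windows\temp\113202561d816 --> c:\windows\temp\113202561d816 [?]
Hosts: 127.0.0.1 www.spywareinfo.com
StartupFolder: c:\documents and settings\user\start menu\programs\startup\updugt32.exe
mRun: [Gtinet] rundll32.exe "c:\windows\uwimetapediwi.dll",Startup
"""

# "R3 name;display;path [date size]" (DDS) or "S?2 name;..." (ComboFix).
SERVICE_RE = re.compile(r"^([RS])\?*(\d)\s+([^;]+);([^;]*);(.*)$")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{16}$", re.I)
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
STARTUP_RE = re.compile(r"^StartupFolder:\s+(.+)$", re.I)
RUN_RE = re.compile(r"^[um]Run(?:Once)?:\s+\[([^\]]*)\]\s+(.*)$")
WINDIR_DLL_RE = re.compile(r'"?[a-z]:\\windows\\[^\\"]+\.dll', re.I)


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)


def service_image_path(rest: str) -> str:
    """Return the on-disk image path from the tail of a service line."""
    rest = re.sub(r"\s+\[[^\]]*\]\s*$", "", rest)  # drop "[date size]" or "[?]"
    if "-->" in rest:                               # "\??\path --> path" form
        rest = rest.split("-->", 1)[1]
    return rest.strip().lower()


def triage_line(line: str) -> List[str]:
    """Heuristic reasons (possibly none) why one log line deserves a look."""
    reasons: List[str] = []
    m = SERVICE_RE.match(line)
    if m:
        name, path = m.group(3), service_image_path(m.group(5))
        if HEX_NAME_RE.match(name):
            reasons.append("service name is a random-looking 16-digit hex string")
        if "\\temp\\" in path:
            reasons.append("service image lives under a temp directory")
        if not re.search(r"\.(sys|exe|dll)$", path):
            reasons.append("service image has no executable extension")
        return reasons
    m = HOSTS_RE.match(line)
    if m:  # DDS only prints non-default Hosts entries, so any one is notable
        reasons.append(f"hosts file pins {m.group(2)} to {m.group(1)}")
        return reasons
    m = STARTUP_RE.match(line)
    if m and m.group(1).lower().endswith(".exe"):
        reasons.append("bare executable in the Startup folder (not a .lnk shortcut)")
        return reasons
    m = RUN_RE.match(line)
    if m and "rundll32" in m.group(2).lower() and WINDIR_DLL_RE.search(m.group(2)):
        reasons.append("rundll32 loads a DLL placed directly in the Windows directory")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Run the heuristics over every non-empty line and keep the flagged ones."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line and (reasons := triage_line(line)):
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   -", r)
```

Run it as-is and the two hex-named TEMP services, the Hosts entry, the Startup-folder executable and the Gtinet rundll32 entry are reported, while gticard and gupdate pass through silently. The point of keeping each heuristic separate is that none of them alone is proof: the combination of a nonsense service name, an extensionless image in TEMP and a recent creation date is what makes the analyst's "rootkit" call reasonable.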
 
Thanks for the help so far. When Combofix finished running on the laptop and Windows rebooted it gave me a blue screen. After restarting in safe mode and copying the combofix file it rebooted normally. I am not sure what happened there. Here is the Combofix log.
Kyle

ComboFix 10-10-12.03 - User 10/14/2010 13:29:58.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.267 [GMT -4:00]
Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\~GLHTTP1.TMP
c:\documents and settings\All Users.\documents\settings
c:\documents and settings\All Users\Application Data\b831c0c
c:\documents and settings\All Users\Application Data\b831c0c\11.mof
c:\documents and settings\All Users\Application Data\b831c0c\BackUp\Application Explorer.lnk
c:\documents and settings\All Users\Application Data\b831c0c\BackUp\Digital Line Detect.lnk
c:\documents and settings\All Users\Application Data\b831c0c\BackUp\LimeWire On Startup.lnk
c:\documents and settings\All Users\Application Data\b831c0c\BackUp\Windows Search.lnk
c:\documents and settings\All Users\Application Data\b831c0c\SMAV.ico
c:\documents and settings\All Users\Application Data\b831c0c\SMAVSys\vd952342.bd
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\User\Local Settings\Application Data\{8638D86D-DFDD-4D85-9D78-2312DD378723}
c:\documents and settings\User\Local Settings\Application Data\{8638D86D-DFDD-4D85-9D78-2312DD378723}\chrome.manifest
c:\documents and settings\User\Local Settings\Application Data\{8638D86D-DFDD-4D85-9D78-2312DD378723}\chrome\content\_cfg.js
c:\documents and settings\User\Local Settings\Application Data\{8638D86D-DFDD-4D85-9D78-2312DD378723}\chrome\content\overlay.xul
c:\documents and settings\User\Local Settings\Application Data\{8638D86D-DFDD-4D85-9D78-2312DD378723}\install.rdf
c:\documents and settings\User\Recent\cb.dll
c:\documents and settings\User\Recent\cb.drv
c:\documents and settings\User\Recent\cb.sys
c:\documents and settings\User\Recent\cb.tmp
c:\documents and settings\User\Recent\CLSV.exe
c:\documents and settings\User\Recent\ddv.tmp
c:\documents and settings\User\Recent\eb.drv
c:\documents and settings\User\Recent\energy.dll
c:\documents and settings\User\Recent\exec.dll
c:\documents and settings\User\Recent\exec.sys
c:\documents and settings\User\Recent\fan.dll
c:\documents and settings\User\Recent\fix.drv
c:\documents and settings\User\Recent\grid.tmp
c:\documents and settings\User\Recent\PE.drv
c:\documents and settings\User\Recent\PE.sys
c:\documents and settings\User\Recent\ppal.dll
c:\documents and settings\User\Recent\ppal.drv
c:\documents and settings\User\Recent\runddlkey.sys
c:\documents and settings\User\Recent\sld.exe
c:\documents and settings\User\Recent\snl2w.drv
c:\documents and settings\user\Start Menu\Programs\Startup\updugt32.exe
C:\LOG3.tmp
C:\LOG4.tmp
C:\LOGA9.tmp
C:\LOGAA.tmp
C:\LOGB0.tmp
C:\LOGD.tmp
c:\windows\compokup.dll
c:\windows\system32\compokup.dll
c:\windows\system32\drivers\yckur.sys

----- BITS: Possible infected sites -----

hxxp://uaa104
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_yckur
-------\Service_yckur


((((((((((((((((((((((((( Files Created from 2010-09-14 to 2010-10-14 )))))))))))))))))))))))))))))))
.

2010-10-12 02:34 . 2010-10-12 02:34 -------- d-----w- c:\program files\ERUNT
2010-10-10 00:25 . 2010-10-10 00:25 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-10-10 00:23 . 2010-10-10 00:23 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2010-10-10 00:23 . 2010-10-10 00:23 -------- d-----w- c:\documents and settings\LocalService\Application Data\Yahoo!
2010-10-09 06:53 . 2010-10-14 17:50 840192 ----a-w- c:\windows\system32\drivers\yygfik.sys
2010-10-08 22:36 . 2010-10-09 10:49 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-10-08 22:36 . 2010-10-09 01:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-10-08 17:02 . 2010-10-12 11:37 0 ---ha-w- c:\windows\Xpugivegohekev.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-10 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-26 4632576]
"nwiz"="c:\windows\system32\nwiz.exe" [2004-10-26 921600]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-08-22 155648]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"DVDSentry"="c:\windows\system32\DSentry.exe" [2002-07-17 28672]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2005-02-08 684032]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 22:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R3 GTICARD;GTICARD;c:\windows\system32\drivers\gticard.sys [1/26/2005 10:55 PM 59328]
S?2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/15/2010 10:29 PM 135664]
S3 040b979b10373198;040b979b10373198;\??\c:\windows\TEMP\11480c1fcbf8a --> c:\windows\TEMP\11480c1fcbf8a [?]
S3 7740e0574180fbc4;7740e0574180fbc4;\??\c:\windows\TEMP\8160d1485da7 --> c:\windows\TEMP\8160d1485da7 [?]
S3 85fd5a8838da4c58;85fd5a8838da4c58;\??\c:\windows\TEMP\113202561d816 --> c:\windows\TEMP\113202561d816 [?]
S3 ca71bd57551fd5e2;ca71bd57551fd5e2;\??\c:\windows\TEMP\11520fa564420 --> c:\windows\TEMP\11520fa564420 [?]
S3 e2c629d1415dc042;e2c629d1415dc042;\??\c:\windows\TEMP\11480333d6cac --> c:\windows\TEMP\11480333d6cac [?]
S3 ef636f5a9cd82383;ef636f5a9cd82383;\??\c:\windows\TEMP\11440d62d7b16 --> c:\windows\TEMP\11440d62d7b16 [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - yygfik
.
Contents of the 'Scheduled Tasks' folder

2010-02-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-10-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 02:28]

2010-10-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 02:28]

2010-10-14 c:\windows\Tasks\User_Feed_Synchronization-{0FA48CAD-70F5-43AA-998D-BE8715FA0925}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: tenderfoot.com
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
BHO-{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-TomTomHOME.exe - c:\program files\TomTom HOME 2\TomTomHOMERunner.exe
HKLM-Run-bascstray - BascsTray.exe
HKLM-Run-Gtinet - c:\windows\uwimetapediwi.dll
AddRemove-Macromedia Shockwave Player - c:\windows\system32\Macromed\SHOCKW~1\UNWISE.EXE



[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\040b979b10373198]
"ImagePath"="\??\c:\windows\TEMP\11480c1fcbf8a"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\7740e0574180fbc4]
"ImagePath"="\??\c:\windows\TEMP\8160d1485da7"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\85fd5a8838da4c58]
"ImagePath"="\??\c:\windows\TEMP\113202561d816"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ca71bd57551fd5e2]
"ImagePath"="\??\c:\windows\TEMP\11520fa564420"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\e2c629d1415dc042]
"ImagePath"="\??\c:\windows\TEMP\11480333d6cac"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ef636f5a9cd82383]
"ImagePath"="\??\c:\windows\TEMP\11440d62d7b16"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\yygfik]

.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1084)
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(3784)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe
c:\windows\System32\SCardSvr.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\basfipm.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
c:\program files\Digital Line Detect\DLG.exe
c:\program files\Windows Desktop Search\WindowsSearch.exe
c:\program files\Apoint\Apntex.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\imapi.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2010-10-14 13:54:46 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-14 17:54

Pre-Run: 70,437,478,400 bytes free
Post-Run: 70,279,798,784 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 23DFEBD096F981CD1DAA92B524779413
 
I posted too quickly. The error came back. It says there is a problem detected and windows has been shut down to prevent damage to your computer.

DRIVER_IRQL_NOT_LESS_OR_EQUAL

Technical information:

*** STOP: 0x000000D1 (0xF8C52000, 0X00000002, 0X00000000, 0XF8585C89)

*** yygfik.sys - Address F8585C89 base at F8581000, Datestamp 4cac4840

What is this?
Thanks, Kyle
 
That's part of the infection, and all systems react differently to them.


You can run both of these programs in Safemode with Network Support


To Enter Safemode
  • Go to Start> Shut off your Computer> Restart
  • As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
    this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode with Networking
  • Then press the Enter Key on your Keyboard
Tutorial if you need it How to boot into Safemode






Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine;
  • if it doesn't, manually reboot to ensure a complete clean.






Please download Malwarebytes from Here or Here

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
    MBAMCapture.jpg
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected .
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please
 
Hey Ken, I cannot get her laptop to reboot. I have tried every safe mode setting and rebooting in normal mode. The computer gets stuck at "windows\system32\drivers\isapnp.sys" When rebooting in "safe modes" and never gets past a black screen in a regular boot.

If this is the end, I will reformat and reinstall.
Let me know.
Kyle

 
I may have jumped the gun too soon again Ken! When rebooting in Safe Mode with command prompt, and selecting reboot from Windows Recovery, I get as far as the background and it seems to load the programs, but then goes to the blue screen error noted earlier. Upon rebooting in safe mode with networking options, I was able to reboot in standard safe mode with networking and am running malwarebytes.
Kyle

Never Surrender!
 
Great, I was looking into your problem. I am hoping Malwarebytes removes some more bad stuff; if not, we will have to run Combofix again to remove the malware that is causing this problem.
 
Unfortunately Malwarebytes didn't find anything that I could see. But here is the log....
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4786

Windows 5.1.2600 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.18702

10/14/2010 7:51:53 PM
mbam-log-2010-10-14 (19-51-53).txt

Scan type: Quick scan
Objects scanned: 150242
Time elapsed: 6 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
PS I wasn't able to update Malwarebytes with this week's update, the computer gave me the same blue screen error, but I updated it 4 days ago...
Kyle
 
Go ahead and run TFC; it's a temp file cleaner, and you have some bad stuff in your temp files.

Then do this.


Open Notepad: Go to Start> All Programs> Accessories> Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above Driver::


Code:
Driver::
yygfik

File::
c:\windows\system32\drivers\yygfik.sys
c:\windows\Xpugivegohekev.bin
c:\windows\uwimetapediwi.dll

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\yygfik]

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
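As an added example (my own code, not part of this thread and not anything ComboFix ships), here is a small Python checker for the CFScript format the analyst is using above: it splits the script into its `Driver::`, `File::` and `Registry::` sections and reports the mistakes that commonly stop such a script from loading, in particular whitespace or a blank line before the first header, which is exactly what the post warns about. The script text is the one posted above; the only section names recognised are the three it uses (ComboFix accepts others, but I am not listing names the thread does not show), and the expected file name `CFScript.txt` is taken from the "Command switches used" line of the ComboFix log that appears later in the thread.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Section headers used in the script posted in this thread.  ComboFix knows
# other sections too; they are deliberately not listed, so they are reported
# as unknown rather than silently accepted.
KNOWN_SECTIONS = {"Driver::", "File::", "Registry::"}

# The script from the post above, verbatim (raw string keeps the backslashes).
SCRIPT_FROM_THREAD = r"""Driver::
yygfik

File::
c:\windows\system32\drivers\yygfik.sys
c:\windows\Xpugivegohekev.bin
c:\windows\uwimetapediwi.dll

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\yygfik]
"""


def parse_cfscript(text: str) -> Tuple[Dict[str, List[str]], List[str]]:
    """Split a CFScript into sections and list anything that looks wrong."""
    sections: Dict[str, List[str]] = {}
    problems: List[str] = []
    if text[:1].isspace():
        problems.append("script starts with whitespace or a blank line before the first header")
    current = None
    for n, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry:
            continue  # blank lines between sections are fine
        if entry.endswith("::"):
            if raw != entry:
                problems.append(f"line {n}: header {entry!r} has surrounding whitespace")
            if entry not in KNOWN_SECTIONS:
                problems.append(f"line {n}: unknown section {entry!r}")
            current = entry
            sections.setdefault(current, [])
            continue
        if current is None:
            problems.append(f"line {n}: entry {entry!r} appears before any section header")
            continue
        sections[current].append(entry)
        # Per-section sanity checks on the entry shape.
        if current == "File::" and not re.match(r"^[a-z]:\\", entry, re.I):
            problems.append(f"line {n}: File:: entry is not an absolute drive path")
        if current == "Registry::" and not re.match(r"^\[-?HK", entry):
            problems.append(f"line {n}: Registry:: entry is not a [HK...] or [-HK...] key line")
        if current == "Driver::" and not re.match(r"^[\w.-]+$", entry):
            problems.append(f"line {n}: Driver:: entry should be a bare service name")
    return sections, problems


def check_script_name(path: str) -> List[str]:
    """The ComboFix log in this thread shows the script picked up as CFScript.txt,
    so that is the basename checked here (ntpath so Windows paths parse anywhere)."""
    name = ntpath.basename(path)
    if name.lower() != "cfscript.txt":
        return [f"file is named {name!r}; expected CFScript.txt"]
    return []


if __name__ == "__main__":
    sections, problems = parse_cfscript(SCRIPT_FROM_THREAD)
    for header, entries in sections.items():
        print(header, entries)
    print("problems:", problems or "none")
    print(check_script_name(r"c:\documents and settings\User\Desktop\CFScript.txt"))
```

On the script above this reports no problems and three sections; feed it a copy with a leading space before `Driver::` and it flags both the leading whitespace and the indented header, which is the kind of silent paste error that makes a removal script do nothing.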
 
I have noticed that there is a user identity upon startup in safemode that doesn't show up in the user area of the control panel. It is password protected and we don't know how to get rid of it.

Combofix gives me an error of "were you trying to run CFScript? The name CFScript is incorrectly spelt" and that is how it is spelled....

And that is all she wrote, the program exits when I click "ok"
kyle
 
Kyle,

Been a loooong day, been at this for many hours so take your time and I will be back in the morning.

My wife graduated from Florida, been to Florida Field many times. Looking forward to see the Mississippi State game Saturday night
 
Here is the log. The laptop started without being in safe mode and seems to be running much better. What next? Could the user BMOC "big man on campus" be the builder of this computer? We don't see his user name in the user screen in the control panel, only on startup in safe mode....
kyle

ComboFix 10-10-12.03 - User 10/14/2010 20:30:26.2.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.335 [GMT -4:00]
Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt

FILE ::
"c:\windows\system32\drivers\yygfik.sys"
"c:\windows\uwimetapediwi.dll"
"c:\windows\Xpugivegohekev.bin"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\fad.sys
c:\windows\system32\drivers\yygfik.sys
c:\windows\Xpugivegohekev.bin

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_YYGFIK
-------\Service_yygfik


((((((((((((((((((((((((( Files Created from 2010-09-15 to 2010-10-15 )))))))))))))))))))))))))))))))
.

2010-10-14 17:15 . 2010-10-14 17:55 -------- d-----w- C:\Combo-Fix
2010-10-12 02:34 . 2010-10-12 02:34 -------- d-----w- c:\program files\ERUNT
2010-10-10 00:25 . 2010-10-10 00:25 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-10-10 00:23 . 2010-10-10 00:23 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2010-10-10 00:23 . 2010-10-10 00:23 -------- d-----w- c:\documents and settings\LocalService\Application Data\Yahoo!
2010-10-08 22:36 . 2010-10-09 10:49 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-10-08 22:36 . 2010-10-09 01:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-10 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-26 4632576]
"nwiz"="c:\windows\system32\nwiz.exe" [2004-10-26 921600]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-08-22 155648]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"DVDSentry"="c:\windows\system32\DSentry.exe" [2002-07-17 28672]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2005-02-08 684032]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 22:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R3 GTICARD;GTICARD;c:\windows\system32\drivers\gticard.sys [1/26/2005 10:55 PM 59328]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/15/2010 10:29 PM 135664]
S3 040b979b10373198;040b979b10373198;\??\c:\windows\TEMP\11480c1fcbf8a --> c:\windows\TEMP\11480c1fcbf8a [?]
S3 7740e0574180fbc4;7740e0574180fbc4;\??\c:\windows\TEMP\8160d1485da7 --> c:\windows\TEMP\8160d1485da7 [?]
S3 85fd5a8838da4c58;85fd5a8838da4c58;\??\c:\windows\TEMP\113202561d816 --> c:\windows\TEMP\113202561d816 [?]
S3 ca71bd57551fd5e2;ca71bd57551fd5e2;\??\c:\windows\TEMP\11520fa564420 --> c:\windows\TEMP\11520fa564420 [?]
S3 e2c629d1415dc042;e2c629d1415dc042;\??\c:\windows\TEMP\11480333d6cac --> c:\windows\TEMP\11480333d6cac [?]
S3 ef636f5a9cd82383;ef636f5a9cd82383;\??\c:\windows\TEMP\11440d62d7b16 --> c:\windows\TEMP\11440d62d7b16 [?]
.
Contents of the 'Scheduled Tasks' folder

2010-02-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-10-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 02:28]

2010-10-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 02:28]

2010-10-15 c:\windows\Tasks\User_Feed_Synchronization-{0FA48CAD-70F5-43AA-998D-BE8715FA0925}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: tenderfoot.com
.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\040b979b10373198]
"ImagePath"="\??\c:\windows\TEMP\11480c1fcbf8a"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\7740e0574180fbc4]
"ImagePath"="\??\c:\windows\TEMP\8160d1485da7"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\85fd5a8838da4c58]
"ImagePath"="\??\c:\windows\TEMP\113202561d816"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ca71bd57551fd5e2]
"ImagePath"="\??\c:\windows\TEMP\11520fa564420"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\e2c629d1415dc042]
"ImagePath"="\??\c:\windows\TEMP\11480333d6cac"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ef636f5a9cd82383]
"ImagePath"="\??\c:\windows\TEMP\11440d62d7b16"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1068)
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(2208)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe
c:\windows\System32\SCardSvr.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\basfipm.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Digital Line Detect\DLG.exe
c:\program files\Windows Desktop Search\WindowsSearch.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Apoint\Apntex.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-10-14 20:43:09 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-15 00:43
ComboFix2.txt 2010-10-14 17:54

Pre-Run: 70,375,411,712 bytes free
Post-Run: 70,362,116,096 bytes free

- - End Of File - - 1007449C245B8F6F62D561347B590F1F
 
Hi,

Did you run TFC? Still looking at stuff that needs to go.

Boot to safemode and delete everything inside this folder, but not the folder itself:
c:\windows\TEMP



Backup Your Registry with ERUNT:
  • Download erunt.zip to your Desktop from here:
    http://aumha.org/downloads/erunt.zip
  • Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
  • Inside the new folder, double-click ERUNT.exe to start the program
  • OK all the prompts to back up your registry to the default location.
Note: to restore your registry, go to the backup folder and start ERDNT.exe





Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above Driver::


Code:
Driver::
040b979b10373198
7740e0574180fbc4
85fd5a8838da4c58
ca71bd57551fd5e2
e2c629d1415dc042
ef636f5a9cd82383


Registry::
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\040b979b10373198]
"ImagePath"=-

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\7740e0574180fbc4]
"ImagePath"=-

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\85fd5a8838da4c58]
"ImagePath"=-

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ca71bd57551fd5e2]
"ImagePath"=-

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\e2c629d1415dc042]
"ImagePath"=-

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ef636f5a9cd82383]
"ImagePath"=-

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
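As an added example (not a tool from this thread, from Ken, or from ComboFix's authors), here is a small Python script that reads the R*/S* service lines from a ComboFix log like the one Kyle posted, flags the hex-named services whose image file sits in c:\windows\TEMP with no recorded date/size, and emits a removal script in the same Driver::/Registry:: layout Ken used. The sample input is the four service lines copied from the log above; the ControlSet001 key path is taken from the posted registry dump, and the second TEMP location in TEMP_DIRS is an assumption added for XP per-user temp folders.

```python
import re

# Input for this constructed example: four service lines copied from the
# ComboFix log posted above. Two are legitimate (dated, sized image files),
# two are hex-named services whose image lives in c:\windows\TEMP.
SAMPLE_LOG = r"""
R3 GTICARD;GTICARD;c:\windows\system32\drivers\gticard.sys [1/26/2005 10:55 PM 59328]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/15/2010 10:29 PM 135664]
S3 040b979b10373198;040b979b10373198;\??\c:\windows\TEMP\11480c1fcbf8a --> c:\windows\TEMP\11480c1fcbf8a [?]
S3 7740e0574180fbc4;7740e0574180fbc4;\??\c:\windows\TEMP\8160d1485da7 --> c:\windows\TEMP\8160d1485da7 [?]
"""

# Layout of a ComboFix service line:
#   "<start type> <name>;<display name>;<image path> [<date time size> or ?]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)\s+\[(.*)\]$")

# Directories from which a legitimate service should never load its image.
# The first is what the posted log shows; the second is an assumed XP
# per-user temp location added to generalise the check.
TEMP_DIRS = ("\\windows\\temp\\", "\\local settings\\temp\\")


def parse_services(log_text):
    """Return one dict per R*/S* service line found in a ComboFix log."""
    services = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        start, name, display, path, file_info = m.groups()
        # ComboFix prints "\??\<path> --> <resolved path>"; keep the resolved one.
        if "-->" in path:
            path = path.split("-->", 1)[1].strip()
        services.append({"start": start, "name": name, "display": display,
                         "path": path, "file_info": file_info})
    return services


def suspicious_reasons(svc):
    """Heuristics a responder applies to each entry; empty list means clean."""
    reasons = []
    low = svc["path"].lower()
    if any(t in low for t in TEMP_DIRS):
        reasons.append("image path is inside a TEMP directory")
    if re.fullmatch(r"[0-9a-f]{12,}", svc["name"].lower()):
        reasons.append("service name is a bare hex string")
    if svc["file_info"] == "?":
        reasons.append("no file date/size recorded for the image ([?])")
    if not re.search(r"\.(sys|exe|dll)$", low):
        reasons.append("image has no driver/executable extension")
    return reasons


def find_suspicious(log_text):
    """Return (service, reasons) pairs for every entry with at least one hit."""
    flagged = []
    for svc in parse_services(log_text):
        reasons = suspicious_reasons(svc)
        if reasons:
            flagged.append((svc, reasons))
    return flagged


def build_cfscript(flagged, control_set="ControlSet001"):
    """Emit a removal script in the Driver::/Registry:: layout Ken posted."""
    names = [svc["name"] for svc, _ in flagged]
    lines = ["Driver::"] + names + ["", "Registry::"]
    for n in names:
        lines.append("[HKEY_LOCAL_MACHINE\\System\\%s\\Services\\%s]" % (control_set, n))
        lines.append('"ImagePath"=-')
        lines.append("")
    return "\n".join(lines).rstrip() + "\n"


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG)
    for svc, reasons in hits:
        print("%s -> %s" % (svc["name"], svc["path"]))
        for r in reasons:
            print("    " + r)
    print(build_cfscript(hits))
```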
 
Hey Ken, I ran TFC last night as per your directions. The problems rebooting may have had something to do with the problems you are still seeing, tho I am not sure. Here is the latest Combofix log. I still am unsure what the extra user name is that is showing on safe startup. Let me know if you have any ideas. Thanks for your continued help here!
Kyle

ComboFix 10-10-12.03 - User 10/15/2010 12:22:40.3.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.330 [GMT -4:00]
Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_040b979b10373198
-------\Service_7740e0574180fbc4
-------\Service_85fd5a8838da4c58
-------\Service_ca71bd57551fd5e2
-------\Service_e2c629d1415dc042
-------\Service_ef636f5a9cd82383


((((((((((((((((((((((((( Files Created from 2010-09-15 to 2010-10-15 )))))))))))))))))))))))))))))))
.

2010-10-14 17:15 . 2010-10-14 17:55 -------- d-----w- C:\Combo-Fix
2010-10-12 02:34 . 2010-10-12 02:34 -------- d-----w- c:\program files\ERUNT
2010-10-10 00:25 . 2010-10-10 00:25 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-10-10 00:23 . 2010-10-10 00:23 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2010-10-10 00:23 . 2010-10-10 00:23 -------- d-----w- c:\documents and settings\LocalService\Application Data\Yahoo!
2010-10-08 22:36 . 2010-10-09 10:49 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-10-08 22:36 . 2010-10-09 01:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((( SnapShot@2010-10-14_17.49.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-10-15 16:29 . 2010-10-15 16:29 16384 c:\windows\temp\Perflib_Perfdata_35c.dat
+ 2010-10-14 17:53 . 2010-10-14 17:53 1550 c:\windows\SoftwareDistribution\EventCache\{495F3796-97B5-4F07-8821-6083693DE133}.bin
+ 2010-10-15 16:13 . 2010-10-15 16:13 192512 c:\windows\ERDNT\10-15-2010\Users\00000002\UsrClass.dat
+ 2010-10-15 16:13 . 2005-10-20 16:02 163328 c:\windows\ERDNT\10-15-2010\ERDNT.EXE
+ 2010-10-15 16:13 . 2010-10-15 16:13 7921664 c:\windows\ERDNT\10-15-2010\Users\00000001\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-10 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-26 4632576]
"nwiz"="c:\windows\system32\nwiz.exe" [2004-10-26 921600]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-08-22 155648]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"DVDSentry"="c:\windows\system32\DSentry.exe" [2002-07-17 28672]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2005-02-08 684032]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 22:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R3 GTICARD;GTICARD;c:\windows\system32\drivers\gticard.sys [1/26/2005 10:55 PM 59328]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/15/2010 10:29 PM 135664]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - BASFND
.
Contents of the 'Scheduled Tasks' folder

2010-02-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-10-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 02:28]

2010-10-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 02:28]

2010-10-15 c:\windows\Tasks\User_Feed_Synchronization-{0FA48CAD-70F5-43AA-998D-BE8715FA0925}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: tenderfoot.com
.
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1064)
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(3856)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\System32\SCardSvr.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\basfipm.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Digital Line Detect\DLG.exe
c:\program files\Windows Desktop Search\WindowsSearch.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
c:\program files\Apoint\Apntex.exe
.
**************************************************************************
.
Completion time: 2010-10-15 12:35:27 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-15 16:35
ComboFix2.txt 2010-10-15 00:43
ComboFix3.txt 2010-10-14 17:54

Pre-Run: 70,319,206,400 bytes free
Post-Run: 70,301,360,128 bytes free

- - End Of File - - C6314E0D6029B4166B6EBC8742697712
 
Hello kyle,

Your Combofix log looks fine, all that garbage is gone. Not sure about the user in Safemode, can you delete the account if it's not needed?

Are you still having problems booting up, or has that cleared up now?

Let's sweep for leftovers.

Please run this free online virus scanner from ESET
  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
 
17 items found! It keeps getting better though.
Kyle
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=02e617ae3d3c7440a519ac860c96894a
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-10-15 05:48:38
# local_time=2010-10-15 01:48:38 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=51234
# found=17
# cleaned=17
# scan_time=1839
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\b831c0c\11.mof.vir Win32/RogueAV.A trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\compokup.dll.vir a variant of Win32/PSW.Papras.BO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\compokup.dll.vir a variant of Win32/PSW.Papras.BO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\yckur.sys.vir a variant of Win32/Bubnix.AU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\yygfik.sys.vir a variant of Win32/Bubnix.AW trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP487\A0269506.bat BAT/KillFiles.NCB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP487\A0269517.dll a variant of Win32/PSW.Papras.BO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP488\A0270525.DLL Win32/Toolbar.AskSBar application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP488\A0270529.DLL a variant of Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP488\A0270532.dll a variant of Win32/Cimag.DP trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP489\A0270551.bat BAT/KillFiles.NCB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP489\A0271578.dll a variant of Win32/Cimag.DP trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP490\A0271694.mof Win32/RogueAV.A trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP490\A0271719.dll a variant of Win32/PSW.Papras.BO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP490\A0271720.dll a variant of Win32/PSW.Papras.BO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP490\A0271760.sys a variant of Win32/Bubnix.AU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP490\A0282074.sys a variant of Win32/Bubnix.AW trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
 